Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't query facts added with authorizer_merge! #192

Closed
Tipnos opened this issue Oct 30, 2023 · 3 comments
Closed

Can't query facts added with authorizer_merge! #192

Tipnos opened this issue Oct 30, 2023 · 3 comments

Comments

@Tipnos
Copy link
Contributor

Tipnos commented Oct 30, 2023

Below an example showing the issue:

use biscuit_auth::{macros::*, KeyPair};

fn main() {
    let mut authorizer = biscuit!(r#"fact("foo");"#)
        .build(&KeyPair::new())
        .unwrap()
        .authorizer()
        .unwrap();

    authorizer_merge!(&mut authorizer, r#"fact("bar");"#);

    let query_facts: Vec<(String,)> = authorizer.query(rule!("x($n) <- fact($n)")).unwrap();
    let (dumped_facts, _, _, _) = authorizer.dump();
    // [Fact { predicate: Predicate { name: "fact", terms: [Str("foo")] }, parameters: None },
    // Fact { predicate: Predicate { name: "fact", terms: [Str("bar")] }, parameters: Some({}) }]
    println!("{:?}", dumped_facts);

    // panic here!
    assert!(query_facts.len() == 2);
}

It looks like query don't lookup on facts added with authorizer_merge!
@divarvel
Copy link
Collaborator

Thanks! I'm not sure how much of this is intended behaviour or not.

In any case, it should be properly documented.

This was referenced Oct 30, 2023
Closed
Closed
@wez
Copy link

wez commented Dec 20, 2023

I'm just getting my feet wet with this crate, so weight my comment accordingly.

I think the current behavior is desirable, and if different semantics are needed, I think an additional or alternative query method should be provided for that.

Here's my scenario:

The base token includes some facts (such as a list of resources that are to be updated as part of an operation) that I can trust, because they were put into the token by the original token issuer.

In my endpoint I plan to use the query method to extract those facts from the base token and use those to determine which resources my endpoint should operate on. This way my endpoint doesn't accept any additional parameters from the client; it will only operate on the trusted facts in the token. Additional appended facts are not to be trusted; these are the same semantics as described and illustrated in https://doc.biscuitsec.org/reference/datalog#block-scoping

@divarvel divarvel mentioned this issue Nov 28, 2024
Merged
@Geal Geal mentioned this issue Nov 29, 2024
Merged
@Geal
Copy link
Contributor

Geal commented Nov 29, 2024

The behaviour should be stricter now that the AuthorizerBuilder is merged: #250
Now when the Authorizer is created, we will be sure that all facts are available

@Geal Geal closed this as completed Nov 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wez @Geal @divarvel @Tipnos