biscuit/schema.proto

syntax = "proto2";

package biscuit.format.schema;

message Biscuit {
  optional uint32 rootKeyId = 1;
  required SignedBlock authority = 2;
  repeated SignedBlock blocks = 3;
  required Proof proof = 4;
}

message SignedBlock {
  required bytes block = 1;
  required PublicKey nextKey = 2;
  required bytes signature = 3;
  optional ExternalSignature externalSignature = 4;
}

message ExternalSignature {
  required bytes signature = 1;
  required PublicKey publicKey = 2;
}

message PublicKey {
  required Algorithm algorithm = 1;

  enum Algorithm {
    Ed25519 = 0;
  }

  required bytes key = 2;
}


message Proof {
  oneof Content {
    bytes nextSecret = 1;
    bytes finalSignature = 2;
  }
}

message Block {
  repeated string symbols = 1;
  optional string context = 2;
  optional uint32 version = 3;
  repeated FactV2 facts_v2 = 4;
  repeated RuleV2 rules_v2 = 5;
  repeated CheckV2 checks_v2 = 6;
  repeated Scope scope = 7;
  repeated PublicKey publicKeys = 8;
}

message Scope {
  enum ScopeType {
    Authority = 0;
    Previous  = 1;
  }

  oneof Content {
    ScopeType scopeType = 1;
    int64 publicKey = 2;
  }
}

message FactV2 {
  required PredicateV2 predicate = 1;
}

message RuleV2 {
  required PredicateV2 head = 1;
  repeated PredicateV2 body = 2;
  repeated ExpressionV2 expressions = 3;
  repeated Scope scope = 4;
}

message CheckV2 {
  repeated RuleV2 queries = 1;
  optional Kind kind = 2;

  enum Kind {
    One = 0;
    All = 1;
  }
}

message PredicateV2 {
  required uint64 name = 1;
  repeated TermV2 terms = 2;
}

message TermV2 {
  oneof Content {
    uint32 variable = 1;
    int64 integer = 2;
    uint64 string = 3;
    uint64 date = 4;
    bytes bytes = 5;
    bool bool = 6;
    TermSet set = 7;
  }
}

message TermSet {
  repeated TermV2 set = 1;
}

message ExpressionV2 {
  repeated Op ops = 1;
}

message Op {
  oneof Content {
    TermV2 value = 1;
    OpUnary unary = 2;
    OpBinary Binary = 3;
  }
}

message OpUnary {
  enum Kind {
    Negate = 0;
    Parens = 1;
    Length = 2;
  }

  required Kind kind = 1;
}

message OpBinary {
  enum Kind {
    LessThan = 0;
    GreaterThan = 1;
    LessOrEqual = 2;
    GreaterOrEqual = 3;
    Equal = 4;
    Contains = 5;
    Prefix = 6;
    Suffix = 7;
    Regex = 8;
    Add = 9;
    Sub = 10;
    Mul = 11;
    Div = 12;
    And = 13;
    Or = 14;
    Intersection = 15;
    Union = 16;
    BitwiseAnd = 17;
    BitwiseOr = 18;
    BitwiseXor = 19;
    NotEqual = 20;
  }

  required Kind kind = 1;
}

message Policy {
  enum Kind {
    Allow = 0;
    Deny = 1;
  }

  repeated RuleV2 queries = 1;
  required Kind kind = 2;
}

message AuthorizerPolicies {
  repeated string symbols = 1;
  optional uint32 version = 2;
  repeated FactV2 facts = 3;
  repeated RuleV2 rules = 4;
  repeated CheckV2 checks = 5;
  repeated Policy policies = 6;
}

message ThirdPartyBlockRequest {
  required PublicKey previousKey = 1;
  repeated PublicKey publicKeys = 2;
}

message ThirdPartyBlockContents {
  required bytes payload = 1;
  required ExternalSignature externalSignature = 2;
}

message AuthorizerSnapshot {
  required RunLimits limits = 1;
  required uint64 executionTime = 2;
  required AuthorizerWorld world = 3;
}

message RunLimits {
  required uint64 maxFacts = 1;
  required uint64 maxIterations = 2;
  required uint64 maxTime = 3;
}

message AuthorizerWorld {
  optional uint32 version = 1;
  repeated string symbols = 2;
  repeated PublicKey publicKeys = 3;
  repeated SnapshotBlock blocks = 4;
  required SnapshotBlock authorizerBlock = 5;
  repeated Policy authorizerPolicies = 6;
  repeated GeneratedFacts generatedFacts = 7;
  required uint64 iterations = 8;
}

message Origin {
  oneof Content {
    Empty authorizer = 1;
    uint32 origin = 2;
  }
}

message Empty {}

message GeneratedFacts {
  repeated Origin origins = 1;
  repeated FactV2 facts = 2;
}

message SnapshotBlock {
  optional string context = 1;
  optional uint32 version = 2;
  repeated FactV2 facts_v2 = 3;
  repeated RuleV2 rules_v2 = 4;
  repeated CheckV2 checks_v2 = 5;
  repeated Scope scope = 6;
  optional PublicKey externalKey = 7;
}
move to protobuf 2019-04-01 18:41:20 +03:00			`syntax = "proto2";`

			`package biscuit.format.schema;`

			`message Biscuit {`
new cryptographic scheme 2021-09-03 00:04:46 +03:00			`optional uint32 rootKeyId = 1;`
			`required SignedBlock authority = 2;`
			`repeated SignedBlock blocks = 3;`
			`required Proof proof = 4;`
move to protobuf 2019-04-01 18:41:20 +03:00			`}`

new cryptographic scheme 2021-09-03 00:04:46 +03:00			`message SignedBlock {`
			`required bytes block = 1;`
the key is now serialized with an enum indicating its algorithm this will open the way t other urves or algorithms, like P256 2021-09-25 00:37:28 +03:00			`required PublicKey nextKey = 2;`
move to protobuf 2019-04-01 18:41:20 +03:00			`required bytes signature = 3;`
3rd-party: add new protobuf fields and messages - externalSignature allows to attach an optional signature (from a non-ephemeral private key) to biscuit blocks - scope lets blocks and rules specify which facts can be loaded (either through keywords for selecting groups of blocks, or through public keys for blocks signed by a specific key) - publicKeys provides a way to intern public keys in a way similar to symbols. Only public keys referenced in datalog elements can be interned - ThirdPartyBlockRequest / ThirdPartyBlockContents provide a way to add a signed 3rd party block to a given biscuit token without disclosing the token itself. For that, the request needs to provide: - the public key of the last block (needed to pin the signature to a specific biscuit token) - the list of already interned public keys (needed to properly generate the datalog ast). Contrary to public keys, interned symbols are not shared to 3rd party blocks to prevent information leaks. The response provides the serialized block, as well as the associated signature. 2022-04-04 23:15:36 +03:00			`optional ExternalSignature externalSignature = 4;`
			`}`

			`message ExternalSignature {`
			`required bytes signature = 1;`
			`required PublicKey publicKey = 2;`
move to protobuf 2019-04-01 18:41:20 +03:00			`}`

the key is now serialized with an enum indicating its algorithm this will open the way t other urves or algorithms, like P256 2021-09-25 00:37:28 +03:00			`message PublicKey {`
			`required Algorithm algorithm = 1;`

			`enum Algorithm {`
			`Ed25519 = 0;`
			`}`

			`required bytes key = 2;`
			`}`


new cryptographic scheme 2021-09-03 00:04:46 +03:00			`message Proof {`
			`oneof Content {`
			`bytes nextSecret = 1;`
			`bytes finalSignature = 2;`
			`}`
move to protobuf 2019-04-01 18:41:20 +03:00			`}`

			`message Block {`
start updating the schema for v2 - remove v0 compatibility - convert v1 to v2 - remove the index from blocks (now the cryptographisc design guarantees the order 2021-09-03 22:58:14 +03:00			`repeated string symbols = 1;`
			`optional string context = 2;`
			`optional uint32 version = 3;`
			`repeated FactV2 facts_v2 = 4;`
			`repeated RuleV2 rules_v2 = 5;`
			`repeated CheckV2 checks_v2 = 6;`
3rd-party: add new protobuf fields and messages - externalSignature allows to attach an optional signature (from a non-ephemeral private key) to biscuit blocks - scope lets blocks and rules specify which facts can be loaded (either through keywords for selecting groups of blocks, or through public keys for blocks signed by a specific key) - publicKeys provides a way to intern public keys in a way similar to symbols. Only public keys referenced in datalog elements can be interned - ThirdPartyBlockRequest / ThirdPartyBlockContents provide a way to add a signed 3rd party block to a given biscuit token without disclosing the token itself. For that, the request needs to provide: - the public key of the last block (needed to pin the signature to a specific biscuit token) - the list of already interned public keys (needed to properly generate the datalog ast). Contrary to public keys, interned symbols are not shared to 3rd party blocks to prevent information leaks. The response provides the serialized block, as well as the associated signature. 2022-04-04 23:15:36 +03:00			`repeated Scope scope = 7;`
			`repeated PublicKey publicKeys = 8;`
			`}`

			`message Scope {`
			`enum ScopeType {`
			`Authority = 0;`
			`Previous = 1;`
			`}`

3rd party: improve Scope pb definition The stored value is the index of a public key, not a block index 2022-07-15 18:34:35 +03:00			`oneof Content {`
3rd-party: add new protobuf fields and messages - externalSignature allows to attach an optional signature (from a non-ephemeral private key) to biscuit blocks - scope lets blocks and rules specify which facts can be loaded (either through keywords for selecting groups of blocks, or through public keys for blocks signed by a specific key) - publicKeys provides a way to intern public keys in a way similar to symbols. Only public keys referenced in datalog elements can be interned - ThirdPartyBlockRequest / ThirdPartyBlockContents provide a way to add a signed 3rd party block to a given biscuit token without disclosing the token itself. For that, the request needs to provide: - the public key of the last block (needed to pin the signature to a specific biscuit token) - the list of already interned public keys (needed to properly generate the datalog ast). Contrary to public keys, interned symbols are not shared to 3rd party blocks to prevent information leaks. The response provides the serialized block, as well as the associated signature. 2022-04-04 23:15:36 +03:00			`ScopeType scopeType = 1;`
3rd party: improve Scope pb definition The stored value is the index of a public key, not a block index 2022-07-15 18:34:35 +03:00			`int64 publicKey = 2;`
3rd-party: add new protobuf fields and messages - externalSignature allows to attach an optional signature (from a non-ephemeral private key) to biscuit blocks - scope lets blocks and rules specify which facts can be loaded (either through keywords for selecting groups of blocks, or through public keys for blocks signed by a specific key) - publicKeys provides a way to intern public keys in a way similar to symbols. Only public keys referenced in datalog elements can be interned - ThirdPartyBlockRequest / ThirdPartyBlockContents provide a way to add a signed 3rd party block to a given biscuit token without disclosing the token itself. For that, the request needs to provide: - the public key of the last block (needed to pin the signature to a specific biscuit token) - the list of already interned public keys (needed to properly generate the datalog ast). Contrary to public keys, interned symbols are not shared to 3rd party blocks to prevent information leaks. The response provides the serialized block, as well as the associated signature. 2022-04-04 23:15:36 +03:00			`}`
duplicate messages for v1 currently the messages have the same structure as v0, but they will change significantly 2021-01-05 17:02:44 +03:00			`}`

start updating the schema for v2 - remove v0 compatibility - convert v1 to v2 - remove the index from blocks (now the cryptographisc design guarantees the order 2021-09-03 22:58:14 +03:00			`message FactV2 {`
			`required PredicateV2 predicate = 1;`
duplicate messages for v1 currently the messages have the same structure as v0, but they will change significantly 2021-01-05 17:02:44 +03:00			`}`

start updating the schema for v2 - remove v0 compatibility - convert v1 to v2 - remove the index from blocks (now the cryptographisc design guarantees the order 2021-09-03 22:58:14 +03:00			`message RuleV2 {`
			`required PredicateV2 head = 1;`
			`repeated PredicateV2 body = 2;`
			`repeated ExpressionV2 expressions = 3;`
3rd-party: add new protobuf fields and messages - externalSignature allows to attach an optional signature (from a non-ephemeral private key) to biscuit blocks - scope lets blocks and rules specify which facts can be loaded (either through keywords for selecting groups of blocks, or through public keys for blocks signed by a specific key) - publicKeys provides a way to intern public keys in a way similar to symbols. Only public keys referenced in datalog elements can be interned - ThirdPartyBlockRequest / ThirdPartyBlockContents provide a way to add a signed 3rd party block to a given biscuit token without disclosing the token itself. For that, the request needs to provide: - the public key of the last block (needed to pin the signature to a specific biscuit token) - the list of already interned public keys (needed to properly generate the datalog ast). Contrary to public keys, interned symbols are not shared to 3rd party blocks to prevent information leaks. The response provides the serialized block, as well as the associated signature. 2022-04-04 23:15:36 +03:00			`repeated Scope scope = 4;`
duplicate messages for v1 currently the messages have the same structure as v0, but they will change significantly 2021-01-05 17:02:44 +03:00			`}`

start updating the schema for v2 - remove v0 compatibility - convert v1 to v2 - remove the index from blocks (now the cryptographisc design guarantees the order 2021-09-03 22:58:14 +03:00			`message CheckV2 {`
			`repeated RuleV2 queries = 1;`
missing update to the schema for "check all" (#121) Co-authored-by: Clément Delafargue <clement@delafargue.name> 2022-12-23 00:53:37 +03:00			`optional Kind kind = 2;`

			`enum Kind {`
			`One = 0;`
			`All = 1;`
			`}`
duplicate messages for v1 currently the messages have the same structure as v0, but they will change significantly 2021-01-05 17:02:44 +03:00			`}`

start updating the schema for v2 - remove v0 compatibility - convert v1 to v2 - remove the index from blocks (now the cryptographisc design guarantees the order 2021-09-03 22:58:14 +03:00			`message PredicateV2 {`
duplicate messages for v1 currently the messages have the same structure as v0, but they will change significantly 2021-01-05 17:02:44 +03:00			`required uint64 name = 1;`
rename ID to Term in the protobuf schema 2021-09-12 16:18:19 +03:00			`repeated TermV2 terms = 2;`
duplicate messages for v1 currently the messages have the same structure as v0, but they will change significantly 2021-01-05 17:02:44 +03:00			`}`
move to protobuf 2019-04-01 18:41:20 +03:00
rename ID to Term in the protobuf schema 2021-09-12 16:18:19 +03:00			`message TermV2 {`
use oneof in the Protobuf schema this simplifies the format, using oneof instead of a 'Kind' enum with optional fields. Additionally, it reduces token size 2021-01-06 13:23:15 +03:00			`oneof Content {`
remove the symbol type symbols were a kind of strings with less available operations and some specific optimizations: they store in index into a symbol table carried by the token, to reduce size by avoiding repetitions. They were too confusing for users, and now that #authority and #ambient are gone, we can remove them completely. The symbol table was useful though, so now the symbol table is used for all predicate names and strings 2021-09-06 22:54:32 +03:00			`uint32 variable = 1;`
			`int64 integer = 2;`
			`uint64 string = 3;`
			`uint64 date = 4;`
			`bytes bytes = 5;`
			`bool bool = 6;`
rename ID to Term in the protobuf schema 2021-09-12 16:18:19 +03:00			`TermSet set = 7;`
move to protobuf 2019-04-01 18:41:20 +03:00			`}`
			`}`

rename ID to Term in the protobuf schema 2021-09-12 16:18:19 +03:00			`message TermSet {`
			`repeated TermV2 set = 1;`
add the set type 2021-01-08 18:42:36 +03:00			`}`

start updating the schema for v2 - remove v0 compatibility - convert v1 to v2 - remove the index from blocks (now the cryptographisc design guarantees the order 2021-09-03 22:58:14 +03:00			`message ExpressionV2 {`
replace constraints with expressions Expressions are a superset of constraints, they can support multiple variables, and other operations like additions 2021-01-22 18:00:19 +03:00			`repeated Op ops = 1;`
			`}`

			`message Op {`
			`oneof Content {`
rename ID to Term in the protobuf schema 2021-09-12 16:18:19 +03:00			`TermV2 value = 1;`
replace constraints with expressions Expressions are a superset of constraints, they can support multiple variables, and other operations like additions 2021-01-22 18:00:19 +03:00			`OpUnary unary = 2;`
			`OpBinary Binary = 3;`
			`}`
			`}`

			`message OpUnary {`
			`enum Kind {`
			`Negate = 0;`
support parenthesis in expressions it needs to be suported in the bytecode, to let us print the expressions properly 2021-01-26 12:52:39 +03:00			`Parens = 1;`
missing schema update 2021-02-26 19:55:27 +03:00			`Length = 2;`
replace constraints with expressions Expressions are a superset of constraints, they can support multiple variables, and other operations like additions 2021-01-22 18:00:19 +03:00			`}`

			`required Kind kind = 1;`
			`}`

			`message OpBinary {`
			`enum Kind {`
			`LessThan = 0;`
			`GreaterThan = 1;`
			`LessOrEqual = 2;`
			`GreaterOrEqual = 3;`
			`Equal = 4;`
method syntax for set and string expressions this commit introduces a method-like syntax for these operations: - .starts_with() - .ends_with() - .matches() - .contains() (replacing the In operation) There is no satisfying name to replace the "not in" operation, so it is replaced by a "contains" and negation, like this: "!set.contains($var)". The NotIn operation is removed from the V1 schema 2021-01-26 16:41:15 +03:00			`Contains = 5;`
			`Prefix = 6;`
			`Suffix = 7;`
			`Regex = 8;`
			`Add = 9;`
			`Sub = 10;`
			`Mul = 11;`
			`Div = 12;`
			`And = 13;`
			`Or = 14;`
missing schema update 2021-02-26 19:55:27 +03:00			`Intersection = 15;`
			`Union = 16;`
SPEC: add support for bitwise operators on booleans (#112) Such operators are only valid for v4 blocks Co-authored-by: Geoffroy Couprie <contact@geoffroycouprie.com> 2022-11-08 01:48:55 +03:00			`BitwiseAnd = 17;`
			`BitwiseOr = 18;`
			`BitwiseXor = 19;`
Add `NotEqual` to the protobuf schema 2022-12-27 00:51:25 +03:00			`NotEqual = 20;`
replace constraints with expressions Expressions are a superset of constraints, they can support multiple variables, and other operations like additions 2021-01-22 18:00:19 +03:00			`}`

			`required Kind kind = 1;`
			`}`
add a format to transport verifier state there are two use cases for this: - quickly loading verifier policies from a serialized state instead of manually adding datalog elements one by one through the verifier API. The policies could even be written in a different system then published to running instances dynamically - save the state of a verifier, including ambient data, facts, rules and checks coming from a token, to later load it into another verifier and inspect it 2021-03-04 16:21:06 +03:00
			`message Policy {`
			`enum Kind {`
			`Allow = 0;`
			`Deny = 1;`
			`}`

start updating the schema for v2 - remove v0 compatibility - convert v1 to v2 - remove the index from blocks (now the cryptographisc design guarantees the order 2021-09-03 22:58:14 +03:00			`repeated RuleV2 queries = 1;`
add a format to transport verifier state there are two use cases for this: - quickly loading verifier policies from a serialized state instead of manually adding datalog elements one by one through the verifier API. The policies could even be written in a different system then published to running instances dynamically - save the state of a verifier, including ambient data, facts, rules and checks coming from a token, to later load it into another verifier and inspect it 2021-03-04 16:21:06 +03:00			`required Kind kind = 2;`
			`}`

rename verifier to authorizer 2021-10-06 00:45:38 +03:00			`message AuthorizerPolicies {`
add a format to transport verifier state there are two use cases for this: - quickly loading verifier policies from a serialized state instead of manually adding datalog elements one by one through the verifier API. The policies could even be written in a different system then published to running instances dynamically - save the state of a verifier, including ambient data, facts, rules and checks coming from a token, to later load it into another verifier and inspect it 2021-03-04 16:21:06 +03:00			`repeated string symbols = 1;`
			`optional uint32 version = 2;`
start updating the schema for v2 - remove v0 compatibility - convert v1 to v2 - remove the index from blocks (now the cryptographisc design guarantees the order 2021-09-03 22:58:14 +03:00			`repeated FactV2 facts = 3;`
			`repeated RuleV2 rules = 4;`
			`repeated CheckV2 checks = 5;`
add a format to transport verifier state there are two use cases for this: - quickly loading verifier policies from a serialized state instead of manually adding datalog elements one by one through the verifier API. The policies could even be written in a different system then published to running instances dynamically - save the state of a verifier, including ambient data, facts, rules and checks coming from a token, to later load it into another verifier and inspect it 2021-03-04 16:21:06 +03:00			`repeated Policy policies = 6;`
			`}`
3rd-party: add new protobuf fields and messages - externalSignature allows to attach an optional signature (from a non-ephemeral private key) to biscuit blocks - scope lets blocks and rules specify which facts can be loaded (either through keywords for selecting groups of blocks, or through public keys for blocks signed by a specific key) - publicKeys provides a way to intern public keys in a way similar to symbols. Only public keys referenced in datalog elements can be interned - ThirdPartyBlockRequest / ThirdPartyBlockContents provide a way to add a signed 3rd party block to a given biscuit token without disclosing the token itself. For that, the request needs to provide: - the public key of the last block (needed to pin the signature to a specific biscuit token) - the list of already interned public keys (needed to properly generate the datalog ast). Contrary to public keys, interned symbols are not shared to 3rd party blocks to prevent information leaks. The response provides the serialized block, as well as the associated signature. 2022-04-04 23:15:36 +03:00
			`message ThirdPartyBlockRequest {`
			`required PublicKey previousKey = 1;`
			`repeated PublicKey publicKeys = 2;`
			`}`

			`message ThirdPartyBlockContents {`
			`required bytes payload = 1;`
			`required ExternalSignature externalSignature = 2;`
			`}`
add a new message format for authorizer snapshots (#122) * add a new message format for authorizer snapshots the fact scopes have to be transmitted if we want to replay an authorizers behaviour. AuthorizerPolicies can be kept as a way to share plicies to bootstrap the authorizer * update the format 2023-02-23 00:34:05 +03:00
			`message AuthorizerSnapshot {`
			`required RunLimits limits = 1;`
			`required uint64 executionTime = 2;`
			`required AuthorizerWorld world = 3;`
			`}`

			`message RunLimits {`
			`required uint64 maxFacts = 1;`
			`required uint64 maxIterations = 2;`
			`required uint64 maxTime = 3;`
			`}`

			`message AuthorizerWorld {`
			`optional uint32 version = 1;`
			`repeated string symbols = 2;`
			`repeated PublicKey publicKeys = 3;`
			`repeated SnapshotBlock blocks = 4;`
			`required SnapshotBlock authorizerBlock = 5;`
			`repeated Policy authorizerPolicies = 6;`
			`repeated GeneratedFacts generatedFacts = 7;`
			`required uint64 iterations = 8;`
			`}`

			`message Origin {`
			`oneof Content {`
			`Empty authorizer = 1;`
			`uint32 origin = 2;`
			`}`
			`}`

			`message Empty {}`

			`message GeneratedFacts {`
			`repeated Origin origins = 1;`
			`repeated FactV2 facts = 2;`
			`}`

			`message SnapshotBlock {`
			`optional string context = 1;`
			`optional uint32 version = 2;`
			`repeated FactV2 facts_v2 = 3;`
			`repeated RuleV2 rules_v2 = 4;`
			`repeated CheckV2 checks_v2 = 5;`
			`repeated Scope scope = 6;`
			`optional PublicKey externalKey = 7;`
			`}`