biscuit-auth/biscuit
1
1
Fork 0
mirror of https://github.com/biscuit-auth/biscuit.git synced 2024-10-06 02:27:33 +03:00
Code Issues Packages Projects Releases Wiki Activity

implement scoped rules, remove #authority and #ambient

Browse Source 
the scoped execution model ensures that checks and rules only
have access to facts added or generated in the current or previous
blocks. They cannot be affected by facts from later blocks. Verifier
rules, checks and policies are executed in the context of the authority
block

Since this change can prevent check from the authority block and the
verifier from being affected by facts from later block, we can remove
the #authority and #ambient symbols
This commit is contained in:
Geoffroy Couprie 2021-09-04 16:56:48 +02:00
parent e5ea1c13a1
commit 0175a4e3c5
25 changed files with 616 additions and 535 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

153
SPECIFICATIONS.md
View File

@ -17,11 +17,8 @@ the token that contains it, represented as a datalog query in biscuit. For the o
to be valid, all of the checks defined in the token and the verifier must succeed
- allow/deny policies: a list of datalog queries that are tested in a sequence
until one of them matches. They can only be defined in the verifier
- block: a list of datalog facts and rules. The first block is the authority
block. The other blocks define caveats
- authority: list of facts and rules defining the initial rights of the token
- ambient: list of facts related to the operation, like which resource is accessed,
the current date, or revocation lists
- block: a list of datalog facts, rules and checks. The first block is the authority
block, used to define the basic rights of a token
- symbol: string that is stored in a table and referred to by its index to save space
@ -145,24 +142,30 @@ A *boolean* is `true` or `false`.
A *set* is a deduplicated list of terms of the same type. It cannot contain
variables or other sets.
### Authority and ambient facts
### Scopes
Facts in Biscuit's language have some specific context.
Since the first block defines the token's rights through facts and rules, and
later blocks can define their own facts and rules, we must ensure the token
cannot increase its rights with later blocks.
Authority facts can only be created in the authority block, either directly
or from rules, and are represented by the `#authority` symbol as the first
element of a fact. They hold the initial rights for the token.
This is done through execution scopes: a block's rules and checks can only
apply on facts created in the current or previous blocks. Facts, rules, checks
and policies of the verifier are executed in the context of the authority block.
Ambient facts can only be provided by the verifier, and are represented by the
`#ambient` symbol as the first element of a fact. They indicate data related
to the operation the token is authorizing.
Example:
- the token contains `right("file1", #read)` in the first block
- the token holder adds a block with the fact `right("file2", #read)`
- the verifier adds:
- `resource("file2")`
- `operation(#read)`
- `check if resource($res), operation($op), right($res, $op)`
Facts can also be created in blocks other than the authority block, but they cannot
be authority or ambient facts.
The verifier's check will fail because when it is evaluated, it only sees
`right("file1", #read)` from the authority block.
### Checks
Checks are logic queries evaluating conditions on authority and ambient facts.
Checks are logic queries evaluating conditions on facts.
To validate an operation, all of a token's checks must succeed.
One block can contain one or more checks.
@ -187,67 +190,66 @@ The second caveat checks that the resource is `file1`.
```
authority:
right(#authority, "file1", #read);
right(#authority, "file2", #read);
right(#authority, "file1", #write);
right("file1", #read);
right("file2", #read);
right("file1", #write);
----------
Block 1:
check if
resource(#ambient, $0),
operation(#ambient, #read),
right(#authority, $0, #read) // restrict to read operations
resource($0),
operation(#read),
right($0, #read) // restrict to read operations
----------
Block 2:
check if
resource(#ambient, "file1") // restrict to file1 resource
resource("file1") // restrict to file1 resource
```
The facts with the `authority` tag can only be defined in the `authority` part of
the token.
The verifier side provides the `resource` and `operation` facts with the `ambient`
fact, with information from the request.
The verifier side provides the `resource` and `operation` facts with information
from the request.
If the verifier provided the facts `resource(#ambient, "file2")` and
`operation(#ambient, #read)`, the rule application of the first check would see
`resource(#ambient, "file2"), operation(#ambient, #read), right(#authority, "file2", #read)`
If the verifier provided the facts `resource("file2")` and
`operation(#read)`, the rule application of the first check would see
`resource("file2"), operation(#read), right("file2", #read)`
with `X = "file2"`, so it would succeed, but the second check would fail
because it expects `resource(#ambient, "file1")`.
because it expects `resource("file1")`.
If the verifier provided the facts `resource(#ambient, "file1")` and
`operation(#ambient, #read)`, both checks would succeed.
If the verifier provided the facts `resource("file1")` and
`operation(#read)`, both checks would succeed.
#### Broad authority rules
In this example, we have a token with very large rights, that will be attenuated
before giving to a user. The authority block can define rules that will generate
facts depending on ambient data. This helps reduce the size of the token.
facts depending on data provided by the verifier. This helps reduce the size of
the token.
```
authority:
// if there is an ambient resource and we own it, we can read it
right(#authority, $0, #read) <- resource(#ambient, $0), owner(#ambient, $1, $0);
right($0, #read) <- resource($0), owner($1, $0);
// if there is an ambient resource and we own it, we can write to it
right(#authority, $0, #write) <- resource(#ambient, $0), owner(#ambient, $1, $0);
right($0, #write) <- resource($0), owner($1, $0);
----------
Block 1:
check if
right(#authority, $0, $1),
resource(#ambient, $0),
operation(#ambient, $1)
right($0, $1),
resource($0),
operation($1)
----------
Block 2:
check if
resource(#ambient, $0),
resource($0),
owner(#alice, $0) // defines a token only usable by alice
```
These rules will define authority facts depending on ambient data.
If we had the ambient facts `resource(#ambient, "file1")` and
`owner(#ambient, #alice, "file1")`, the authority rules will define
`right(#authority, "file1", #read)` and `right(#authority, "file1", #write)`,
These rules will define authority facts depending on verifier data.
If we had the facts `resource("file1")` and
`owner(#alice, "file1")`, the authority rules will define
`right"file1", #read)` and `right("file1", #write)`,
which will allow check 1 and check 2 to succeed.
If the owner ambient fact does not match the restriction in the second check, the
@ -271,17 +273,17 @@ restrict usage based on ambient values:
```
authority:
right(#authority, "/folder/file1", #read);
right(#authority, "/folder/file2", #read);
right(#authority, "/folder2/file3", #read);
right("/folder/file1", #read);
right("/folder/file2", #read);
right("/folder2/file3", #read);
----------
check if resource(#ambient, $0), right(#authority, $0, $1)
check if resource($0), right($0, $1)
----------
check if time(#ambient, $0), $0 < 2019-02-05T23:00:00Z // expiration date
check if time($0), $0 < 2019-02-05T23:00:00Z // expiration date
----------
check if source_IP(#ambient, $0), ["1.2.3.4", "5.6.7.8"].contains($0) // set membership
check if source_IP($0), ["1.2.3.4", "5.6.7.8"].contains($0) // set membership
----------
check if resource(#ambient, $0), $0.starts_with("/folder/") // prefix operation on strings
check if resource($0), $0.starts_with("/folder/") // prefix operation on strings
```
Executing an expression must always return a boolean, and all variables
@ -364,7 +366,7 @@ The cryptographic signature must be checked immediately after deserializing. For
`Biscuit` with a public key signature, the verifier must check that the public key of the
authority block is the root public key it is expecting.
A `Biscuit` or `SealedBiscuit` contains in its`authority` and `blocks` fields
A `Biscuit` or `SealedBiscuit` contains in its `authority` and `blocks` fields
some byte arrays that must be deserialized as a `Block`.
#### Verification process
@ -373,14 +375,13 @@ The verifier will first create a default symbol table, and will append to that t
from the `symbols` field of each block, starting from the `authority` block and all the
following blocks, ordered by their index.
The verifier will create a Datalog "world", and add to this world:
The verifier will create a Datalog "world", and add to this world its own facts and rules:
ambient data from the request, lists of users and roles, etc.
- the facts from the authority block
- the rules from the authority block
- for each following block:
- add the facts from the block. If it finds an `authority` or `ambient` fact, it stops there and
returns an error
- add the rules from the block. If it finds a rule generating `authority` or `ambient` facts, it
stops there and returns an error checking that those facts are not `authority` or `ambient` facts
- add the facts from the block.
- add the rules from the block.
##### Revocation identifiers
@ -394,26 +395,27 @@ the token. They are calculated as follows:
##### Verifying
From there, the verifier can start loading ambient data. First, each block contains a `context`
field that can give some information on the verifier to know which data to load (to avoid
loading all of the users, groups, resources, etc). This field is a text field with no restriction
on its format.
The verifier then adds facts and rules obtained from looking up the context, and provides
facts and rules with the `ambient` tag to describe the request.
To perform the verification, the verifier will:
From there, the verifier can start loading data from each block. First, for the authority block:
- load facts and rules from the block
- run the Datalog engine on the facts and rules that were loaded
- create an error list
- for each verifier check (check provided on the verifier side), validate it. If it fails,
add an error to the error list
- for each block:
- for each check, validate it. If it fails, add an error to the error list
- if the error list is not empty, return the error list
- for each authority check or verifier check, validate it. If it fails, add an error to the error list
- for each allow/deny policy:
- run the query. If it succeeds:
- if it is an allow policy, the verification succeeds, stop here
- if it is a deny policy, the verification fails, stop here
- if no policy matched, the verification fails
- if it is an allow policy, the verification succeeds, store the result and stop here
- if it is a deny policy, the verification fails, store the result and stop here
Then, for each following block:
- remove all the previous rules (so the previous rules do not apply to new facts)
- load facts and rules from the block
- run the Datalog engine on the facts and rules that were loaded
- for each block check, validate it. If it fails, add an error to the error list
Returning the result:
- if the error list is not empty, return the error list
- check policy result:
- if an allow policy matched, the verification succeeds
- if a deny policy matched, the verification fails
- if no policy matched, the verification fails
#### Queries
@ -648,9 +650,6 @@ is the authority block.
Each block can provide facts either from its facts list, or generate
them with its rules list.
The authority block can contain facts marked with the `#authority`
symbol as first id, and rules that generate facts marked with
the `#authority` symbol.
### Symbol table

572
samples/v2/README.md
View File

@ -15,9 +15,9 @@ Biscuit {
version: 2
context: ""
facts: [
right(#authority, "file1", #read),
right(#authority, "file2", #read),
right(#authority, "file1", #write)
right("file1", #read),
right("file2", #read),
right("file1", #write)
]
rules: []
checks: []
@ -30,7 +30,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)
check if resource($0), operation(#read), right($0, #read)
]
}
]
@ -41,24 +41,21 @@ validation:
verifier world:
World {
facts: {
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:2d41aa8d0131f0a9f171ae849f99f78461157101001752852e1731281ad460b3)",
"revocation_id(1, hex:601083ff09e19882d762976dbb9bc98851439052e8c1bf3da1f32718a5a57eed)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file1\", #write)",
"right(#authority, \"file2\", #read)",
"resource(\"file1\")",
"revocation_id(0, hex:d0b78d6ca60f7ecd2b73162cba6442b80cb88ae8ee2faff80ef2ef4a397b3ab1)",
"revocation_id(1, hex:44245305d22048f923864a76f719a689a442f4ebc0e3f49922ecb77a1b181024)",
"right(\"file1\", #read)",
"right(\"file1\", #write)",
"right(\"file2\", #read)",
}
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)",
}
checks: {}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\" })"])
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource($0), operation(#read), right($0, #read)\" })"])
------------------------------
@ -73,7 +70,7 @@ Biscuit {
version: 2
context: ""
facts: [
right(#authority, "file1", #read)
right("file1", #read)
]
rules: []
checks: []
@ -86,7 +83,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)
check if resource($0), operation(#read), right($0, #read)
]
}
]
@ -109,9 +106,9 @@ Biscuit {
version: 2
context: ""
facts: [
right(#authority, "file1", #read),
right(#authority, "file2", #read),
right(#authority, "file1", #write)
right("file1", #read),
right("file2", #read),
right("file1", #write)
]
rules: []
checks: []
@ -124,7 +121,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)
check if resource($0), operation(#read), right($0, #read)
]
}
]
@ -147,9 +144,9 @@ Biscuit {
version: 2
context: ""
facts: [
right(#authority, "file1", #read),
right(#authority, "file2", #read),
right(#authority, "file1", #write)
right("file1", #read),
right("file2", #read),
right("file1", #write)
]
rules: []
checks: []
@ -162,7 +159,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)
check if resource($0), operation(#read), right($0, #read)
]
}
]
@ -185,9 +182,9 @@ Biscuit {
version: 2
context: ""
facts: [
right(#authority, "file1", #read),
right(#authority, "file2", #read),
right(#authority, "file1", #write)
right("file1", #read),
right("file2", #read),
right("file1", #write)
]
rules: []
checks: []
@ -200,7 +197,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)
check if resource($0), operation(#read), right($0, #read)
]
}
]
@ -223,9 +220,9 @@ Biscuit {
version: 2
context: ""
facts: [
right(#authority, "file1", #read),
right(#authority, "file2", #read),
right(#authority, "file1", #write)
right("file1", #read),
right("file2", #read),
right("file1", #write)
]
rules: []
checks: []
@ -238,7 +235,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)
check if resource($0), operation(#read), right($0, #read)
]
}
]
@ -254,9 +251,9 @@ Biscuit {
version: 2
context: ""
facts: [
right(#authority, "file1", #read),
right(#authority, "file2", #read),
right(#authority, "file1", #write)
right("file1", #read),
right("file2", #read),
right("file1", #write)
]
rules: []
checks: []
@ -269,7 +266,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)
check if resource($0), operation(#read), right($0, #read)
]
},
Block {
@ -279,7 +276,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, "file1")
check if resource("file1")
]
}
]
@ -292,78 +289,256 @@ Err(["Format(Signature(InvalidSignature(\"signature error\")))"])
------------------------------
## invalid block fact with authority tag: test7_invalid_block_fact_authority.bc
## scoped rules: test7_scoped_rules.bc
biscuit2 (1 check):
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "read", "write", "check1", "0"]
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "user_id", "owner", "0", "read", "1", "check1"]
authority: Block {
symbols: ["read"]
symbols: ["user_id", "owner"]
version: 2
context: ""
facts: [
right(#authority, "file1", #read)
user_id("alice"),
owner("alice", "file1")
]
rules: []
checks: []
}
blocks: [
Block {
symbols: ["write", "check1", "0"]
symbols: ["0", "read", "1", "check1"]
version: 2
context: ""
facts: [
right(#authority, "file1", #write)
facts: []
rules: [
right($0, #read) <- resource($0), user_id($1), owner($1, $0)
]
rules: []
checks: [
check if operation(#ambient, #read)
check if resource($0), operation(#read), right($0, #read)
]
}
]
}
```
biscuit3 (2 check):
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "user_id", "owner", "0", "read", "1", "check1"]
authority: Block {
symbols: ["user_id", "owner"]
version: 2
context: ""
facts: [
user_id("alice"),
owner("alice", "file1")
]
rules: []
checks: []
}
blocks: [
Block {
symbols: ["0", "read", "1", "check1"]
version: 2
context: ""
facts: []
rules: [
right($0, #read) <- resource($0), user_id($1), owner($1, $0)
]
checks: [
check if resource($0), operation(#read), right($0, #read)
]
}
]
}
```
biscuit3 (2 checks):
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "user_id", "owner", "0", "read", "1", "check1"]
authority: Block {
symbols: ["user_id", "owner"]
version: 2
context: ""
facts: [
user_id("alice"),
owner("alice", "file1")
]
rules: []
checks: []
}
blocks: [
Block {
symbols: ["0", "read", "1", "check1"]
version: 2
context: ""
facts: []
rules: [
right($0, #read) <- resource($0), user_id($1), owner($1, $0)
]
checks: [
check if resource($0), operation(#read), right($0, #read)
]
},
Block {
symbols: []
version: 2
context: ""
facts: [
owner("alice", "file2")
]
rules: []
checks: []
}
]
}
```
validation:
Err(["FailedLogic(InvalidBlockFact(0, \"right(#authority, \\\"file1\\\", #write)\"))"])
verifier world:
World {
facts: {
"operation(#read)",
"owner(\"alice\", \"file1\")",
"owner(\"alice\", \"file2\")",
"resource(\"file2\")",
"revocation_id(0, hex:85ac327fc6703282ec689d3d5cad2f62ba357bc5285012ee4210a6b8ac51dac6)",
"revocation_id(1, hex:fa9013d9973657cd5050185a91f243859d982b6bd79a1fbf0c680e18ac526464)",
"revocation_id(2, hex:d4c38cff9911dedd5ec9535ada28df22c25a7a6a2589ebb1bfc809a4e5dd2548)",
"user_id(\"alice\")",
}
rules: {}
checks: {}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource($0), operation(#read), right($0, #read)\" })"])
------------------------------
## invalid block fact with ambient tag: test8_invalid_block_fact_ambient.bc
## scoped checks: test8_scoped_checks.bc
biscuit2 (1 check):
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "read", "write", "check1", "0"]
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "read", "check1", "0"]
authority: Block {
symbols: ["read"]
version: 2
context: ""
facts: [
right(#authority, "file1", #read)
right("file1", #read)
]
rules: []
checks: []
}
blocks: [
Block {
symbols: ["write", "check1", "0"]
symbols: ["check1", "0"]
version: 2
context: ""
facts: [
right(#ambient, "file1", #write)
]
facts: []
rules: []
checks: [
check if operation(#ambient, #read)
check if resource($0), operation(#read), right($0, #read)
]
}
]
}
```
biscuit3 (2 check):
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "read", "check1", "0"]
authority: Block {
symbols: ["read"]
version: 2
context: ""
facts: [
right("file1", #read)
]
rules: []
checks: []
}
blocks: [
Block {
symbols: ["check1", "0"]
version: 2
context: ""
facts: []
rules: []
checks: [
check if resource($0), operation(#read), right($0, #read)
]
}
]
}
```
biscuit3 (2 checks):
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "read", "check1", "0"]
authority: Block {
symbols: ["read"]
version: 2
context: ""
facts: [
right("file1", #read)
]
rules: []
checks: []
}
blocks: [
Block {
symbols: ["check1", "0"]
version: 2
context: ""
facts: []
rules: []
checks: [
check if resource($0), operation(#read), right($0, #read)
]
},
Block {
symbols: []
version: 2
context: ""
facts: [
right("file2", #read)
]
rules: []
checks: []
}
]
}
```
validation:
Err(["FailedLogic(InvalidBlockFact(0, \"right(#ambient, \\\"file1\\\", #write)\"))"])
verifier world:
World {
facts: {
"operation(#read)",
"resource(\"file2\")",
"revocation_id(0, hex:d82a7c1a18cfa4314b375a87c0a56a3053da388ea98bff667ce4d5400b7aa981)",
"revocation_id(1, hex:80992689d9e68ef103a9d620a107dc38fc020dd7e11238781547d6b8dfd7ad72)",
"revocation_id(2, hex:f6624085e6ea881004795493f67e6335e109dd228a060d05083cc49c88233944)",
"right(\"file1\", #read)",
"right(\"file2\", #read)",
}
rules: {}
checks: {}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource($0), operation(#read), right($0, #read)\" })"])
------------------------------
@ -389,8 +564,8 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, "file1"),
check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00
check if resource("file1"),
check if time($date), $date <= 2018-12-20T00:00:00+00:00
]
}
]
@ -401,55 +576,49 @@ validation:
verifier world:
World {
facts: {
"operation(#ambient, #read)",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:97d9502fe0963f757c0f7e20e7d3a07b13f762c206c77506f4bd60af68565ce1)",
"revocation_id(1, hex:5ccf80411f761b01c08783efede6b86898b920107507bd500c3854c8fe451f35)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"operation(#read)",
"resource(\"file1\")",
"revocation_id(0, hex:d30401ced69d2a2a3ce04bdee201316e7d256b2b44c25e2a2c3db54a226dfa0d)",
"revocation_id(1, hex:53792abfe5845c74575528cc99803c02ab7dedf809f5b9ec5859a2f812c4627d)",
"time(SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
}
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, \"file1\")",
"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00",
}
checks: {}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: \"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00\" })"])
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: \"check if time($date), $date <= 2018-12-20T00:00:00+00:00\" })"])
------------------------------
## authority rules: test10_authority_rules.bc
biscuit2 (1 check):
## verifier scope: test10_verifier_scope.bc
biscuit3 (2 check):
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "1", "read", "owner", "0", "write", "check1", "check2", "alice"]
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "read"]
authority: Block {
symbols: ["1", "read", "owner", "0", "write"]
symbols: ["read"]
version: 2
context: ""
facts: []
rules: [
right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1),
right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)
facts: [
right("file1", #read)
]
rules: []
checks: []
}
blocks: [
Block {
symbols: ["check1", "check2", "alice"]
symbols: []
version: 2
context: ""
facts: []
rules: []
checks: [
check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1),
check if resource(#ambient, $0), owner(#ambient, #alice, $0)
facts: [
right("file2", #read)
]
rules: []
checks: []
}
]
}
@ -459,29 +628,23 @@ validation:
verifier world:
World {
facts: {
"operation(#ambient, #read)",
"owner(#ambient, #alice, \"file1\")",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:615c86ed96ffb3e756cee9a922facef14e7ceedd7833a22474ffa69986a02aab)",
"revocation_id(1, hex:f5948d6b975b1f2e2571557588435445eeb088f6634c54247f0bc267bd11bc2a)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file1\", #write)",
}
privileged rules: {
"right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
"right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
"operation(#read)",
"resource(\"file2\")",
"revocation_id(0, hex:81cec0693dbe65a0e6a97bec0e046629b96ade022bcbf0eb85a4f32fe08af176)",
"revocation_id(1, hex:f478ed76b9c914b8626021362ea9a395fbd5ac5349ac11e200c76dec95271bce)",
"right(\"file1\", #read)",
"right(\"file2\", #read)",
}
rules: {}
checks: {
"check if resource(#ambient, $0), owner(#ambient, #alice, $0)",
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
"check if right($0, $1), resource($0), operation($1)",
}
policies: {
"allow if true",
}
}
Ok(0)
Err(["Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right($0, $1), resource($0), operation($1)\" })"])
------------------------------
@ -496,7 +659,7 @@ Biscuit {
version: 2
context: ""
facts: [
right(#authority, "file1", #read)
right("file1", #read)
]
rules: []
checks: []
@ -511,22 +674,21 @@ validation:
verifier world:
World {
facts: {
"operation(#ambient, #read)",
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:74d206f233bdcadbb6a8bdca0303b0520d75f94944f0dfc1d3b8edb0b3200b53)",
"right(#authority, \"file1\", #read)",
"operation(#read)",
"resource(\"file2\")",
"revocation_id(0, hex:db94822670781ef0678edf5e9b11c5e75fcedb90c2243cd4993415a81b3abb23)",
"right(\"file1\", #read)",
}
privileged rules: {}
rules: {}
checks: {
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
"check if right($0, $1), resource($0), operation($1)",
}
policies: {
"allow if true",
}
}
Err(["Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)\" })"])
Err(["Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right($0, $1), resource($0), operation($1)\" })"])
------------------------------
@ -543,7 +705,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, "file1")
check if resource("file1")
]
}
blocks: [
@ -556,15 +718,12 @@ validation for "file1":
verifier world:
World {
facts: {
"operation(#ambient, #read)",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:6da467f30421f10f2bdd7eacb3ed3ce0741757c1afa8da1775f376dba88a5683)",
"operation(#read)",
"resource(\"file1\")",
"revocation_id(0, hex:3527bbda37830c73381efdeb2c41eac3468240ddb263e7897266cc391c21f37f)",
}
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, \"file1\")",
}
checks: {}
policies: {
"allow if true",
}
@ -575,21 +734,18 @@ validation for "file2":
verifier world:
World {
facts: {
"operation(#ambient, #read)",
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:6da467f30421f10f2bdd7eacb3ed3ce0741757c1afa8da1775f376dba88a5683)",
"operation(#read)",
"resource(\"file2\")",
"revocation_id(0, hex:3527bbda37830c73381efdeb2c41eac3468240ddb263e7897266cc391c21f37f)",
}
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, \"file1\")",
}
checks: {}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, \\\"file1\\\")\" })"])
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(\\\"file1\\\")\" })"])
------------------------------
@ -604,8 +760,8 @@ Biscuit {
version: 2
context: ""
facts: [
right(#authority, "file1", #read),
right(#authority, "file2", #read)
right("file1", #read),
right("file2", #read)
]
rules: []
checks: []
@ -617,11 +773,11 @@ Biscuit {
context: ""
facts: []
rules: [
valid_date("file1") <- time(#ambient, $0), resource(#ambient, "file1"), $0 <= 2030-12-31T12:59:59+00:00,
valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, !["file1"].contains($1)
valid_date("file1") <- time($0), resource("file1"), $0 <= 2030-12-31T12:59:59+00:00,
valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59+00:00, !["file1"].contains($1)
]
checks: [
check if valid_date($0), resource(#ambient, $0)
check if valid_date($0), resource($0)
]
}
]
@ -632,22 +788,16 @@ validation for "file1":
verifier world:
World {
facts: {
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:9a30e5b4f22cdffd389bd06c77c8ef1912604b4ebe3f0de7ceea9f4ddb571da5)",
"revocation_id(1, hex:35dc6e409f6582a669f0d41bf3cd9aa837a19764f0262e3dd8b6d2bdacee5b82)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file2\", #read)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"resource(\"file1\")",
"revocation_id(0, hex:3d5459878dfb4e1dba4e1ff1c585b98435117dd8f27b4402e836405e2073d58d)",
"revocation_id(1, hex:6af4d647ce1df7e80c1cb4736087e21340fa3ed63b0d3f172d25e8e9964489c3)",
"right(\"file1\", #read)",
"right(\"file2\", #read)",
"time(SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"valid_date(\"file1\")",
}
privileged rules: {}
rules: {
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)",
}
checks: {
"check if valid_date($0), resource(#ambient, $0)",
}
rules: {}
checks: {}
policies: {
"allow if true",
}
@ -658,27 +808,21 @@ validation for "file2":
verifier world:
World {
facts: {
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:9a30e5b4f22cdffd389bd06c77c8ef1912604b4ebe3f0de7ceea9f4ddb571da5)",
"revocation_id(1, hex:35dc6e409f6582a669f0d41bf3cd9aa837a19764f0262e3dd8b6d2bdacee5b82)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file2\", #read)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
}
privileged rules: {}
rules: {
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)",
}
checks: {
"check if valid_date($0), resource(#ambient, $0)",
"resource(\"file2\")",
"revocation_id(0, hex:3d5459878dfb4e1dba4e1ff1c585b98435117dd8f27b4402e836405e2073d58d)",
"revocation_id(1, hex:6af4d647ce1df7e80c1cb4736087e21340fa3ed63b0d3f172d25e8e9964489c3)",
"right(\"file1\", #read)",
"right(\"file2\", #read)",
"time(SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
}
rules: {}
checks: {}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if valid_date($0), resource(#ambient, $0)\" })"])
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if valid_date($0), resource($0)\" })"])
------------------------------
@ -695,7 +839,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, $0), $0.matches("file[0-9]+.txt")
check if resource($0), $0.matches("file[0-9]+.txt")
]
}
blocks: [
@ -708,32 +852,26 @@ validation for "file1":
verifier world:
World {
facts: {
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:7d04d352cd30ad2875f003ff2ccc57dc7ec39763f3a823f87c9e26bf40b0310d)",
"resource(\"file1\")",
"revocation_id(0, hex:c1e6da318f99f8ad00d1b6bbfcf56fbd7ffd2b499f5719e6a371ad82d1d94368)",
}
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
}
checks: {}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, $0), $0.matches(\\\"file[0-9]+.txt\\\")\" })"])
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource($0), $0.matches(\\\"file[0-9]+.txt\\\")\" })"])
validation for "file123":
verifier world:
World {
facts: {
"resource(#ambient, \"file123.txt\")",
"revocation_id(0, hex:7d04d352cd30ad2875f003ff2ccc57dc7ec39763f3a823f87c9e26bf40b0310d)",
"resource(\"file123.txt\")",
"revocation_id(0, hex:c1e6da318f99f8ad00d1b6bbfcf56fbd7ffd2b499f5719e6a371ad82d1d94368)",
}
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
}
checks: {}
policies: {
"allow if true",
}
@ -754,7 +892,7 @@ Biscuit {
version: 2
context: ""
facts: [
must_be_present(#authority, "hello")
must_be_present("hello")
]
rules: []
checks: []
@ -769,13 +907,12 @@ validation:
verifier world:
World {
facts: {
"must_be_present(#authority, \"hello\")",
"revocation_id(0, hex:a869933238d941c3c6fd2a6949844a35727741e04865faf66ebdeb0e2cadab40)",
"must_be_present(\"hello\")",
"revocation_id(0, hex:f1aba7009cd19fbc5605ad5a318775bc8bb4c887cc3d00f405689420a8ccdc6a)",
}
privileged rules: {}
rules: {}
checks: {
"check if must_be_present(#authority, $0) or must_be_present($0)",
"check if must_be_present($0) or must_be_present($0)",
}
policies: {
"allow if true",
@ -799,7 +936,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if resource(#ambient, #hello)
check if resource(#hello)
]
}
blocks: [
@ -822,20 +959,17 @@ verifier world:
World {
facts: {
"check1(#test)",
"revocation_id(0, hex:4a366515e159a7577166d8158bdca3c0bb39cbabb4988824ad0c9aab5d3ea402)",
"revocation_id(1, hex:2e8c19fefac5e54b7a8e21bb40eaf8aac70909e48f22c388ebb8cc742065d1dc)",
"revocation_id(0, hex:a4155e1642c441f169f8251cc3c1a1fa6b172543948c0a1a33d6409c28cae987)",
"revocation_id(1, hex:63f977e2f45b998a920fba2bb69af6c02e4f094294dc89bdbaabb88f8a582186)",
}
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, #hello)",
}
checks: {}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, #hello)\" })"])
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#hello)\" })"])
------------------------------
@ -893,40 +1027,10 @@ validation:
verifier world:
World {
facts: {
"revocation_id(0, hex:fde35e855f6e4a1037e6698d3085bef54a71093dc06c2f2a2027e7c126a340d8)",
"revocation_id(0, hex:388e71fd289d831f617872e9c454eac446a88080f34bfbe4da50fbce7144bcda)",
}
privileged rules: {}
rules: {}
checks: {
"check if !false",
"check if \"aaabde\".matches(\"a*c?.e\")",
"check if \"abcD12\" == \"abcD12\"",
"check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")",
"check if #abc == #abc",
"check if 1 + 2 * 3 - 4 / 2 == 5",
"check if 1 < 2",
"check if 1 <= 1",
"check if 1 <= 2",
"check if 2 > 1",
"check if 2 >= 1",
"check if 2 >= 2",
"check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00",
"check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
"check if 3 == 3",
"check if [\"abc\", \"def\"].contains(\"abc\")",
"check if [#hello, #world].contains(#hello)",
"check if [1, 2].contains(2)",
"check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00)",
"check if [false, true].contains(true)",
"check if [hex:12ab, hex:34de].contains(hex:34de)",
"check if false or true",
"check if hex:12ab == hex:12ab",
"check if true",
}
checks: {}
policies: {
"allow if true",
}
@ -949,7 +1053,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if operation(#ambient, #read)
check if operation(#read)
]
}
blocks: [
@ -968,6 +1072,20 @@ Biscuit {
```
validation:
verifier world:
World {
facts: {
"operation(#write)",
"revocation_id(0, hex:2e13a1deb4edc2c841324ab4120351aa8696d455750045511cb94ee243b9c35f)",
"revocation_id(1, hex:628bf94715ce5ca37fe9d49bacee6a13fb77d8fd481b09875757bd567c93f0ca)",
}
rules: {}
checks: {}
policies: {
"allow if true",
}
}
Err(["FailedLogic(InvalidBlockRule(0, \"operation($unbound, #read) <- operation($any1, $any2)\"))"])
@ -985,7 +1103,7 @@ Biscuit {
facts: []
rules: []
checks: [
check if operation(#ambient, #read)
check if operation(#read)
]
}
blocks: [
@ -995,7 +1113,7 @@ Biscuit {
context: ""
facts: []
rules: [
operation($ambient, #read) <- operation($ambient, $any)
operation(#read) <- operation($any)
]
checks: []
}
@ -1007,21 +1125,17 @@ validation:
verifier world:
World {
facts: {
"operation(#ambient, #write)",
"revocation_id(0, hex:345b72b425b0e134ba294e1183e91af519a154fefc8f3a6b788da47668fa90c9)",
"revocation_id(1, hex:5262c65a6042072011eb868c9f47a279264324a2781d3dd38e72f3464dc93348)",
}
privileged rules: {}
rules: {
"operation($ambient, #read) <- operation($ambient, $any)",
}
checks: {
"check if operation(#ambient, #read)",
"operation(#read)",
"operation(#write)",
"revocation_id(0, hex:e0728acdc6aac007be70c2795e681c911fbf1bb0d8063a04258813d3cc36ebd2)",
"revocation_id(1, hex:29226d29e16815d2adae6139b5761515f5fc219dcafbf1e113f03ab1b7134790)",
}
rules: {}
checks: {}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if operation(#ambient, #read)\" })"])
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if operation(#read)\" })"])

376
samples/v2/samples.json
View File

@ -6,31 +6,28 @@
"title": "basic token",
"filename": "test1_basic.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read),\n right(\"file2\", #read),\n right(\"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:2d41aa8d0131f0a9f171ae849f99f78461157101001752852e1731281ad460b3)",
"revocation_id(1, hex:601083ff09e19882d762976dbb9bc98851439052e8c1bf3da1f32718a5a57eed)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file1\", #write)",
"right(#authority, \"file2\", #read)"
"resource(\"file1\")",
"revocation_id(0, hex:d0b78d6ca60f7ecd2b73162cba6442b80cb88ae8ee2faff80ef2ef4a397b3ab1)",
"revocation_id(1, hex:44245305d22048f923864a76f719a689a442f4ebc0e3f49922ecb77a1b181024)",
"right(\"file1\", #read)",
"right(\"file1\", #write)",
"right(\"file2\", #read)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)"
],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\" })"
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource($0), operation(#read), right($0, #read)\" })"
]
}
]
@ -40,7 +37,7 @@
"title": "different root key",
"filename": "test2_different_root_key.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
@ -57,7 +54,7 @@
"title": "invalid signature format",
"filename": "test3_invalid_signature_format.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read),\n right(\"file2\", #read),\n right(\"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
@ -74,7 +71,7 @@
"title": "random block",
"filename": "test4_random_block.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read),\n right(\"file2\", #read),\n right(\"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
@ -91,7 +88,7 @@
"title": "invalid signature",
"filename": "test5_invalid_signature.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read),\n right(\"file2\", #read),\n right(\"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
@ -108,8 +105,8 @@
"title": "reordered blocks",
"filename": "test6_reordered_blocks.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}",
"biscuit3 (2 checks)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\", \"check2\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n },\n\tBlock {\n symbols: [\"check2\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, \"file1\")\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read),\n right(\"file2\", #read),\n right(\"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}",
"biscuit3 (2 checks)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\", \"check2\"]\n authority: Block {\n symbols: [\"read\", \"write\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read),\n right(\"file2\", #read),\n right(\"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n },\n\tBlock {\n symbols: [\"check2\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(\"file1\")\n ]\n }\n ]\n}"
},
"validations": {
"": [
@ -123,34 +120,69 @@
}
},
{
"title": "invalid block fact with authority tag",
"filename": "test7_invalid_block_fact_authority.bc",
"title": "scoped rules",
"filename": "test7_scoped_rules.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"write\", \"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"user_id\", \"owner\", \"0\", \"read\", \"1\", \"check1\"]\n authority: Block {\n symbols: [\"user_id\", \"owner\"]\n version: 2\n context: \"\"\n facts: [\n user_id(\"alice\"),\n owner(\"alice\", \"file1\")\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"0\", \"read\", \"1\", \"check1\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n right($0, #read) <- resource($0), user_id($1), owner($1, $0)\n ]\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}",
"biscuit3 (2 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"user_id\", \"owner\", \"0\", \"read\", \"1\", \"check1\"]\n authority: Block {\n symbols: [\"user_id\", \"owner\"]\n version: 2\n context: \"\"\n facts: [\n user_id(\"alice\"),\n owner(\"alice\", \"file1\")\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"0\", \"read\", \"1\", \"check1\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n right($0, #read) <- resource($0), user_id($1), owner($1, $0)\n ]\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}",
"biscuit3 (2 checks)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"user_id\", \"owner\", \"0\", \"read\", \"1\", \"check1\"]\n authority: Block {\n symbols: [\"user_id\", \"owner\"]\n version: 2\n context: \"\"\n facts: [\n user_id(\"alice\"),\n owner(\"alice\", \"file1\")\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"0\", \"read\", \"1\", \"check1\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n right($0, #read) <- resource($0), user_id($1), owner($1, $0)\n ]\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n },\n\tBlock {\n symbols: []\n version: 2\n context: \"\"\n facts: [\n owner(\"alice\", \"file2\")\n ]\n rules: []\n checks: []\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"facts": [
"operation(#read)",
"owner(\"alice\", \"file1\")",
"owner(\"alice\", \"file2\")",
"resource(\"file2\")",
"revocation_id(0, hex:85ac327fc6703282ec689d3d5cad2f62ba357bc5285012ee4210a6b8ac51dac6)",
"revocation_id(1, hex:fa9013d9973657cd5050185a91f243859d982b6bd79a1fbf0c680e18ac526464)",
"revocation_id(2, hex:d4c38cff9911dedd5ec9535ada28df22c25a7a6a2589ebb1bfc809a4e5dd2548)",
"user_id(\"alice\")"
],
"rules": [],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"FailedLogic(InvalidBlockFact(0, \"right(#authority, \\\"file1\\\", #write)\"))"
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource($0), operation(#read), right($0, #read)\" })"
]
}
]
}
},
{
"title": "invalid block fact with ambient tag",
"filename": "test8_invalid_block_fact_ambient.bc",
"title": "scoped checks",
"filename": "test8_scoped_checks.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"write\", \"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: [\n right(#ambient, \"file1\", #write)\n ]\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}",
"biscuit3 (2 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n }\n ]\n}",
"biscuit3 (2 checks)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"check1\", \"0\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), operation(#read), right($0, #read)\n ]\n },\n\tBlock {\n symbols: []\n version: 2\n context: \"\"\n facts: [\n right(\"file2\", #read)\n ]\n rules: []\n checks: []\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"facts": [
"operation(#read)",
"resource(\"file2\")",
"revocation_id(0, hex:d82a7c1a18cfa4314b375a87c0a56a3053da388ea98bff667ce4d5400b7aa981)",
"revocation_id(1, hex:80992689d9e68ef103a9d620a107dc38fc020dd7e11238781547d6b8dfd7ad72)",
"revocation_id(2, hex:f6624085e6ea881004795493f67e6335e109dd228a060d05083cc49c88233944)",
"right(\"file1\", #read)",
"right(\"file2\", #read)"
],
"rules": [],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"FailedLogic(InvalidBlockFact(0, \"right(#ambient, \\\"file1\\\", #write)\"))"
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource($0), operation(#read), right($0, #read)\" })"
]
}
]
@ -160,23 +192,52 @@
"title": "expired token",
"filename": "test9_expired_token.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"expiration\", \"date\", \"time\"]\n authority: Block {\n symbols: []\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"expiration\", \"date\", \"time\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, \"file1\"),\n check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"expiration\", \"date\", \"time\"]\n authority: Block {\n symbols: []\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"expiration\", \"date\", \"time\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(\"file1\"),\n check if time($date), $date <= 2018-12-20T00:00:00+00:00\n ]\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"operation(#ambient, #read)",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:97d9502fe0963f757c0f7e20e7d3a07b13f762c206c77506f4bd60af68565ce1)",
"revocation_id(1, hex:5ccf80411f761b01c08783efede6b86898b920107507bd500c3854c8fe451f35)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })"
"operation(#read)",
"resource(\"file1\")",
"revocation_id(0, hex:d30401ced69d2a2a3ce04bdee201316e7d256b2b44c25e2a2c3db54a226dfa0d)",
"revocation_id(1, hex:53792abfe5845c74575528cc99803c02ab7dedf809f5b9ec5859a2f812c4627d)",
"time(SystemTime { tv_sec: 1608542592, tv_nsec: 0 })"
],
"rules": [],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: \"check if time($date), $date <= 2018-12-20T00:00:00+00:00\" })"
]
}
]
}
},
{
"title": "verifier scope",
"filename": "test10_verifier_scope.bc",
"print_token": {
"biscuit3 (2 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: []\n version: 2\n context: \"\"\n facts: [\n right(\"file2\", #read)\n ]\n rules: []\n checks: []\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"operation(#read)",
"resource(\"file2\")",
"revocation_id(0, hex:81cec0693dbe65a0e6a97bec0e046629b96ade022bcbf0eb85a4f32fe08af176)",
"revocation_id(1, hex:f478ed76b9c914b8626021362ea9a395fbd5ac5349ac11e200c76dec95271bce)",
"right(\"file1\", #read)",
"right(\"file2\", #read)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, \"file1\")",
"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00"
"check if right($0, $1), resource($0), operation($1)"
],
"policies": [
"allow if true"
@ -184,68 +245,30 @@
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: \"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00\" })"
"Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right($0, $1), resource($0), operation($1)\" })"
]
}
]
}
},
{
"title": "authority rules",
"filename": "test10_authority_rules.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"1\", \"read\", \"owner\", \"0\", \"write\", \"check1\", \"check2\", \"alice\"]\n authority: Block {\n symbols: [\"1\", \"read\", \"owner\", \"0\", \"write\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1),\n right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)\n ]\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"check1\", \"check2\", \"alice\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1),\n check if resource(#ambient, $0), owner(#ambient, #alice, $0)\n ]\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"operation(#ambient, #read)",
"owner(#ambient, #alice, \"file1\")",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:615c86ed96ffb3e756cee9a922facef14e7ceedd7833a22474ffa69986a02aab)",
"revocation_id(1, hex:f5948d6b975b1f2e2571557588435445eeb088f6634c54247f0bc267bd11bc2a)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file1\", #write)"
],
"rules": [],
"privileged_rules": [
"right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
"right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)"
],
"checks": [
"check if resource(#ambient, $0), owner(#ambient, #alice, $0)",
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)"
],
"policies": [
"allow if true"
]
},
{
"Ok": 0
}
]
}
},
{
"title": "verifier authority checks",
"filename": "test11_verifier_authority_caveats.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n \n ]\n}"
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n \n ]\n}"
},
"validations": {
"": [
{
"facts": [
"operation(#ambient, #read)",
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:74d206f233bdcadbb6a8bdca0303b0520d75f94944f0dfc1d3b8edb0b3200b53)",
"right(#authority, \"file1\", #read)"
"operation(#read)",
"resource(\"file2\")",
"revocation_id(0, hex:db94822670781ef0678edf5e9b11c5e75fcedb90c2243cd4993415a81b3abb23)",
"right(\"file1\", #read)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)"
"check if right($0, $1), resource($0), operation($1)"
],
"policies": [
"allow if true"
@ -253,7 +276,7 @@
},
{
"Err": [
"Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)\" })"
"Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right($0, $1), resource($0), operation($1)\" })"
]
}
]
@ -263,21 +286,18 @@
"title": "authority checks",
"filename": "test12_authority_caveats.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\"]\n authority: Block {\n symbols: [\"check1\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, \"file1\")\n ]\n }\n blocks: [\n \n ]\n}"
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\"]\n authority: Block {\n symbols: [\"check1\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(\"file1\")\n ]\n }\n blocks: [\n \n ]\n}"
},
"validations": {
"file1": [
{
"facts": [
"operation(#ambient, #read)",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:6da467f30421f10f2bdd7eacb3ed3ce0741757c1afa8da1775f376dba88a5683)"
"operation(#read)",
"resource(\"file1\")",
"revocation_id(0, hex:3527bbda37830c73381efdeb2c41eac3468240ddb263e7897266cc391c21f37f)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, \"file1\")"
],
"checks": [],
"policies": [
"allow if true"
]
@ -289,22 +309,19 @@
"file2": [
{
"facts": [
"operation(#ambient, #read)",
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:6da467f30421f10f2bdd7eacb3ed3ce0741757c1afa8da1775f376dba88a5683)"
"operation(#read)",
"resource(\"file2\")",
"revocation_id(0, hex:3527bbda37830c73381efdeb2c41eac3468240ddb263e7897266cc391c21f37f)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, \"file1\")"
],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, \\\"file1\\\")\" })"
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(\\\"file1\\\")\" })"
]
}
]
@ -314,28 +331,22 @@
"title": "block rules",
"filename": "test13_block_rules.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"valid_date\", \"time\", \"0\", \"1\", \"check1\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"valid_date\", \"time\", \"0\", \"1\", \"check1\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00,\n valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)\n ]\n checks: [\n check if valid_date($0), resource(#ambient, $0)\n ]\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"valid_date\", \"time\", \"0\", \"1\", \"check1\"]\n authority: Block {\n symbols: [\"read\"]\n version: 2\n context: \"\"\n facts: [\n right(\"file1\", #read),\n right(\"file2\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block {\n symbols: [\"valid_date\", \"time\", \"0\", \"1\", \"check1\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59+00:00,\n valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)\n ]\n checks: [\n check if valid_date($0), resource($0)\n ]\n }\n ]\n}"
},
"validations": {
"file1": [
{
"facts": [
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:9a30e5b4f22cdffd389bd06c77c8ef1912604b4ebe3f0de7ceea9f4ddb571da5)",
"revocation_id(1, hex:35dc6e409f6582a669f0d41bf3cd9aa837a19764f0262e3dd8b6d2bdacee5b82)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file2\", #read)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"resource(\"file1\")",
"revocation_id(0, hex:3d5459878dfb4e1dba4e1ff1c585b98435117dd8f27b4402e836405e2073d58d)",
"revocation_id(1, hex:6af4d647ce1df7e80c1cb4736087e21340fa3ed63b0d3f172d25e8e9964489c3)",
"right(\"file1\", #read)",
"right(\"file2\", #read)",
"time(SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"valid_date(\"file1\")"
],
"rules": [
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)"
],
"privileged_rules": [],
"checks": [
"check if valid_date($0), resource(#ambient, $0)"
],
"rules": [],
"checks": [],
"policies": [
"allow if true"
]
@ -347,28 +358,22 @@
"file2": [
{
"facts": [
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:9a30e5b4f22cdffd389bd06c77c8ef1912604b4ebe3f0de7ceea9f4ddb571da5)",
"revocation_id(1, hex:35dc6e409f6582a669f0d41bf3cd9aa837a19764f0262e3dd8b6d2bdacee5b82)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file2\", #read)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })"
],
"rules": [
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)"
],
"privileged_rules": [],
"checks": [
"check if valid_date($0), resource(#ambient, $0)"
"resource(\"file2\")",
"revocation_id(0, hex:3d5459878dfb4e1dba4e1ff1c585b98435117dd8f27b4402e836405e2073d58d)",
"revocation_id(1, hex:6af4d647ce1df7e80c1cb4736087e21340fa3ed63b0d3f172d25e8e9964489c3)",
"right(\"file1\", #read)",
"right(\"file2\", #read)",
"time(SystemTime { tv_sec: 1608542592, tv_nsec: 0 })"
],
"rules": [],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if valid_date($0), resource(#ambient, $0)\" })"
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if valid_date($0), resource($0)\" })"
]
}
]
@ -378,41 +383,35 @@
"title": "regex_constraint",
"filename": "test14_regex_constraint.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"resource_match\", \"0\"]\n authority: Block {\n symbols: [\"resource_match\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")\n ]\n }\n blocks: [\n \n ]\n}"
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"resource_match\", \"0\"]\n authority: Block {\n symbols: [\"resource_match\", \"0\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource($0), $0.matches(\"file[0-9]+.txt\")\n ]\n }\n blocks: [\n \n ]\n}"
},
"validations": {
"file1": [
{
"facts": [
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:7d04d352cd30ad2875f003ff2ccc57dc7ec39763f3a823f87c9e26bf40b0310d)"
"resource(\"file1\")",
"revocation_id(0, hex:c1e6da318f99f8ad00d1b6bbfcf56fbd7ffd2b499f5719e6a371ad82d1d94368)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")"
],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, $0), $0.matches(\\\"file[0-9]+.txt\\\")\" })"
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource($0), $0.matches(\\\"file[0-9]+.txt\\\")\" })"
]
}
],
"file123": [
{
"facts": [
"resource(#ambient, \"file123.txt\")",
"revocation_id(0, hex:7d04d352cd30ad2875f003ff2ccc57dc7ec39763f3a823f87c9e26bf40b0310d)"
"resource(\"file123.txt\")",
"revocation_id(0, hex:c1e6da318f99f8ad00d1b6bbfcf56fbd7ffd2b499f5719e6a371ad82d1d94368)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")"
],
"checks": [],
"policies": [
"allow if true"
]
@ -427,19 +426,18 @@
"title": "multi queries checks",
"filename": "test15_multi_queries_caveats.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"must_be_present\"]\n authority: Block {\n symbols: [\"must_be_present\"]\n version: 2\n context: \"\"\n facts: [\n must_be_present(#authority, \"hello\")\n ]\n rules: []\n checks: []\n }\n blocks: [\n \n ]\n}"
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"must_be_present\"]\n authority: Block {\n symbols: [\"must_be_present\"]\n version: 2\n context: \"\"\n facts: [\n must_be_present(\"hello\")\n ]\n rules: []\n checks: []\n }\n blocks: [\n \n ]\n}"
},
"validations": {
"": [
{
"facts": [
"must_be_present(#authority, \"hello\")",
"revocation_id(0, hex:a869933238d941c3c6fd2a6949844a35727741e04865faf66ebdeb0e2cadab40)"
"must_be_present(\"hello\")",
"revocation_id(0, hex:f1aba7009cd19fbc5605ad5a318775bc8bb4c887cc3d00f405689420a8ccdc6a)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if must_be_present(#authority, $0) or must_be_present($0)"
"check if must_be_present($0) or must_be_present($0)"
],
"policies": [
"allow if true"
@ -455,28 +453,25 @@
"title": "check head name should be independent from fact names",
"filename": "test16_caveat_head_name.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"hello\"]\n authority: Block {\n symbols: [\"check1\", \"test\", \"hello\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, #hello)\n ]\n }\n blocks: [\n Block {\n symbols: []\n version: 2\n context: \"\"\n facts: [\n check1(#test)\n ]\n rules: []\n checks: []\n }\n ]\n}"
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"hello\"]\n authority: Block {\n symbols: [\"check1\", \"test\", \"hello\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#hello)\n ]\n }\n blocks: [\n Block {\n symbols: []\n version: 2\n context: \"\"\n facts: [\n check1(#test)\n ]\n rules: []\n checks: []\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"check1(#test)",
"revocation_id(0, hex:4a366515e159a7577166d8158bdca3c0bb39cbabb4988824ad0c9aab5d3ea402)",
"revocation_id(1, hex:2e8c19fefac5e54b7a8e21bb40eaf8aac70909e48f22c388ebb8cc742065d1dc)"
"revocation_id(0, hex:a4155e1642c441f169f8251cc3c1a1fa6b172543948c0a1a33d6409c28cae987)",
"revocation_id(1, hex:63f977e2f45b998a920fba2bb69af6c02e4f094294dc89bdbaabb88f8a582186)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, #hello)"
],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, #hello)\" })"
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#hello)\" })"
]
}
]
@ -492,40 +487,10 @@
"": [
{
"facts": [
"revocation_id(0, hex:fde35e855f6e4a1037e6698d3085bef54a71093dc06c2f2a2027e7c126a340d8)"
"revocation_id(0, hex:388e71fd289d831f617872e9c454eac446a88080f34bfbe4da50fbce7144bcda)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if !false",
"check if \"aaabde\".matches(\"a*c?.e\")",
"check if \"abcD12\" == \"abcD12\"",
"check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")",
"check if #abc == #abc",
"check if 1 + 2 * 3 - 4 / 2 == 5",
"check if 1 < 2",
"check if 1 <= 1",
"check if 1 <= 2",
"check if 2 > 1",
"check if 2 >= 1",
"check if 2 >= 2",
"check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00",
"check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
"check if 3 == 3",
"check if [\"abc\", \"def\"].contains(\"abc\")",
"check if [#hello, #world].contains(#hello)",
"check if [1, 2].contains(2)",
"check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00)",
"check if [false, true].contains(true)",
"check if [hex:12ab, hex:34de].contains(hex:34de)",
"check if false or true",
"check if hex:12ab == hex:12ab",
"check if true"
],
"checks": [],
"policies": [
"allow if true"
]
@ -540,11 +505,22 @@
"title": "invalid block rule with unbound_variables",
"filename": "test18_unbound_variables_in_rule.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"read\", \"unbound\", \"any1\", \"any2\"]\n authority: Block {\n symbols: [\"check1\", \"test\", \"read\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n blocks: [\n Block {\n symbols: [\"unbound\", \"any1\", \"any2\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n operation($unbound, #read) <- operation($any1, $any2)\n ]\n checks: []\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"read\", \"unbound\", \"any1\", \"any2\"]\n authority: Block {\n symbols: [\"check1\", \"test\", \"read\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if operation(#read)\n ]\n }\n blocks: [\n Block {\n symbols: [\"unbound\", \"any1\", \"any2\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n operation($unbound, #read) <- operation($any1, $any2)\n ]\n checks: []\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"facts": [
"operation(#write)",
"revocation_id(0, hex:2e13a1deb4edc2c841324ab4120351aa8696d455750045511cb94ee243b9c35f)",
"revocation_id(1, hex:628bf94715ce5ca37fe9d49bacee6a13fb77d8fd481b09875757bd567c93f0ca)"
],
"rules": [],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"FailedLogic(InvalidBlockRule(0, \"operation($unbound, #read) <- operation($any1, $any2)\"))"
@ -557,30 +533,26 @@
"title": "invalid block rule generating an #authority or #ambient symbol with a variable",
"filename": "test19_generating_ambient_from_variables.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"read\", \"any\"]\n authority: Block {\n symbols: [\"check1\", \"test\", \"read\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n blocks: [\n Block {\n symbols: [\"any\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n operation($ambient, #read) <- operation($ambient, $any)\n ]\n checks: []\n }\n ]\n}"
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"read\", \"any\"]\n authority: Block {\n symbols: [\"check1\", \"test\", \"read\"]\n version: 2\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if operation(#read)\n ]\n }\n blocks: [\n Block {\n symbols: [\"any\"]\n version: 2\n context: \"\"\n facts: []\n rules: [\n operation(#read) <- operation($any)\n ]\n checks: []\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"operation(#ambient, #write)",
"revocation_id(0, hex:345b72b425b0e134ba294e1183e91af519a154fefc8f3a6b788da47668fa90c9)",
"revocation_id(1, hex:5262c65a6042072011eb868c9f47a279264324a2781d3dd38e72f3464dc93348)"
],
"rules": [
"operation($ambient, #read) <- operation($ambient, $any)"
],
"privileged_rules": [],
"checks": [
"check if operation(#ambient, #read)"
"operation(#read)",
"operation(#write)",
"revocation_id(0, hex:e0728acdc6aac007be70c2795e681c911fbf1bb0d8063a04258813d3cc36ebd2)",
"revocation_id(1, hex:29226d29e16815d2adae6139b5761515f5fc219dcafbf1e113f03ab1b7134790)"
],
"rules": [],
"checks": [],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if operation(#ambient, #read)\" })"
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if operation(#read)\" })"
]
}
]

BIN
samples/v2/test10_authority_rules.bc
View File

Binary file not shown.

BIN
samples/v2/test10_verifier_scope.bc Normal file
View File

Binary file not shown.

BIN
samples/v2/test11_verifier_authority_caveats.bc
View File

Binary file not shown.

12
samples/v2/test12_authority_caveats.bc
View File

@ -1,6 +1,6 @@

,
check12

"file1"file1 DÖSÍK 6e@­…ºÌé{<7B><>HPc<50>ÍG!è¢Èc\@õcÉñŠ6¸IÁ;†gêÆg<C386>2¸/Ð7ÓYZ.‘¦¢ÊÅe‰ýªÉ»Y¿Ý« R_Di/EV>l""
<ÿðÝthT˜dÕ2f½uôœhÝÌ<C39D>¦îªkn³Â
<EFBFBD>
(
check12

"file1 "file1 ܤë€æ’áÑxã®7äɇ‰H _¾O” U/ù<>§™@&ğ3˜ v¯nùïˆbXŒÆïø3ˆÖ%÷<>c8¬¬úFy8'ö=ÙƒQG£P¶\ŒØªÊ*/İѪšÚw ""
äÈFÏwn*b¹JÖõXˆõ<CB86>oZÌ:œ“ zŞb½3q

BIN
samples/v2/test13_block_rules.bc
View File

Binary file not shown.

15
samples/v2/test14_regex_constraint.bc
View File

@ -1,13 +1,12 @@
µ
O
±
K
resource_match
028
6


024
2




"file[0-9]+.txt
 ;Ú69Xy²oC?þäàB¦sû-+Ì3P1knar@(¸íó%"dOE¾iD²¾¥ýñ¨Ça%h1íì{jç0%Ó]ßw<ú÷/í!˜¥‹ \åØÀŸæÿ‡æñá±lÕnŽ±""
9ŽÓbµ/û9nú½³í·žJ-?ÁúP¹=Úß
 ιÙG„ôÀVµñ©`*kÛÏ)øß_±É<„^dM'™B@ùÙ:Èðy{¢1™®£÷´.ø(:”SAîÊ„ <0B>ÿB`ŒÔŽLËå(ªøjiˆügJ¤7ËŠ­–ì ¬vz""
ÊÆ–·Ö]ï<T¤~°Eqž…2žeçÜ9QSÃ

BIN
samples/v2/test15_multi_queries_caveats.bc
View File

Binary file not shown.

BIN
samples/v2/test16_caveat_head_name.bc
View File

Binary file not shown.

BIN
samples/v2/test17_expressions.bc
View File

Binary file not shown.

BIN
samples/v2/test18_unbound_variables_in_rule.bc
View File

Binary file not shown.

23
samples/v2/test19_generating_ambient_from_variables.bc
View File

@ -1,15 +1,12 @@

.
<EFBFBD>
*
check1
test
read2


  u"^rÊ9SQ&^<5E>«È$¯|à‡V0Äp&>:蟬@39Ù6½ ѽÒØhÌS± y<>͇&Z勼áÖÚ:”IÖ{”ÁNýAº…}±NZC§¯!¾ «•lÉ"#
!
any*
 

 <îཌlÅñ >?Ñ}¯»ç#ñ-0 ØX¬ÉÚç€r@w“;ZZÁæ‘ö¢ÙÞ|Ò™) àørZ½¼Jíx†KÔíL.<9ë]:9˜ŸÃK¥LD*1 ÿIía3""
P›÷§î9ʾ{tð«Uütp´~ªãRúdt¸)
read2

  ýÛèªD¿¦~ Nš$ë˜PZÉ!¨»¡ìü؃×ç@ÿUm Ÿ´|>êš-SL4?^“±ý9Ô‰þfðàHÛqõ†¥ËàEÔ@œÇñˆŠáÁ›ÿOÐòѾ}@È

any*
 
 ´aÂ0cÊLìBlA|3È(ZÀ=¶âRöÔ:øø@T¸uÆ;¸Ó)èåDUQAKy"}ýÔ3r¨Ä„ò"ïh»Ë¨Þƒ¶ÈE  ‰{Ï<>ýÑ€~ÎWÓ<57>{Ž` ""
«©+o\‚¯ °íæ€eȽs²°ü¤­6G¡;ÜcFwaë

BIN
samples/v2/test1_basic.bc
View File

Binary file not shown.

BIN
samples/v2/test2_different_root_key.bc
View File

Binary file not shown.

BIN
samples/v2/test3_invalid_signature_format.bc
View File

Binary file not shown.

BIN
samples/v2/test4_random_block.bc
View File

Binary file not shown.

BIN
samples/v2/test5_invalid_signature.bc
View File

Binary file not shown.

BIN
samples/v2/test6_reordered_blocks.bc
View File

Binary file not shown.

BIN
samples/v2/test7_invalid_block_fact_authority.bc
View File

Binary file not shown.

BIN
samples/v2/test7_scoped_rules.bc Normal file
View File

Binary file not shown.

BIN
samples/v2/test8_invalid_block_fact_ambient.bc
View File

Binary file not shown.

BIN
samples/v2/test8_scoped_checks.bc Normal file
View File

Binary file not shown.

BIN
samples/v2/test9_expired_token.bc
View File

Binary file not shown.