biscuit-auth/biscuit
1
1
Fork 0
mirror of https://github.com/biscuit-auth/biscuit.git synced 2024-08-15 15:10:27 +03:00
Code Issues Packages Projects Releases Wiki Activity

JSON testcases results and rewrite of testcases README

Browse Source
This commit is contained in:
Geoffroy Couprie 2021-09-01 17:27:36 +02:00
parent 5e7e01a744
commit 7bd158a3ed
2 changed files with 937 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

529
samples/v1/README.md
View File

@ -37,26 +37,31 @@ Biscuit {
}
```
validation:
verifier world:
World {
facts: [
facts: {
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:596a24631a8eeec5cbc0d84fc6c22fec1a524c7367bc8926827201ddd218f4bb)",
"revocation_id(1, hex:dec4e0a7f817fe6c5964a18e9f0eae5564c12531b05dc4525f553570519baa87)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file1\", #write)",
"right(#authority, \"file2\", #read)",
]
privileged rules: []
rules: []
checks: [
"Block[1][0]: check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:0478d85ecc0176ecb7c4609216c10be4456bd288b28d1bc2d9ee6247935e968c)",
"unique_revocation_id(1, hex:ac3e75a72e35b936963e77d06a6aee38fc2654084f5a964dd4aaf7b02ae25774)",
}
validation: `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)" })])))`
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)",
}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\" })"])
------------------------------
@ -90,7 +95,9 @@ Biscuit {
}
```
validation: `Err(Format(UnknownPublicKey))`
validation:
Err(["Format(UnknownPublicKey)"])
------------------------------
@ -126,7 +133,9 @@ Biscuit {
}
```
validation: `Err(Format(DeserializationError("deserialization error: invalid size for z = 16 bytes")))`
validation:
Err(["Format(DeserializationError(\"deserialization error: invalid size for z = 16 bytes\"))"])
------------------------------
@ -162,7 +171,9 @@ Biscuit {
}
```
validation: `Err(Format(Signature(InvalidSignature)))`
validation:
Err(["Format(Signature(InvalidSignature))"])
------------------------------
@ -198,7 +209,9 @@ Biscuit {
}
```
validation: `Err(Format(Signature(InvalidSignature)))`
validation:
Err(["Format(Signature(InvalidSignature))"])
------------------------------
@ -234,7 +247,50 @@ Biscuit {
}
```
validation: `Err(InvalidBlockIndex(InvalidBlockIndex { expected: 1, found: 2 }))`
biscuit3 (2 checks):
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "read", "write", "check1", "0", "check2"]
authority: Block[0] {
symbols: ["read", "write"]
version: 1
context: ""
facts: [
right(#authority, "file1", #read),
right(#authority, "file2", #read),
right(#authority, "file1", #write)
]
rules: []
checks: []
}
blocks: [
Block[1] {
symbols: ["check1", "0"]
version: 1
context: ""
facts: []
rules: []
checks: [
check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)
]
},
Block[2] {
symbols: ["check2"]
version: 1
context: ""
facts: []
rules: []
checks: [
check if resource(#ambient, "file1")
]
}
]
}
```
validation:
Err(["InvalidBlockIndex(InvalidBlockIndex { expected: 1, found: 2 })"])
------------------------------
@ -270,7 +326,9 @@ Biscuit {
}
```
validation: `Err(FailedLogic(InvalidBlockFact(0, "right(#authority, \"file1\", #write)")))`
validation:
Err(["FailedLogic(InvalidBlockFact(0, \"right(#authority, \\\"file1\\\", #write)\"))"])
------------------------------
@ -306,7 +364,9 @@ Biscuit {
}
```
validation: `Err(FailedLogic(InvalidBlockFact(0, "right(#ambient, \"file1\", #write)")))`
validation:
Err(["FailedLogic(InvalidBlockFact(0, \"right(#ambient, \\\"file1\\\", #write)\"))"])
------------------------------
@ -339,26 +399,31 @@ Biscuit {
}
```
validation:
verifier world:
World {
facts: [
facts: {
"operation(#ambient, #read)",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:deaf1b539fda04436be70357d4dca8435581661e47d5a6b690054a9e7b63ed09)",
"revocation_id(1, hex:e1ad30e387ff5b866bf631ac3c572256730cba0612d88054a863aa8c0702dbd6)",
"time(#ambient, 2020-12-21T09:23:12+00:00)",
]
privileged rules: []
rules: []
checks: [
"Block[1][0]: check if resource(#ambient, \"file1\")",
"Block[1][1]: check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00",
]
policies: [
"allow if true",
]
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"unique_revocation_id(0, hex:d826759b8f88ad1734983dd8905d2c4ab59174dbbb58deb6b41a185c771c6db9)",
"unique_revocation_id(1, hex:8d83291e5389f2affb822b953712fe4f822d847ba37b7680475795c59ab5eef7)",
}
validation: `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: "check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00" })])))`
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, \"file1\")",
"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00",
}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: \"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00\" })"])
------------------------------
@ -394,9 +459,10 @@ Biscuit {
}
```
validation:
verifier world:
World {
facts: [
facts: {
"operation(#ambient, #read)",
"owner(#ambient, #alice, \"file1\")",
"resource(#ambient, \"file1\")",
@ -404,21 +470,25 @@ World {
"revocation_id(1, hex:9065c0f8a4abad0c01877a2a9427e948688fbe296069eeef021179d5b936e260)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file1\", #write)",
]
privileged rules: [
"unique_revocation_id(0, hex:77ead539aa3809c7e766925bf898b9418c994144ceefc5bc10ff2bc478e3aa74)",
"unique_revocation_id(1, hex:9354cac9510f2e4117f703806b1185ce2e2ef342f1e0f82fc16fb51ea25c93bc)",
}
privileged rules: {
"right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
"right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
]
rules: []
checks: [
"Block[1][0]: check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
"Block[1][1]: check if resource(#ambient, $0), owner(#ambient, #alice, $0)",
]
policies: [
"allow if true",
]
}
validation: `Ok(())`
rules: {}
checks: {
"check if resource(#ambient, $0), owner(#ambient, #alice, $0)",
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
}
policies: {
"allow if true",
}
}
Ok(0)
------------------------------
@ -443,24 +513,28 @@ Biscuit {
}
```
validation:
verifier world:
World {
facts: [
facts: {
"operation(#ambient, #read)",
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:ea25b30574845105fb8def0856560d07182bf5ab14fd4d32040431a69d788534)",
"right(#authority, \"file1\", #read)",
]
privileged rules: []
rules: []
checks: [
"Verifier[0]: check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:28bad2a134eeb69dff4cbc775538ef7d8d5173d1966ee7ab0b9e8a251fcf7de6)",
}
validation: `Err(FailedLogic(FailedChecks([Verifier(FailedVerifierCheck { check_id: 0, rule: "check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)" })])))`
privileged rules: {}
rules: {}
checks: {
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
}
policies: {
"allow if true",
}
}
Err(["Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)\" })"])
------------------------------
@ -485,40 +559,47 @@ Biscuit {
}
```
validation for "file1":
verifier world:
World {
facts: [
facts: {
"operation(#ambient, #read)",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
]
privileged rules: []
rules: []
checks: [
"Block[0][0]: check if resource(#ambient, \"file1\")",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:cb0851f400633efb2cbce563dbfdd95d8eadf01c89d7040d896afe1b993cc92e)",
}
validation for "file1": `Ok(())`
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, \"file1\")",
}
policies: {
"allow if true",
}
}
Ok(0)
validation for "file2":
verifier world:
World {
facts: [
facts: {
"operation(#ambient, #read)",
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
]
privileged rules: []
rules: []
checks: [
"Block[0][0]: check if resource(#ambient, \"file1\")",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:cb0851f400633efb2cbce563dbfdd95d8eadf01c89d7040d896afe1b993cc92e)",
}
validation for "file2": `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if resource(#ambient, \"file1\")" })])))`
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, \"file1\")",
}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, \\\"file1\\\")\" })"])
------------------------------
@ -556,53 +637,62 @@ Biscuit {
}
```
validation for "file1":
verifier world:
World {
facts: [
facts: {
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file2\", #read)",
"time(#ambient, 2020-12-21T09:23:12+00:00)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"unique_revocation_id(0, hex:f3d30b0803140c5d649b6c867e3b92e709f59f7fecae16d82582a752c7a4c27d)",
"unique_revocation_id(1, hex:0089819a8a2e858aaee2a0b2dcc5eb1487d08744a2c72d46371a13861efa04e0)",
"valid_date(\"file1\")",
]
privileged rules: []
rules: [
}
privileged rules: {}
rules: {
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)",
]
checks: [
"Block[1][0]: check if valid_date($0), resource(#ambient, $0)",
]
policies: [
"allow if true",
]
}
validation for "file1": `Ok(())`
checks: {
"check if valid_date($0), resource(#ambient, $0)",
}
policies: {
"allow if true",
}
}
Ok(0)
validation for "file2":
verifier world:
World {
facts: [
facts: {
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file2\", #read)",
"time(#ambient, 2020-12-21T09:23:12+00:00)",
]
privileged rules: []
rules: [
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"unique_revocation_id(0, hex:f3d30b0803140c5d649b6c867e3b92e709f59f7fecae16d82582a752c7a4c27d)",
"unique_revocation_id(1, hex:0089819a8a2e858aaee2a0b2dcc5eb1487d08744a2c72d46371a13861efa04e0)",
}
privileged rules: {}
rules: {
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)",
]
checks: [
"Block[1][0]: check if valid_date($0), resource(#ambient, $0)",
]
policies: [
"allow if true",
]
}
validation for "file2": `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if valid_date($0), resource(#ambient, $0)" })])))`
checks: {
"check if valid_date($0), resource(#ambient, $0)",
}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if valid_date($0), resource(#ambient, $0)\" })"])
------------------------------
@ -627,38 +717,45 @@ Biscuit {
}
```
validation for "file1":
verifier world:
World {
facts: [
facts: {
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
]
privileged rules: []
rules: []
checks: [
"Block[0][0]: check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:2c0433654ba29e119f951e2b453f2d6397546fe9146afd6ed29478829cd34a9b)",
}
validation for "file1": `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")" })])))`
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, $0), $0.matches(\\\"file[0-9]+.txt\\\")\" })"])
validation for "file123":
verifier world:
World {
facts: [
facts: {
"resource(#ambient, \"file123.txt\")",
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
]
privileged rules: []
rules: []
checks: [
"Block[0][0]: check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:2c0433654ba29e119f951e2b453f2d6397546fe9146afd6ed29478829cd34a9b)",
}
validation for "file123.txt": `Ok(())`
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
}
policies: {
"allow if true",
}
}
Ok(0)
------------------------------
@ -683,27 +780,33 @@ Biscuit {
}
```
validation:
verifier world:
World {
facts: [
facts: {
"must_be_present(#authority, \"hello\")",
"revocation_id(0, hex:1ded979c6661e34b09cedf85c778ab0f0304e7c0ca44382348e76147cb1fa3f3)",
]
privileged rules: []
rules: []
checks: [
"Verifier[0]: check if must_be_present(#authority, $0) or must_be_present($0)",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:d82576a159d14b629e74d1b2cbcd53e764c18ad3d3dfc51115fc8172efbe1480)",
}
validation: `Ok(())`
privileged rules: {}
rules: {}
checks: {
"check if must_be_present(#authority, $0) or must_be_present($0)",
}
policies: {
"allow if true",
}
}
Ok(0)
------------------------------
## check head name should be independent from fact names: test16_caveat_head_name.bc
biscuit: Biscuit {
biscuit:
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "check1", "test", "hello"]
authority: Block[0] {
symbols: ["check1", "test", "hello"]
@ -728,28 +831,37 @@ biscuit: Biscuit {
}
]
}
```
validation:
verifier world:
World {
facts: [
facts: {
"check1(#test)",
"revocation_id(0, hex:8f03890eeaa997cd03da71115168e41425b2be82731026225b0c5b87163e4d8e)",
"revocation_id(1, hex:94fff36a9fa4d4149ab1488bf4aa84ed0bab0075cc7d051270367fb9c9688795)",
]
privileged rules: []
rules: []
checks: [
"Block[0][0]: check if resource(#ambient, #hello)",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:83b0b7f0135609102299bd6db8de46722a2c2fcad6a348e684435ba5e528b564)",
"unique_revocation_id(1, hex:17b70d10fee614414e46e06f2aea2c3986c33eae4faee76a05a904d09f2a587e)",
}
validation: `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if resource(#ambient, #hello)" })])))`
privileged rules: {}
rules: {}
checks: {
"check if resource(#ambient, #hello)",
}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, #hello)\" })"])
------------------------------
## test expression syntax and all available operations: test17_expressions.bc
biscuit: Biscuit {
biscuit:
```
Biscuit {
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "query", "abc", "hello", "world"]
authority: Block[0] {
symbols: ["query", "abc", "hello", "world"]
@ -793,49 +905,54 @@ biscuit: Biscuit {
]
}
```
validation:
verifier world:
World {
facts: [
facts: {
"revocation_id(0, hex:28f62066e45ad00c448433083a283d48a14b05cc07adf533d90b216998ae2648)",
]
privileged rules: []
rules: []
checks: [
"Block[0][0]: check if true",
"Block[0][1]: check if !false",
"Block[0][2]: check if false or true",
"Block[0][3]: check if 1 < 2",
"Block[0][4]: check if 2 > 1",
"Block[0][5]: check if 1 <= 2",
"Block[0][6]: check if 1 <= 1",
"Block[0][7]: check if 2 >= 1",
"Block[0][8]: check if 2 >= 2",
"Block[0][9]: check if 3 == 3",
"Block[0][10]: check if 1 + 2 * 3 - 4 / 2 == 5",
"Block[0][11]: check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")",
"Block[0][12]: check if \"aaabde\".matches(\"a*c?.e\")",
"Block[0][13]: check if \"abcD12\" == \"abcD12\"",
"Block[0][14]: check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00",
"Block[0][15]: check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00",
"Block[0][16]: check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00",
"Block[0][17]: check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
"Block[0][18]: check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00",
"Block[0][19]: check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
"Block[0][20]: check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00",
"Block[0][21]: check if #abc == #abc",
"Block[0][22]: check if hex:12ab == hex:12ab",
"Block[0][23]: check if [1, 2].contains(2)",
"Block[0][24]: check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00)",
"Block[0][25]: check if [false, true].contains(true)",
"Block[0][26]: check if [\"abc\", \"def\"].contains(\"abc\")",
"Block[0][27]: check if [hex:12ab, hex:34de].contains(hex:34de)",
"Block[0][28]: check if [#hello, #world].contains(#hello)",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:66a26c68e9554fbe00be14bc2dafd35361292b78006eea6763940d28c4c6c14d)",
}
validation: `Ok(())`
privileged rules: {}
rules: {}
checks: {
"check if !false",
"check if \"aaabde\".matches(\"a*c?.e\")",
"check if \"abcD12\" == \"abcD12\"",
"check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")",
"check if #abc == #abc",
"check if 1 + 2 * 3 - 4 / 2 == 5",
"check if 1 < 2",
"check if 1 <= 1",
"check if 1 <= 2",
"check if 2 > 1",
"check if 2 >= 1",
"check if 2 >= 2",
"check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00",
"check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
"check if 3 == 3",
"check if [\"abc\", \"def\"].contains(\"abc\")",
"check if [#hello, #world].contains(#hello)",
"check if [1, 2].contains(2)",
"check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00)",
"check if [false, true].contains(true)",
"check if [hex:12ab, hex:34de].contains(hex:34de)",
"check if false or true",
"check if hex:12ab == hex:12ab",
"check if true",
}
policies: {
"allow if true",
}
}
Ok(0)
------------------------------
@ -869,7 +986,9 @@ Biscuit {
}
```
validation: `Err(FailedLogic(InvalidBlockRule(0, "operation($unbound, #read) <- operation($any1, $any2)")))`
validation:
Err(["FailedLogic(InvalidBlockRule(0, \"operation($unbound, #read) <- operation($any1, $any2)\"))"])
------------------------------
@ -903,23 +1022,27 @@ Biscuit {
}
```
this rule should not generate a fact with restricted symbols
validation:
verifier world:
World {
facts: [
facts: {
"operation(#ambient, #write)",
"revocation_id(0, hex:4bfc06061aaef82c0ae7b04c9e0842235815eb1247e3601f6e762fbfbf5b8227)",
"revocation_id(1, hex:b8b5c6fe921a9ea1bbfd6563cc8ca659cbdd5d40f27a193858ccab4bea942b50)",
]
privileged rules: []
rules: [
"operation($ambient, #read) <- operation($ambient, $any)",
]
checks: [
"Block[0][0]: check if operation(#ambient, #read)",
]
policies: [
"allow if true",
]
"unique_revocation_id(0, hex:9ec280773834c66a7174b43b0f8ff8e25d3208a7e09be330ee270dc2ab773be7)",
"unique_revocation_id(1, hex:0ed2377dc83fbf8d86d63745d9256d191fa742aad8c89affa0e7433822df2a60)",
}
validation: `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if operation(#ambient, #read)" })])))`
privileged rules: {}
rules: {
"operation($ambient, #read) <- operation($ambient, $any)",
}
checks: {
"check if operation(#ambient, #read)",
}
policies: {
"allow if true",
}
}
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if operation(#ambient, #read)\" })"])

611
samples/v1/samples.json Normal file
View File

@ -0,0 +1,611 @@
{
"root_private_key": "79a33df5e9912e3fa1b7b7d87275c58dc7e8348f45ae783a5aaaf3bceb6bb10e",
"root_public_key": "529e780f28d9181c968b0eab9977ed8494a27a4544c3adc1910f41bb3dc36958",
"testcases": [
{
"title": "basic token",
"filename": "test1_basic.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:596a24631a8eeec5cbc0d84fc6c22fec1a524c7367bc8926827201ddd218f4bb)",
"revocation_id(1, hex:dec4e0a7f817fe6c5964a18e9f0eae5564c12531b05dc4525f553570519baa87)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file1\", #write)",
"right(#authority, \"file2\", #read)",
"unique_revocation_id(0, hex:0478d85ecc0176ecb7c4609216c10be4456bd288b28d1bc2d9ee6247935e968c)",
"unique_revocation_id(1, hex:ac3e75a72e35b936963e77d06a6aee38fc2654084f5a964dd4aaf7b02ae25774)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)"
],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\" })"
]
}
]
}
},
{
"title": "different root key",
"filename": "test2_different_root_key.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"Err": [
"Format(UnknownPublicKey)"
]
}
]
}
},
{
"title": "invalid signature format",
"filename": "test3_invalid_signature_format.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"Err": [
"Format(DeserializationError(\"deserialization error: invalid size for z = 16 bytes\"))"
]
}
]
}
},
{
"title": "random block",
"filename": "test4_random_block.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"Err": [
"Format(Signature(InvalidSignature))"
]
}
]
}
},
{
"title": "invalid signature",
"filename": "test5_invalid_signature.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"Err": [
"Format(Signature(InvalidSignature))"
]
}
]
}
},
{
"title": "reordered blocks",
"filename": "test6_reordered_blocks.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}",
"biscuit3 (2 checks)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\", \"check2\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n },\n\tBlock[2] {\n symbols: [\"check2\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, \"file1\")\n ]\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"Err": [
"InvalidBlockIndex(InvalidBlockIndex { expected: 1, found: 2 })"
]
}
]
}
},
{
"title": "invalid block fact with authority tag",
"filename": "test7_invalid_block_fact_authority.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"write\", \"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"Err": [
"FailedLogic(InvalidBlockFact(0, \"right(#authority, \\\"file1\\\", #write)\"))"
]
}
]
}
},
{
"title": "invalid block fact with ambient tag",
"filename": "test8_invalid_block_fact_ambient.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"write\", \"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: [\n right(#ambient, \"file1\", #write)\n ]\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"Err": [
"FailedLogic(InvalidBlockFact(0, \"right(#ambient, \\\"file1\\\", #write)\"))"
]
}
]
}
},
{
"title": "expired token",
"filename": "test9_expired_token.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"expiration\", \"date\", \"time\"]\n authority: Block[0] {\n symbols: []\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"expiration\", \"date\", \"time\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, \"file1\"),\n check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00\n ]\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"operation(#ambient, #read)",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:deaf1b539fda04436be70357d4dca8435581661e47d5a6b690054a9e7b63ed09)",
"revocation_id(1, hex:e1ad30e387ff5b866bf631ac3c572256730cba0612d88054a863aa8c0702dbd6)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"unique_revocation_id(0, hex:d826759b8f88ad1734983dd8905d2c4ab59174dbbb58deb6b41a185c771c6db9)",
"unique_revocation_id(1, hex:8d83291e5389f2affb822b953712fe4f822d847ba37b7680475795c59ab5eef7)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, \"file1\")",
"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00"
],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: \"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00\" })"
]
}
]
}
},
{
"title": "authority rules",
"filename": "test10_authority_rules.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"1\", \"read\", \"owner\", \"0\", \"write\", \"check1\", \"check2\", \"alice\"]\n authority: Block[0] {\n symbols: [\"1\", \"read\", \"owner\", \"0\", \"write\"]\n version: 1\n context: \"\"\n facts: []\n rules: [\n right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1),\n right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)\n ]\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"check2\", \"alice\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1),\n check if resource(#ambient, $0), owner(#ambient, #alice, $0)\n ]\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"operation(#ambient, #read)",
"owner(#ambient, #alice, \"file1\")",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:20262f14cd4d28aa7e95ec93e94c28faf9aac1e7b720fb47f177aea577b18691)",
"revocation_id(1, hex:9065c0f8a4abad0c01877a2a9427e948688fbe296069eeef021179d5b936e260)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file1\", #write)",
"unique_revocation_id(0, hex:77ead539aa3809c7e766925bf898b9418c994144ceefc5bc10ff2bc478e3aa74)",
"unique_revocation_id(1, hex:9354cac9510f2e4117f703806b1185ce2e2ef342f1e0f82fc16fb51ea25c93bc)"
],
"rules": [],
"privileged_rules": [
"right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
"right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)"
],
"checks": [
"check if resource(#ambient, $0), owner(#ambient, #alice, $0)",
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)"
],
"policies": [
"allow if true"
]
},
{
"Ok": 0
}
]
}
},
{
"title": "verifier authority checks",
"filename": "test11_verifier_authority_caveats.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n \n ]\n}"
},
"validations": {
"": [
{
"facts": [
"operation(#ambient, #read)",
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:ea25b30574845105fb8def0856560d07182bf5ab14fd4d32040431a69d788534)",
"right(#authority, \"file1\", #read)",
"unique_revocation_id(0, hex:28bad2a134eeb69dff4cbc775538ef7d8d5173d1966ee7ab0b9e8a251fcf7de6)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)"
],
"policies": [
"allow if true"
]
},
{
"Err": [
"Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)\" })"
]
}
]
}
},
{
"title": "authority checks",
"filename": "test12_authority_caveats.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\"]\n authority: Block[0] {\n symbols: [\"check1\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, \"file1\")\n ]\n }\n blocks: [\n \n ]\n}"
},
"validations": {
"file1": [
{
"facts": [
"operation(#ambient, #read)",
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
"unique_revocation_id(0, hex:cb0851f400633efb2cbce563dbfdd95d8eadf01c89d7040d896afe1b993cc92e)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, \"file1\")"
],
"policies": [
"allow if true"
]
},
{
"Ok": 0
}
],
"file2": [
{
"facts": [
"operation(#ambient, #read)",
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
"unique_revocation_id(0, hex:cb0851f400633efb2cbce563dbfdd95d8eadf01c89d7040d896afe1b993cc92e)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, \"file1\")"
],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, \\\"file1\\\")\" })"
]
}
]
}
},
{
"title": "block rules",
"filename": "test13_block_rules.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"valid_date\", \"time\", \"0\", \"1\", \"check1\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"valid_date\", \"time\", \"0\", \"1\", \"check1\"]\n version: 1\n context: \"\"\n facts: []\n rules: [\n valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00,\n valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)\n ]\n checks: [\n check if valid_date($0), resource(#ambient, $0)\n ]\n }\n ]\n}"
},
"validations": {
"file1": [
{
"facts": [
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file2\", #read)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"unique_revocation_id(0, hex:f3d30b0803140c5d649b6c867e3b92e709f59f7fecae16d82582a752c7a4c27d)",
"unique_revocation_id(1, hex:0089819a8a2e858aaee2a0b2dcc5eb1487d08744a2c72d46371a13861efa04e0)",
"valid_date(\"file1\")"
],
"rules": [
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)"
],
"privileged_rules": [],
"checks": [
"check if valid_date($0), resource(#ambient, $0)"
],
"policies": [
"allow if true"
]
},
{
"Ok": 0
}
],
"file2": [
{
"facts": [
"resource(#ambient, \"file2\")",
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
"right(#authority, \"file1\", #read)",
"right(#authority, \"file2\", #read)",
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
"unique_revocation_id(0, hex:f3d30b0803140c5d649b6c867e3b92e709f59f7fecae16d82582a752c7a4c27d)",
"unique_revocation_id(1, hex:0089819a8a2e858aaee2a0b2dcc5eb1487d08744a2c72d46371a13861efa04e0)"
],
"rules": [
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)"
],
"privileged_rules": [],
"checks": [
"check if valid_date($0), resource(#ambient, $0)"
],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if valid_date($0), resource(#ambient, $0)\" })"
]
}
]
}
},
{
"title": "regex_constraint",
"filename": "test14_regex_constraint.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"resource_match\", \"0\"]\n authority: Block[0] {\n symbols: [\"resource_match\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")\n ]\n }\n blocks: [\n \n ]\n}"
},
"validations": {
"file1": [
{
"facts": [
"resource(#ambient, \"file1\")",
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
"unique_revocation_id(0, hex:2c0433654ba29e119f951e2b453f2d6397546fe9146afd6ed29478829cd34a9b)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")"
],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, $0), $0.matches(\\\"file[0-9]+.txt\\\")\" })"
]
}
],
"file123": [
{
"facts": [
"resource(#ambient, \"file123.txt\")",
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
"unique_revocation_id(0, hex:2c0433654ba29e119f951e2b453f2d6397546fe9146afd6ed29478829cd34a9b)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")"
],
"policies": [
"allow if true"
]
},
{
"Ok": 0
}
]
}
},
{
"title": "multi queries checks",
"filename": "test15_multi_queries_caveats.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"must_be_present\"]\n authority: Block[0] {\n symbols: [\"must_be_present\"]\n version: 1\n context: \"\"\n facts: [\n must_be_present(#authority, \"hello\")\n ]\n rules: []\n checks: []\n }\n blocks: [\n \n ]\n}"
},
"validations": {
"": [
{
"facts": [
"must_be_present(#authority, \"hello\")",
"revocation_id(0, hex:1ded979c6661e34b09cedf85c778ab0f0304e7c0ca44382348e76147cb1fa3f3)",
"unique_revocation_id(0, hex:d82576a159d14b629e74d1b2cbcd53e764c18ad3d3dfc51115fc8172efbe1480)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if must_be_present(#authority, $0) or must_be_present($0)"
],
"policies": [
"allow if true"
]
},
{
"Ok": 0
}
]
}
},
{
"title": "check head name should be independent from fact names",
"filename": "test16_caveat_head_name.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"hello\"]\n authority: Block[0] {\n symbols: [\"check1\", \"test\", \"hello\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, #hello)\n ]\n }\n blocks: [\n Block[1] {\n symbols: []\n version: 1\n context: \"\"\n facts: [\n check1(#test)\n ]\n rules: []\n checks: []\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"check1(#test)",
"revocation_id(0, hex:8f03890eeaa997cd03da71115168e41425b2be82731026225b0c5b87163e4d8e)",
"revocation_id(1, hex:94fff36a9fa4d4149ab1488bf4aa84ed0bab0075cc7d051270367fb9c9688795)",
"unique_revocation_id(0, hex:83b0b7f0135609102299bd6db8de46722a2c2fcad6a348e684435ba5e528b564)",
"unique_revocation_id(1, hex:17b70d10fee614414e46e06f2aea2c3986c33eae4faee76a05a904d09f2a587e)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if resource(#ambient, #hello)"
],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, #hello)\" })"
]
}
]
}
},
{
"title": "test expression syntax and all available operations",
"filename": "test17_expressions.bc",
"print_token": {
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"query\", \"abc\", \"hello\", \"world\"]\n authority: Block[0] {\n symbols: [\"query\", \"abc\", \"hello\", \"world\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if true,\n check if !false,\n check if false or true,\n check if 1 < 2,\n check if 2 > 1,\n check if 1 <= 2,\n check if 1 <= 1,\n check if 2 >= 1,\n check if 2 >= 2,\n check if 3 == 3,\n check if 1 + 2 * 3 - 4 / 2 == 5,\n check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\"),\n check if \"aaabde\".matches(\"a*c?.e\"),\n check if \"abcD12\" == \"abcD12\",\n check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00,\n check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00,\n check if #abc == #abc,\n check if hex:12ab == hex:12ab,\n check if [1, 2].contains(2),\n check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00),\n check if [false, true].contains(true),\n check if [\"abc\", \"def\"].contains(\"abc\"),\n check if [hex:12ab, hex:34de].contains(hex:34de),\n check if [#hello, #world].contains(#hello)\n ]\n }\n blocks: [\n \n ]\n}"
},
"validations": {
"": [
{
"facts": [
"revocation_id(0, hex:28f62066e45ad00c448433083a283d48a14b05cc07adf533d90b216998ae2648)",
"unique_revocation_id(0, hex:66a26c68e9554fbe00be14bc2dafd35361292b78006eea6763940d28c4c6c14d)"
],
"rules": [],
"privileged_rules": [],
"checks": [
"check if !false",
"check if \"aaabde\".matches(\"a*c?.e\")",
"check if \"abcD12\" == \"abcD12\"",
"check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")",
"check if #abc == #abc",
"check if 1 + 2 * 3 - 4 / 2 == 5",
"check if 1 < 2",
"check if 1 <= 1",
"check if 1 <= 2",
"check if 2 > 1",
"check if 2 >= 1",
"check if 2 >= 2",
"check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00",
"check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00",
"check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
"check if 3 == 3",
"check if [\"abc\", \"def\"].contains(\"abc\")",
"check if [#hello, #world].contains(#hello)",
"check if [1, 2].contains(2)",
"check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00)",
"check if [false, true].contains(true)",
"check if [hex:12ab, hex:34de].contains(hex:34de)",
"check if false or true",
"check if hex:12ab == hex:12ab",
"check if true"
],
"policies": [
"allow if true"
]
},
{
"Ok": 0
}
]
}
},
{
"title": "invalid block rule with unbound_variables",
"filename": "test18_unbound_variables_in_rule.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"read\", \"unbound\", \"any1\", \"any2\"]\n authority: Block[0] {\n symbols: [\"check1\", \"test\", \"read\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n blocks: [\n Block[1] {\n symbols: [\"unbound\", \"any1\", \"any2\"]\n version: 1\n context: \"\"\n facts: []\n rules: [\n operation($unbound, #read) <- operation($any1, $any2)\n ]\n checks: []\n }\n ]\n}"
},
"validations": {
"": [
null,
{
"Err": [
"FailedLogic(InvalidBlockRule(0, \"operation($unbound, #read) <- operation($any1, $any2)\"))"
]
}
]
}
},
{
"title": "invalid block rule generating an #authority or #ambient symbol with a variable",
"filename": "test19_generating_ambient_from_variables.bc",
"print_token": {
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"read\", \"any\"]\n authority: Block[0] {\n symbols: [\"check1\", \"test\", \"read\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n blocks: [\n Block[1] {\n symbols: [\"any\"]\n version: 1\n context: \"\"\n facts: []\n rules: [\n operation($ambient, #read) <- operation($ambient, $any)\n ]\n checks: []\n }\n ]\n}"
},
"validations": {
"": [
{
"facts": [
"operation(#ambient, #write)",
"revocation_id(0, hex:4bfc06061aaef82c0ae7b04c9e0842235815eb1247e3601f6e762fbfbf5b8227)",
"revocation_id(1, hex:b8b5c6fe921a9ea1bbfd6563cc8ca659cbdd5d40f27a193858ccab4bea942b50)",
"unique_revocation_id(0, hex:9ec280773834c66a7174b43b0f8ff8e25d3208a7e09be330ee270dc2ab773be7)",
"unique_revocation_id(1, hex:0ed2377dc83fbf8d86d63745d9256d191fa742aad8c89affa0e7433822df2a60)"
],
"rules": [
"operation($ambient, #read) <- operation($ambient, $any)"
],
"privileged_rules": [],
"checks": [
"check if operation(#ambient, #read)"
],
"policies": [
"allow if true"
]
},
{
"Err": [
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if operation(#ambient, #read)\" })"
]
}
]
}
}
]
}