mirror of
https://github.com/biscuit-auth/biscuit.git
synced 2024-10-26 06:40:35 +03:00
JSON testcases results and rewrite of testcases README
This commit is contained in:
parent
5e7e01a744
commit
7bd158a3ed
@ -37,26 +37,31 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
validation:
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"resource(#ambient, \"file1\")",
|
"resource(#ambient, \"file1\")",
|
||||||
"revocation_id(0, hex:596a24631a8eeec5cbc0d84fc6c22fec1a524c7367bc8926827201ddd218f4bb)",
|
"revocation_id(0, hex:596a24631a8eeec5cbc0d84fc6c22fec1a524c7367bc8926827201ddd218f4bb)",
|
||||||
"revocation_id(1, hex:dec4e0a7f817fe6c5964a18e9f0eae5564c12531b05dc4525f553570519baa87)",
|
"revocation_id(1, hex:dec4e0a7f817fe6c5964a18e9f0eae5564c12531b05dc4525f553570519baa87)",
|
||||||
"right(#authority, \"file1\", #read)",
|
"right(#authority, \"file1\", #read)",
|
||||||
"right(#authority, \"file1\", #write)",
|
"right(#authority, \"file1\", #write)",
|
||||||
"right(#authority, \"file2\", #read)",
|
"right(#authority, \"file2\", #read)",
|
||||||
]
|
"unique_revocation_id(0, hex:0478d85ecc0176ecb7c4609216c10be4456bd288b28d1bc2d9ee6247935e968c)",
|
||||||
privileged rules: []
|
"unique_revocation_id(1, hex:ac3e75a72e35b936963e77d06a6aee38fc2654084f5a964dd4aaf7b02ae25774)",
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Block[1][0]: check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation: `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)" })])))`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\" })"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -90,7 +95,9 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
validation: `Err(Format(UnknownPublicKey))`
|
validation:
|
||||||
|
Err(["Format(UnknownPublicKey)"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -126,7 +133,9 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
validation: `Err(Format(DeserializationError("deserialization error: invalid size for z = 16 bytes")))`
|
validation:
|
||||||
|
Err(["Format(DeserializationError(\"deserialization error: invalid size for z = 16 bytes\"))"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -162,7 +171,9 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
validation: `Err(Format(Signature(InvalidSignature)))`
|
validation:
|
||||||
|
Err(["Format(Signature(InvalidSignature))"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -198,7 +209,9 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
validation: `Err(Format(Signature(InvalidSignature)))`
|
validation:
|
||||||
|
Err(["Format(Signature(InvalidSignature))"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -234,7 +247,50 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
validation: `Err(InvalidBlockIndex(InvalidBlockIndex { expected: 1, found: 2 }))`
|
biscuit3 (2 checks):
|
||||||
|
```
|
||||||
|
Biscuit {
|
||||||
|
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "read", "write", "check1", "0", "check2"]
|
||||||
|
authority: Block[0] {
|
||||||
|
symbols: ["read", "write"]
|
||||||
|
version: 1
|
||||||
|
context: ""
|
||||||
|
facts: [
|
||||||
|
right(#authority, "file1", #read),
|
||||||
|
right(#authority, "file2", #read),
|
||||||
|
right(#authority, "file1", #write)
|
||||||
|
]
|
||||||
|
rules: []
|
||||||
|
checks: []
|
||||||
|
}
|
||||||
|
blocks: [
|
||||||
|
Block[1] {
|
||||||
|
symbols: ["check1", "0"]
|
||||||
|
version: 1
|
||||||
|
context: ""
|
||||||
|
facts: []
|
||||||
|
rules: []
|
||||||
|
checks: [
|
||||||
|
check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)
|
||||||
|
]
|
||||||
|
},
|
||||||
|
Block[2] {
|
||||||
|
symbols: ["check2"]
|
||||||
|
version: 1
|
||||||
|
context: ""
|
||||||
|
facts: []
|
||||||
|
rules: []
|
||||||
|
checks: [
|
||||||
|
check if resource(#ambient, "file1")
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
validation:
|
||||||
|
Err(["InvalidBlockIndex(InvalidBlockIndex { expected: 1, found: 2 })"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -270,7 +326,9 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
validation: `Err(FailedLogic(InvalidBlockFact(0, "right(#authority, \"file1\", #write)")))`
|
validation:
|
||||||
|
Err(["FailedLogic(InvalidBlockFact(0, \"right(#authority, \\\"file1\\\", #write)\"))"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -306,7 +364,9 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
validation: `Err(FailedLogic(InvalidBlockFact(0, "right(#ambient, \"file1\", #write)")))`
|
validation:
|
||||||
|
Err(["FailedLogic(InvalidBlockFact(0, \"right(#ambient, \\\"file1\\\", #write)\"))"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -339,26 +399,31 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
validation:
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"operation(#ambient, #read)",
|
"operation(#ambient, #read)",
|
||||||
"resource(#ambient, \"file1\")",
|
"resource(#ambient, \"file1\")",
|
||||||
"revocation_id(0, hex:deaf1b539fda04436be70357d4dca8435581661e47d5a6b690054a9e7b63ed09)",
|
"revocation_id(0, hex:deaf1b539fda04436be70357d4dca8435581661e47d5a6b690054a9e7b63ed09)",
|
||||||
"revocation_id(1, hex:e1ad30e387ff5b866bf631ac3c572256730cba0612d88054a863aa8c0702dbd6)",
|
"revocation_id(1, hex:e1ad30e387ff5b866bf631ac3c572256730cba0612d88054a863aa8c0702dbd6)",
|
||||||
"time(#ambient, 2020-12-21T09:23:12+00:00)",
|
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
|
||||||
]
|
"unique_revocation_id(0, hex:d826759b8f88ad1734983dd8905d2c4ab59174dbbb58deb6b41a185c771c6db9)",
|
||||||
privileged rules: []
|
"unique_revocation_id(1, hex:8d83291e5389f2affb822b953712fe4f822d847ba37b7680475795c59ab5eef7)",
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Block[1][0]: check if resource(#ambient, \"file1\")",
|
|
||||||
"Block[1][1]: check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation: `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: "check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00" })])))`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if resource(#ambient, \"file1\")",
|
||||||
|
"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: \"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00\" })"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -394,9 +459,10 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
validation:
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"operation(#ambient, #read)",
|
"operation(#ambient, #read)",
|
||||||
"owner(#ambient, #alice, \"file1\")",
|
"owner(#ambient, #alice, \"file1\")",
|
||||||
"resource(#ambient, \"file1\")",
|
"resource(#ambient, \"file1\")",
|
||||||
@ -404,21 +470,25 @@ World {
|
|||||||
"revocation_id(1, hex:9065c0f8a4abad0c01877a2a9427e948688fbe296069eeef021179d5b936e260)",
|
"revocation_id(1, hex:9065c0f8a4abad0c01877a2a9427e948688fbe296069eeef021179d5b936e260)",
|
||||||
"right(#authority, \"file1\", #read)",
|
"right(#authority, \"file1\", #read)",
|
||||||
"right(#authority, \"file1\", #write)",
|
"right(#authority, \"file1\", #write)",
|
||||||
]
|
"unique_revocation_id(0, hex:77ead539aa3809c7e766925bf898b9418c994144ceefc5bc10ff2bc478e3aa74)",
|
||||||
privileged rules: [
|
"unique_revocation_id(1, hex:9354cac9510f2e4117f703806b1185ce2e2ef342f1e0f82fc16fb51ea25c93bc)",
|
||||||
|
}
|
||||||
|
privileged rules: {
|
||||||
"right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
|
"right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
|
||||||
"right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
|
"right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
|
||||||
]
|
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Block[1][0]: check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
|
|
||||||
"Block[1][1]: check if resource(#ambient, $0), owner(#ambient, #alice, $0)",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation: `Ok(())`
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if resource(#ambient, $0), owner(#ambient, #alice, $0)",
|
||||||
|
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(0)
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -443,24 +513,28 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
validation:
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"operation(#ambient, #read)",
|
"operation(#ambient, #read)",
|
||||||
"resource(#ambient, \"file2\")",
|
"resource(#ambient, \"file2\")",
|
||||||
"revocation_id(0, hex:ea25b30574845105fb8def0856560d07182bf5ab14fd4d32040431a69d788534)",
|
"revocation_id(0, hex:ea25b30574845105fb8def0856560d07182bf5ab14fd4d32040431a69d788534)",
|
||||||
"right(#authority, \"file1\", #read)",
|
"right(#authority, \"file1\", #read)",
|
||||||
]
|
"unique_revocation_id(0, hex:28bad2a134eeb69dff4cbc775538ef7d8d5173d1966ee7ab0b9e8a251fcf7de6)",
|
||||||
privileged rules: []
|
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Verifier[0]: check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation: `Err(FailedLogic(FailedChecks([Verifier(FailedVerifierCheck { check_id: 0, rule: "check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)" })])))`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Err(["Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)\" })"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -485,40 +559,47 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
validation for "file1":
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"operation(#ambient, #read)",
|
"operation(#ambient, #read)",
|
||||||
"resource(#ambient, \"file1\")",
|
"resource(#ambient, \"file1\")",
|
||||||
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
|
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
|
||||||
]
|
"unique_revocation_id(0, hex:cb0851f400633efb2cbce563dbfdd95d8eadf01c89d7040d896afe1b993cc92e)",
|
||||||
privileged rules: []
|
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Block[0][0]: check if resource(#ambient, \"file1\")",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation for "file1": `Ok(())`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if resource(#ambient, \"file1\")",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(0)
|
||||||
|
validation for "file2":
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"operation(#ambient, #read)",
|
"operation(#ambient, #read)",
|
||||||
"resource(#ambient, \"file2\")",
|
"resource(#ambient, \"file2\")",
|
||||||
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
|
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
|
||||||
]
|
"unique_revocation_id(0, hex:cb0851f400633efb2cbce563dbfdd95d8eadf01c89d7040d896afe1b993cc92e)",
|
||||||
privileged rules: []
|
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Block[0][0]: check if resource(#ambient, \"file1\")",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation for "file2": `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if resource(#ambient, \"file1\")" })])))`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if resource(#ambient, \"file1\")",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, \\\"file1\\\")\" })"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -556,53 +637,62 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
validation for "file1":
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"resource(#ambient, \"file1\")",
|
"resource(#ambient, \"file1\")",
|
||||||
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
|
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
|
||||||
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
|
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
|
||||||
"right(#authority, \"file1\", #read)",
|
"right(#authority, \"file1\", #read)",
|
||||||
"right(#authority, \"file2\", #read)",
|
"right(#authority, \"file2\", #read)",
|
||||||
"time(#ambient, 2020-12-21T09:23:12+00:00)",
|
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
|
||||||
|
"unique_revocation_id(0, hex:f3d30b0803140c5d649b6c867e3b92e709f59f7fecae16d82582a752c7a4c27d)",
|
||||||
|
"unique_revocation_id(1, hex:0089819a8a2e858aaee2a0b2dcc5eb1487d08744a2c72d46371a13861efa04e0)",
|
||||||
"valid_date(\"file1\")",
|
"valid_date(\"file1\")",
|
||||||
]
|
}
|
||||||
privileged rules: []
|
privileged rules: {}
|
||||||
rules: [
|
rules: {
|
||||||
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
|
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
|
||||||
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)",
|
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)",
|
||||||
]
|
|
||||||
checks: [
|
|
||||||
"Block[1][0]: check if valid_date($0), resource(#ambient, $0)",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation for "file1": `Ok(())`
|
checks: {
|
||||||
|
"check if valid_date($0), resource(#ambient, $0)",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(0)
|
||||||
|
validation for "file2":
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"resource(#ambient, \"file2\")",
|
"resource(#ambient, \"file2\")",
|
||||||
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
|
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
|
||||||
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
|
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
|
||||||
"right(#authority, \"file1\", #read)",
|
"right(#authority, \"file1\", #read)",
|
||||||
"right(#authority, \"file2\", #read)",
|
"right(#authority, \"file2\", #read)",
|
||||||
"time(#ambient, 2020-12-21T09:23:12+00:00)",
|
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
|
||||||
]
|
"unique_revocation_id(0, hex:f3d30b0803140c5d649b6c867e3b92e709f59f7fecae16d82582a752c7a4c27d)",
|
||||||
privileged rules: []
|
"unique_revocation_id(1, hex:0089819a8a2e858aaee2a0b2dcc5eb1487d08744a2c72d46371a13861efa04e0)",
|
||||||
rules: [
|
}
|
||||||
|
privileged rules: {}
|
||||||
|
rules: {
|
||||||
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
|
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
|
||||||
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)",
|
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)",
|
||||||
]
|
|
||||||
checks: [
|
|
||||||
"Block[1][0]: check if valid_date($0), resource(#ambient, $0)",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation for "file2": `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if valid_date($0), resource(#ambient, $0)" })])))`
|
checks: {
|
||||||
|
"check if valid_date($0), resource(#ambient, $0)",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Err(["Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if valid_date($0), resource(#ambient, $0)\" })"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -627,38 +717,45 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
validation for "file1":
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"resource(#ambient, \"file1\")",
|
"resource(#ambient, \"file1\")",
|
||||||
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
|
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
|
||||||
]
|
"unique_revocation_id(0, hex:2c0433654ba29e119f951e2b453f2d6397546fe9146afd6ed29478829cd34a9b)",
|
||||||
privileged rules: []
|
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Block[0][0]: check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation for "file1": `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")" })])))`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, $0), $0.matches(\\\"file[0-9]+.txt\\\")\" })"])
|
||||||
|
validation for "file123":
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"resource(#ambient, \"file123.txt\")",
|
"resource(#ambient, \"file123.txt\")",
|
||||||
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
|
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
|
||||||
]
|
"unique_revocation_id(0, hex:2c0433654ba29e119f951e2b453f2d6397546fe9146afd6ed29478829cd34a9b)",
|
||||||
privileged rules: []
|
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Block[0][0]: check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation for "file123.txt": `Ok(())`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(0)
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -683,27 +780,33 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
validation:
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"must_be_present(#authority, \"hello\")",
|
"must_be_present(#authority, \"hello\")",
|
||||||
"revocation_id(0, hex:1ded979c6661e34b09cedf85c778ab0f0304e7c0ca44382348e76147cb1fa3f3)",
|
"revocation_id(0, hex:1ded979c6661e34b09cedf85c778ab0f0304e7c0ca44382348e76147cb1fa3f3)",
|
||||||
]
|
"unique_revocation_id(0, hex:d82576a159d14b629e74d1b2cbcd53e764c18ad3d3dfc51115fc8172efbe1480)",
|
||||||
privileged rules: []
|
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Verifier[0]: check if must_be_present(#authority, $0) or must_be_present($0)",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation: `Ok(())`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if must_be_present(#authority, $0) or must_be_present($0)",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(0)
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
## check head name should be independent from fact names: test16_caveat_head_name.bc
|
## check head name should be independent from fact names: test16_caveat_head_name.bc
|
||||||
biscuit: Biscuit {
|
biscuit:
|
||||||
|
```
|
||||||
|
Biscuit {
|
||||||
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "check1", "test", "hello"]
|
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "check1", "test", "hello"]
|
||||||
authority: Block[0] {
|
authority: Block[0] {
|
||||||
symbols: ["check1", "test", "hello"]
|
symbols: ["check1", "test", "hello"]
|
||||||
@ -728,28 +831,37 @@ biscuit: Biscuit {
|
|||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
validation:
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"check1(#test)",
|
"check1(#test)",
|
||||||
"revocation_id(0, hex:8f03890eeaa997cd03da71115168e41425b2be82731026225b0c5b87163e4d8e)",
|
"revocation_id(0, hex:8f03890eeaa997cd03da71115168e41425b2be82731026225b0c5b87163e4d8e)",
|
||||||
"revocation_id(1, hex:94fff36a9fa4d4149ab1488bf4aa84ed0bab0075cc7d051270367fb9c9688795)",
|
"revocation_id(1, hex:94fff36a9fa4d4149ab1488bf4aa84ed0bab0075cc7d051270367fb9c9688795)",
|
||||||
]
|
"unique_revocation_id(0, hex:83b0b7f0135609102299bd6db8de46722a2c2fcad6a348e684435ba5e528b564)",
|
||||||
privileged rules: []
|
"unique_revocation_id(1, hex:17b70d10fee614414e46e06f2aea2c3986c33eae4faee76a05a904d09f2a587e)",
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Block[0][0]: check if resource(#ambient, #hello)",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation: `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if resource(#ambient, #hello)" })])))`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if resource(#ambient, #hello)",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, #hello)\" })"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
## test expression syntax and all available operations: test17_expressions.bc
|
## test expression syntax and all available operations: test17_expressions.bc
|
||||||
biscuit: Biscuit {
|
biscuit:
|
||||||
|
```
|
||||||
|
Biscuit {
|
||||||
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "query", "abc", "hello", "world"]
|
symbols: ["authority", "ambient", "resource", "operation", "right", "current_time", "revocation_id", "query", "abc", "hello", "world"]
|
||||||
authority: Block[0] {
|
authority: Block[0] {
|
||||||
symbols: ["query", "abc", "hello", "world"]
|
symbols: ["query", "abc", "hello", "world"]
|
||||||
@ -793,49 +905,54 @@ biscuit: Biscuit {
|
|||||||
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
validation:
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"revocation_id(0, hex:28f62066e45ad00c448433083a283d48a14b05cc07adf533d90b216998ae2648)",
|
"revocation_id(0, hex:28f62066e45ad00c448433083a283d48a14b05cc07adf533d90b216998ae2648)",
|
||||||
]
|
"unique_revocation_id(0, hex:66a26c68e9554fbe00be14bc2dafd35361292b78006eea6763940d28c4c6c14d)",
|
||||||
privileged rules: []
|
|
||||||
rules: []
|
|
||||||
checks: [
|
|
||||||
"Block[0][0]: check if true",
|
|
||||||
"Block[0][1]: check if !false",
|
|
||||||
"Block[0][2]: check if false or true",
|
|
||||||
"Block[0][3]: check if 1 < 2",
|
|
||||||
"Block[0][4]: check if 2 > 1",
|
|
||||||
"Block[0][5]: check if 1 <= 2",
|
|
||||||
"Block[0][6]: check if 1 <= 1",
|
|
||||||
"Block[0][7]: check if 2 >= 1",
|
|
||||||
"Block[0][8]: check if 2 >= 2",
|
|
||||||
"Block[0][9]: check if 3 == 3",
|
|
||||||
"Block[0][10]: check if 1 + 2 * 3 - 4 / 2 == 5",
|
|
||||||
"Block[0][11]: check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")",
|
|
||||||
"Block[0][12]: check if \"aaabde\".matches(\"a*c?.e\")",
|
|
||||||
"Block[0][13]: check if \"abcD12\" == \"abcD12\"",
|
|
||||||
"Block[0][14]: check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00",
|
|
||||||
"Block[0][15]: check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00",
|
|
||||||
"Block[0][16]: check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00",
|
|
||||||
"Block[0][17]: check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
|
|
||||||
"Block[0][18]: check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00",
|
|
||||||
"Block[0][19]: check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
|
|
||||||
"Block[0][20]: check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00",
|
|
||||||
"Block[0][21]: check if #abc == #abc",
|
|
||||||
"Block[0][22]: check if hex:12ab == hex:12ab",
|
|
||||||
"Block[0][23]: check if [1, 2].contains(2)",
|
|
||||||
"Block[0][24]: check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00)",
|
|
||||||
"Block[0][25]: check if [false, true].contains(true)",
|
|
||||||
"Block[0][26]: check if [\"abc\", \"def\"].contains(\"abc\")",
|
|
||||||
"Block[0][27]: check if [hex:12ab, hex:34de].contains(hex:34de)",
|
|
||||||
"Block[0][28]: check if [#hello, #world].contains(#hello)",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation: `Ok(())`
|
privileged rules: {}
|
||||||
|
rules: {}
|
||||||
|
checks: {
|
||||||
|
"check if !false",
|
||||||
|
"check if \"aaabde\".matches(\"a*c?.e\")",
|
||||||
|
"check if \"abcD12\" == \"abcD12\"",
|
||||||
|
"check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")",
|
||||||
|
"check if #abc == #abc",
|
||||||
|
"check if 1 + 2 * 3 - 4 / 2 == 5",
|
||||||
|
"check if 1 < 2",
|
||||||
|
"check if 1 <= 1",
|
||||||
|
"check if 1 <= 2",
|
||||||
|
"check if 2 > 1",
|
||||||
|
"check if 2 >= 1",
|
||||||
|
"check if 2 >= 2",
|
||||||
|
"check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00",
|
||||||
|
"check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00",
|
||||||
|
"check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00",
|
||||||
|
"check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00",
|
||||||
|
"check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00",
|
||||||
|
"check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
|
||||||
|
"check if 3 == 3",
|
||||||
|
"check if [\"abc\", \"def\"].contains(\"abc\")",
|
||||||
|
"check if [#hello, #world].contains(#hello)",
|
||||||
|
"check if [1, 2].contains(2)",
|
||||||
|
"check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00)",
|
||||||
|
"check if [false, true].contains(true)",
|
||||||
|
"check if [hex:12ab, hex:34de].contains(hex:34de)",
|
||||||
|
"check if false or true",
|
||||||
|
"check if hex:12ab == hex:12ab",
|
||||||
|
"check if true",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(0)
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -869,7 +986,9 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
validation: `Err(FailedLogic(InvalidBlockRule(0, "operation($unbound, #read) <- operation($any1, $any2)")))`
|
validation:
|
||||||
|
Err(["FailedLogic(InvalidBlockRule(0, \"operation($unbound, #read) <- operation($any1, $any2)\"))"])
|
||||||
|
|
||||||
|
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
@ -903,23 +1022,27 @@ Biscuit {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
this rule should not generate a fact with restricted symbols
|
validation:
|
||||||
verifier world:
|
verifier world:
|
||||||
World {
|
World {
|
||||||
facts: [
|
facts: {
|
||||||
"operation(#ambient, #write)",
|
"operation(#ambient, #write)",
|
||||||
"revocation_id(0, hex:4bfc06061aaef82c0ae7b04c9e0842235815eb1247e3601f6e762fbfbf5b8227)",
|
"revocation_id(0, hex:4bfc06061aaef82c0ae7b04c9e0842235815eb1247e3601f6e762fbfbf5b8227)",
|
||||||
"revocation_id(1, hex:b8b5c6fe921a9ea1bbfd6563cc8ca659cbdd5d40f27a193858ccab4bea942b50)",
|
"revocation_id(1, hex:b8b5c6fe921a9ea1bbfd6563cc8ca659cbdd5d40f27a193858ccab4bea942b50)",
|
||||||
]
|
"unique_revocation_id(0, hex:9ec280773834c66a7174b43b0f8ff8e25d3208a7e09be330ee270dc2ab773be7)",
|
||||||
privileged rules: []
|
"unique_revocation_id(1, hex:0ed2377dc83fbf8d86d63745d9256d191fa742aad8c89affa0e7433822df2a60)",
|
||||||
rules: [
|
|
||||||
"operation($ambient, #read) <- operation($ambient, $any)",
|
|
||||||
]
|
|
||||||
checks: [
|
|
||||||
"Block[0][0]: check if operation(#ambient, #read)",
|
|
||||||
]
|
|
||||||
policies: [
|
|
||||||
"allow if true",
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
validation: `Err(FailedLogic(FailedChecks([Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if operation(#ambient, #read)" })])))`
|
privileged rules: {}
|
||||||
|
rules: {
|
||||||
|
"operation($ambient, #read) <- operation($ambient, $any)",
|
||||||
|
}
|
||||||
|
checks: {
|
||||||
|
"check if operation(#ambient, #read)",
|
||||||
|
}
|
||||||
|
policies: {
|
||||||
|
"allow if true",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Err(["Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if operation(#ambient, #read)\" })"])
|
||||||
|
|
||||||
|
611
samples/v1/samples.json
Normal file
611
samples/v1/samples.json
Normal file
@ -0,0 +1,611 @@
|
|||||||
|
{
|
||||||
|
"root_private_key": "79a33df5e9912e3fa1b7b7d87275c58dc7e8348f45ae783a5aaaf3bceb6bb10e",
|
||||||
|
"root_public_key": "529e780f28d9181c968b0eab9977ed8494a27a4544c3adc1910f41bb3dc36958",
|
||||||
|
"testcases": [
|
||||||
|
{
|
||||||
|
"title": "basic token",
|
||||||
|
"filename": "test1_basic.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"resource(#ambient, \"file1\")",
|
||||||
|
"revocation_id(0, hex:596a24631a8eeec5cbc0d84fc6c22fec1a524c7367bc8926827201ddd218f4bb)",
|
||||||
|
"revocation_id(1, hex:dec4e0a7f817fe6c5964a18e9f0eae5564c12531b05dc4525f553570519baa87)",
|
||||||
|
"right(#authority, \"file1\", #read)",
|
||||||
|
"right(#authority, \"file1\", #write)",
|
||||||
|
"right(#authority, \"file2\", #read)",
|
||||||
|
"unique_revocation_id(0, hex:0478d85ecc0176ecb7c4609216c10be4456bd288b28d1bc2d9ee6247935e968c)",
|
||||||
|
"unique_revocation_id(1, hex:ac3e75a72e35b936963e77d06a6aee38fc2654084f5a964dd4aaf7b02ae25774)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\" })"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "different root key",
|
||||||
|
"filename": "test2_different_root_key.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
null,
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Format(UnknownPublicKey)"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "invalid signature format",
|
||||||
|
"filename": "test3_invalid_signature_format.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
null,
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Format(DeserializationError(\"deserialization error: invalid size for z = 16 bytes\"))"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "random block",
|
||||||
|
"filename": "test4_random_block.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
null,
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Format(Signature(InvalidSignature))"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "invalid signature",
|
||||||
|
"filename": "test5_invalid_signature.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
null,
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Format(Signature(InvalidSignature))"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "reordered blocks",
|
||||||
|
"filename": "test6_reordered_blocks.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n }\n ]\n}",
|
||||||
|
"biscuit3 (2 checks)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\", \"check2\"]\n authority: Block[0] {\n symbols: [\"read\", \"write\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read),\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read)\n ]\n },\n\tBlock[2] {\n symbols: [\"check2\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, \"file1\")\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
null,
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"InvalidBlockIndex(InvalidBlockIndex { expected: 1, found: 2 })"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "invalid block fact with authority tag",
|
||||||
|
"filename": "test7_invalid_block_fact_authority.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"write\", \"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #write)\n ]\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
null,
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"FailedLogic(InvalidBlockFact(0, \"right(#authority, \\\"file1\\\", #write)\"))"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "invalid block fact with ambient tag",
|
||||||
|
"filename": "test8_invalid_block_fact_ambient.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"write\", \"check1\", \"0\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"write\", \"check1\", \"0\"]\n version: 1\n context: \"\"\n facts: [\n right(#ambient, \"file1\", #write)\n ]\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
null,
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"FailedLogic(InvalidBlockFact(0, \"right(#ambient, \\\"file1\\\", #write)\"))"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "expired token",
|
||||||
|
"filename": "test9_expired_token.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"expiration\", \"date\", \"time\"]\n authority: Block[0] {\n symbols: []\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"expiration\", \"date\", \"time\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, \"file1\"),\n check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"operation(#ambient, #read)",
|
||||||
|
"resource(#ambient, \"file1\")",
|
||||||
|
"revocation_id(0, hex:deaf1b539fda04436be70357d4dca8435581661e47d5a6b690054a9e7b63ed09)",
|
||||||
|
"revocation_id(1, hex:e1ad30e387ff5b866bf631ac3c572256730cba0612d88054a863aa8c0702dbd6)",
|
||||||
|
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
|
||||||
|
"unique_revocation_id(0, hex:d826759b8f88ad1734983dd8905d2c4ab59174dbbb58deb6b41a185c771c6db9)",
|
||||||
|
"unique_revocation_id(1, hex:8d83291e5389f2affb822b953712fe4f822d847ba37b7680475795c59ab5eef7)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if resource(#ambient, \"file1\")",
|
||||||
|
"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: \"check if time(#ambient, $date), $date <= 2018-12-20T00:00:00+00:00\" })"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "authority rules",
|
||||||
|
"filename": "test10_authority_rules.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"1\", \"read\", \"owner\", \"0\", \"write\", \"check1\", \"check2\", \"alice\"]\n authority: Block[0] {\n symbols: [\"1\", \"read\", \"owner\", \"0\", \"write\"]\n version: 1\n context: \"\"\n facts: []\n rules: [\n right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1),\n right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)\n ]\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"check1\", \"check2\", \"alice\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1),\n check if resource(#ambient, $0), owner(#ambient, #alice, $0)\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"operation(#ambient, #read)",
|
||||||
|
"owner(#ambient, #alice, \"file1\")",
|
||||||
|
"resource(#ambient, \"file1\")",
|
||||||
|
"revocation_id(0, hex:20262f14cd4d28aa7e95ec93e94c28faf9aac1e7b720fb47f177aea577b18691)",
|
||||||
|
"revocation_id(1, hex:9065c0f8a4abad0c01877a2a9427e948688fbe296069eeef021179d5b936e260)",
|
||||||
|
"right(#authority, \"file1\", #read)",
|
||||||
|
"right(#authority, \"file1\", #write)",
|
||||||
|
"unique_revocation_id(0, hex:77ead539aa3809c7e766925bf898b9418c994144ceefc5bc10ff2bc478e3aa74)",
|
||||||
|
"unique_revocation_id(1, hex:9354cac9510f2e4117f703806b1185ce2e2ef342f1e0f82fc16fb51ea25c93bc)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [
|
||||||
|
"right(#authority, $1, #read) <- resource(#ambient, $1), owner(#ambient, $0, $1)",
|
||||||
|
"right(#authority, $1, #write) <- resource(#ambient, $1), owner(#ambient, $0, $1)"
|
||||||
|
],
|
||||||
|
"checks": [
|
||||||
|
"check if resource(#ambient, $0), owner(#ambient, #alice, $0)",
|
||||||
|
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Ok": 0
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "verifier authority checks",
|
||||||
|
"filename": "test11_verifier_authority_caveats.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n \n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"operation(#ambient, #read)",
|
||||||
|
"resource(#ambient, \"file2\")",
|
||||||
|
"revocation_id(0, hex:ea25b30574845105fb8def0856560d07182bf5ab14fd4d32040431a69d788534)",
|
||||||
|
"right(#authority, \"file1\", #read)",
|
||||||
|
"unique_revocation_id(0, hex:28bad2a134eeb69dff4cbc775538ef7d8d5173d1966ee7ab0b9e8a251fcf7de6)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Verifier(FailedVerifierCheck { check_id: 0, rule: \"check if right(#authority, $0, $1), resource(#ambient, $0), operation(#ambient, $1)\" })"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "authority checks",
|
||||||
|
"filename": "test12_authority_caveats.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\"]\n authority: Block[0] {\n symbols: [\"check1\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, \"file1\")\n ]\n }\n blocks: [\n \n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"file1": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"operation(#ambient, #read)",
|
||||||
|
"resource(#ambient, \"file1\")",
|
||||||
|
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
|
||||||
|
"unique_revocation_id(0, hex:cb0851f400633efb2cbce563dbfdd95d8eadf01c89d7040d896afe1b993cc92e)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if resource(#ambient, \"file1\")"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Ok": 0
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"file2": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"operation(#ambient, #read)",
|
||||||
|
"resource(#ambient, \"file2\")",
|
||||||
|
"revocation_id(0, hex:a5b6e79d15461ee3c304802c00dfa4237c3702f6dd8a1dd148a7b4dfba18ef40)",
|
||||||
|
"unique_revocation_id(0, hex:cb0851f400633efb2cbce563dbfdd95d8eadf01c89d7040d896afe1b993cc92e)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if resource(#ambient, \"file1\")"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, \\\"file1\\\")\" })"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "block rules",
|
||||||
|
"filename": "test13_block_rules.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"read\", \"valid_date\", \"time\", \"0\", \"1\", \"check1\"]\n authority: Block[0] {\n symbols: [\"read\"]\n version: 1\n context: \"\"\n facts: [\n right(#authority, \"file1\", #read),\n right(#authority, \"file2\", #read)\n ]\n rules: []\n checks: []\n }\n blocks: [\n Block[1] {\n symbols: [\"valid_date\", \"time\", \"0\", \"1\", \"check1\"]\n version: 1\n context: \"\"\n facts: []\n rules: [\n valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00,\n valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)\n ]\n checks: [\n check if valid_date($0), resource(#ambient, $0)\n ]\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"file1": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"resource(#ambient, \"file1\")",
|
||||||
|
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
|
||||||
|
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
|
||||||
|
"right(#authority, \"file1\", #read)",
|
||||||
|
"right(#authority, \"file2\", #read)",
|
||||||
|
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
|
||||||
|
"unique_revocation_id(0, hex:f3d30b0803140c5d649b6c867e3b92e709f59f7fecae16d82582a752c7a4c27d)",
|
||||||
|
"unique_revocation_id(1, hex:0089819a8a2e858aaee2a0b2dcc5eb1487d08744a2c72d46371a13861efa04e0)",
|
||||||
|
"valid_date(\"file1\")"
|
||||||
|
],
|
||||||
|
"rules": [
|
||||||
|
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
|
||||||
|
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)"
|
||||||
|
],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if valid_date($0), resource(#ambient, $0)"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Ok": 0
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"file2": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"resource(#ambient, \"file2\")",
|
||||||
|
"revocation_id(0, hex:d6c50661f8f35fbfdc3daa70f6ca41608d628b245c91ba6d6281805aa9f47774)",
|
||||||
|
"revocation_id(1, hex:c17a3b24a64978db6039d093f1109c63417b2dffc63b972abc69eb61ee28885e)",
|
||||||
|
"right(#authority, \"file1\", #read)",
|
||||||
|
"right(#authority, \"file2\", #read)",
|
||||||
|
"time(#ambient, SystemTime { tv_sec: 1608542592, tv_nsec: 0 })",
|
||||||
|
"unique_revocation_id(0, hex:f3d30b0803140c5d649b6c867e3b92e709f59f7fecae16d82582a752c7a4c27d)",
|
||||||
|
"unique_revocation_id(1, hex:0089819a8a2e858aaee2a0b2dcc5eb1487d08744a2c72d46371a13861efa04e0)"
|
||||||
|
],
|
||||||
|
"rules": [
|
||||||
|
"valid_date(\"file1\") <- time(#ambient, $0), resource(#ambient, \"file1\"), $0 <= 2030-12-31T12:59:59+00:00",
|
||||||
|
"valid_date($1) <- time(#ambient, $0), resource(#ambient, $1), $0 <= 1999-12-31T12:59:59+00:00, ![\"file1\"].contains($1)"
|
||||||
|
],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if valid_date($0), resource(#ambient, $0)"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: \"check if valid_date($0), resource(#ambient, $0)\" })"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "regex_constraint",
|
||||||
|
"filename": "test14_regex_constraint.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"resource_match\", \"0\"]\n authority: Block[0] {\n symbols: [\"resource_match\", \"0\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")\n ]\n }\n blocks: [\n \n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"file1": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"resource(#ambient, \"file1\")",
|
||||||
|
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
|
||||||
|
"unique_revocation_id(0, hex:2c0433654ba29e119f951e2b453f2d6397546fe9146afd6ed29478829cd34a9b)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, $0), $0.matches(\\\"file[0-9]+.txt\\\")\" })"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"file123": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"resource(#ambient, \"file123.txt\")",
|
||||||
|
"revocation_id(0, hex:a3a87a95f62fe215a0a83d462b8bb0e8b030d7d4d933706d19c3461a85bd3e83)",
|
||||||
|
"unique_revocation_id(0, hex:2c0433654ba29e119f951e2b453f2d6397546fe9146afd6ed29478829cd34a9b)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if resource(#ambient, $0), $0.matches(\"file[0-9]+.txt\")"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Ok": 0
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "multi queries checks",
|
||||||
|
"filename": "test15_multi_queries_caveats.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"must_be_present\"]\n authority: Block[0] {\n symbols: [\"must_be_present\"]\n version: 1\n context: \"\"\n facts: [\n must_be_present(#authority, \"hello\")\n ]\n rules: []\n checks: []\n }\n blocks: [\n \n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"must_be_present(#authority, \"hello\")",
|
||||||
|
"revocation_id(0, hex:1ded979c6661e34b09cedf85c778ab0f0304e7c0ca44382348e76147cb1fa3f3)",
|
||||||
|
"unique_revocation_id(0, hex:d82576a159d14b629e74d1b2cbcd53e764c18ad3d3dfc51115fc8172efbe1480)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if must_be_present(#authority, $0) or must_be_present($0)"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Ok": 0
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "check head name should be independent from fact names",
|
||||||
|
"filename": "test16_caveat_head_name.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"hello\"]\n authority: Block[0] {\n symbols: [\"check1\", \"test\", \"hello\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if resource(#ambient, #hello)\n ]\n }\n blocks: [\n Block[1] {\n symbols: []\n version: 1\n context: \"\"\n facts: [\n check1(#test)\n ]\n rules: []\n checks: []\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"check1(#test)",
|
||||||
|
"revocation_id(0, hex:8f03890eeaa997cd03da71115168e41425b2be82731026225b0c5b87163e4d8e)",
|
||||||
|
"revocation_id(1, hex:94fff36a9fa4d4149ab1488bf4aa84ed0bab0075cc7d051270367fb9c9688795)",
|
||||||
|
"unique_revocation_id(0, hex:83b0b7f0135609102299bd6db8de46722a2c2fcad6a348e684435ba5e528b564)",
|
||||||
|
"unique_revocation_id(1, hex:17b70d10fee614414e46e06f2aea2c3986c33eae4faee76a05a904d09f2a587e)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if resource(#ambient, #hello)"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if resource(#ambient, #hello)\" })"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "test expression syntax and all available operations",
|
||||||
|
"filename": "test17_expressions.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"query\", \"abc\", \"hello\", \"world\"]\n authority: Block[0] {\n symbols: [\"query\", \"abc\", \"hello\", \"world\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if true,\n check if !false,\n check if false or true,\n check if 1 < 2,\n check if 2 > 1,\n check if 1 <= 2,\n check if 1 <= 1,\n check if 2 >= 1,\n check if 2 >= 2,\n check if 3 == 3,\n check if 1 + 2 * 3 - 4 / 2 == 5,\n check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\"),\n check if \"aaabde\".matches(\"a*c?.e\"),\n check if \"abcD12\" == \"abcD12\",\n check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00,\n check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00,\n check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00,\n check if #abc == #abc,\n check if hex:12ab == hex:12ab,\n check if [1, 2].contains(2),\n check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00),\n check if [false, true].contains(true),\n check if [\"abc\", \"def\"].contains(\"abc\"),\n check if [hex:12ab, hex:34de].contains(hex:34de),\n check if [#hello, #world].contains(#hello)\n ]\n }\n blocks: [\n \n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"revocation_id(0, hex:28f62066e45ad00c448433083a283d48a14b05cc07adf533d90b216998ae2648)",
|
||||||
|
"unique_revocation_id(0, hex:66a26c68e9554fbe00be14bc2dafd35361292b78006eea6763940d28c4c6c14d)"
|
||||||
|
],
|
||||||
|
"rules": [],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if !false",
|
||||||
|
"check if \"aaabde\".matches(\"a*c?.e\")",
|
||||||
|
"check if \"abcD12\" == \"abcD12\"",
|
||||||
|
"check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")",
|
||||||
|
"check if #abc == #abc",
|
||||||
|
"check if 1 + 2 * 3 - 4 / 2 == 5",
|
||||||
|
"check if 1 < 2",
|
||||||
|
"check if 1 <= 1",
|
||||||
|
"check if 1 <= 2",
|
||||||
|
"check if 2 > 1",
|
||||||
|
"check if 2 >= 1",
|
||||||
|
"check if 2 >= 2",
|
||||||
|
"check if 2019-12-04T09:46:41+00:00 < 2020-12-04T09:46:41+00:00",
|
||||||
|
"check if 2019-12-04T09:46:41+00:00 <= 2020-12-04T09:46:41+00:00",
|
||||||
|
"check if 2020-12-04T09:46:41+00:00 == 2020-12-04T09:46:41+00:00",
|
||||||
|
"check if 2020-12-04T09:46:41+00:00 > 2019-12-04T09:46:41+00:00",
|
||||||
|
"check if 2020-12-04T09:46:41+00:00 >= 2019-12-04T09:46:41+00:00",
|
||||||
|
"check if 2020-12-04T09:46:41+00:00 >= 2020-12-04T09:46:41+00:00",
|
||||||
|
"check if 3 == 3",
|
||||||
|
"check if [\"abc\", \"def\"].contains(\"abc\")",
|
||||||
|
"check if [#hello, #world].contains(#hello)",
|
||||||
|
"check if [1, 2].contains(2)",
|
||||||
|
"check if [2019-12-04T09:46:41+00:00, 2020-12-04T09:46:41+00:00].contains(2020-12-04T09:46:41+00:00)",
|
||||||
|
"check if [false, true].contains(true)",
|
||||||
|
"check if [hex:12ab, hex:34de].contains(hex:34de)",
|
||||||
|
"check if false or true",
|
||||||
|
"check if hex:12ab == hex:12ab",
|
||||||
|
"check if true"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Ok": 0
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "invalid block rule with unbound_variables",
|
||||||
|
"filename": "test18_unbound_variables_in_rule.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"read\", \"unbound\", \"any1\", \"any2\"]\n authority: Block[0] {\n symbols: [\"check1\", \"test\", \"read\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n blocks: [\n Block[1] {\n symbols: [\"unbound\", \"any1\", \"any2\"]\n version: 1\n context: \"\"\n facts: []\n rules: [\n operation($unbound, #read) <- operation($any1, $any2)\n ]\n checks: []\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
null,
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"FailedLogic(InvalidBlockRule(0, \"operation($unbound, #read) <- operation($any1, $any2)\"))"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"title": "invalid block rule generating an #authority or #ambient symbol with a variable",
|
||||||
|
"filename": "test19_generating_ambient_from_variables.bc",
|
||||||
|
"print_token": {
|
||||||
|
"biscuit2 (1 check)": "Biscuit {\n symbols: [\"authority\", \"ambient\", \"resource\", \"operation\", \"right\", \"current_time\", \"revocation_id\", \"check1\", \"test\", \"read\", \"any\"]\n authority: Block[0] {\n symbols: [\"check1\", \"test\", \"read\"]\n version: 1\n context: \"\"\n facts: []\n rules: []\n checks: [\n check if operation(#ambient, #read)\n ]\n }\n blocks: [\n Block[1] {\n symbols: [\"any\"]\n version: 1\n context: \"\"\n facts: []\n rules: [\n operation($ambient, #read) <- operation($ambient, $any)\n ]\n checks: []\n }\n ]\n}"
|
||||||
|
},
|
||||||
|
"validations": {
|
||||||
|
"": [
|
||||||
|
{
|
||||||
|
"facts": [
|
||||||
|
"operation(#ambient, #write)",
|
||||||
|
"revocation_id(0, hex:4bfc06061aaef82c0ae7b04c9e0842235815eb1247e3601f6e762fbfbf5b8227)",
|
||||||
|
"revocation_id(1, hex:b8b5c6fe921a9ea1bbfd6563cc8ca659cbdd5d40f27a193858ccab4bea942b50)",
|
||||||
|
"unique_revocation_id(0, hex:9ec280773834c66a7174b43b0f8ff8e25d3208a7e09be330ee270dc2ab773be7)",
|
||||||
|
"unique_revocation_id(1, hex:0ed2377dc83fbf8d86d63745d9256d191fa742aad8c89affa0e7433822df2a60)"
|
||||||
|
],
|
||||||
|
"rules": [
|
||||||
|
"operation($ambient, #read) <- operation($ambient, $any)"
|
||||||
|
],
|
||||||
|
"privileged_rules": [],
|
||||||
|
"checks": [
|
||||||
|
"check if operation(#ambient, #read)"
|
||||||
|
],
|
||||||
|
"policies": [
|
||||||
|
"allow if true"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Err": [
|
||||||
|
"Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: \"check if operation(#ambient, #read)\" })"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user