Skip to content

Commit

Permalink
ensure that FFI function names are only defined on FFI operations
Browse files Browse the repository at this point in the history
  • Loading branch information
divarvel committed Nov 12, 2024
1 parent f6047ec commit 128c031
Show file tree
Hide file tree
Showing 5 changed files with 121 additions and 61 deletions.
2 changes: 0 additions & 2 deletions biscuit-auth/src/capi.rs
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,6 @@ pub enum ErrorKind {
FormatPublicKeyTableOverlap,
FormatUnknownExternalKey,
FormatUnknownSymbol,
FormatMissingFfiName,
AppendOnSealed,
LogicInvalidBlockRule,
LogicUnauthorized,
Expand Down Expand Up @@ -159,7 +158,6 @@ pub extern "C" fn error_kind() -> ErrorKind {
ErrorKind::FormatUnknownExternalKey
}
Token::Format(Format::UnknownSymbol(_)) => ErrorKind::FormatUnknownSymbol,
Token::Format(Format::MissingFfiName) => ErrorKind::FormatMissingFfiName,
Token::AppendOnSealed => ErrorKind::AppendOnSealed,
Token::AlreadySealed => ErrorKind::AlreadySealed,
Token::Language(_) => ErrorKind::LanguageError,
Expand Down
2 changes: 0 additions & 2 deletions biscuit-auth/src/error.rs
Original file line number Diff line number Diff line change
Expand Up @@ -150,8 +150,6 @@ pub enum Format {
UnknownExternalKey,
#[error("the symbol id was not in the table")]
UnknownSymbol(u64),
#[error("missing FFI name field")]
MissingFfiName,
}

/// Signature errors
Expand Down
134 changes: 78 additions & 56 deletions biscuit-auth/src/format/convert.rs
Original file line number Diff line number Diff line change
Expand Up @@ -738,64 +738,86 @@ pub mod v2 {
use schema::{op, op_binary, op_unary};
Ok(match op.content.as_ref() {
Some(op::Content::Value(id)) => Op::Value(proto_id_to_token_term(id)?),
Some(op::Content::Unary(u)) => match op_unary::Kind::from_i32(u.kind) {
Some(op_unary::Kind::Negate) => Op::Unary(Unary::Negate),
Some(op_unary::Kind::Parens) => Op::Unary(Unary::Parens),
Some(op_unary::Kind::Length) => Op::Unary(Unary::Length),
Some(op_unary::Kind::TypeOf) => Op::Unary(Unary::TypeOf),
Some(op_unary::Kind::Ffi) => match u.ffi_name.as_ref() {
// todo clementd error if ffi name is defined with another kind
Some(n) => Op::Unary(Unary::Ffi(n.to_owned())),
None => return Err(error::Format::MissingFfiName),
},
None => {
return Err(error::Format::DeserializationError(
"deserialization error: unary operation is empty".to_string(),
))
}
},
Some(op::Content::Binary(b)) => match op_binary::Kind::from_i32(b.kind) {
Some(op_binary::Kind::LessThan) => Op::Binary(Binary::LessThan),
Some(op_binary::Kind::GreaterThan) => Op::Binary(Binary::GreaterThan),
Some(op_binary::Kind::LessOrEqual) => Op::Binary(Binary::LessOrEqual),
Some(op_binary::Kind::GreaterOrEqual) => Op::Binary(Binary::GreaterOrEqual),
Some(op_binary::Kind::Equal) => Op::Binary(Binary::Equal),
Some(op_binary::Kind::Contains) => Op::Binary(Binary::Contains),
Some(op_binary::Kind::Prefix) => Op::Binary(Binary::Prefix),
Some(op_binary::Kind::Suffix) => Op::Binary(Binary::Suffix),
Some(op_binary::Kind::Regex) => Op::Binary(Binary::Regex),
Some(op_binary::Kind::Add) => Op::Binary(Binary::Add),
Some(op_binary::Kind::Sub) => Op::Binary(Binary::Sub),
Some(op_binary::Kind::Mul) => Op::Binary(Binary::Mul),
Some(op_binary::Kind::Div) => Op::Binary(Binary::Div),
Some(op_binary::Kind::And) => Op::Binary(Binary::And),
Some(op_binary::Kind::Or) => Op::Binary(Binary::Or),
Some(op_binary::Kind::Intersection) => Op::Binary(Binary::Intersection),
Some(op_binary::Kind::Union) => Op::Binary(Binary::Union),
Some(op_binary::Kind::BitwiseAnd) => Op::Binary(Binary::BitwiseAnd),
Some(op_binary::Kind::BitwiseOr) => Op::Binary(Binary::BitwiseOr),
Some(op_binary::Kind::BitwiseXor) => Op::Binary(Binary::BitwiseXor),
Some(op_binary::Kind::NotEqual) => Op::Binary(Binary::NotEqual),
Some(op_binary::Kind::HeterogeneousEqual) => Op::Binary(Binary::HeterogeneousEqual),
Some(op_binary::Kind::HeterogeneousNotEqual) => {
Op::Binary(Binary::HeterogeneousNotEqual)
Some(op::Content::Unary(u)) => {
match (op_unary::Kind::from_i32(u.kind), u.ffi_name.as_ref()) {
(Some(op_unary::Kind::Negate), None) => Op::Unary(Unary::Negate),
(Some(op_unary::Kind::Parens), None) => Op::Unary(Unary::Parens),
(Some(op_unary::Kind::Length), None) => Op::Unary(Unary::Length),
(Some(op_unary::Kind::TypeOf), None) => Op::Unary(Unary::TypeOf),
(Some(op_unary::Kind::Ffi), Some(n)) => Op::Unary(Unary::Ffi(n.to_owned())),
(Some(op_unary::Kind::Ffi), None) => {
return Err(error::Format::DeserializationError(
"deserialization error: missing ffi name".to_string(),
))
}
(Some(_), Some(_)) => {
return Err(error::Format::DeserializationError(
"deserialization error: ffi name set on a regular unary operation"
.to_string(),
))
}
(None, _) => {
return Err(error::Format::DeserializationError(
"deserialization error: unary operation is empty".to_string(),
))
}
}
Some(op_binary::Kind::LazyAnd) => Op::Binary(Binary::LazyAnd),
Some(op_binary::Kind::LazyOr) => Op::Binary(Binary::LazyOr),
Some(op_binary::Kind::All) => Op::Binary(Binary::All),
Some(op_binary::Kind::Any) => Op::Binary(Binary::Any),
Some(op_binary::Kind::Get) => Op::Binary(Binary::Get),
Some(op_binary::Kind::Ffi) => match b.ffi_name.as_ref() {
// todo clementd error if ffi name is defined with another kind
Some(n) => Op::Binary(Binary::Ffi(n.to_owned())),
None => return Err(error::Format::MissingFfiName),
},
None => {
return Err(error::Format::DeserializationError(
"deserialization error: binary operation is empty".to_string(),
))
}
Some(op::Content::Binary(b)) => {
match (op_binary::Kind::from_i32(b.kind), b.ffi_name.as_ref()) {
(Some(op_binary::Kind::LessThan), None) => Op::Binary(Binary::LessThan),
(Some(op_binary::Kind::GreaterThan), None) => Op::Binary(Binary::GreaterThan),
(Some(op_binary::Kind::LessOrEqual), None) => Op::Binary(Binary::LessOrEqual),
(Some(op_binary::Kind::GreaterOrEqual), None) => {
Op::Binary(Binary::GreaterOrEqual)
}
(Some(op_binary::Kind::Equal), None) => Op::Binary(Binary::Equal),
(Some(op_binary::Kind::Contains), None) => Op::Binary(Binary::Contains),
(Some(op_binary::Kind::Prefix), None) => Op::Binary(Binary::Prefix),
(Some(op_binary::Kind::Suffix), None) => Op::Binary(Binary::Suffix),
(Some(op_binary::Kind::Regex), None) => Op::Binary(Binary::Regex),
(Some(op_binary::Kind::Add), None) => Op::Binary(Binary::Add),
(Some(op_binary::Kind::Sub), None) => Op::Binary(Binary::Sub),
(Some(op_binary::Kind::Mul), None) => Op::Binary(Binary::Mul),
(Some(op_binary::Kind::Div), None) => Op::Binary(Binary::Div),
(Some(op_binary::Kind::And), None) => Op::Binary(Binary::And),
(Some(op_binary::Kind::Or), None) => Op::Binary(Binary::Or),
(Some(op_binary::Kind::Intersection), None) => Op::Binary(Binary::Intersection),
(Some(op_binary::Kind::Union), None) => Op::Binary(Binary::Union),
(Some(op_binary::Kind::BitwiseAnd), None) => Op::Binary(Binary::BitwiseAnd),
(Some(op_binary::Kind::BitwiseOr), None) => Op::Binary(Binary::BitwiseOr),
(Some(op_binary::Kind::BitwiseXor), None) => Op::Binary(Binary::BitwiseXor),
(Some(op_binary::Kind::NotEqual), None) => Op::Binary(Binary::NotEqual),
(Some(op_binary::Kind::HeterogeneousEqual), None) => {
Op::Binary(Binary::HeterogeneousEqual)
}
(Some(op_binary::Kind::HeterogeneousNotEqual), None) => {
Op::Binary(Binary::HeterogeneousNotEqual)
}
(Some(op_binary::Kind::LazyAnd), None) => Op::Binary(Binary::LazyAnd),
(Some(op_binary::Kind::LazyOr), None) => Op::Binary(Binary::LazyOr),
(Some(op_binary::Kind::All), None) => Op::Binary(Binary::All),
(Some(op_binary::Kind::Any), None) => Op::Binary(Binary::Any),
(Some(op_binary::Kind::Get), None) => Op::Binary(Binary::Get),
(Some(op_binary::Kind::Ffi), Some(n)) => Op::Binary(Binary::Ffi(n.to_owned())),
(Some(op_binary::Kind::Ffi), None) => {
return Err(error::Format::DeserializationError(
"deserialization error: missing ffi name".to_string(),
))
}
(Some(_), Some(_)) => {
return Err(error::Format::DeserializationError(
"deserialization error: ffi name set on a regular binary operation"
.to_string(),
))
}
(None, _) => {
return Err(error::Format::DeserializationError(
"deserialization error: binary operation is empty".to_string(),
))
}
}
},
}
Some(op::Content::Closure(op_closure)) => Op::Closure(
op_closure.params.clone(),
op_closure
Expand Down
42 changes: 42 additions & 0 deletions biscuit-auth/src/token/builder.rs
Original file line number Diff line number Diff line change
Expand Up @@ -532,6 +532,25 @@ impl Term {
datalog::Term::Set(s.into_iter().map(|i| i.to_datalog(symbols)).collect())
}
Term::Null => datalog::Term::Null,
Term::Array(a) => {
datalog::Term::Array(a.into_iter().map(|i| i.to_datalog(symbols)).collect())
}
Term::Map(m) => datalog::Term::Map(
m.into_iter()
.map(|(k, i)| {
(
match k {
MapKey::Integer(i) => datalog::MapKey::Integer(i),
MapKey::Str(s) => datalog::MapKey::Str(symbols.insert(&s)),
// The error is caught in the `add_xxx` functions, so this should
// not happen™
MapKey::Parameter(s) => panic!("Remaining parameter {}", &s),
},
i.to_datalog(symbols),
)
})
.collect(),
),
// The error is caught in the `add_xxx` functions, so this should
// not happen™
Term::Parameter(s) => panic!("Remaining parameter {}", &s),
Expand Down Expand Up @@ -565,6 +584,29 @@ impl Term {
.collect::<Result<_, _>>()?,
),
datalog::Term::Null => Term::Null,
datalog::Term::Array(a) => Term::Array(
a.into_iter()
.map(|i| Self::from_datalog(i, symbols))
.collect::<Result<_, _>>()?,
),
datalog::Term::Map(m) => Term::Map(
m.into_iter()
.map(|(k, i)| {
Ok((
match k {
datalog::MapKey::Integer(i) => MapKey::Integer(i),
datalog::MapKey::Str(s) => MapKey::Str(
symbols
.get_symbol(s)
.ok_or(error::Expression::UnknownSymbol(s))?
.to_string(),
),
},
Self::from_datalog(i, symbols)?,
))
})
.collect::<Result<_, _>>()?,
),
})
}
}
Expand Down
2 changes: 1 addition & 1 deletion biscuit-auth/tests/capi.rs
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ biscuit append error? (null)
authorizer creation error? (null)
authorizer add check error? (null)
authorizer add policy error? (null)
authorizer error(code = 22): authorization failed
authorizer error(code = 21): authorization failed
failed checks (2):
Authorizer check 0: check if right("efgh")
Block 1, check 0: check if operation("read")
Expand Down

0 comments on commit 128c031

Please sign in to comment.