samples: add a case with a p256 signature on a third-party block

biscuit-auth/examples/testcases.rs

@@ -167,6 +167,8 @@ fn run(target: String, root_key: Option<String>, test: bool, json: bool) {
 
     add_test_result(&mut results, secp256r1(&target, &root, test));
 
+    add_test_result(&mut results, secp256r1_third_party(&target, &root, test));
+
     if json {
         let s = serde_json::to_string_pretty(&TestCases {
             root_private_key: hex::encode(root.private().to_bytes()),
@@ -2418,6 +2420,67 @@ fn secp256r1(target: &str, root: &KeyPair, test: bool) -> TestResult {
     }
 }
 
+fn secp256r1_third_party(target: &str, root: &KeyPair, test: bool) -> TestResult {
+    let mut rng: StdRng = SeedableRng::seed_from_u64(1234);
+    let title = "ECDSA secp256r1 signature on third-party block".to_string();
+    let filename = "test037_secp256r1_third_party".to_string();
+    let token;
+
+    let external_keypair = KeyPair::new_with_rng(Algorithm::Secp256r1, &mut rng);
+    let keypair2 = KeyPair::new_with_rng(Algorithm::Secp256r1, &mut rng);
+    let biscuit1 = biscuit!(
+        r#"
+        right("file1", "read");
+        right("file2", "read");
+        right("file1", "write");
+        check if from_third(true) trusting {external_pub};
+    "#,
+        external_pub = external_keypair.public(),
+    )
+    .build_with_key_pair(&root, SymbolTable::default(), &keypair2)
+    .unwrap();
+
+    let req = biscuit1.third_party_request().unwrap();
+    let block = req
+        .create_block(
+            &external_keypair.private(),
+            block!(
+                r#" check if resource($0), operation("read"), right($0, "read"); from_third(true);"#
+            ),
+        )
+        .unwrap();
+    let keypair3 = KeyPair::new_with_rng(Algorithm::Secp256r1, &mut rng);
+
+    let biscuit2 = biscuit1
+        .append_third_party_with_keypair(external_keypair.public(), block, keypair3)
+        .unwrap();
+
+    token = print_blocks(&biscuit2);
+
+    let data = write_or_load_testcase(target, &filename, root, &biscuit2, test);
+
+    let mut validations = BTreeMap::new();
+    validations.insert(
+        "".to_string(),
+        validate_token(
+            root,
+            &data[..],
+            r#"
+            resource("file1");
+            operation("read");
+            allow if true;
+        "#,
+        ),
+    );
+
+    TestResult {
+        title,
+        filename,
+        token,
+        validations,
+    }
+}
+
 fn print_blocks(token: &Biscuit) -> Vec<BlockContent> {
     let mut v = Vec::new();
 

biscuit-auth/samples/README.md

@@ -3398,3 +3398,114 @@ World {
 
 result: `Ok(0)`
 
+
+------------------------------
+
+## ECDSA secp256r1 signature on third-party block: test037_secp256r1_third_party.bc
+### token
+
+authority:
+symbols: ["file1", "file2", "from_third"]
+
+public keys: ["secp256r1/025e918fd4463832aea2823dfd9716a36b4d9b1377bd53dd82ddf4c0bc75ed6bbf"]
+
+block version: 4
+
+```
+right("file1", "read");
+right("file2", "read");
+right("file1", "write");
+check if from_third(true) trusting secp256r1/025e918fd4463832aea2823dfd9716a36b4d9b1377bd53dd82ddf4c0bc75ed6bbf;
+```
+
+1:
+symbols: ["from_third", "0"]
+
+public keys: []
+
+external signature by: "secp256r1/025e918fd4463832aea2823dfd9716a36b4d9b1377bd53dd82ddf4c0bc75ed6bbf"
+
+block version: 5
+
+```
+from_third(true);
+check if resource($0), operation("read"), right($0, "read");
+```
+
+### validation
+
+authorizer code:
+```
+resource("file1");
+operation("read");
+
+allow if true;
+```
+
+revocation ids:
+- `70f5402208516fd44cfc9df3dfcfc0a327ee9004f1801ed0a7abdcbbae923d566ddcd2d4a14f4622b35732c4e538af04075cc67ab0888fa2d8923cc668187f0f`
+- `30450220793f95665d9af646339503a073670ea2c352459d2a2c2e14c57565f6c7eaf6bc022100cccadfc37e46755f52bb054ed206d7335067885df599a69431db40e33f33d4cf`
+
+authorizer world:
+```
+World {
+  facts: [
+    Facts {
+        origin: {
+            None,
+        },
+        facts: [
+            "operation(\"read\")",
+            "resource(\"file1\")",
+        ],
+    },
+    Facts {
+        origin: {
+            Some(
+                0,
+            ),
+        },
+        facts: [
+            "right(\"file1\", \"read\")",
+            "right(\"file1\", \"write\")",
+            "right(\"file2\", \"read\")",
+        ],
+    },
+    Facts {
+        origin: {
+            Some(
+                1,
+            ),
+        },
+        facts: [
+            "from_third(true)",
+        ],
+    },
+]
+  rules: []
+  checks: [
+    Checks {
+        origin: Some(
+            0,
+        ),
+        checks: [
+            "check if from_third(true) trusting secp256r1/025e918fd4463832aea2823dfd9716a36b4d9b1377bd53dd82ddf4c0bc75ed6bbf",
+        ],
+    },
+    Checks {
+        origin: Some(
+            1,
+        ),
+        checks: [
+            "check if resource($0), operation(\"read\"), right($0, \"read\")",
+        ],
+    },
+]
+  policies: [
+    "allow if true",
+]
+}
+```
+
+result: `Ok(0)`
+

biscuit-auth/samples/samples.json

@@ -3088,6 +3088,96 @@
           ]
         }
       }
+    },
+    {
+      "title": "ECDSA secp256r1 signature on third-party block",
+      "filename": "test037_secp256r1_third_party.bc",
+      "token": [
+        {
+          "symbols": [
+            "file1",
+            "file2",
+            "from_third"
+          ],
+          "public_keys": [
+            "secp256r1/025e918fd4463832aea2823dfd9716a36b4d9b1377bd53dd82ddf4c0bc75ed6bbf"
+          ],
+          "external_key": null,
+          "code": "right(\"file1\", \"read\");\nright(\"file2\", \"read\");\nright(\"file1\", \"write\");\ncheck if from_third(true) trusting secp256r1/025e918fd4463832aea2823dfd9716a36b4d9b1377bd53dd82ddf4c0bc75ed6bbf;\n",
+          "version": 4
+        },
+        {
+          "symbols": [
+            "from_third",
+            "0"
+          ],
+          "public_keys": [],
+          "external_key": "secp256r1/025e918fd4463832aea2823dfd9716a36b4d9b1377bd53dd82ddf4c0bc75ed6bbf",
+          "code": "from_third(true);\ncheck if resource($0), operation(\"read\"), right($0, \"read\");\n",
+          "version": 5
+        }
+      ],
+      "validations": {
+        "": {
+          "world": {
+            "facts": [
+              {
+                "origin": [
+                  null
+                ],
+                "facts": [
+                  "operation(\"read\")",
+                  "resource(\"file1\")"
+                ]
+              },
+              {
+                "origin": [
+                  0
+                ],
+                "facts": [
+                  "right(\"file1\", \"read\")",
+                  "right(\"file1\", \"write\")",
+                  "right(\"file2\", \"read\")"
+                ]
+              },
+              {
+                "origin": [
+                  1
+                ],
+                "facts": [
+                  "from_third(true)"
+                ]
+              }
+            ],
+            "rules": [],
+            "checks": [
+              {
+                "origin": 0,
+                "checks": [
+                  "check if from_third(true) trusting secp256r1/025e918fd4463832aea2823dfd9716a36b4d9b1377bd53dd82ddf4c0bc75ed6bbf"
+                ]
+              },
+              {
+                "origin": 1,
+                "checks": [
+                  "check if resource($0), operation(\"read\"), right($0, \"read\")"
+                ]
+              }
+            ],
+            "policies": [
+              "allow if true"
+            ]
+          },
+          "result": {
+            "Ok": 0
+          },
+          "authorizer_code": "resource(\"file1\");\noperation(\"read\");\n\nallow if true;\n",
+          "revocation_ids": [
+            "70f5402208516fd44cfc9df3dfcfc0a327ee9004f1801ed0a7abdcbbae923d566ddcd2d4a14f4622b35732c4e538af04075cc67ab0888fa2d8923cc668187f0f",
+            "30450220793f95665d9af646339503a073670ea2c352459d2a2c2e14c57565f6c7eaf6bc022100cccadfc37e46755f52bb054ed206d7335067885df599a69431db40e33f33d4cf"
+          ]
+        }
+      }
     }
   ]
 }