Proto commits in biscuit-auth/biscuit-rust

These 93 commits are when the Protocol Buffers files have changed:

2025-03-10

support for `.try()` operation allows explicitly recovering from errors with a fallback value. The left-hand side is evaluated in a closure, which allows the `try` call to recover from failure and return the fallback value instead.

The documentation is generated from this commit.

2024-11-21

remove previous_key from ThirdPartyBlockRequest Same as for `legacyPublicKeys`, it is now deprecated and should not be set. It is kept in the schema to allow implementations to make sure it is not set.

2024-11-20

add support for ecdsa signatures (#108) This adds suport for ECDSA signatures over the secp256r1 curve, following the specification change at https://github.com/biscuit-auth/biscuit/commit/ed1c53d6db5811dfb9d9e395e95135f7f5660dbe. Key creation now takes an algorithm argument Co-authored-by: Clément Delafargue <clement.delafargue.ext@outscale.com>

Merge branch 'v5' into fipscuit

2024-11-19

intern FFI call names Instead of storing strings directly in the ops, do as we do for everything else and use the symbol table. This required duplicating `biscuit_parser::builder::Binary` and `Unary` in the `biscuit_auth::builder` module (which previously used the definitions from the `datalog` module directly). There is a lot of duplication between `biscuit_parser::builder` and `biscuit_auth::builder`, with a circular-ish dependency (biscuit_auth depends on biscuit parser, but code generated by the `ToTokens` impl blocks in biscuit parser depend on `biscuit_auth::builder`).

wip: datalog foreign function interface prototype This allows using external functions in datalog. This makes it easy to provide custom logic without extending the spec for every use-case, at the expense of portability: behaviour is no longer guaranteed to be consistent cross languages, and some languages won’t be able to support it at all (for instance JS as of now). Todo: - stricter conversions from datalog - feature-gating if possible Open questions: - enum index for the FFI variants (contiguous or not?) - how to provide functions (right now, function pointers: prevent mutability and closing over arguments) - how to provide arguments (right now, datalog::Term, so symbols have to be resolved, and functions returning strings have to register new symbols)

Merge branch 'v5' into fipscuit

signature v1 follow up (#245) * remove unused code * separate authority block payload generation * renaming to legacy_previous_key and legacy_public_keys * add a test for the authority block signature v1

renamin to legacy_previou_key and legacy_public_keys

rename ThirdPartyRequest's previousKey to legacyPublicKey

Signature payload format v1 (#230) This updates the payload construction to follow the format defined in https://github.com/biscuit-auth/biscuit/commit/7e601cb1a1057d6accf763fcf2c31b326aaaeae8 We still allow the old fomat for 3rd party block, but by using a different deserialization function in the API, that will be removed in a future major version. This also refactors payload generation to do it all in the same place with reusable functions, for easier audit and modification

2024-11-05

wip: datalog foreign function interface prototype This allows using external functions in datalog. This makes it easy to provide custom logic without extending the spec for every use-case, at the expense of portability: behaviour is no longer guaranteed to be consistent cross languages, and some languages won’t be able to support it at all (for instance JS as of now). Todo: - stricter conversions from datalog - feature-gating if possible Open questions: - enum index for the FFI variants (contiguous or not?) - how to provide functions (right now, function pointers: prevent mutability and closing over arguments) - how to provide arguments (right now, datalog::Term, so symbols have to be resolved, and functions returning strings have to register new symbols)

2024-11-03

Merge branch 'v5' into fipscuit

Merge branch 'v5' into geal/third-party-reuse

add new Array and Map types (#219) This adds support for the array and map types, supporting more structured datalog terms, that we can generate from JSON data and explore through datalog expressions. The map type allows integers strings and parameters as key. This tries to enforce that all array elements are of the same type, but this is not very strict at the moment, it does not look at lower levels of composite types. **breaking changes**: - in the Datalog language, sets will now be delimited by '{' and '}' instead of '[' and ]'. Arrays are now delimited by '[' and ']' - parameter names now need to start with a letter --------- Co-authored-by: Clement Delafargue <clement.delafargue@outscale.com>

Merge branch 'v5' into map-array

2024-10-22

feat: add `.type()` unary method

2024-10-20

Merge branch 'v5' into fipscuit

2024-10-19

update format

2024-06-08

get operation for arrays

Merge branch 'v5' into map-array

Support for closures (#202) This introduces the closure operations to the Biscuit language, first with the `.all()` and `.any()` operations to add conditions on the elements of a set. It is now possible to use expressions with the following format: ``` check if [1,2,3].all($p -> $p > 0); check if [1,2,3].any($p -> $p > 2); ``` Co-authored-by: Geoffroy Couprie <contact@geoffroycouprie.com>

2024-05-26

Merge branch 'v5' into fipscuit

Merge remote-tracking branch 'origin/v5' into closures

Merge branch 'v5' into map-array

Add HeterogeneousEqual and HeterogeneousNotEqual to binary operation (#220) Context: https://github.com/biscuit-auth/biscuit/issues/130 This introduces the `HeterogeneousEqual` and `HeterogeneousNotEqual` operations, which will not return an error when their operands have different types, contrary to the existing `Equal` and `NotEqual` operations. **breaking change**: this does not change the execution of existing tokens, but changes the text representation of the language. `Equal` was `==` and is now `===`, `NotEqual` was `!=` and is now `!==`, `HeterogeneousEqual` is `==` and `HeterogeneousNotEqual` is `!=` --------- Co-authored-by: Geoffroy Couprie <contact@geoffroycouprie.com> Co-authored-by: Clément Delafargue <clement@delafargue.name>

2024-05-23

introduce a map type it accepts integers, strings and parameters as keys

add a new Array type this tries to enforce that all array elements are of the same type, but this is not very strict at the moment, it does not look at lower levels of composite types. **breaking change**: in the Datalog language, sets will now be delimited by '{' and '}' instead of '[' and ]'. Arrays are now delimited by '[' and ']'

Merge branch 'v5' into closures

Merge branch 'v5' into fipscuit

add support for the null type (#218)

update protobuf enum

Merge branch 'v5' into fipscuit

2024-05-22

add support for the null type

Merge branch 'v5' into closures

wip

2024-05-12

Reject if (#199) * feat: add `reject if` This acts like the opposite of `check if`: if there is a match, then authorization fails. Using `reject if` raises the block version to 5 * fix: run rustfmt on datalog/mod.rs The file contained trailing slashes that made rustfmt crash --------- Co-authored-by: Geoffroy Couprie <contact@geoffroycouprie.com>

2024-01-02

closures: support for any/all, recursive ops, protobuf encoding

2023-12-28

feat: add `reject if` This acts like the opposite of `check if`: if there is a match, then authorization fails. Using `reject if` raises the block version to 5

2023-08-24

Merge branch 'main' into fipscuit

2023-01-29

Refactor authorizer serialization (#127) This separates the `AuthorizerPolicies`, used to load data in an authorizer to perform an authorization, from the `AuthorizerSnapshot`, that serializes an entire authorizer excution, along with the token's data and runtime limits

2022-12-29

add the runtime limits and execution measures to the snapshot

Merge branch 'main' into refactor-authorizer-serialization

add a test to check the generated protobuf code is up to date (#131) * add a test to check the generated protobu code is up to date * update the schema

update the schema

update the schema

2022-12-27

schema refactoring

remove the public key map

2022-12-26

use a SnapshotBlock structure

2022-12-23

origin should be a oneof

refactor snapshots

deserialize

2022-12-20

new authorizer snapshot format

update the schema

2022-11-05

Merge branch 'master' into fipscuit

Check all implementation (#107) * add an enum to checks to differentiate check if and check all * move expression evaluation out of the iterator * implement "check all" "check all" validates that for all the fact sets that it unifies, all the expressions will return true * add a sample for check all * set the block version 4 if it contains "check all"

2022-10-11

start support for p256 signatures

indicate the algorithm of the next private key

2022-09-27

add an enum to checks to differentiate check if and check all

2022-08-14

3rd party (#79) * update prost * update protobuf schema * start implementing 3rd party tokens * basic format changes to follow the new protobuf schema without change of functionality * adapt the datalog engine to support a fact or rule's origin * verify external signatures * store the external key in the block's internal representation * use origins in the authorizer * update the schema * get the list of known public keys * deserialize block level scope * helpers to parse scopes * rule translation * add scopes to datalog rules * move block implementation to its own file * the container field does not need to be an option * store the deserialized protobuf blocks their data can be deserialized later when creating the authorizer * factor block data extraction * cleanup * fix deserialization * fix tests * create a map from public key to block id a public key can be used to sign multiple 3rd party blocks * move the public keys list to the symbol table * handle scopes in builder and parser * dapt the origin depending on the scopes * authorize 3rd party blocks * a public key scope trusts the current block * create third party block requests * create third party block request and content * append_third_party method * fix missing argument * helpers for public key serialization * fix the parser * fix signature of third party responses * fix scope handling * example * move the block builder in the 3rd party request * replace the explicit BTreeSet<usize> with an Origin type this will allow experimentation around the format * replace the explicit BTreeSet<usize> with an Origin type this will allow experimentation around the format * use the scopes from the block * third party block sample * fix * fix warnings * serialize the bock request in another step * missing file * extract public keys from the authority block * print public keys in samples * don't forget to serialize the external signature * check symbols and public keys overlap * fix docs * fixes * stricter usage of symbols unnown symbols now throw errors * the biscuit builder should support block level scopes * throw errors when public key tables overlap * remove unwrap * parse block level scopes * 3rd-party: add support for scope parameter substitution (#83) * 3rd-party: add support for scope parameter substitution (runtime & compile-time) Public keys can now be provided for scopes through parameter substitution. The `add_code_with_params` functions now take an extra parameters hashmap that can hold public keys. Similarly, all the builder structs carry an extra `scope_parameters` hashmap for provided parameters. Macros substitution work a bit differently: term and scope params are not separated: they can be interleaved, and a dedicated trait projects them to an enum (term or scope). This way, the parameter substitution code knows whether to add them as terms or scope elements. The initial plan was to add a blanket Into<Term> => ToAnyParam implementation but that was not possible because of potential overlapping instances. So the solution is to complement each Into<Term> impl with a ToAnyParam impl. Note that block-level parameter subsitution is not supported yet, simply because `add_code` functions don't handle it at all either. * 3rd-party: add support for Request / Contents on UnverifiedBiscuit * 3rd party improvements for CLI (#87) * 3rd-party: add helpers around request / responses The CLI works with raw and base64 payloads, and with `UnverifiedBiscuit`s * 3rd-party: return the list of a token's external public keys The authority cannot carry an external key, so its corresponding entry is always `None`. * fix comment on `revocation_identifiers` revocation ids are now unique * set the block version to 4 when scopes are present (#90) blocks without any 3rd party features should stay at v3 * add the external signature to the data covered by the block signature * fix public key quoting * fix capi Co-authored-by: Clément Delafargue <clement@delafargue.name>

2022-07-15

update the schema

2022-06-27

update protobuf schema

2022-05-19

Move biscuit-rust to a subdirectory In order to colocate all rust biscuit libs in a single repo, the core library has to move to a subdir, so that we can add new libs alongside.

2022-03-15

remove constraints from the schema

2021-10-05

rename verifier to authorizer in docs, C API and spec

2021-09-24

the key must show which algorithm it is using This will open the way to using other curves or signing algorithmd

2021-09-12

rename ID to Term in the protobuf schema

2021-09-06

remove the symbol type, use the symbol table for strings the symbol type was confusing, and with te removal of #authority and #ambient, there is now no reason to keep them. They were a separate kind of string with less operations, that were interned in the symbol table. That symbol table is used to reduce the token's size (not repeating strings, referring to them through integers) and in the Datalog engine for faster unification (it's faster to compare two integers than two strings). Now that symbols are gone, the Datalog engine has been modified to use the symbol table for strings, using the symbols performance boost for all strings

2021-09-05

remove #ambient and #authority symbols, and privileged rules replace test cases test7_invalid_block_fact_authority, test8_invalid_block_fact_ambient.bc and test10_authority_rules.bc with test for scopes: test7_scoped_rules, test7_scoped_rules and test10_verifier_scope

2021-09-03

update the schema for v2 since the new cryptographic design requires a completely different base message format, we can remove v0 and v1 bckwards compatibility

new cryptographic scheme with a chain of Ed25519 signatures this scheme follows a more classical approach, where each block contains its data, the "next public key" and its signature from the previous public key. The token also carries the "next private key", that allows verifying the end of the chain, and appending a new block This scheme also allows sealing in the same message format, by signing the last block again with the last private key

2021-05-06

separate block rules from "privileged rules" normal rules could be used to generate facts with the authority or ambient symbol, by using a variable. We introduce the "privileged rules" member to contain rules from the authority block and the verifier, and run different filters for rule application, to forbid the generation of authority and ambient tags in non privileged rules

2021-03-04

add a format to transport verifier state

2021-02-26

add more expression operations and a sample token testing them

2021-01-26

method syntax for set and string expressions this commit introduces a method-like syntax for these operations: - .starts_with() - .ends_with() - .matches() - .contains() (replacing the In operation) There is no satisfying name to replace the "not in" operation, so it is replaced by a "contains" and negation, like this: "!set.contains($var)". The NotIn operation is removed from the V1 schema

support parenthesis in expressions

2021-01-25

rename caveat to check the meaning of "caveat" was not clear enough for users (outside of those already familiar with macaroons), while "check" is more obvious: in a "checklist", all items must be validated

2021-01-22

replace constraints with expressions

2021-01-08

add the set type

add boolean type

2021-01-06

use oneof in the protobuf schema the format is a bit easier to manipulate, and it reduces token size

2021-01-05

convert ConstraintV1 to use oneof

rename integer constraints * Lower -> LessThan * Larger -> GreaterThan * LowerOrEqual -> LessOrEqual * LargerOrEqual -> GreaterOrEqual

split serialization code for v0 and v1 right now both formats have the same structure, but use different messages

2021-01-04

add a schema version field to blocks see https://github.com/CleverCloud/biscuit/issues/59

2020-09-11

add a byte array basic type it comes with Equal, In and Not In constraints

2020-08-07

add a byte array basic type it comes with Equal, In and Not In constraints

2020-01-03

support caveats with multiple queries a query can express AND conditions, but not OR. Some caveats might need OR conditions (example: checking the presence of any of 2 different facts with different format). To implement it, we need caveats to hold multiple queries. If at east one of those queries succeeds, the caveat succeeds. This could be implemented with intermediate rules, but we would need to check that blocks do not interfer with the results of those rules (by pregenerating facts, etc)

2019-11-25

implement regex constraints

2019-11-22

add the context field this field allows us to add some metadata, like a user id, to query data from a database and get facts to inject into the token for the validation, instead of loading most of the data every time

2019-10-28

a block can now have rules and caveats at the same time this way the authority block can have caveats, and the later blocks can provide rules to generate their facts

2019-09-04

use aggregated gamma signatures instead of VRF

2019-04-01

move to protobuf