Proto commits in biscuit-auth/biscuit

These 54 commits are when the Protocol Buffers files have changed:

2025-03-10

add missing samples - third-party block with secp256r1 signature - try operation

The documentation is generated from this commit.

2024-11-27

Merge branch 'main' into dev

2024-11-21

clarify datalog versions (3.x) improve a bit the specification for third-party block version constraints

2024-11-20

Support for ECDSA signatures on curve secp256r1 (#165) This adds support for ECDSA signatures based on secp256r1. This will make it easier for biscuit tokens to work in environments with FIPS requirements, or with HSMs

Merge branch 'dev' into fipscuit

2024-11-19

ffi: intern function names

Signature payload format v1 (#175) This introduces a new way to construct the payload for block signatures and external signatures: - prefixes are used to recognize each type of signature: `BLOCK` or `EXTERNAL` - prefixes are used to separate each part of the payload - external signature payloads contain the signature of the previous block instead of the current block's public key - block signatures now contain the signature of the previous block too - the previous payload format for block signatures. is deprecated Still supported, but will be removed in a future major version - the previous payload format for external signatures is not supported anymore Co-authored-by: Clément Delafargue <clement.delafargue@outscale.com>

2024-11-15

Merge branch 'dev' into geal/payload-v1

2024-11-11

update format and samples

2024-11-08

specifcy FFI operations

Update schema.proto with maps and arrays Also explictly document the `Get` binary operation

2024-10-25

update samples and schema based on the latest v5 branch in biscuit-rust

2024-05-20

introduce ECDSA signatures with secp256r1

2023-02-22

add a new message format for authorizer snapshots (#122) * add a new message format for authorizer snapshots the fact scopes have to be transmitted if we want to replay an authorizers behaviour. AuthorizerPolicies can be kept as a way to share plicies to bootstrap the authorizer * update the format

2023-01-07

update the format

Merge branch 'master' into authorizer-snapshot

2022-12-26

Add `NotEqual` to the protobuf schema

2022-12-22

missing update to the schema for "check all" (#121) Co-authored-by: Clément Delafargue <clement@delafargue.name>

2022-12-20

add a new message format for authorizer snapshots the fact scopes have to be transmitted if we want to replay an authorizers behaviour. AuthorizerPolicies can be kept as a way to share plicies to bootstrap the authorizer

replace None with One

Update schema.proto Co-authored-by: Clément Delafargue <clement@delafargue.name>

missing update to the schema for "check all"

2022-11-07

SPEC: add support for bitwise operators on booleans (#112) Such operators are only valid for v4 blocks Co-authored-by: Geoffroy Couprie <contact@geoffroycouprie.com>

Merge branch 'master' into bitwise-operators

3rd party: improve Scope pb definition The stored value is the index of a public key, not a block index

3rd-party: add new protobuf fields and messages - externalSignature allows to attach an optional signature (from a non-ephemeral private key) to biscuit blocks - scope lets blocks and rules specify which facts can be loaded (either through keywords for selecting groups of blocks, or through public keys for blocks signed by a specific key) - publicKeys provides a way to intern public keys in a way similar to symbols. Only public keys referenced in datalog elements can be interned - ThirdPartyBlockRequest / ThirdPartyBlockContents provide a way to add a signed 3rd party block to a given biscuit token without disclosing the token itself. For that, the request needs to provide: - the public key of the last block (needed to pin the signature to a specific biscuit token) - the list of already interned public keys (needed to properly generate the datalog ast). Contrary to public keys, interned symbols are not shared to 3rd party blocks to prevent information leaks. The response provides the serialized block, as well as the associated signature.

2022-10-26

SPEC: add support for bitwise operators on booleans Such operators are only valid for v4 blocks, but the v4 version selection part has not been merged yet (it's in the 3rd-party PR)

2022-07-15

3rd party: improve Scope pb definition The stored value is the index of a public key, not a block index

2022-04-23

3rd-party: add new protobuf fields and messages - externalSignature allows to attach an optional signature (from a non-ephemeral private key) to biscuit blocks - scope lets blocks and rules specify which facts can be loaded (either through keywords for selecting groups of blocks, or through public keys for blocks signed by a specific key) - publicKeys provides a way to intern public keys in a way similar to symbols. Only public keys referenced in datalog elements can be interned - ThirdPartyBlockRequest / ThirdPartyBlockContents provide a way to add a signed 3rd party block to a given biscuit token without disclosing the token itself. For that, the request needs to provide: - the public key of the last block (needed to pin the signature to a specific biscuit token) - the list of already interned public keys (needed to properly generate the datalog ast). Contrary to public keys, interned symbols are not shared to 3rd party blocks to prevent information leaks. The response provides the serialized block, as well as the associated signature.

2022-03-22

proto: remove now-unused constraints (#101)

2021-10-05

rename verifier to authorizer

2021-09-24

the key is now serialized with an enum indicating its algorithm this will open the way t other urves or algorithms, like P256

2021-09-12

rename ID to Term in the protobuf schema

2021-09-06

remove the symbol type symbols were a kind of strings with less available operations and some specific optimizations: they store in index into a symbol table carried by the token, to reduce size by avoiding repetitions. They were too confusing for users, and now that #authority and #ambient are gone, we can remove them completely. The symbol table was useful though, so now the symbol table is used for all predicate names and strings

2021-09-03

start updating the schema for v2 - remove v0 compatibility - convert v1 to v2 - remove the index from blocks (now the cryptographisc design guarantees the order

new cryptographic scheme

2021-03-04

add a format to transport verifier state there are two use cases for this: - quickly loading verifier policies from a serialized state instead of manually adding datalog elements one by one through the verifier API. The policies could even be written in a different system then published to running instances dynamically - save the state of a verifier, including ambient data, facts, rules and checks coming from a token, to later load it into another verifier and inspect it

2021-02-26

missing schema update

2021-01-26

method syntax for set and string expressions this commit introduces a method-like syntax for these operations: - .starts_with() - .ends_with() - .matches() - .contains() (replacing the In operation) There is no satisfying name to replace the "not in" operation, so it is replaced by a "contains" and negation, like this: "!set.contains($var)". The NotIn operation is removed from the V1 schema

support parenthesis in expressions it needs to be suported in the bytecode, to let us print the expressions properly

2021-01-25

rename caveat to check, introduce allow/deny policies and new syntax the meaning of "caveat" was not clear enough for users (outside of those already familiar with macaroons), while "check" is more obvious: in a "checklist", all items must be validated. Allow and deny policies can be added only in the verifier (not in tokens so there's no format change here). They use rules under the hood like checks, and are tested one by one until one of them matches. A default policy should be added to the verifier, otherwise it will return the NoMatchingPolicy error. To keep the current behaviour of accepting the request once all checks have been validated, we use the default policy "allow if true", that only contains the expression "true". At last, we introduce a new syntax for checks and policies: caveat1($0) <- resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read) is rewritten as: check if resource(#ambient, $0), operation(#ambient, #read), right(#authority, $0, #read) Similarly, allow and deny policies use "allow if" and "deny if" prefixes. If a check contains multiple rules, they are separated with "or". All of those keywords are case insensitive.

2021-01-22

replace constraints with expressions Expressions are a superset of constraints, they can support multiple variables, and other operations like additions

2021-01-08

add the set type

add boolean type

2021-01-06

use oneof in the Protobuf schema this simplifies the format, using oneof instead of a 'Kind' enum with optional fields. Additionally, it reduces token size

2021-01-05

rename integer constraints

duplicate messages for v1 currently the messages have the same structure as v0, but they will change significantly

2021-01-04

version field in block format this changes the Protobuf format to add a version field to blocks, set to 0 for now. This change will ship in the 0.9 version of the Rust version. When deserializing a token, we wil check the version field. if not present, we assume the block is at version 0. A token can contain blocks with different versions, so a token generated by an old library can be attenuated by a newer one. If the version is higher than the maximum one for the library, the token will be rejected

2020-09-11

Add the byte array type this will be useful to transport arbitrary data in the token without encoding it in base 64

a Caveat can now contain multiple rules This allows us to implement "OR" for caveats: one of the provided rules has to succeed

2019-11-25

update the schema

2019-10-29

format modification: every block can have rules and facts before: - rules in an authority block are authority facts generation rules - rules in other blocks are caveats now: - rules in an authority block are authority facts generation rules - rules in other block are facts generation rules for this block's validation - caveats in the authority block are tested once at the beginning of the validation - caveats in an other block are specific to that block's validation

2019-09-04

update the schema for aggregated gamma signatures the new signatures are smaller

2019-04-01

move to protobuf