From 838a36456d87191d4338e7133b92461e26414d56 Mon Sep 17 00:00:00 2001 From: Clement Delafargue Date: Wed, 3 Jul 2024 15:09:49 +0200 Subject: [PATCH 1/3] test: update samples --- biscuit/test/samples/current/README.md | 18 ++++++------- biscuit/test/samples/current/samples.json | 24 ++++++++++++------ .../samples/current/test024_third_party.bc | Bin 458 -> 458 bytes .../current/test026_public_keys_interning.bc | Bin 1316 -> 1547 bytes 4 files changed, 25 insertions(+), 17 deletions(-) diff --git a/biscuit/test/samples/current/README.md b/biscuit/test/samples/current/README.md index 0e61691..e5fbafe 100644 --- a/biscuit/test/samples/current/README.md +++ b/biscuit/test/samples/current/README.md @@ -1841,7 +1841,7 @@ allow if true; revocation ids: - `470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03` -- `93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405` +- `342167bc54bc642b6718a276875e55b6d39e9b21e4ce13b926a3d398b6c057fc436385bf4c817a16f9ecdf0b0d950e8b8258a20aeb3fd8896c5e9c1f0a53da03` authorizer world: ``` @@ -2041,7 +2041,7 @@ check if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755 1: symbols: [] -public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"] +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] external signature by: "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" 
@@ -2055,7 +2055,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5 2: symbols: [] -public keys: [] +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" @@ -2068,7 +2068,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5 3: symbols: [] -public keys: [] +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" @@ -2081,7 +2081,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5 4: symbols: [] -public keys: ["ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"] +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"] ``` query(4); 
@@ -2103,10 +2103,10 @@ allow if true; revocation ids: - `3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04` -- `45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400` -- `179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703` -- `edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d` -- `6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07` +- `6528db2c9a561ada9086268549a600a8a52ff434ea8183812623eec0e9b6c5d3c41ab7868808623021d92294d583afdf92f4354bcdaa1bc50453e1b89afd630d` +- `5d5679fe69bfe74b7919323515e9ecba9d01422b16be9341b57f88e695b2bb0bd7966b781001d2b9e00ee618fdc239c96e17e32cb379f13f12d6bd7b1b47ad04` +- `c37bf24c063f0310eccab8864e48dbeffcdd7240b4f8d1e01eba4fc703e6c9082b845bb55543b10f008dc7f4e78540411912ac1f36fa2aa90011dca40f323b09` +- `3f675d6c364e06405d4868c904e40f3d81c32b083d91586db814d4cb4bf536b4ba209d82f11b4cb6da293b60b20d6122fc3e0e08e80c381dee83edd848211900` authorizer world: ``` diff --git a/biscuit/test/samples/current/samples.json b/biscuit/test/samples/current/samples.json index acae28a..d97790a 100644 --- a/biscuit/test/samples/current/samples.json +++ b/biscuit/test/samples/current/samples.json @@ -1798,7 +1798,7 @@ "authorizer_code": "allow if true;\n", "revocation_ids": [ "470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03", - "93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405" + "342167bc54bc642b6718a276875e55b6d39e9b21e4ce13b926a3d398b6c057fc436385bf4c817a16f9ecdf0b0d950e8b8258a20aeb3fd8896c5e9c1f0a53da03" ] } } 
@@ -1939,26 +1939,34 @@ { "symbols": [], "public_keys": [ - "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" + "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" ], "external_key": "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", "code": "query(1);\nquery(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], - "public_keys": [], + "public_keys": [ + "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" + ], "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "code": "query(2);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], - "public_keys": [], + "public_keys": [ + "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" + ], "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "code": "query(3);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], "public_keys": [ + "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", 
"ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136" ], "external_key": null, @@ -2082,10 +2090,10 @@ "authorizer_code": "check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\n\ndeny if query(3);\ndeny if query(1, 2);\ndeny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\nallow if true;\n", "revocation_ids": [ "3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04", - "45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400", - "179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703", - "edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d", - "6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07" + "6528db2c9a561ada9086268549a600a8a52ff434ea8183812623eec0e9b6c5d3c41ab7868808623021d92294d583afdf92f4354bcdaa1bc50453e1b89afd630d", + "5d5679fe69bfe74b7919323515e9ecba9d01422b16be9341b57f88e695b2bb0bd7966b781001d2b9e00ee618fdc239c96e17e32cb379f13f12d6bd7b1b47ad04", + "c37bf24c063f0310eccab8864e48dbeffcdd7240b4f8d1e01eba4fc703e6c9082b845bb55543b10f008dc7f4e78540411912ac1f36fa2aa90011dca40f323b09", + "3f675d6c364e06405d4868c904e40f3d81c32b083d91586db814d4cb4bf536b4ba209d82f11b4cb6da293b60b20d6122fc3e0e08e80c381dee83edd848211900" ] } } 
diff --git a/biscuit/test/samples/current/test024_third_party.bc b/biscuit/test/samples/current/test024_third_party.bc index 7bca415c6f4aeff3f27628adbaa6211f6e263493..d2aef52815e08c1d47cfaaec9ad0b8eaa1bc13e4 100644 GIT binary patch delta 149 zcmV;G0BZlr1Ih!Cxd8={xziGHPFJ%uTceGU^8b6lYjwA DDLF|c delta 149 zcmV;G0BZlr1Ih!Cxd8-`xLCT|;|b}> z%G?Sj#b8epkq@pvEYN@lR@=B?SrtgW zV^p2!&o#v7y*c4|mM^o6M_}!R0WSsp4EnTt{TxTWP@!Q)c>ZFTKI$ z8n(0|HCj$n>(PnFTYn$(eskd3wC?9C`-3g2zTN!0+_K<;QLR;6FRO^E-&dZ=ZyD9u z?=o?90DUl7ib<6y*GDla)yIZa{>$9|+`CfJ$W-*@n_Y7mowUXFO?KQ`-|=kfrrq4v zr)5_NFkagEfbW^a-$Rxs^TZ$PY_9xhFLZ5hwY2+M7LevNg^q|dI*wSk9{@1e4uW`9LOEWUq&z0OaNh!U&xp~*jxgR%7;$Shkx2+&oW>*eJEYL2uEZV%?HJ;TmrpS(M60sXpR+HJ76($$4_&M08$L5&%u{p$gWSnGq!f)GnSewIkVnpr^kt?UYznX2? or7*YYqqNVqTbkAhn|KqI{@C$xyx_5reb@Zrnb^rhX delta 627 zcmeC?S;9482m4JXt`!i(pVw?y=j>@H<1lCqRuKyZm zx7lC0`pk4ehw5a_H3<^?w=gJWa5>~GogeS{`oZscj-T88wbcqbJDWVEK2Da(nfB?( z!Um0>$7J+w+<2ZQt?+*?H`|J6TiHL4ANH&Z-L}(0k4@$>V-$M6HWDn8 z9hp>dxcNAfM!ooaR)3ptHMiAE84V-XNopO@4@->rId*bK^$NOEbZ^Y``YL;!8RXtO+4Z{HS(@K`tV(tIo%CEFT;`tNLCeRj z_9{`%VQXUZ7(WJT@A~xPi}hiV&)e7k+{dz&(eG~m+%H>BXR)VJaPUHA zTn<)e(WrmBI;3K5TG-_Lvlk<Yvmj!{b%zx^MV}AuXE_}v-rPzZbvU_)Vo-caIWN|(ROF64_;!C z4~jSceCyWN)xYe4_sJQj)zSr59cr7QzyGw8+V5>Mf=k#I)OyyifgQ{$b%c>CYVv;; ztI6@K9u8Sa1{sDgZ@;jsHoiS=d&KeDYZE5(>*}^YvfL!Faf(l9)BfB#>3=Jp|I|2C fum7J<@6m&`N8|(_9A5q6`p)cm_t+;tXH@|Jec${W From aca2c4cf83fb8761a01bdcb6f377e6a44112b9f8 Mon Sep 17 00:00:00 2001 From: Clement Delafargue Date: Wed, 3 Jul 2024 15:13:21 +0200 Subject: [PATCH 2/3] isolate public key interning in third-party blocks --- biscuit/src/Auth/Biscuit/ProtoBufAdapter.hs | 84 +++++++++++---------- biscuit/src/Auth/Biscuit/Symbols.hs | 4 - biscuit/src/Auth/Biscuit/Token.hs | 19 ++--- 3 files changed, 53 insertions(+), 54 deletions(-) diff --git a/biscuit/src/Auth/Biscuit/ProtoBufAdapter.hs b/biscuit/src/Auth/Biscuit/ProtoBufAdapter.hs index e4fa1a0..e652292 100644 --- a/biscuit/src/Auth/Biscuit/ProtoBufAdapter.hs 
+++ b/biscuit/src/Auth/Biscuit/ProtoBufAdapter.hs @@ -1,5 +1,6 @@ {-# LANGUAGE DataKinds #-} {-# LANGUAGE LambdaCase #-} +{-# LANGUAGE MultiWayIf #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} @@ -25,13 +26,12 @@ module Auth.Biscuit.ProtoBufAdapter , thirdPartyBlockContentsToPb ) where -import Control.Monad (when) +import Control.Monad (unless, when) import Control.Monad.State (StateT, get, lift, modify) -import Data.Bitraversable (bisequence) import Data.ByteString (ByteString) import Data.Int (Int64) import qualified Data.List.NonEmpty as NE -import Data.Maybe (isNothing) +import Data.Maybe (isJust, isNothing) import qualified Data.Set as Set import qualified Data.Text as T import Data.Time (UTCTime) @@ -110,17 +110,17 @@ pbToBlock ePk PB.Block{..} = do -- but use the global public keys table: -- symbols defined in 3rd party blocks are not visible -- to following blocks, but public keys are - when (isNothing ePk) $ modify (registerNewSymbols blockSymbols) - modify (registerNewPublicKeys $ foldMap pure ePk <> blockPks) + when (isNothing ePk) $ do + modify (registerNewSymbols blockSymbols) + modify (registerNewPublicKeys blockPks) currentSymbols <- get let symbolsForCurrentBlock = - -- third party blocks use an isolated symbol table, - -- but use the global public keys table. + -- third party blocks use an isolated symbol and public keys table, -- 3rd party blocks don't see previously defined - -- symbols, but see previously defined public keys + -- symbols or public keys if isNothing ePk then currentSymbols - else registerNewSymbols blockSymbols $ forgetSymbols currentSymbols + else registerNewPublicKeys blockPks $ registerNewSymbols blockSymbols newSymbolTable let bContext = PB.getField context bVersion = PB.getField version lift $ do 
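Review bot: The comment kept as context above `when (isNothing ePk)` in the `@@ -110,17 +110,17 @@` hunk is now stale. It still says third-party blocks "use the global public keys table" and that their public keys are visible to following blocks, but the new code registers `blockPks` globally only when `ePk` is absent. This isolation is the security-relevant behaviour of the commit, so a comment stating the opposite invites a regression. Replace it with something like `-- third party blocks use isolated symbol and public key tables: nothing they define is visible to following blocks`. pbToBlock starts above this hunk and continues below it.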
@@ -129,18 +129,25 @@ pbToBlock ePk PB.Block{..} = do bRules <- traverse (pbToRule s) $ PB.getField rules_v2 bChecks <- traverse (pbToCheck s) $ PB.getField checks_v2 bScope <- Set.fromList <$> traverse (pbToScope s) (PB.getField scope) - let isV3 = isNothing ePk - && Set.null bScope - && all ruleHasNoScope bRules - && all (queryHasNoScope . cQueries) bChecks - && all isCheckOne bChecks - && all ruleHasNoV4Operators bRules - && all (queryHasNoV4Operators . cQueries) bChecks - case (bVersion, isV3) of - (Just 4, _) -> pure Block {..} - (Just 3, True) -> pure Block {..} - (Just 3, False) -> - Left "Biscuit v4 fields are present, but the block version is 3." + let v5Plus = isJust ePk + v4Plus = not $ and + [ Set.null bScope + , all ruleHasNoScope bRules + , all (queryHasNoScope . cQueries) bChecks + , all isCheckOne bChecks + , all ruleHasNoV4Operators bRules + , all (queryHasNoV4Operators . cQueries) bChecks + ] + case (bVersion, v4Plus, v5Plus) of + (Just 5, _, _) -> pure Block {..} + (Just 4, _, False) -> pure Block {..} + (Just 4, _, True) -> + Left "Biscuit v5 features are present, but the block version is 4." + (Just 3, False, False) -> pure Block {..} + (Just 3, True, False) -> + Left "Biscuit v4 features are present, but the block version is 3." + (Just 3, _, True) -> + Left "Biscuit v5 features are present, but the block version is 3." _ -> Left $ "Unsupported biscuit version: " <> maybe "0" show bVersion <> ". Only versions 3 and 4 are supported" 
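Review bot: The fallback arm of the `case` still ends with "Only versions 3 and 4 are supported", although the new `(Just 5, _, _)` arm accepts version 5. A rejected block therefore reports the wrong supported range. Change the tail to `<> ". Only versions 3, 4 and 5 are supported"`. A one-line comment on the scrutinee, such as `-- (declared version, uses v4 features, uses v5 features)`, would also help, because the three positional fields are easy to misread when adding the next version. pbToBlock begins outside this hunk.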
@@ -148,13 +155,15 @@ pbToBlock ePk PB.Block{..} = do -- along with the newly defined symbols blockToPb :: Bool -> Symbols -> Block -> (BlockSymbols, PB.Block) blockToPb hasExternalPk existingSymbols b@Block{..} = - let isV3 = not hasExternalPk - && Set.null bScope - && all ruleHasNoScope bRules - && all (queryHasNoScope . cQueries) bChecks - && all isCheckOne bChecks - && all ruleHasNoV4Operators bRules - && all (queryHasNoV4Operators . cQueries) bChecks + let v4Plus = not $ and + [Set.null bScope + , all ruleHasNoScope bRules + , all (queryHasNoScope . cQueries) bChecks + , all isCheckOne bChecks + , all ruleHasNoV4Operators bRules + , all (queryHasNoV4Operators . cQueries) bChecks + ] + v5Plus = hasExternalPk bSymbols = buildSymbolTable existingSymbols b s = reverseSymbols $ addFromBlock existingSymbols bSymbols symbols = PB.putField $ getSymbolList bSymbols @@ -164,8 +173,9 @@ blockToPb hasExternalPk existingSymbols b@Block{..} = checks_v2 = PB.putField $ checkToPb s <$> bChecks scope = PB.putField $ scopeToPb s <$> Set.toList bScope pksTable = PB.putField $ publicKeyToPb <$> getPkList bSymbols - version = PB.putField $ if isV3 then Just 3 - else Just 4 + version = PB.putField $ if | v5Plus -> Just 5 + | v4Plus -> Just 4 + | otherwise -> Just 3 in (bSymbols, PB.Block {..}) pbToFact :: Symbols -> PB.FactV2 -> Either String Fact 
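Review bot: The six-element `v4Plus` list in blockToPb duplicates the one added to pbToBlock, so the encoder's and decoder's idea of "needs v4" can drift apart when the next version-gated feature is added. Consider moving the predicate into one local helper that takes `bScope`, `bRules` and `bChecks`, and using it on both sides, e.g. `v4Plus = blockUsesV4Features bScope bRules bChecks` (the helper name is only a suggestion). A smaller point: `[Set.null bScope` here lacks the space after `[` that the pbToBlock copy has. blockToPb continues past both hunks on this line.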
@@ -415,17 +425,15 @@ binaryToPb = PB.OpBinary . PB.putField . \case BitwiseXor -> PB.BitwiseXor NotEqual -> PB.NotEqual -pbToThirdPartyBlockRequest :: PB.ThirdPartyBlockRequest -> Either String (Crypto.PublicKey, [Crypto.PublicKey]) +pbToThirdPartyBlockRequest :: PB.ThirdPartyBlockRequest -> Either String Crypto.PublicKey pbToThirdPartyBlockRequest PB.ThirdPartyBlockRequest{previousPk, pkTable} = do - bisequence - ( pbToPublicKey $ PB.getField previousPk - , traverse pbToPublicKey $ PB.getField pkTable - ) + unless (null $ PB.getField pkTable) $ Left "Public key table provided in third-party block request" + pbToPublicKey $ PB.getField previousPk -thirdPartyBlockRequestToPb :: (Crypto.PublicKey, [Crypto.PublicKey]) -> PB.ThirdPartyBlockRequest -thirdPartyBlockRequestToPb (previousPk, pkTable) = PB.ThirdPartyBlockRequest +thirdPartyBlockRequestToPb :: Crypto.PublicKey -> PB.ThirdPartyBlockRequest +thirdPartyBlockRequestToPb previousPk = PB.ThirdPartyBlockRequest { previousPk = PB.putField $ publicKeyToPb previousPk - , pkTable = PB.putField $ publicKeyToPb <$> pkTable + , pkTable = PB.putField [] } pbToThirdPartyBlockContents :: PB.ThirdPartyBlockContents -> Either String (ByteString, Crypto.Signature, Crypto.PublicKey) diff --git a/biscuit/src/Auth/Biscuit/Symbols.hs b/biscuit/src/Auth/Biscuit/Symbols.hs index dffb1e4..295ca26 100644 --- a/biscuit/src/Auth/Biscuit/Symbols.hs +++ b/biscuit/src/Auth/Biscuit/Symbols.hs @@ -15,7 +15,6 @@ module Auth.Biscuit.Symbols , addFromBlock , registerNewSymbols , registerNewPublicKeys - , forgetSymbols , reverseSymbols , getSymbolList , getPkList 
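Review bot: pbToThirdPartyBlockRequest now returns `Left` for any non-empty `pkTable`, but nothing at the definition records why the field must be empty. A comment such as `-- pkTable must be empty: third-party blocks intern public keys in their own table, so a populated table is rejected rather than silently ignored` would state the invariant next to the check. Requests built by the removed `publicKeyToPb <$> pkTable` encoder will presumably hit this error, so that is worth a sentence in the haddock of the public entry point too. No test for the rejection path is visible in these patches.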
@@ -139,9 +138,6 @@ registerNewPublicKeys newPks s@Symbols{publicKeys} = let newPkMap = Map.fromList $ zip [getNextPublicKeyOffset s..] (newPks \\ elems publicKeys) in s { publicKeys = publicKeys <> newPkMap } -forgetSymbols :: Symbols -> Symbols -forgetSymbols s = s { symbols = commonSymbols } - -- | Reverse a symbol table reverseSymbols :: Symbols -> ReverseSymbols reverseSymbols (Symbols sm pkm) = diff --git a/biscuit/src/Auth/Biscuit/Token.hs b/biscuit/src/Auth/Biscuit/Token.hs index a3149d1..ec47402 100644 --- a/biscuit/src/Auth/Biscuit/Token.hs +++ b/biscuit/src/Auth/Biscuit/Token.hs @@ -306,26 +306,21 @@ addSignedBlock :: SecretKey -> Biscuit Open check -> IO (Biscuit Open check) addSignedBlock eSk block b@Biscuit{..} = do - let symbolsForCurrentBlock = forgetSymbols $ registerNewPublicKeys [toPublic eSk] symbols - (newSymbols, blockSerialized) = PB.encodeBlock <$> blockToPb True symbolsForCurrentBlock block + let (_, blockSerialized) = PB.encodeBlock <$> blockToPb True newSymbolTable block lastBlock = NE.last (authority :| blocks) (_, _, lastPublicKey, _) = lastBlock Open p = proof (signedBlock, nextSk) <- signExternalBlock p eSk lastPublicKey blockSerialized pure $ b { blocks = blocks <> [toParsedSignedBlock block signedBlock] - , symbols = registerNewPublicKeys (getPkList newSymbols) symbols , proof = Open nextSk } mkThirdPartyBlock' :: SecretKey - -> [PublicKey] -> PublicKey -> Block -> (ByteString, Signature, PublicKey) -mkThirdPartyBlock' eSk pkTable lastPublicKey block = - let symbolsForCurrentBlock = registerNewPublicKeys [toPublic eSk] $ - registerNewPublicKeys pkTable newSymbolTable - (_, payload) = PB.encodeBlock <$> blockToPb True symbolsForCurrentBlock block +mkThirdPartyBlock' eSk lastPublicKey block = + let (_, payload) = PB.encodeBlock <$> blockToPb True newSymbolTable block (eSig, ePk) = sign3rdPartyBlock eSk lastPublicKey payload in (payload, eSig, ePk) 
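Review bot: `addSignedBlock` and `mkThirdPartyBlock'` now both encode against `newSymbolTable`, but neither call site says this is deliberate. A short comment above each `blockToPb True newSymbolTable block`, such as `-- third-party blocks are encoded against a fresh table: they neither see nor extend the token's symbols and public keys`, would keep a later refactor from reintroducing the shared table. In `addSignedBlock` the `symbols` field of the returned token is no longer updated, which matches that intent as far as the hunk shows. Both functions start above the hunk.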
@@ -336,17 +331,17 @@ mkThirdPartyBlock :: SecretKey -> Block -> Either String ByteString mkThirdPartyBlock eSk req block = do - (previousPk, pkTable) <- pbToThirdPartyBlockRequest =<< PB.decodeThirdPartyBlockRequest req - pure $ PB.encodeThirdPartyBlockContents . thirdPartyBlockContentsToPb $ mkThirdPartyBlock' eSk pkTable previousPk block + previousPk<- pbToThirdPartyBlockRequest =<< PB.decodeThirdPartyBlockRequest req + pure $ PB.encodeThirdPartyBlockContents . thirdPartyBlockContentsToPb $ mkThirdPartyBlock' eSk previousPk block -- | Generate a third-party block request. It can be used in -- conjunction with 'mkThirdPartyBlock' to generate a -- third-party block, which can be then appended to a token with -- 'applyThirdPartyBlock'. mkThirdPartyBlockReq :: Biscuit proof check -> ByteString -mkThirdPartyBlockReq Biscuit{authority,blocks,symbols} = +mkThirdPartyBlockReq Biscuit{authority,blocks} = let (_, _ , lastPk, _) = NE.last $ authority :| blocks - in PB.encodeThirdPartyBlockRequest $ thirdPartyBlockRequestToPb (lastPk, getPkTable symbols) + in PB.encodeThirdPartyBlockRequest $ thirdPartyBlockRequestToPb lastPk -- | Given a base64-encoded third-party block, append it to a token. applyThirdPartyBlock :: Biscuit Open check -> ByteString -> Either String (IO (Biscuit Open check)) From 1fc1646cb4dcc61b0cb10f703ef02f7cd8b43ffa Mon Sep 17 00:00:00 2001 From: Clement Delafargue Date: Wed, 31 Jul 2024 10:27:35 +0200 Subject: [PATCH 3/3] 0.4.0.0 --- biscuit-servant/ChangeLog.md | 4 ++++ biscuit-servant/biscuit-servant.cabal | 4 ++-- biscuit/ChangeLog.md | 6 ++++++ biscuit/biscuit-haskell.cabal | 2 +- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/biscuit-servant/ChangeLog.md b/biscuit-servant/ChangeLog.md index 49bec8a..e200d7c 100644 --- a/biscuit-servant/ChangeLog.md +++ b/biscuit-servant/ChangeLog.md @@ -1,5 +1,9 @@ # Changelog for biscuit-servant +## 0.4.0.0 + +- use biscuit-haskell 0.4.0.0 + ## 0.3.0.1 - use biscuit-haskell 0.3.0.1 
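Review bot: `previousPk<- pbToThirdPartyBlockRequest` in mkThirdPartyBlock is missing the space before `<-`. Write `previousPk <- pbToThirdPartyBlockRequest =<< PB.decodeThirdPartyBlockRequest req` so it matches the other monadic binds in this patch. The signature of mkThirdPartyBlock starts above the hunk.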
diff --git a/biscuit-servant/biscuit-servant.cabal b/biscuit-servant/biscuit-servant.cabal index f5ee011..10cf924 100644 --- a/biscuit-servant/biscuit-servant.cabal +++ b/biscuit-servant/biscuit-servant.cabal @@ -1,7 +1,7 @@ cabal-version: 2.0 name: biscuit-servant -version: 0.3.0.1 +version: 0.4.0.0 category: Security synopsis: Servant support for the Biscuit security token description: Please see the README on GitHub at @@ -34,7 +34,7 @@ library ghc-options: -Wall build-depends: base >= 4.7 && <5, - biscuit-haskell >= 0.3 && < 0.4, + biscuit-haskell >= 0.4 && < 0.5, bytestring >= 0.10 && <0.12, mtl >= 2.2 && < 2.4, text >= 1.2 && <3, diff --git a/biscuit/ChangeLog.md b/biscuit/ChangeLog.md index 01c8b43..af68a58 100644 --- a/biscuit/ChangeLog.md +++ b/biscuit/ChangeLog.md @@ -1,5 +1,11 @@ # Changelog for biscuit-haskell +## 0.4.0.0 + +- abort authorization on evaluation error as mandated by the spec +- use utf8 byte count in `{string}.length()` as mandated by the spec +- fix security issue with third-party blocks public key interning, see [advisory](https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m) + ## 0.3.0.1 - GHC 9.6 and 9.8 support diff --git a/biscuit/biscuit-haskell.cabal b/biscuit/biscuit-haskell.cabal index 907fd6b..b8123d7 100644 --- a/biscuit/biscuit-haskell.cabal +++ b/biscuit/biscuit-haskell.cabal @@ -1,7 +1,7 @@ cabal-version: 2.0 name: biscuit-haskell -version: 0.3.0.1 +version: 0.4.0.0 category: Security synopsis: Library support for the Biscuit security token description: Please see the README on GitHub at