public void TestGetRevocationIds()
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
KeyPair root = new KeyPair(rng);
SymbolTable symbols = Biscuit.Token.Biscuit.DefaultSymbolTable();
BlockBuilder authority_builder = new BlockBuilder(0, symbols);
Guid uuid1 = Guid.Parse("0b6d033d-83da-437f-a078-1a44890018bc");
authority_builder.AddFact(Utils.Fact("revocation_id", Arrays.AsList(Utils.Strings(uuid1.ToString()))));
Biscuit.Token.Biscuit biscuit = Biscuit.Token.Biscuit.Make(rng, root, Biscuit.Token.Biscuit.DefaultSymbolTable(), authority_builder.Build()).Right;
BlockBuilder builder = biscuit.CreateBlock();
builder.AddFact(Utils.Fact(
"right",
Arrays.AsList(Utils.Symbol("topic"), Utils.Symbol("tenant"), Utils.Symbol("namespace"), Utils.Symbol("topic"), Utils.Symbol("produce"))
));
Guid uuid2 = Guid.Parse("46a103de-ee65-4d04-936b-9111eac7dd3b");
builder.AddFact(Utils.Fact("revocation_id", Arrays.AsList(Utils.Strings(uuid2.ToString()))));
string attenuatedB64 = biscuit.Attenuate(rng, new KeyPair(rng), builder.Build()).Right.SerializeBase64().Right;
Biscuit.Token.Biscuit b = Biscuit.Token.Biscuit.FromBase64(attenuatedB64).Right;
Verifier v1 = b.Verify(root.ToPublicKey()).Right;
List <Guid> revokedIds = v1.GetRevocationIdentifiers().Right.Select(s => Guid.Parse(s)).ToList();
Assert.IsTrue(revokedIds.Contains(uuid1));
Assert.IsTrue(revokedIds.Contains(uuid2));
}
public void TestMultipleAttenuation()
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
KeyPair root = new KeyPair(rng);
SymbolTable symbols = Biscuit.Token.Biscuit.DefaultSymbolTable();
BlockBuilder authority_builder = new BlockBuilder(0, symbols);
DateTime date = DateTime.Now;
authority_builder.AddFact(Utils.Fact("revocation_id", Arrays.AsList(Utils.Date(date))));
Biscuit.Token.Biscuit biscuit = Biscuit.Token.Biscuit.Make(rng, root, Biscuit.Token.Biscuit.DefaultSymbolTable(), authority_builder.Build()).Right;
BlockBuilder builder = biscuit.CreateBlock();
builder.AddFact(Utils.Fact(
"right",
Arrays.AsList(Utils.Symbol("topic"), Utils.Symbol("tenant"), Utils.Symbol("namespace"), Utils.Symbol("topic"), Utils.Symbol("produce"))
));
string attenuatedB64 = biscuit.Attenuate(rng, new KeyPair(rng), builder.Build()).Right.SerializeBase64().Right;
Console.WriteLine("attenuated: " + attenuatedB64);
var attenuatedB64Biscuit = Biscuit.Token.Biscuit.FromBase64(attenuatedB64);
Assert.IsTrue(attenuatedB64Biscuit.IsRight);
string attenuated2B64 = biscuit.Attenuate(rng, new KeyPair(rng), builder.Build()).Right.SerializeBase64().Right;
Console.WriteLine("attenuated2: " + attenuated2B64);
var attenuated2B64Biscuit = Biscuit.Token.Biscuit.FromBase64(attenuated2B64);
Assert.IsTrue(attenuated2B64Biscuit.IsRight);
}
public void TestBuild()
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
KeyPair root = new KeyPair(rng);
SymbolTable symbols = Biscuit.Token.Biscuit.DefaultSymbolTable();
BlockBuilder authority_builder = new BlockBuilder(0, symbols);
authority_builder.AddFact(Utils.Fact("revocation_id", Arrays.AsList(Utils.Date(DateTime.Now))));
authority_builder.AddFact(Utils.Fact("right", Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("admin"))));
authority_builder.AddRule(Utils.ConstrainedRule("right",
Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("namespace"), Utils.Var("tenant"), Utils.Var("namespace"), Utils.Var("operation")),
Arrays.AsList(Utils.Pred("ns_operation", Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("namespace"), Utils.Var("tenant"), Utils.Var("namespace"), Utils.Var("operation")))),
Arrays.AsList <ExpressionBuilder>(
new ExpressionBuilder.Binary(
ExpressionBuilder.Op.Contains,
new ExpressionBuilder.Value(Utils.Var("operation")),
new ExpressionBuilder.Value(new Term.Set(new HashSet <Term>(Arrays.AsList <Term>(
Utils.Symbol("create_topic"),
Utils.Symbol("get_topic"),
Utils.Symbol("get_topics")
)))))
)
));
authority_builder.AddRule(Utils.ConstrainedRule("right",
Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("topic"), Utils.Var("tenant"), Utils.Var("namespace"), Utils.Var("topic"), Utils.Var("operation")),
Arrays.AsList(Utils.Pred("topic_operation", Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("topic"), Utils.Var("tenant"), Utils.Var("namespace"), Utils.Var("topic"), Utils.Var("operation")))),
Arrays.AsList <ExpressionBuilder>(
new ExpressionBuilder.Binary(
ExpressionBuilder.Op.Contains,
new ExpressionBuilder.Value(Utils.Var("operation")),
new ExpressionBuilder.Value(new Term.Set(new HashSet <Term>(Arrays.AsList(
Utils.Symbol("lookup")
)))))
)
));
Biscuit.Token.Biscuit rootBiscuit = Biscuit.Token.Biscuit.Make(rng, root, symbols, authority_builder.Build()).Right;
Console.WriteLine(rootBiscuit.Print());
Assert.IsNotNull(rootBiscuit);
}
public void TestSealedTokens()
{
byte[] seed = { 0, 0, 0, 0 };
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(seed);
Console.WriteLine("preparing the authority block");
KeyPair root = new KeyPair(rng);
SymbolTable symbols = Biscuit.Token.Biscuit.DefaultSymbolTable();
BlockBuilder authority_builder = new BlockBuilder(0, symbols);
authority_builder.AddFact(Utils.Fact("right", Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("file1"), Utils.Symbol("read"))));
authority_builder.AddFact(Utils.Fact("right", Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("file2"), Utils.Symbol("read"))));
authority_builder.AddFact(Utils.Fact("right", Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("file1"), Utils.Symbol("write"))));
Biscuit.Token.Biscuit b = Biscuit.Token.Biscuit.Make(rng, root, Biscuit.Token.Biscuit.DefaultSymbolTable(), authority_builder.Build()).Right;
Console.WriteLine(b.Print());
Console.WriteLine("serializing the first token");
byte[] data = b.Serialize().Right;
Console.Write("data len: ");
Console.WriteLine(data.Length);
//Console.WriteLine(hex(data));
Console.WriteLine("deserializing the first token");
Biscuit.Token.Biscuit deser = Biscuit.Token.Biscuit.FromBytes(data).Right;
Console.WriteLine(deser.Print());
// SECOND BLOCK
Console.WriteLine("preparing the second block");
KeyPair keypair2 = new KeyPair(rng);
BlockBuilder builder = deser.CreateBlock();
builder.AddCheck(Utils.Check(Utils.Rule(
"caveat1",
Arrays.AsList(Utils.Var("resource")),
Arrays.AsList(
Utils.Pred("resource", Arrays.AsList(Utils.Symbol("ambient"), Utils.Var("resource"))),
Utils.Pred("operation", Arrays.AsList(Utils.Symbol("ambient"), Utils.Symbol("read"))),
Utils.Pred("right", Arrays.AsList(Utils.Symbol("authority"), Utils.Var("resource"), Utils.Symbol("read")))
)
)));
Biscuit.Token.Biscuit b2 = deser.Attenuate(rng, keypair2, builder.Build()).Right;
Console.WriteLine(b2.Print());
Console.WriteLine("sealing the second token");
byte[] testkey = Encoding.UTF8.GetBytes("testkey");
var sealedd = b2.Seal(testkey).Right;
Console.Write("sealed data len: ");
Console.WriteLine(sealedd.Length);
Console.WriteLine("deserializing the sealed token with an invalid key");
Error e = Biscuit.Token.Biscuit.FromSealed(sealedd, Encoding.UTF8.GetBytes("not this key")).Left;
Console.WriteLine(e);
Assert.AreEqual(new SealedSignature(), e);
Console.WriteLine("deserializing the sealed token with a valid key");
Biscuit.Token.Biscuit deser2 = Biscuit.Token.Biscuit.FromSealed(sealedd, Encoding.UTF8.GetBytes("testkey")).Right;
Console.WriteLine(deser2.Print());
Console.WriteLine("trying to attenuate to a sealed token");
_ = deser2.CreateBlock();
_ = deser2.Attenuate(rng, keypair2, builder.Build()).Left;
Verifier v = deser2.VerifySealed().Right;
Console.WriteLine(v.PrintWorld());
}
public void TestBasic()
{
byte[] seed = { 0, 0, 0, 0 };
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(seed);
Console.WriteLine("preparing the authority block");
KeyPair root = new KeyPair(rng);
SymbolTable symbols = Biscuit.Token.Biscuit.DefaultSymbolTable();
BlockBuilder authority_builder = new BlockBuilder(0, symbols);
authority_builder.AddFact(Utils.Fact("right", Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("file1"), Utils.Symbol("read"))));
authority_builder.AddFact(Utils.Fact("right", Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("file2"), Utils.Symbol("read"))));
authority_builder.AddFact(Utils.Fact("right", Arrays.AsList(Utils.Symbol("authority"), Utils.Symbol("file1"), Utils.Symbol("write"))));
Biscuit.Token.Biscuit b = Biscuit.Token.Biscuit.Make(rng, root, Biscuit.Token.Biscuit.DefaultSymbolTable(), authority_builder.Build()).Right;
Console.WriteLine(b.Print());
Console.WriteLine("serializing the first token");
byte[] data = b.Serialize().Right;
Console.Write("data len: ");
Console.WriteLine(data.Length);
//Console.WriteLine(hex(data));
Console.WriteLine("deserializing the first token");
Biscuit.Token.Biscuit deser = Biscuit.Token.Biscuit.FromBytes(data).Right;
Console.WriteLine(deser.Print());
// SECOND BLOCK
Console.WriteLine("preparing the second block");
KeyPair keypair2 = new KeyPair(rng);
BlockBuilder builder = deser.CreateBlock();
builder.AddCheck(Utils.Check(Utils.Rule(
"caveat1",
Arrays.AsList(Utils.Var("resource")),
Arrays.AsList(
Utils.Pred("resource", Arrays.AsList(Utils.Symbol("ambient"), Utils.Var("resource"))),
Utils.Pred("operation", Arrays.AsList(Utils.Symbol("ambient"), Utils.Symbol("read"))),
Utils.Pred("right", Arrays.AsList(Utils.Symbol("authority"), Utils.Var("resource"), Utils.Symbol("read")))
)
)));
Biscuit.Token.Biscuit b2 = deser.Attenuate(rng, keypair2, builder.Build()).Right;
Console.WriteLine(b2.Print());
Console.WriteLine("serializing the second token");
byte[] data2 = b2.Serialize().Right;
Console.Write("data len: ");
Console.WriteLine(data2.Length);
//Console.WriteLine(hex(data2));
Console.WriteLine("deserializing the second token");
Biscuit.Token.Biscuit deser2 = Biscuit.Token.Biscuit.FromBytes(data2).Right;
Console.WriteLine(deser2.Print());
// THIRD BLOCK
Console.WriteLine("preparing the third block");
KeyPair keypair3 = new KeyPair(rng);
BlockBuilder builder3 = deser2.CreateBlock();
builder3.AddCheck(Utils.Check(Utils.Rule(
"caveat2",
Arrays.AsList(Utils.Symbol("file1")),
Arrays.AsList(
Utils.Pred("resource", Arrays.AsList(Utils.Symbol("ambient"), Utils.Symbol("file1")))
)
)));
Biscuit.Token.Biscuit b3 = deser2.Attenuate(rng, keypair3, builder3.Build()).Right;
Console.WriteLine(b3.Print());
Console.WriteLine("serializing the third token");
byte[] data3 = b3.Serialize().Right;
Console.Write("data len: ");
Console.WriteLine(data3.Length);
//Console.WriteLine(hex(data3));
Console.WriteLine("deserializing the third token");
Biscuit.Token.Biscuit final_token = Biscuit.Token.Biscuit.FromBytes(data3).Right;
Console.WriteLine(final_token.Print());
// check
Console.WriteLine("will check the token for resource=file1 and operation=read");
SymbolTable check_symbols = new SymbolTable(final_token.Symbols);
List <Fact> ambient_facts = Arrays.AsList(
Utils.Fact("resource", Arrays.AsList(Utils.Symbol("ambient"), Utils.Symbol("file1"))).Convert(check_symbols),
Utils.Fact("operation", Arrays.AsList(Utils.Symbol("ambient"), Utils.Symbol("read"))).Convert(check_symbols)
);
Either <Error, Dictionary <string, HashSet <Fact> > > res = final_token.Check(check_symbols, ambient_facts,
new List <Rule>(), new List <Check>(), new Dictionary <string, Rule>());
Assert.IsTrue(res.IsRight);
Console.WriteLine("will check the token for resource=file2 and operation=write");
SymbolTable check_symbols2 = new SymbolTable(final_token.Symbols);
List <Fact> ambient_facts2 = Arrays.AsList(
Utils.Fact("resource", Arrays.AsList(Utils.Symbol("ambient"), Utils.Symbol("file2"))).Convert(check_symbols2),
Utils.Fact("operation", Arrays.AsList(Utils.Symbol("ambient"), Utils.Symbol("write"))).Convert(check_symbols2)
);
Either <Error, Dictionary <string, HashSet <Fact> > > res2 = final_token.Check(check_symbols2, ambient_facts2,
new List <Rule>(), new List <Check>(), new Dictionary <string, Rule>());
Assert.IsTrue(res2.IsLeft);
Console.WriteLine(res2.Left);
Assert.AreEqual(
new FailedLogic(new LogicError.FailedChecks(Arrays.AsList <FailedCheck>(
new FailedCheck.FailedBlock(1, 0, "check if resource(#ambient, $resource), operation(#ambient, #read), right(#authority, $resource, #read)"),
new FailedCheck.FailedBlock(2, 0, "check if resource(#ambient, #file1)")
))),
res2.Left);
}
