ensure that FFI function names are only defined on FFI operations
divarvel committed Oct 25, 2024
1 parent aa7e2bd commit 7d1297d
Showing 4 changed files with 78 additions and 60 deletions.
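--- a/biscuit-auth/src/capi.rs
+++ b/biscuit-auth/src/capi.rs
@@ -79,7 +79,6 @@ pub enum ErrorKind {
 FormatPublicKeyTableOverlap,
 FormatUnknownExternalKey,
 FormatUnknownSymbol,
-FormatMissingFfiName,
 AppendOnSealed,
 LogicInvalidBlockRule,
 LogicUnauthorized,
@@ -159,7 +158,6 @@ pub extern "C" fn error_kind() -> ErrorKind {
 ErrorKind::FormatUnknownExternalKey
 }
 Token::Format(Format::UnknownSymbol(_)) => ErrorKind::FormatUnknownSymbol,
-Token::Format(Format::MissingFfiName) => ErrorKind::FormatMissingFfiName,
 Token::AppendOnSealed => ErrorKind::AppendOnSealed,
 Token::AlreadySealed => ErrorKind::AlreadySealed,
 Token::Language(_) => ErrorKind::LanguageError,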
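--- a/biscuit-auth/src/error.rs
+++ b/biscuit-auth/src/error.rs
@@ -150,8 +150,6 @@ pub enum Format {
 UnknownExternalKey,
 #[error("the symbol id was not in the table")]
 UnknownSymbol(u64),
-#[error("missing FFI name field")]
-MissingFfiName,
 }
 
 /// Signature errors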
132 changes: 77 additions & 55 deletions biscuit-auth/src/format/convert.rs
@@ -678,63 +678,85 @@ pub mod v2 {
use schema::{op, op_binary, op_unary};
Ok(match op.content.as_ref() {
Some(op::Content::Value(id)) => Op::Value(proto_id_to_token_term(id)?),
Some(op::Content::Unary(u)) => match op_unary::Kind::from_i32(u.kind) {
Some(op_unary::Kind::Negate) => Op::Unary(Unary::Negate),
Some(op_unary::Kind::Parens) => Op::Unary(Unary::Parens),
Some(op_unary::Kind::Length) => Op::Unary(Unary::Length),
Some(op_unary::Kind::TypeOf) => Op::Unary(Unary::TypeOf),
Some(op_unary::Kind::Ffi) => match u.ffi_name.as_ref() {
// todo clementd error if ffi name is defined with another kind
Some(n) => Op::Unary(Unary::Ffi(n.to_owned())),
None => return Err(error::Format::MissingFfiName),
},
None => {
return Err(error::Format::DeserializationError(
"deserialization error: unary operation is empty".to_string(),
))
}
},
Some(op::Content::Binary(b)) => match op_binary::Kind::from_i32(b.kind) {
Some(op_binary::Kind::LessThan) => Op::Binary(Binary::LessThan),
Some(op_binary::Kind::GreaterThan) => Op::Binary(Binary::GreaterThan),
Some(op_binary::Kind::LessOrEqual) => Op::Binary(Binary::LessOrEqual),
Some(op_binary::Kind::GreaterOrEqual) => Op::Binary(Binary::GreaterOrEqual),
Some(op_binary::Kind::Equal) => Op::Binary(Binary::Equal),
Some(op_binary::Kind::Contains) => Op::Binary(Binary::Contains),
Some(op_binary::Kind::Prefix) => Op::Binary(Binary::Prefix),
Some(op_binary::Kind::Suffix) => Op::Binary(Binary::Suffix),
Some(op_binary::Kind::Regex) => Op::Binary(Binary::Regex),
Some(op_binary::Kind::Add) => Op::Binary(Binary::Add),
Some(op_binary::Kind::Sub) => Op::Binary(Binary::Sub),
Some(op_binary::Kind::Mul) => Op::Binary(Binary::Mul),
Some(op_binary::Kind::Div) => Op::Binary(Binary::Div),
Some(op_binary::Kind::And) => Op::Binary(Binary::And),
Some(op_binary::Kind::Or) => Op::Binary(Binary::Or),
Some(op_binary::Kind::Intersection) => Op::Binary(Binary::Intersection),
Some(op_binary::Kind::Union) => Op::Binary(Binary::Union),
Some(op_binary::Kind::BitwiseAnd) => Op::Binary(Binary::BitwiseAnd),
Some(op_binary::Kind::BitwiseOr) => Op::Binary(Binary::BitwiseOr),
Some(op_binary::Kind::BitwiseXor) => Op::Binary(Binary::BitwiseXor),
Some(op_binary::Kind::NotEqual) => Op::Binary(Binary::NotEqual),
Some(op_binary::Kind::HeterogeneousEqual) => Op::Binary(Binary::HeterogeneousEqual),
Some(op_binary::Kind::HeterogeneousNotEqual) => {
Op::Binary(Binary::HeterogeneousNotEqual)
Some(op::Content::Unary(u)) => {
match (op_unary::Kind::from_i32(u.kind), u.ffi_name.as_ref()) {
(Some(op_unary::Kind::Negate), None) => Op::Unary(Unary::Negate),
(Some(op_unary::Kind::Parens), None) => Op::Unary(Unary::Parens),
(Some(op_unary::Kind::Length), None) => Op::Unary(Unary::Length),
(Some(op_unary::Kind::TypeOf), None) => Op::Unary(Unary::TypeOf),
(Some(op_unary::Kind::Ffi), Some(n)) => Op::Unary(Unary::Ffi(n.to_owned())),

Check warning on line 687 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L687

Added line #L687 was not covered by tests
(Some(op_unary::Kind::Ffi), None) => {
return Err(error::Format::DeserializationError(
"deserialization error: missing ffi name".to_string(),

Check warning on line 690 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L689-L690

Added lines #L689 - L690 were not covered by tests
))
}
(Some(_), Some(_)) => {
return Err(error::Format::DeserializationError(
"deserialization error: ffi name set on a regular unary operation"

Check warning on line 695 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L694-L695

Added lines #L694 - L695 were not covered by tests
.to_string(),
))
}
(None, _) => {
return Err(error::Format::DeserializationError(
"deserialization error: unary operation is empty".to_string(),

Check warning on line 701 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L700-L701

Added lines #L700 - L701 were not covered by tests
))
}
}
Some(op_binary::Kind::LazyAnd) => Op::Binary(Binary::LazyAnd),
Some(op_binary::Kind::LazyOr) => Op::Binary(Binary::LazyOr),
Some(op_binary::Kind::All) => Op::Binary(Binary::All),
Some(op_binary::Kind::Any) => Op::Binary(Binary::Any),
Some(op_binary::Kind::Ffi) => match b.ffi_name.as_ref() {
// todo clementd error if ffi name is defined with another kind
Some(n) => Op::Binary(Binary::Ffi(n.to_owned())),
None => return Err(error::Format::MissingFfiName),
},
None => {
return Err(error::Format::DeserializationError(
"deserialization error: binary operation is empty".to_string(),
))
}
Some(op::Content::Binary(b)) => {
match (op_binary::Kind::from_i32(b.kind), b.ffi_name.as_ref()) {
(Some(op_binary::Kind::LessThan), None) => Op::Binary(Binary::LessThan),
(Some(op_binary::Kind::GreaterThan), None) => Op::Binary(Binary::GreaterThan),
(Some(op_binary::Kind::LessOrEqual), None) => Op::Binary(Binary::LessOrEqual),
(Some(op_binary::Kind::GreaterOrEqual), None) => {
Op::Binary(Binary::GreaterOrEqual)
}
(Some(op_binary::Kind::Equal), None) => Op::Binary(Binary::Equal),
(Some(op_binary::Kind::Contains), None) => Op::Binary(Binary::Contains),
(Some(op_binary::Kind::Prefix), None) => Op::Binary(Binary::Prefix),
(Some(op_binary::Kind::Suffix), None) => Op::Binary(Binary::Suffix),
(Some(op_binary::Kind::Regex), None) => Op::Binary(Binary::Regex),
(Some(op_binary::Kind::Add), None) => Op::Binary(Binary::Add),
(Some(op_binary::Kind::Sub), None) => Op::Binary(Binary::Sub),
(Some(op_binary::Kind::Mul), None) => Op::Binary(Binary::Mul),
(Some(op_binary::Kind::Div), None) => Op::Binary(Binary::Div),
(Some(op_binary::Kind::And), None) => Op::Binary(Binary::And),
(Some(op_binary::Kind::Or), None) => Op::Binary(Binary::Or),

Check warning on line 724 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L723-L724

Added lines #L723 - L724 were not covered by tests
(Some(op_binary::Kind::Intersection), None) => Op::Binary(Binary::Intersection),
(Some(op_binary::Kind::Union), None) => Op::Binary(Binary::Union),
(Some(op_binary::Kind::BitwiseAnd), None) => Op::Binary(Binary::BitwiseAnd),

Check warning on line 727 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L727

Added line #L727 was not covered by tests
(Some(op_binary::Kind::BitwiseOr), None) => Op::Binary(Binary::BitwiseOr),
(Some(op_binary::Kind::BitwiseXor), None) => Op::Binary(Binary::BitwiseXor),
(Some(op_binary::Kind::NotEqual), None) => Op::Binary(Binary::NotEqual),
(Some(op_binary::Kind::HeterogeneousEqual), None) => {
Op::Binary(Binary::HeterogeneousEqual)
}
(Some(op_binary::Kind::HeterogeneousNotEqual), None) => {
Op::Binary(Binary::HeterogeneousNotEqual)
}
(Some(op_binary::Kind::LazyAnd), None) => Op::Binary(Binary::LazyAnd),
(Some(op_binary::Kind::LazyOr), None) => Op::Binary(Binary::LazyOr),
(Some(op_binary::Kind::All), None) => Op::Binary(Binary::All),
(Some(op_binary::Kind::Any), None) => Op::Binary(Binary::Any),
(Some(op_binary::Kind::Ffi), Some(n)) => Op::Binary(Binary::Ffi(n.to_owned())),

Check warning on line 741 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L741

Added line #L741 was not covered by tests
(Some(op_binary::Kind::Ffi), None) => {
return Err(error::Format::DeserializationError(
"deserialization error: missing ffi name".to_string(),

Check warning on line 744 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L743-L744

Added lines #L743 - L744 were not covered by tests
))
}
(Some(_), Some(_)) => {
return Err(error::Format::DeserializationError(
"deserialization error: ffi name set on a regular binary operation"

Check warning on line 749 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L748-L749

Added lines #L748 - L749 were not covered by tests
.to_string(),
))
}
(None, _) => {
return Err(error::Format::DeserializationError(
"deserialization error: binary operation is empty".to_string(),

Check warning on line 755 in biscuit-auth/src/format/convert.rs

Codecov / codecov/patch

biscuit-auth/src/format/convert.rs#L754-L755

Added lines #L754 - L755 were not covered by tests
))
}
}
},
}
Some(op::Content::Closure(op_closure)) => Op::Closure(
op_closure.params.clone(),
op_closure
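Review bot: The arms that enforce the new rule, `(Some(_), Some(_))` and `(Some(op_unary::Kind::Ffi), None)` together with their binary counterparts, are reported as uncovered by the Codecov annotations in this section, so no test would fail if a later edit dropped or weakened them. This conversion presumably parses token data that can come from an untrusted party, so I would add deserialization tests that build a unary and a binary op with a non-FFI `kind` plus `ffi_name` set, and an FFI `kind` with no name, and assert `Err(error::Format::DeserializationError(_))` for each. The `Some(n)` pattern in the FFI arms also accepts an empty string as a name; whether that is meaningful downstream is not visible here, so it may deserve an explicit check. The enclosing function starts and ends outside the hunk.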
2 changes: 1 addition & 1 deletion biscuit-auth/tests/capi.rs
@@ -104,7 +104,7 @@ biscuit append error? (null)
authorizer creation error? (null)
authorizer add check error? (null)
authorizer add policy error? (null)
authorizer error(code = 22): authorization failed
authorizer error(code = 21): authorization failed
failed checks (2):
Authorizer check 0: check if right("efgh")
Block 1, check 0: check if operation("read")
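Review bot: The expected value moving from `code = 22` to `code = 21` shows that removing `FormatMissingFfiName` from the middle of `ErrorKind` renumbered every variant declared after it. C callers built against the earlier numbering would then map the returned integer to the wrong error, including the authorization-failure code asserted here. If that variant ever shipped in a release, consider keeping its slot. In either case, a comment on the enum such as `// numeric values are part of the C ABI: append new variants at the end, never remove from the middle` would warn the next editor. Whether the enum carries explicit discriminants or a `repr` attribute is not visible in this commit, so confirm that against the full definition.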