biscuit-auth · divarvel · Oct 2, 2024 · Oct 22, 2024 · Oct 22, 2024 · Oct 24, 2024
diff --git a/biscuit-auth/examples/testcases.rs b/biscuit-auth/examples/testcases.rs
@@ -10,9 +10,14 @@
 use biscuit::Authorizer;
 use biscuit::{builder::*, builder_ext::*, Biscuit};
 use biscuit::{KeyPair, PrivateKey, PublicKey};
+use biscuit_auth::builder;
+use biscuit_auth::datalog::ExternFunc;
+use biscuit_auth::datalog::RunLimits;
 use prost::Message;
 use rand::prelude::*;
 use serde::Serialize;
+use std::collections::HashMap;
+use std::sync::Arc;
 use std::{
     collections::{BTreeMap, BTreeSet},
     fs::File,
@@ -157,6 +162,9 @@
     add_test_result(&mut results, type_of(&target, &root, test));
 
     add_test_result(&mut results, array_map(&target, &root, test));
+
+    add_test_result(&mut results, ffi(&target, &root, test));
+
     if json {
         let s = serde_json::to_string_pretty(&TestCases {
             root_private_key: hex::encode(root.private().to_bytes()),
@@ -297,6 +305,15 @@
 }
 
 fn validate_token(root: &KeyPair, data: &[u8], authorizer_code: &str) -> Validation {
+    validate_token_with_limits(root, data, authorizer_code, RunLimits::default())
+}
+
+fn validate_token_with_limits(
+    root: &KeyPair,
+    data: &[u8],
+    authorizer_code: &str,
+    run_limits: RunLimits,
+) -> Validation {
     let token = match Biscuit::from(&data[..], &root.public()) {
         Ok(t) => t,
         Err(e) => {
@@ -331,7 +348,7 @@
         }
     };
 
-    let res = authorizer.authorize();
+    let res = authorizer.authorize_with_limits(run_limits);
     //println!("authorizer world:\n{}", authorizer.print_world());
     let (_, _, _, policies) = authorizer.dump();
     let snapshot = authorizer.snapshot().unwrap();
@@ -2269,6 +2286,56 @@
     }
 }
 
+fn ffi(target: &str, root: &KeyPair, test: bool) -> TestResult {
+    let mut rng: StdRng = SeedableRng::seed_from_u64(1234);
+    let title = "test ffi calls (v6 blocks)".to_string();
+    let filename = "test035_ffi".to_string();
+    let token;
+
+    let biscuit =
+        biscuit!(r#"check if true.extern::test(), "a".extern::test("a") == "equal strings""#)
+            .build_with_rng(&root, SymbolTable::default(), &mut rng)
+            .unwrap();
+    token = print_blocks(&biscuit);
+
+    let data = write_or_load_testcase(target, &filename, root, &biscuit, test);
+
+    let mut validations = BTreeMap::new();
+    validations.insert(
+        "".to_string(),
+        validate_token_with_limits(
+            root,
+            &data[..],
+            "allow if true",
+            RunLimits {
+                extern_funcs: HashMap::from([(
+                    "test".to_string(),
+                    ExternFunc::new(Arc::new(|left, right| match (left, right) {
+                        (t, None) => Ok(t),
+                        (builder::Term::Str(left), Some(builder::Term::Str(right)))
+                            if left == right =>
+                        {
+                            Ok(builder::Term::Str("equal strings".to_string()))
+                        }
+                        (builder::Term::Str(_), Some(builder::Term::Str(_))) => {
+                            Ok(builder::Term::Str("different strings".to_string()))
+                        }
+                        _ => Err("unsupported operands".to_string()),
+                    })),
+                )]),
+                ..Default::default()
+            },
+        ),
+    );
+
+    TestResult {
+        title,
+        filename,
+        token,
+        validations,
+    }
+}
+
 fn print_blocks(token: &Biscuit) -> Vec<BlockContent> {
     let mut v = Vec::new();
 

diff --git a/biscuit-auth/samples/README.md b/biscuit-auth/samples/README.md
@@ -3139,3 +3139,51 @@ World {
 
 result: `Ok(0)`
 
+
+------------------------------
+
+## test ffi calls (v6 blocks): test035_ffi.bc
+### token
+
+authority:
+symbols: ["test", "a", "equal strings"]
+
+public keys: []
+
+```
+check if true.extern::test(), "a".extern::test("a") == "equal strings";
+```
+
+### validation
+
+authorizer code:
+```
+allow if true;
+```
+
+revocation ids:
+- `faf26fe6f5dfa08c114a0a29321405b6fb7be79b0d80694d27925f7deb01effe5707600e42fd74f9a1d2920466446d51949155f4548f0fd68f3e9326c7e12404`
+
+authorizer world:
+```
+World {
+  facts: []
+  rules: []
+  checks: [
+    Checks {
+        origin: Some(
+            0,
+        ),
+        checks: [
+            "check if true.extern::test(), \"a\".extern::test(\"a\") == \"equal strings\"",
+        ],
+    },
+]
+  policies: [
+    "allow if true",
+]
+}
+```
+
+result: `Ok(0)`
+
diff --git a/biscuit-auth/samples/samples.json b/biscuit-auth/samples/samples.json
@@ -2913,6 +2913,48 @@
           ]
         }
       }
+    },
+    {
+      "title": "test ffi calls (v6 blocks)",
+      "filename": "test035_ffi.bc",
+      "token": [
+        {
+          "symbols": [
+            "test",
+            "a",
+            "equal strings"
+          ],
+          "public_keys": [],
+          "external_key": null,
+          "code": "check if true.extern::test(), \"a\".extern::test(\"a\") == \"equal strings\";\n"
+        }
+      ],
+      "validations": {
+        "": {
+          "world": {
+            "facts": [],
+            "rules": [],
+            "checks": [
+              {
+                "origin": 0,
+                "checks": [
+                  "check if true.extern::test(), \"a\".extern::test(\"a\") == \"equal strings\""
+                ]
+              }
+            ],
+            "policies": [
+              "allow if true"
+            ]
+          },
+          "result": {
+            "Ok": 0
+          },
+          "authorizer_code": "allow if true;\n",
+          "revocation_ids": [
+            "faf26fe6f5dfa08c114a0a29321405b6fb7be79b0d80694d27925f7deb01effe5707600e42fd74f9a1d2920466446d51949155f4548f0fd68f3e9326c7e12404"
+          ]
+        }
+      }
     }
   ]
 }
diff --git a/biscuit-auth/samples/test035_ffi.bc b/biscuit-auth/samples/test035_ffi.bc