biscuit-auth / biscuit-rust

Rust implementation of the Biscuit authorization token
https://www.biscuitsec.org

samples validation failure #157

Closed Geal closed 1 year ago

Geal commented 1 year ago

When running the samples generation with the `--test` option, I get different keys than what was displayed at creation. This does not change the result of the validation though, so it is probably an issue when printing the keys.

< left / > right
 Biscuit {
     symbols: []
     public keys: ["
<a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25
>229697541ba393f2a30559ef12b6d7d2403c8d9fe9b8164024894b5cc58638c9
 "]
     authority: Block {
             symbols: []
             version: 4
             context: ""
             external key: 
             public keys: ["
<a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25
>229697541ba393f2a30559ef12b6d7d2403c8d9fe9b8164024894b5cc58638c9
 "]
             scopes: []
             facts: [
                 right("read")
             ]
             rules: []
             checks: [
                 check if group("admin") trusting ed25519/
<a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25
>229697541ba393f2a30559ef12b6d7d2403c8d9fe9b8164024894b5cc58638c9

             ]
         }
     blocks: [
         Block {
             symbols: []
             version: 4
             context: ""
             external key: 
<a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25
>229697541ba393f2a30559ef12b6d7d2403c8d9fe9b8164024894b5cc58638c9

             public keys: []
             scopes: []
             facts: [
                 group("admin")
             ]
             rules: []
             checks: [
                 check if right("read")
             ]
         }
     ]
 }

< left / > right
 Biscuit {
     symbols: []
     public keys: ["
<3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59", "ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", "2e0118e63beb7731dab5119280ddb117234d0cdc41b7dd5dc4241bcbbb585d14
>a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25", "b7e2c7cea042431f9e7e0e0decd8503d58569330e6ed6eaa13187f518102a284", "3c1c4fa6c463ba8fb4ab60ec907d0282425d1e6c2e153df941fb917cfb877c2b
 "]
     authority: Block {
             symbols: []
             version: 4
             context: ""
             external key: 
             public keys: ["
<3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59
>a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25
 "]
             scopes: []
             facts: [
                 query(0)
             ]
             rules: []
             checks: [
                 check if true trusting previous, ed25519/
<3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59
>a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25

             ]
         }
     blocks: [
         Block {
             symbols: []
             version: 4
             context: ""
             external key: 
<3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59
<            public keys: ["ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee
>a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25
>            public keys: ["b7e2c7cea042431f9e7e0e0decd8503d58569330e6ed6eaa13187f518102a284
 "]
             scopes: []
             facts: [
                 query(1)
             ]
             rules: [
                 query(1, 2) <- query(1), query(2) trusting ed25519/
<ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee
>b7e2c7cea042431f9e7e0e0decd8503d58569330e6ed6eaa13187f518102a284

             ]
             checks: [
                 check if query(2), query(3) trusting ed25519/
<ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee,
<                check if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59
>b7e2c7cea042431f9e7e0e0decd8503d58569330e6ed6eaa13187f518102a284,
>                check if query(1) trusting ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25

             ]
         },
    Block {
             symbols: []
             version: 4
             context: ""
             external key: 
<ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee
>b7e2c7cea042431f9e7e0e0decd8503d58569330e6ed6eaa13187f518102a284

             public keys: []
             scopes: []
             facts: [
                 query(2)
             ]
             rules: []
             checks: [
                 check if query(2), query(3) trusting ed25519/
<ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee,
<                check if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59
>b7e2c7cea042431f9e7e0e0decd8503d58569330e6ed6eaa13187f518102a284,
>                check if query(1) trusting ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25

             ]
         },
    Block {
             symbols: []
             version: 4
             context: ""
             external key: 
<ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee
>b7e2c7cea042431f9e7e0e0decd8503d58569330e6ed6eaa13187f518102a284

             public keys: []
             scopes: []
             facts: [
                 query(3)
             ]
             rules: []
             checks: [
                 check if query(2), query(3) trusting ed25519/
<ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee,
<                check if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59
>b7e2c7cea042431f9e7e0e0decd8503d58569330e6ed6eaa13187f518102a284,
>                check if query(1) trusting ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25

             ]
         },
    Block {
             symbols: []
             version: 4
             context: ""
             external key: 
             public keys: ["
<2e0118e63beb7731dab5119280ddb117234d0cdc41b7dd5dc4241bcbbb585d14
>3c1c4fa6c463ba8fb4ab60ec907d0282425d1e6c2e153df941fb917cfb877c2b
 "]
             scopes: []
             facts: [
                 query(4)
             ]
             rules: []
             checks: [
                 check if query(2) trusting ed25519/
<ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee,
<                check if query(4) trusting ed25519/2e0118e63beb7731dab5119280ddb117234d0cdc41b7dd5dc4241bcbbb585d14
>b7e2c7cea042431f9e7e0e0decd8503d58569330e6ed6eaa13187f518102a284,
>                check if query(4) trusting ed25519/3c1c4fa6c463ba8fb4ab60ec907d0282425d1e6c2e153df941fb917cfb877c2b

             ]
         }
     ]
 }

Geal commented 1 year ago

This only affects the third-party block and pub key interning tests.

Geal commented 1 year ago

This is not an issue in biscuit crypto, but with the rng in the test cases. The same generator is passed from one sample generation to the next, so if there's a difference somewhere in its usage between the generation and the test, then it will generate a different token. When creating a deterministic rng specifically for this test, the bug disappears.
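
The failure mode described in the comment above, as an added Rust example that is not biscuit-rust code: `SplitMix64` stands in for the seeded test RNG, and `sample`, `run_shared` and `run_isolated` are hypothetical names. One extra draw in the first sample shifts every later key when the generator is shared, and shifts none when each sample seeds its own generator.

```rust
// Added illustration, not biscuit-rust code. SplitMix64 stands in for the
// seeded test RNG; a "key" is just 32 bytes drawn from it, shown as hex.
struct SplitMix64(u64);

impl SplitMix64 {
    fn next_u64(&mut self) -> u64 {
        self.0 = self.0.wrapping_add(0x9E37_79B9_7F4A_7C15);
        let mut z = self.0;
        z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
        z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
        z ^ (z >> 31)
    }
}

// Hypothetical sample: derive a key, then optionally use the RNG once more.
// `extra_draw` models any RNG use present in one mode but not the other.
fn sample(rng: &mut SplitMix64, extra_draw: bool) -> String {
    let key: String = (0..4).map(|_| format!("{:016x}", rng.next_u64())).collect();
    if extra_draw {
        rng.next_u64();
    }
    key
}

// One generator threaded through every sample: each key depends on all
// draws made by the samples before it.
fn run_shared(seed: u64, drift_in_first: bool) -> Vec<String> {
    let mut rng = SplitMix64(seed);
    (0..3).map(|i| sample(&mut rng, i == 0 && drift_in_first)).collect()
}

// One generator per sample, seeded from the sample index: a drift in one
// sample cannot move the keys of another.
fn run_isolated(seed: u64, drift_in_first: bool) -> Vec<String> {
    (0..3u64)
        .map(|i| sample(&mut SplitMix64(seed.wrapping_add(i)), i == 0 && drift_in_first))
        .collect()
}

fn main() {
    let (created, checked) = (run_shared(42, true), run_shared(42, false));
    for (i, (a, b)) in created.iter().zip(&checked).enumerate() {
        println!("shared   sample {i}: {}", if a == b { "same key" } else { "DIFFERENT key" });
    }
    let (created, checked) = (run_isolated(42, true), run_isolated(42, false));
    for (i, (a, b)) in created.iter().zip(&checked).enumerate() {
        println!("isolated sample {i}: {}", if a == b { "same key" } else { "DIFFERENT key" });
    }
}
```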

Geal commented 1 year ago

fixed by #159