biscuit-auth / biscuit-rust

Rust implementation of the Biscuit authorization token
https://www.biscuitsec.org
208 stars 30 forks source link

Hidden state in `Authorizer` #194

Open divarvel opened 1 year ago

divarvel commented 1 year ago

An Authorizer value wraps a datalog::World value, which contains facts and rules used for datalog evaluation. The Authorizer struct also contains an (optional) Vec<Block> representing a token (it is optional because an Authorizer can be created without a token. It also contains a BlockBuilder which contains facts, rules and checks added to the authorizer, as well as a Vec<Policy> containing policies added to the authorizer.

After calling authorize(), the World value contains facts from the token blocks, facts from the authorizer block builder and facts generated by rules.

The issue is that the World value does not always contain facts and rules from the authorizer builder:

So, depending on whether authorize() and query() have been called, the authorizer world can be in various states:

this makes relying on World contents tricky.

Open questions:

This affects #192 and #193

divarvel commented 1 year ago

after thinking things through and experimenting, here's what I think: