samples: add a sample exercising integer overflow cases (#134)

biscuit-auth/examples/testcases.rs

@@ -110,6 +110,8 @@ fn main() {
 
     results.push(public_keys_interning(&mut rng, &target, &root, test));
 
+    results.push(integer_wraparound(&mut rng, &target, &root, test));
+
     if json {
         let s = serde_json::to_string_pretty(&TestCases {
             root_private_key: hex::encode(root.private().to_bytes()),
@@ -1976,6 +1978,57 @@ fn public_keys_interning<T: Rng + CryptoRng>(
     }
 }
 
+fn integer_wraparound<T: Rng + CryptoRng>(
+    rng: &mut T,
+    target: &str,
+    root: &KeyPair,
+    test: bool,
+) -> TestResult {
+    let title = "integer wraparound".to_string();
+    let filename = "test027_integer_wraparound.bc".to_string();
+    let token;
+
+    let biscuit = biscuit!(
+        r#"
+          // integer overflows must abort evaluating the whole expression
+          // todo update this test when integer overflows abort
+          // the whole datalog evaluation
+          check if true || 10000000000 * 10000000000 != 0;
+          check if true || 9223372036854775807 + 1 != 0;
+          check if true || -9223372036854775808 - 1 != 0;
+    "#
+    )
+    .build_with_rng(&root, SymbolTable::default(), rng)
+    .unwrap();
+
+    token = print_blocks(&biscuit);
+
+    let data = if test {
+        let v = load_testcase(target, "test027_integer_wraparound");
+        let expected = Biscuit::from(&v[..], root.public()).unwrap();
+        print_diff(&biscuit.print(), &expected.print());
+        v
+    } else {
+        let data = biscuit.to_vec().unwrap();
+        write_testcase(target, "test027_integer_wraparound", &data[..]);
+
+        data
+    };
+
+    let mut validations = BTreeMap::new();
+    validations.insert(
+        "".to_string(),
+        validate_token(root, &data[..], &format!(r#"allow if true;"#)),
+    );
+
+    TestResult {
+        title,
+        filename,
+        token,
+        validations,
+    }
+}
+
 fn print_blocks(token: &Biscuit) -> Vec<BlockContent> {
     let mut v = Vec::new();
 

biscuit-auth/samples/README.md

@@ -1617,3 +1617,48 @@ World {
 
 result: `Ok(3)`
 
+
+------------------------------
+
+## integer wraparound: test027_integer_wraparound.bc
+### token
+
+authority:
+symbols: []
+
+public keys: []
+
+```
+check if true || 10000000000 * 10000000000 != 0;
+check if true || 9223372036854775807 + 1 != 0;
+check if true || -9223372036854775808 - 1 != 0;
+```
+
+### validation
+
+authorizer code:
+```
+allow if true;
+```
+
+revocation ids:
+- `70d8941198ab5daa445a11357994d93278876ee95b6500f4c4a265ad668a0111440942b762e02513e471d40265d586ea76209921068524f588dc46eb4260db07`
+
+authorizer world:
+```
+World {
+  facts: {}
+  rules: {}
+  checks: {
+    "check if true || -9223372036854775808 - 1 != 0",
+    "check if true || 10000000000 * 10000000000 != 0",
+    "check if true || 9223372036854775807 + 1 != 0",
+}
+  policies: {
+    "allow if true",
+}
+}
+```
+
+result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if true || 10000000000 * 10000000000 != 0" }), Block(FailedBlockCheck { block_id: 0, check_id: 1, rule: "check if true || 9223372036854775807 + 1 != 0" }), Block(FailedBlockCheck { block_id: 0, check_id: 2, rule: "check if true || -9223372036854775808 - 1 != 0" })] }))`
+

biscuit-auth/samples/samples.json

@@ -1589,6 +1589,72 @@
           ]
         }
       }
+    },
+    {
+      "title": "integer wraparound",
+      "filename": "test027_integer_wraparound.bc",
+      "token": [
+        {
+          "symbols": [],
+          "public_keys": [],
+          "external_key": null,
+          "code": "check if true || 10000000000 * 10000000000 != 0;\ncheck if true || 9223372036854775807 + 1 != 0;\ncheck if true || -9223372036854775808 - 1 != 0;\n"
+        }
+      ],
+      "validations": {
+        "": {
+          "world": {
+            "facts": [],
+            "rules": [],
+            "checks": [
+              "check if true || -9223372036854775808 - 1 != 0",
+              "check if true || 10000000000 * 10000000000 != 0",
+              "check if true || 9223372036854775807 + 1 != 0"
+            ],
+            "policies": [
+              "allow if true"
+            ]
+          },
+          "result": {
+            "Err": {
+              "FailedLogic": {
+                "Unauthorized": {
+                  "policy": {
+                    "Allow": 0
+                  },
+                  "checks": [
+                    {
+                      "Block": {
+                        "block_id": 0,
+                        "check_id": 0,
+                        "rule": "check if true || 10000000000 * 10000000000 != 0"
+                      }
+                    },
+                    {
+                      "Block": {
+                        "block_id": 0,
+                        "check_id": 1,
+                        "rule": "check if true || 9223372036854775807 + 1 != 0"
+                      }
+                    },
+                    {
+                      "Block": {
+                        "block_id": 0,
+                        "check_id": 2,
+                        "rule": "check if true || -9223372036854775808 - 1 != 0"
+                      }
+                    }
+                  ]
+                }
+              }
+            }
+          },
+          "authorizer_code": "allow if true;\n",
+          "revocation_ids": [
+            "70d8941198ab5daa445a11357994d93278876ee95b6500f4c4a265ad668a0111440942b762e02513e471d40265d586ea76209921068524f588dc46eb4260db07"
+          ]
+        }
+      }
     }
   ]
 }