diff --git a/biscuit-auth/examples/testcases.rs b/biscuit-auth/examples/testcases.rs index e2ca1e31..ad614ce0 100644 --- a/biscuit-auth/examples/testcases.rs +++ b/biscuit-auth/examples/testcases.rs @@ -110,6 +110,8 @@ fn main() { results.push(public_keys_interning(&mut rng, &target, &root, test)); + results.push(integer_wraparound(&mut rng, &target, &root, test)); + if json { let s = serde_json::to_string_pretty(&TestCases { root_private_key: hex::encode(root.private().to_bytes()), @@ -1976,6 +1978,57 @@ fn public_keys_interning( } } +fn integer_wraparound( + rng: &mut T, + target: &str, + root: &KeyPair, + test: bool, +) -> TestResult { + let title = "integer wraparound".to_string(); + let filename = "test027_integer_wraparound.bc".to_string(); + let token; + + let biscuit = biscuit!( + r#" + // integer overflows must abort evaluating the whole expression + // todo update this test when integer overflows abort + // the whole datalog evaluation + check if true || 10000000000 * 10000000000 != 0; + check if true || 9223372036854775807 + 1 != 0; + check if true || -9223372036854775808 - 1 != 0; + "# + ) + .build_with_rng(&root, SymbolTable::default(), rng) + .unwrap(); + + token = print_blocks(&biscuit); + + let data = if test { + let v = load_testcase(target, "test027_integer_wraparound"); + let expected = Biscuit::from(&v[..], root.public()).unwrap(); + print_diff(&biscuit.print(), &expected.print()); + v + } else { + let data = biscuit.to_vec().unwrap(); + write_testcase(target, "test027_integer_wraparound", &data[..]); + + data + }; + + let mut validations = BTreeMap::new(); + validations.insert( + "".to_string(), + validate_token(root, &data[..], &format!(r#"allow if true;"#)), + ); + + TestResult { + title, + filename, + token, + validations, + } +} + fn print_blocks(token: &Biscuit) -> Vec { let mut v = Vec::new(); diff --git a/biscuit-auth/samples/README.md b/biscuit-auth/samples/README.md index 97b975b5..5eb15ea8 100644 --- a/biscuit-auth/samples/README.md +++ b/biscuit-auth/samples/README.md @@ -1617,3 +1617,48 @@ World { result: `Ok(3)` + +------------------------------ + +## integer wraparound: test027_integer_wraparound.bc +### token + +authority: +symbols: [] + +public keys: [] + +``` +check if true || 10000000000 * 10000000000 != 0; +check if true || 9223372036854775807 + 1 != 0; +check if true || -9223372036854775808 - 1 != 0; +``` + +### validation + +authorizer code: +``` +allow if true; +``` + +revocation ids: +- `70d8941198ab5daa445a11357994d93278876ee95b6500f4c4a265ad668a0111440942b762e02513e471d40265d586ea76209921068524f588dc46eb4260db07` + +authorizer world: +``` +World { + facts: {} + rules: {} + checks: { + "check if true || -9223372036854775808 - 1 != 0", + "check if true || 10000000000 * 10000000000 != 0", + "check if true || 9223372036854775807 + 1 != 0", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if true || 10000000000 * 10000000000 != 0" }), Block(FailedBlockCheck { block_id: 0, check_id: 1, rule: "check if true || 9223372036854775807 + 1 != 0" }), Block(FailedBlockCheck { block_id: 0, check_id: 2, rule: "check if true || -9223372036854775808 - 1 != 0" })] }))` + diff --git a/biscuit-auth/samples/samples.json b/biscuit-auth/samples/samples.json index 08f0d927..fa73a879 100644 --- a/biscuit-auth/samples/samples.json +++ b/biscuit-auth/samples/samples.json @@ -1589,6 +1589,72 @@ ] } } + }, + { + "title": "integer wraparound", + "filename": "test027_integer_wraparound.bc", + "token": [ + { + "symbols": [], + "public_keys": [], + "external_key": null, + "code": "check if true || 10000000000 * 10000000000 != 0;\ncheck if true || 9223372036854775807 + 1 != 0;\ncheck if true || -9223372036854775808 - 1 != 0;\n" + } + ], + "validations": { + "": { + "world": { + "facts": [], + "rules": [], + "checks": [ + "check if true || -9223372036854775808 - 1 != 0", + "check if true || 10000000000 * 10000000000 != 0", + "check if true || 9223372036854775807 + 1 != 0" + ], + "policies": [ + "allow if true" + ] + }, + "result": { + "Err": { + "FailedLogic": { + "Unauthorized": { + "policy": { + "Allow": 0 + }, + "checks": [ + { + "Block": { + "block_id": 0, + "check_id": 0, + "rule": "check if true || 10000000000 * 10000000000 != 0" + } + }, + { + "Block": { + "block_id": 0, + "check_id": 1, + "rule": "check if true || 9223372036854775807 + 1 != 0" + } + }, + { + "Block": { + "block_id": 0, + "check_id": 2, + "rule": "check if true || -9223372036854775808 - 1 != 0" + } + } + ] + } + } + } + }, + "authorizer_code": "allow if true;\n", + "revocation_ids": [ + "70d8941198ab5daa445a11357994d93278876ee95b6500f4c4a265ad668a0111440942b762e02513e471d40265d586ea76209921068524f588dc46eb4260db07" + ] + } + } } ] } diff --git a/biscuit-auth/samples/test027_integer_wraparound.bc b/biscuit-auth/samples/test027_integer_wraparound.bc new file mode 100644 index 00000000..fc3a5853 Binary files /dev/null and b/biscuit-auth/samples/test027_integer_wraparound.bc differ