From 1bf87b03b28c597e74c5786b03b91b255f8393d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Delafargue?= Date: Sun, 29 Jan 2023 15:51:04 +0100 Subject: [PATCH] samples: add a sample exercising integer overflow cases (#134) --- biscuit-auth/examples/testcases.rs | 53 ++++++++++++++ biscuit-auth/samples/README.md | 45 ++++++++++++ biscuit-auth/samples/samples.json | 66 ++++++++++++++++++ .../samples/test027_integer_wraparound.bc | Bin 0 -> 329 bytes 4 files changed, 164 insertions(+) create mode 100644 biscuit-auth/samples/test027_integer_wraparound.bc diff --git a/biscuit-auth/examples/testcases.rs b/biscuit-auth/examples/testcases.rs index e2ca1e31..ad614ce0 100644 --- a/biscuit-auth/examples/testcases.rs +++ b/biscuit-auth/examples/testcases.rs @@ -110,6 +110,8 @@ fn main() { results.push(public_keys_interning(&mut rng, &target, &root, test)); + results.push(integer_wraparound(&mut rng, &target, &root, test)); + if json { let s = serde_json::to_string_pretty(&TestCases { root_private_key: hex::encode(root.private().to_bytes()), 
@@ -1976,6 +1978,57 @@ fn public_keys_interning( } } +fn integer_wraparound( + rng: &mut T, + target: &str, + root: &KeyPair, + test: bool, +) -> TestResult { + let title = "integer wraparound".to_string(); + let filename = "test027_integer_wraparound.bc".to_string(); + let token; + + let biscuit = biscuit!( + r#" + // integer overflows must abort evaluating the whole expression + // todo update this test when integer overflows abort + // the whole datalog evaluation + check if true || 10000000000 * 10000000000 != 0; + check if true || 9223372036854775807 + 1 != 0; + check if true || -9223372036854775808 - 1 != 0; + "# + ) + .build_with_rng(&root, SymbolTable::default(), rng) + .unwrap(); + + token = print_blocks(&biscuit); + + let data = if test { + let v = load_testcase(target, "test027_integer_wraparound"); + let expected = Biscuit::from(&v[..], root.public()).unwrap(); + print_diff(&biscuit.print(), &expected.print()); + v + } else { + let data = biscuit.to_vec().unwrap(); + write_testcase(target, "test027_integer_wraparound", &data[..]); + + data + }; + + let mut validations = BTreeMap::new(); + validations.insert( + "".to_string(), + validate_token(root, &data[..], &format!(r#"allow if true;"#)), + ); + + TestResult { + title, + filename, + token, + validations, + } +} + fn print_blocks(token: &Biscuit) -> Vec { let mut v = Vec::new(); diff --git a/biscuit-auth/samples/README.md b/biscuit-auth/samples/README.md index 97b975b5..5eb15ea8 100644 --- a/biscuit-auth/samples/README.md +++ b/biscuit-auth/samples/README.md 
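Review bot: The three checks in `integer_wraparound` can only fail if the right-hand operand of `true || …` is actually evaluated, and the datalog comment in the `biscuit!` block does not say that this is why `true ||` is there. The expected result recorded for this sample in samples/README.md in the same patch (all three checks reported as failed) depends on it, so if `||` ever becomes short-circuiting the checks would pass and the sample would stop covering the fail-closed overflow path, with nothing in this function pointing to the cause. I would add a line such as `// "true ||" is deliberate: the check may only fail because the overflowing operand is evaluated and aborts the expression` next to the existing todo, and consider adding the same three expressions without `true ||` so overflow is exercised independently of operator evaluation order. The sample covers only `*`, `+` and `-`; if integer division in the language can overflow (minimum value divided by -1) or divide by zero, those cases presumably belong in this token as well.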
@@ -1617,3 +1617,48 @@ World { result: `Ok(3)` + +------------------------------ + +## integer wraparound: test027_integer_wraparound.bc +### token + +authority: +symbols: [] + +public keys: [] + +``` +check if true || 10000000000 * 10000000000 != 0; +check if true || 9223372036854775807 + 1 != 0; +check if true || -9223372036854775808 - 1 != 0; +``` + +### validation + +authorizer code: +``` +allow if true; +``` + +revocation ids: +- `70d8941198ab5daa445a11357994d93278876ee95b6500f4c4a265ad668a0111440942b762e02513e471d40265d586ea76209921068524f588dc46eb4260db07` + +authorizer world: +``` +World { + facts: {} + rules: {} + checks: { + "check if true || -9223372036854775808 - 1 != 0", + "check if true || 10000000000 * 10000000000 != 0", + "check if true || 9223372036854775807 + 1 != 0", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if true || 10000000000 * 10000000000 != 0" }), Block(FailedBlockCheck { block_id: 0, check_id: 1, rule: "check if true || 9223372036854775807 + 1 != 0" }), Block(FailedBlockCheck { block_id: 0, check_id: 2, rule: "check if true || -9223372036854775808 - 1 != 0" })] }))` + diff --git a/biscuit-auth/samples/samples.json b/biscuit-auth/samples/samples.json index 08f0d927..fa73a879 100644 --- a/biscuit-auth/samples/samples.json +++ b/biscuit-auth/samples/samples.json 
@@ -1589,6 +1589,72 @@ ] } } + }, + { + "title": "integer wraparound", + "filename": "test027_integer_wraparound.bc", + "token": [ + { + "symbols": [], + "public_keys": [], + "external_key": null, + "code": "check if true || 10000000000 * 10000000000 != 0;\ncheck if true || 9223372036854775807 + 1 != 0;\ncheck if true || -9223372036854775808 - 1 != 0;\n" + } + ], + "validations": { + "": { + "world": { + "facts": [], + "rules": [], + "checks": [ + "check if true || -9223372036854775808 - 1 != 0", + "check if true || 10000000000 * 10000000000 != 0", + "check if true || 9223372036854775807 + 1 != 0" + ], + "policies": [ + "allow if true" + ] + }, + "result": { + "Err": { + "FailedLogic": { + "Unauthorized": { + "policy": { + "Allow": 0 + }, + "checks": [ + { + "Block": { + "block_id": 0, + "check_id": 0, + "rule": "check if true || 10000000000 * 10000000000 != 0" + } + }, + { + "Block": { + "block_id": 0, + "check_id": 1, + "rule": "check if true || 9223372036854775807 + 1 != 0" + } + }, + { + "Block": { + "block_id": 0, + "check_id": 2, + "rule": "check if true || -9223372036854775808 - 1 != 0" + } + } + ] + } + } + } + }, + "authorizer_code": "allow if true;\n", + "revocation_ids": [ + "70d8941198ab5daa445a11357994d93278876ee95b6500f4c4a265ad668a0111440942b762e02513e471d40265d586ea76209921068524f588dc46eb4260db07" + ] + } + } } ] } diff --git a/biscuit-auth/samples/test027_integer_wraparound.bc b/biscuit-auth/samples/test027_integer_wraparound.bc new file mode 100644 index 0000000000000000000000000000000000000000..fc3a585377f8ea88e9c5eed3cf4f4ac99dd19d8e GIT binary patch literal 329 zcmWey#Kg6oQG&(DipzqFi9=e-h>L}b$$*iIgNsd|;l%m{sz@vrDJBkXkh}l`7liuzE(YN=__#t+_10_8LR&<>lfQXn+BrHlSq?&0Lt8g;Y2ggcK&* z@;P&z%fH!l?d8>*OC~D0GrUxox=UlD@!mY8^Lv$xr5p-wOc9*1I(C&yl%Q$ll$%Bs z?RhVwQyIP-S(Lgqt&366h0|$!(gRiDCxus-Qm?kXDpQ!L$kwXzwd0Q4Yo~`F>p n3g%~*YxN1UZ0vY7-D~?2g_9SV?Osfom%