package biscuit_test
import (
"crypto/ed25519"
"crypto/rand"
"fmt"
"github.com/biscuit-auth/biscuit-go/v2"
"github.com/biscuit-auth/biscuit-go/v2/parser"
)
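// ExampleBiscuit walks through the token lifecycle end to end: generate a
// root keypair, mint a token whose authority block grants file rights,
// attenuate it by appending a block that only permits read operations,
// serialize and re-parse it, and finally authorize two requests against it
// using nothing but the root public key. The attenuated token still carries
// the authority's write right, but the appended check makes the write
// request fail, which is what the trailing Output block pins down.
func ExampleBiscuit() {
	rng := rand.Reader

	// The private half signs the authority block; only the public half is
	// handed to the authorizer below. A key-generation failure must not be
	// ignored: an empty key would silently produce an unverifiable token.
	publicRoot, privateRoot, err := ed25519.GenerateKey(rng)
	if err != nil {
		panic(fmt.Errorf("failed to generate root keypair: %w", err))
	}

	// Authority block: the facts the issuer asserts. Parameters are bound
	// through the params map rather than string interpolation.
	authority, err := parser.FromStringBlockWithParams(`
right("/a/file1.txt", {read});
right("/a/file1.txt", {write});
right("/a/file2.txt", {read});
right("/a/file3.txt", {write});
`, map[string]biscuit.Term{"read": biscuit.String("read"), "write": biscuit.String("write")})
	if err != nil {
		panic(fmt.Errorf("failed to parse authority block: %w", err))
	}

	builder := biscuit.NewBuilder(privateRoot)
	builder.AddBlock(authority)
	b, err := builder.Build()
	if err != nil {
		panic(fmt.Errorf("failed to build biscuit: %w", err))
	}

	token, err := b.Serialize()
	if err != nil {
		panic(fmt.Errorf("failed to serialize biscuit: %w", err))
	}
	fmt.Printf("Token1 length: %d\n", len(token))

	// Round-trip through the wire format before attenuating, as a holder
	// that only has the serialized bytes would.
	deser, err := biscuit.Unmarshal(token)
	if err != nil {
		panic(fmt.Errorf("failed to deserialize biscuit: %w", err))
	}

	// Attenuation: the appended block adds a check restricting the
	// operation to "read". The authority's write right is still present in
	// the token but can no longer satisfy this check.
	blockBuilder := deser.CreateBlock()
	block, err := parser.FromStringBlockWithParams(`
check if resource($file), operation($permission), [{read}].contains($permission);`,
		map[string]biscuit.Term{"read": biscuit.String("read")})
	if err != nil {
		panic(fmt.Errorf("failed to parse block: %w", err))
	}
	blockBuilder.AddBlock(block)

	b2, err := deser.Append(rng, blockBuilder.Build())
	if err != nil {
		panic(fmt.Errorf("failed to append: %w", err))
	}

	token2, err := b2.Serialize()
	if err != nil {
		panic(fmt.Errorf("failed to serialize biscuit: %w", err))
	}
	fmt.Printf("Token2 length: %d\n", len(token2))

	// Verify: re-parse the attenuated token and authorize with the root
	// public key only.
	b2, err = biscuit.Unmarshal(token2)
	if err != nil {
		panic(fmt.Errorf("failed to deserialize token: %w", err))
	}

	// First query: read on /a/file1.txt. Granted by the authority and
	// permitted by the appended check.
	v1, err := b2.Authorizer(publicRoot)
	if err != nil {
		panic(fmt.Errorf("failed to create verifier: %w", err))
	}
	authorizer, err := parser.FromStringAuthorizerWithParams(`
resource({res});
operation({op});
allow if right({res}, {op});
`, map[string]biscuit.Term{"res": biscuit.String("/a/file1.txt"), "op": biscuit.String("read")})
	if err != nil {
		panic(fmt.Errorf("failed to parse authorizer: %w", err))
	}
	v1.AddAuthorizer(authorizer)
	if err := v1.Authorize(); err != nil {
		fmt.Println("forbidden to read /a/file1.txt")
	} else {
		fmt.Println("allowed to read /a/file1.txt")
	}

	// Second query: write on /a/file1.txt. A fresh authorizer is built so
	// the first query's resource/operation facts are not mixed in. The
	// authority grants write, but the appended read-only check rejects it.
	v1, err = b2.Authorizer(publicRoot)
	if err != nil {
		panic(fmt.Errorf("failed to create verifier: %w", err))
	}
	authorizer, err = parser.FromStringAuthorizerWithParams(`
resource({res});
operation({op});
allow if right({res}, {op});
`, map[string]biscuit.Term{"res": biscuit.String("/a/file1.txt"), "op": biscuit.String("write")})
	if err != nil {
		panic(fmt.Errorf("failed to parse authorizer: %w", err))
	}
	v1.AddAuthorizer(authorizer)
	if err := v1.Authorize(); err != nil {
		fmt.Println("forbidden to write /a/file1.txt")
	} else {
		fmt.Println("allowed to write /a/file1.txt")
	}

	// Output: Token1 length: 251
	// Token2 length: 433
	// allowed to read /a/file1.txt
	// forbidden to write /a/file1.txt
}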