[BREAKING] Separate biscuit-proto to own crate

Cargo.toml

@@ -1,5 +1,5 @@
 [workspace]
-members = ["biscuit-auth", "biscuit-quote", "biscuit-parser", "biscuit-capi"]
+members = ["biscuit-auth", "biscuit-proto", "biscuit-quote", "biscuit-parser", "biscuit-capi"]
 resolver = "2"
 
 # Used by capi crate

biscuit-auth/Cargo.toml

@@ -4,7 +4,6 @@ version = "6.0.0"
 description = "an authorization token with decentralized verification and offline attenuation"
 authors = ["Geoffroy Couprie <contact@geoffroycouprie.com>"]
 edition = "2018"
-build = "build.rs"
 license = "Apache-2.0"
 documentation = "https://docs.rs/biscuit-auth"
 homepage = "https://github.com/biscuit-auth/biscuit"
@@ -29,7 +28,7 @@ pem = ["ed25519-dalek/pem", "ed25519-dalek/pkcs8"]
 rand_core = "^0.6"
 sha2 = "^0.9"
 prost = "0.10"
-prost-types = "0.10"
+biscuit-proto = { version = "0.1.0", path = "../biscuit-proto" }
 regex = { version = "1.5", default-features = false, features = ["std"] }
 nom = { version = "7", default-features = false, features = ["std"] }
 hex = "0.4"
@@ -59,14 +58,10 @@ bencher = "0.1.5"
 rand = "0.8"
 chrono = { version = "0.4.26", features = ["serde", "clock"] }
 colored-diff = "0.2.3"
-prost-build = "0.10"
 serde = { version = "1.0.130", features = ["derive"] }
 serde_json = "1.0.67"
 codspeed-bencher-compat = "2.6.0"
 
-#[build-dependencies]
-#prost-build = "0.10"
-
 [[example]]
 name = "testcases"
 required-features = ["serde-error"]

biscuit-auth/examples/testcases.rs

@@ -9,10 +9,9 @@ extern crate biscuit_auth as biscuit;
 use biscuit::builder::BlockBuilder;
 use biscuit::datalog::SymbolTable;
 use biscuit::error;
-use biscuit::format::convert;
 use biscuit::macros::*;
 use biscuit::{builder::*, builder_ext::*, Biscuit};
-use biscuit::{KeyPair, PrivateKey, PublicKey};
+use biscuit::{KeyPair, PrivateKey};
 use biscuit_auth::builder;
 use biscuit_auth::builder::Algorithm;
 use biscuit_auth::datalog::ExternFunc;
@@ -22,12 +21,7 @@ use rand::prelude::*;
 use serde::Serialize;
 use std::collections::HashMap;
 use std::sync::Arc;
-use std::{
-    collections::{BTreeMap, BTreeSet},
-    fs::File,
-    io::Write,
-    time::*,
-};
+use std::{collections::BTreeMap, fs::File, io::Write, time::*};
 
 fn main() {
     let mut args = std::env::args();
@@ -294,7 +288,7 @@ struct AuthorizerWorld {
 
 #[derive(Debug, Serialize, PartialEq, Eq, PartialOrd, Ord)]
 struct Facts {
-    origin: BTreeSet<Option<usize>>,
+    origin: Vec<Option<usize>>,
     facts: Vec<String>,
 }
 
@@ -371,102 +365,37 @@ fn validate_token_with_limits_and_external_functions(
 
     let res = authorizer.authorize_with_limits(run_limits);
     //println!("authorizer world:\n{}", authorizer.print_world());
-    let (_, _, _, policies) = authorizer.dump();
-    let snapshot = authorizer.snapshot().unwrap();
-
-    let symbols = SymbolTable::from_symbols_and_public_keys(
-        snapshot.world.symbols,
-        snapshot
-            .world
-            .public_keys
-            .iter()
-            .map(|k| PublicKey::from_proto(k).unwrap())
-            .collect(),
-    )
-    .unwrap();
+    let facts_with_origin = authorizer.dump_facts_with_origins();
+    let rules_with_origin = authorizer.dump_rules_with_origins();
+    let checks_with_origin = authorizer.dump_checks_with_origins();
+    let policies = authorizer.dump_policies();
 
     let mut authorizer_facts = Vec::new();
     let mut authorizer_rules = Vec::new();
     let mut authorizer_checks = Vec::new();
-    for (i, block) in snapshot.world.blocks.iter().enumerate() {
-        let mut rules: Vec<String> = Vec::new();
-        for rule in block.rules.iter() {
-            let r =
-                convert::proto_rule_to_token_rule(rule, snapshot.world.version.unwrap()).unwrap();
-            rules.push(symbols.print_rule(&r.0));
-        }
-        if !rules.is_empty() {
-            rules.sort();
-            authorizer_rules.push(Rules {
-                origin: Some(i),
-                rules,
-            });
-        }
-
-        let mut checks = Vec::new();
-        for check in block.checks.iter() {
-            let c = convert::proto_check_to_token_check(check, snapshot.world.version.unwrap())
-                .unwrap();
-            checks.push(symbols.print_check(&c));
-        }
-        if !checks.is_empty() {
-            checks.sort();
-            authorizer_checks.push(Checks {
-                origin: Some(i),
-                checks,
-            });
-        }
-    }
-
-    let mut rules: Vec<String> = Vec::new();
-    for rule in snapshot.world.authorizer_block.rules {
-        let r = convert::proto_rule_to_token_rule(&rule, snapshot.world.version.unwrap()).unwrap();
 
-        rules.push(symbols.print_rule(&r.0));
-    }
-    if !rules.is_empty() {
+    for (origin, rules) in rules_with_origin {
+        let mut rules: Vec<String> = rules.into_iter().map(|r| r.to_string()).collect();
         rules.sort();
         authorizer_rules.push(Rules {
-            origin: Some(usize::MAX),
+            origin: Some(origin.unwrap_or(usize::MAX)),
             rules,
         });
     }
 
-    let mut checks = Vec::new();
-    for check in snapshot.world.authorizer_block.checks {
-        let c =
-            convert::proto_check_to_token_check(&check, snapshot.world.version.unwrap()).unwrap();
-        checks.push(symbols.print_check(&c));
-    }
-    if !checks.is_empty() {
+    for (origin, checks) in checks_with_origin {
+        let mut checks: Vec<String> = checks.into_iter().map(|c| c.to_string()).collect();
         checks.sort();
         authorizer_checks.push(Checks {
-            origin: Some(usize::MAX),
+            origin: Some(origin.unwrap_or(usize::MAX)),
             checks,
         });
     }
 
-    for factset in snapshot.world.generated_facts {
-        use biscuit_auth::format::schema::origin::Content;
-        let mut origin = BTreeSet::new();
-
-        for o in factset.origins {
-            match o.content.unwrap() {
-                Content::Authorizer(_) => origin.insert(None),
-                Content::Origin(i) => origin.insert(Some(i as usize)),
-            };
-        }
-
-        let mut facts = Vec::new();
-
-        for fact in factset.facts {
-            let f = convert::proto_fact_to_token_fact(&fact).unwrap();
-            facts.push(symbols.print_fact(&f));
-        }
-        if !facts.is_empty() {
-            facts.sort();
-            authorizer_facts.push(Facts { origin, facts });
-        }
+    for (origin, facts) in facts_with_origin {
+        let mut facts: Vec<String> = facts.into_iter().map(|f| f.to_string()).collect();
+        facts.sort();
+        authorizer_facts.push(Facts { origin, facts });
     }
     authorizer_facts.sort();
 
@@ -663,8 +592,8 @@ fn invalid_signature_format(target: &str, root: &KeyPair, test: bool) -> TestRes
     let data = if test {
         load_testcase(target, &filename)
     } else {
-        let serialized = biscuit2.container();
-        let mut proto = serialized.to_proto();
+        let serialized = biscuit2.to_vec().unwrap();
+        let mut proto = biscuit_proto::Biscuit::decode(&serialized[..]).unwrap();
         proto.authority.signature.truncate(16);
         let mut data = Vec::new();
         proto.encode(&mut data).unwrap();
@@ -714,8 +643,8 @@ fn random_block(target: &str, root: &KeyPair, test: bool) -> TestResult {
     let data = if test {
         load_testcase(target, &filename)
     } else {
-        let serialized = biscuit2.container();
-        let mut proto = serialized.to_proto();
+        let serialized = biscuit2.to_vec().unwrap();
+        let mut proto = biscuit_proto::Biscuit::decode(&serialized[..]).unwrap();
         let arr: [u8; 32] = rng.gen();
         proto.blocks[0].block = Vec::from(&arr[..]);
         let mut data = Vec::new();
@@ -766,8 +695,8 @@ fn invalid_signature(target: &str, root: &KeyPair, test: bool) -> TestResult {
     let data = if test {
         load_testcase(target, &filename)
     } else {
-        let serialized = biscuit2.container();
-        let mut proto = serialized.to_proto();
+        let serialized = biscuit2.to_vec().unwrap();
+        let mut proto = biscuit_proto::Biscuit::decode(&serialized[..]).unwrap();
         proto.authority.signature[0] += 1;
         let mut data = Vec::new();
         proto.encode(&mut data).unwrap();

biscuit-auth/src/crypto/ed25519.rs

@@ -275,7 +275,7 @@ impl PartialEq for PublicKey {
 
 impl Hash for PublicKey {
     fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
-        (crate::format::schema::public_key::Algorithm::Ed25519 as i32).hash(state);
+        (biscuit_proto::public_key::Algorithm::Ed25519 as i32).hash(state);
         self.0.to_bytes().hash(state);
     }
 }

biscuit-auth/src/crypto/mod.rs

@@ -12,7 +12,6 @@
 //! The implementation is based on [ed25519_dalek](https://github.com/dalek-cryptography/ed25519-dalek).
 #![allow(non_snake_case)]
 use crate::builder::Algorithm;
-use crate::format::schema;
 use crate::format::ThirdPartyVerificationMode;
 
 use super::error;
@@ -60,13 +59,13 @@ impl KeyPair {
     /// deserializes from a byte array
     pub fn from_bytes(
         bytes: &[u8],
-        algorithm: schema::public_key::Algorithm,
+        algorithm: biscuit_proto::public_key::Algorithm,
     ) -> Result<Self, error::Format> {
         match algorithm {
-            schema::public_key::Algorithm::Ed25519 => {
+            biscuit_proto::public_key::Algorithm::Ed25519 => {
                 Ok(KeyPair::Ed25519(ed25519::KeyPair::from_bytes(bytes)?))
             }
-            schema::public_key::Algorithm::Secp256r1 => {
+            biscuit_proto::public_key::Algorithm::Secp256r1 => {
                 Ok(KeyPair::P256(p256::KeyPair::from_bytes(bytes)?))
             }
         }
@@ -145,10 +144,10 @@ impl KeyPair {
         }
     }
 
-    pub fn algorithm(&self) -> crate::format::schema::public_key::Algorithm {
+    pub fn algorithm(&self) -> Algorithm {
         match self {
-            KeyPair::Ed25519(_) => crate::format::schema::public_key::Algorithm::Ed25519,
-            KeyPair::P256(_) => crate::format::schema::public_key::Algorithm::Secp256r1,
+            KeyPair::Ed25519(_) => Algorithm::Ed25519,
+            KeyPair::P256(_) => Algorithm::Secp256r1,
         }
     }
 }
@@ -199,8 +198,8 @@ impl PrivateKey {
     /// serializes to an hex-encoded string, prefixed with the key algorithm
     pub fn to_prefixed_string(&self) -> String {
         let algorithm = match self.algorithm() {
-            schema::public_key::Algorithm::Ed25519 => "ed25519-private",
-            schema::public_key::Algorithm::Secp256r1 => "secp256r1-private",
+            Algorithm::Ed25519 => "ed25519-private",
+            Algorithm::Secp256r1 => "secp256r1-private",
         };
         format!("{algorithm}/{}", self.to_bytes_hex())
     }
@@ -272,10 +271,10 @@ impl PrivateKey {
         }
     }
 
-    pub fn algorithm(&self) -> crate::format::schema::public_key::Algorithm {
+    pub fn algorithm(&self) -> Algorithm {
         match self {
-            PrivateKey::Ed25519(_) => crate::format::schema::public_key::Algorithm::Ed25519,
-            PrivateKey::P256(_) => crate::format::schema::public_key::Algorithm::Secp256r1,
+            PrivateKey::Ed25519(_) => Algorithm::Ed25519,
+            PrivateKey::P256(_) => Algorithm::Secp256r1,
         }
     }
 }
@@ -315,12 +314,12 @@ impl PublicKey {
         Self::from_bytes(&bytes, algorithm)
     }
 
-    pub fn from_proto(key: &schema::PublicKey) -> Result<Self, error::Format> {
-        if key.algorithm == schema::public_key::Algorithm::Ed25519 as i32 {
+    pub(crate) fn from_proto(key: &biscuit_proto::PublicKey) -> Result<Self, error::Format> {
+        if key.algorithm == biscuit_proto::public_key::Algorithm::Ed25519 as i32 {
             Ok(PublicKey::Ed25519(ed25519::PublicKey::from_bytes(
                 &key.key,
             )?))
-        } else if key.algorithm == schema::public_key::Algorithm::Secp256r1 as i32 {
+        } else if key.algorithm == biscuit_proto::public_key::Algorithm::Secp256r1 as i32 {
             Ok(PublicKey::P256(p256::PublicKey::from_bytes(&key.key)?))
         } else {
             Err(error::Format::DeserializationError(format!(
@@ -330,8 +329,8 @@ impl PublicKey {
         }
     }
 
-    pub fn to_proto(&self) -> schema::PublicKey {
-        schema::PublicKey {
+    pub(crate) fn to_proto(&self) -> biscuit_proto::PublicKey {
+        biscuit_proto::PublicKey {
             algorithm: self.algorithm() as i32,
             key: self.to_bytes(),
         }
@@ -393,10 +392,10 @@ impl PublicKey {
         }
     }
 
-    pub fn algorithm(&self) -> crate::format::schema::public_key::Algorithm {
+    pub fn algorithm(&self) -> Algorithm {
         match self {
-            PublicKey::Ed25519(_) => crate::format::schema::public_key::Algorithm::Ed25519,
-            PublicKey::P256(_) => crate::format::schema::public_key::Algorithm::Secp256r1,
+            PublicKey::Ed25519(_) => Algorithm::Ed25519,
+            PublicKey::P256(_) => Algorithm::Secp256r1,
         }
     }
 

biscuit-auth/src/crypto/p256.rs

@@ -286,7 +286,7 @@ impl PublicKey {
 
 impl Hash for PublicKey {
     fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
-        (crate::format::schema::public_key::Algorithm::Secp256r1 as i32).hash(state);
+        (biscuit_proto::public_key::Algorithm::Secp256r1 as i32).hash(state);
         self.to_bytes().hash(state);
     }
 }

biscuit-auth/src/datalog/expression.rs

@@ -8,10 +8,7 @@ use super::{MapKey, SymbolIndex, Term};
 use super::{SymbolTable, TemporarySymbolTable};
 use regex::Regex;
 use std::sync::Arc;
-use std::{
-    collections::HashMap,
-    convert::TryFrom,
-};
+use std::{collections::HashMap, convert::TryFrom};
 
 #[derive(Clone)]
 pub struct ExternFunc(