feat: add support for third-party requests

Author: Naccomy

biscuit_test.py

@@ -217,7 +217,7 @@ def choose_key(kid):
         elif kid == 1:
             return root.public_key
         else:
-            raise Exception("Unknown key identifier") 
+            raise Exception("Unknown key identifier")
 
     biscuit_builder0 = BiscuitBuilder("user({id})", { 'id': "1234" })
     token0 = biscuit_builder0.build(other_root.private_key).to_base64()
@@ -386,10 +386,10 @@ def test_biscuit_inspection():
     builder.set_root_key_id(42)
     token2 = builder.build(kp.private_key).append(BlockBuilder('test(false);'))
     print(token2.to_base64())
-    
+
     utoken1 = UnverifiedBiscuit.from_base64(token1.to_base64())
     utoken2 = UnverifiedBiscuit.from_base64(token2.to_base64())
-    
+
     assert utoken1.root_key_id() is None
     assert utoken2.root_key_id() == 42
 
@@ -469,8 +469,10 @@ def test_append_third_party():
     biscuit = biscuit_builder.build(root_kp.private_key)
 
     third_party_kp = KeyPair()
-    third_party_block = BlockBuilder("external_fact({fact})", { 'fact': "56" })
-    biscuit_with_third_party_block = biscuit.append_third_party(third_party_kp, third_party_block)
+    new_block = BlockBuilder("external_fact({fact})", { 'fact': "56" })
+    third_party_request = biscuit.third_party_request()
+    third_party_block = third_party_request.create_block(third_party_kp.private_key, new_block)
+    biscuit_with_third_party_block = biscuit.append_third_party(third_party_kp.public_key, third_party_block)
 
     assert repr(biscuit_with_third_party_block.block_external_key(1)) == repr(third_party_kp.public_key)
 
@@ -480,8 +482,11 @@ def test_read_third_party_facts():
     biscuit = biscuit_builder.build(root_kp.private_key)
 
     third_party_kp = KeyPair()
-    third_party_block = BlockBuilder("external_fact({fact})", { 'fact': "56" })
-    biscuit_with_third_party_block = biscuit.append_third_party(third_party_kp, third_party_block)
+    new_block = BlockBuilder("external_fact({fact})", { 'fact': "56" })
+    third_party_request = biscuit.third_party_request()
+    third_party_block = third_party_request.create_block(third_party_kp.private_key, new_block)
+    biscuit_with_third_party_block = biscuit.append_third_party(third_party_kp.public_key, third_party_block)
+
 
     authorizer  = AuthorizerBuilder("allow if true").build(biscuit_with_third_party_block)
     rule = Rule(f"ext_fact($fact) <- external_fact($fact) trusting {third_party_kp.public_key}")

src/lib.rs

@@ -11,6 +11,8 @@ use ::biscuit_auth::builder::MapKey;
 use ::biscuit_auth::datalog::ExternFunc;
 use ::biscuit_auth::AuthorizerBuilder;
 use ::biscuit_auth::RootKeyProvider;
+use ::biscuit_auth::ThirdPartyBlock;
+use ::biscuit_auth::ThirdPartyRequest;
 use ::biscuit_auth::UnverifiedBiscuit;
 use chrono::DateTime;
 use chrono::Duration;
@@ -397,36 +399,36 @@ impl PyBiscuit {
             .map(PyBiscuit)
     }
 
-    /// Create a new `Biscuit` by appending a third party attenuation block
+    /// Create a new `Biscuit` by appending a third-party attenuation block
     ///
-    /// :param kp: keypair used to sign the block
-    /// :type kp: KeyPair
-    /// :param block: a builder for the new block
-    /// :type block: BlockBuilder
+    /// :param external_key: the public key of the third-party that signed the block.
+    /// :type external_key: PublicKey
+    /// :param block: the third party block to append
+    /// :type block: ThirdPartyBlock
     /// :return: the attenuated biscuit
     /// :rtype: Biscuit
     pub fn append_third_party(
         &self,
-        kp: &PyKeyPair,
-        block: &PyBlockBuilder,
+        external_key: &PyPublicKey,
+        block: &PyThirdPartyBlock,
     ) -> PyResult<PyBiscuit> {
-        let third_party_block = self
-            .0
-            .third_party_request()
-            .and_then(|req| {
-                req.create_block(
-                    &kp.private_key().0,
-                    block.0.clone().expect("builder already consumed"),
-                )
-            })
-            .map_err(|e| BiscuitBuildError::new_err(e.to_string()))?;
-
         self.0
-            .append_third_party(kp.public_key().0, third_party_block)
+            .append_third_party(external_key.0, block.0.clone())
             .map_err(|e| BiscuitBuildError::new_err(e.to_string()))
             .map(PyBiscuit)
     }
 
+    /// Create a third-party request for generating third-party blocks.
+    ///
+    /// :return: the third-party request
+    /// :rtype: ThirdPartyRequest
+    pub fn third_party_request(&self) -> PyResult<PyThirdPartyRequest> {
+        self.0
+            .third_party_request()
+            .map_err(|e| BiscuitBuildError::new_err(e.to_string()))
+            .map(|request| PyThirdPartyRequest(Some(request)))
+    }
+
     /// The revocation ids of the token, encoded as hexadecimal strings
     #[getter]
     pub fn revocation_ids(&self) -> Vec<String> {
@@ -1063,6 +1065,41 @@ impl PyBlockBuilder {
     }
 }
 
+#[pyclass(name = "ThirdPartyRequest")]
+pub struct PyThirdPartyRequest(Option<ThirdPartyRequest>);
+
+#[pymethods]
+impl PyThirdPartyRequest {
+    /// Create a third-party block
+    ///
+    /// :param private_key: the third-party's private key used to sign the block
+    /// :type external_key: PrivateKey
+    /// :param block: the block builder to be signed
+    /// :type block: BlockBuilder
+    /// :return: a signed block that can be appended to a Biscuit
+    /// :rtype: ThirdPartyBlock
+    ///
+    /// :note: this method consumes the `ThirdPartyRequest` object.
+    pub fn create_block(
+        &mut self,
+        private_key: &PyPrivateKey,
+        block: &PyBlockBuilder,
+    ) -> PyResult<PyThirdPartyBlock> {
+        self.0
+            .take()
+            .expect("third party request already consumed")
+            .create_block(
+                &private_key.0,
+                block.0.clone().expect("builder already consumed"),
+            )
+            .map_err(|e| BiscuitBuildError::new_err(e.to_string()))
+            .map(PyThirdPartyBlock)
+    }
+}
+
+#[pyclass(name = "ThirdPartyBlock")]
+pub struct PyThirdPartyBlock(ThirdPartyBlock);
+
 /// ed25519 keypair
 #[pyclass(name = "KeyPair")]
 pub struct PyKeyPair(KeyPair);