Merge pull request #263 from biscuit-auth/unverified-external-public

`UnverifiedBiscuit.external_public_keys()` now returns `PublicKey`s
biscuit-auth · Jan 27, 2025 · c5188e1 · c5188e1
2 parents 89ca84a + 1066bd5
commit c5188e1
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 7 deletions.
diff --git a/biscuit-auth/CHANGELOG.md b/biscuit-auth/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Support for P256 signatures (#108)
 - `query_exactly_once()` (#260) (Baran Yildirim)
 - include algorithm prefix in public/private key strings (#261)
+- `UnverifiedBiscuit.external_public_keys()` now returns `PublicKey`s, not byte vecs (#263)
 
 # `5.0.0`
 

diff --git a/biscuit-auth/src/token/unverified.rs b/biscuit-auth/src/token/unverified.rs
@@ -216,16 +216,11 @@ impl UnverifiedBiscuit {
     /// Blocks carrying an external public key are _third-party blocks_
     /// and their contents can be trusted as coming from the holder of
     /// the corresponding private key
-    pub fn external_public_keys(&self) -> Vec<Option<Vec<u8>>> {
+    pub fn external_public_keys(&self) -> Vec<Option<PublicKey>> {
         let mut res = vec![None];
 
         for block in self.container.blocks.iter() {
-            res.push(
-                block
-                    .external_signature
-                    .as_ref()
-                    .map(|sig| sig.public_key.to_bytes().to_vec()),
-            );
+            res.push(block.external_signature.as_ref().map(|sig| sig.public_key));
         }
 
         res
@@ -379,3 +374,44 @@ impl UnverifiedBiscuit {
         self.append_third_party(&decoded)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use crate::{BiscuitBuilder, BlockBuilder, KeyPair};
+
+    use super::UnverifiedBiscuit;
+
+    #[test]
+    fn consistent_with_biscuit() {
+        let root_key = KeyPair::new();
+        let external_key = KeyPair::new();
+        let biscuit = BiscuitBuilder::new()
+            .fact("test(true)")
+            .unwrap()
+            .build(&root_key)
+            .unwrap()
+            .append(BlockBuilder::new().fact("test(false)").unwrap())
+            .unwrap();
+        let req = biscuit.third_party_request().unwrap();
+        let res = req
+            .create_block(
+                &external_key.private(),
+                BlockBuilder::new().fact("third_party(true)").unwrap(),
+            )
+            .unwrap();
+        let biscuit = biscuit
+            .append_third_party(external_key.public(), res)
+            .unwrap();
+
+        let unverified = UnverifiedBiscuit::from_base64(biscuit.to_base64().unwrap()).unwrap();
+
+        unverified.clone().verify(root_key.public()).unwrap();
+
+        assert_eq!(unverified.blocks, biscuit.blocks);
+
+        assert_eq!(
+            unverified.external_public_keys(),
+            biscuit.external_public_keys()
+        );
+    }
+}