wip: demo structured data in exceptions

Author: divarvel

biscuit_test.py

@@ -4,7 +4,7 @@
 
 import pytest
 
-from biscuit_auth import Algorithm, KeyPair, Authorizer, AuthorizerBuilder, Biscuit, BiscuitBuilder, BlockBuilder, Check, Fact, KeyPair, Policy, PrivateKey, PublicKey, Rule, UnverifiedBiscuit
+from biscuit_auth import Algorithm, KeyPair, Authorizer, AuthorizerBuilder, Biscuit, BiscuitBuilder, BlockBuilder, Check, Fact, KeyPair, Policy, PrivateKey, PublicKey, Rule, UnverifiedBiscuit, AuthorizationError
 
 def test_fact():
     fact = Fact('fact(1, true, "", "Test", hex:aabbcc, 2023-04-29T01:00:00Z)')
@@ -237,6 +237,16 @@ def choose_key(kid):
     except:
       pass
 
+def test_authorizer_exception():
+    authorizer = AuthorizerBuilder("check if true; reject if true; allow if false; deny if true;").build_unauthenticated()
+    try:
+        authorizer.authorize()
+        assert false
+    except AuthorizationError as e:
+        (args,) = e.args
+        assert args['policy_id'] == {'code': 'deny if true', 'policy_id': 1}
+        assert args['checks'] == [{'authorizer_check': True, 'block_id': None, 'check_id': 1, 'code': 'reject if true'}]
+
 def test_complete_lifecycle():
     private_key = PrivateKey("ed25519-private/473b5189232f3f597b5c2f3f9b0d5e28b1ee4e7cce67ec6b7fbf5984157a6b97")
     root = KeyPair.from_private_key(private_key)

src/lib.rs

@@ -9,6 +9,7 @@
 #![allow(clippy::useless_conversion)]
 use ::biscuit_auth::builder::MapKey;
 use ::biscuit_auth::datalog::ExternFunc;
+use ::biscuit_auth::error::MatchedPolicy;
 use ::biscuit_auth::AuthorizerBuilder;
 use ::biscuit_auth::RootKeyProvider;
 use ::biscuit_auth::UnverifiedBiscuit;
@@ -38,6 +39,27 @@ create_exception!(
     AuthorizationError,
     pyo3::exceptions::PyException
 );
+
+#[derive(IntoPyObject)]
+struct AuthorizationErrorData {
+    policy_id: Option<MatchedPolicyData>,
+    checks: Vec<FailedCheckData>,
+}
+
+#[derive(IntoPyObject)]
+struct MatchedPolicyData {
+    policy_id: usize,
+    code: String,
+}
+
+#[derive(IntoPyObject)]
+struct FailedCheckData {
+    authorizer_check: bool,
+    block_id: Option<u32>,
+    check_id: u32,
+    code: String,
+}
+
 create_exception!(
     biscuit_auth,
     BiscuitBuildError,
@@ -786,9 +808,37 @@ impl PyAuthorizer {
     /// :return: the index of the matched allow rule
     /// :rtype: int
     pub fn authorize(&mut self) -> PyResult<usize> {
-        self.0
-            .authorize()
-            .map_err(|error| AuthorizationError::new_err(error.to_string()))
+        self.0.authorize().map_err(|error| match error {
+            error::Token::FailedLogic(error::Logic::Unauthorized {
+                policy: MatchedPolicy::Deny(pid),
+                checks,
+            }) => AuthorizationError::new_err(AuthorizationErrorData {
+                policy_id: Some(MatchedPolicyData {
+                    policy_id: pid,
+                    code: self.0.dump().3.get(pid).unwrap().to_string(),
+                }),
+                checks: checks
+                    .into_iter()
+                    .map(|c| match c {
+                        error::FailedCheck::Block(failed_block_check) => FailedCheckData {
+                            authorizer_check: false,
+                            block_id: Some(failed_block_check.block_id),
+                            check_id: failed_block_check.check_id,
+                            code: failed_block_check.rule,
+                        },
+                        error::FailedCheck::Authorizer(failed_authorizer_check) => {
+                            FailedCheckData {
+                                authorizer_check: true,
+                                block_id: None,
+                                check_id: failed_authorizer_check.check_id,
+                                code: failed_authorizer_check.rule,
+                            }
+                        }
+                    })
+                    .collect(),
+            }),
+            _ => AuthorizationError::new_err(error.to_string()),
+        })
     }
 
     /// Query the authorizer by returning all the `Fact`s generated by the provided `Rule`. The generated facts won't be