Update default symbol table as last edit to v2

[clementd-fretlink]

tl;dr:

Set the default symbol table to:

• read
• write
• resource
• operation
• right
• time
• role
• owner
• tenant
• namespace
• user
• team
• service
• admin
• email
• group
• member
• ip_address
• client
• client_ip
• domain
• path
• version
• cluster
• node
• hostname
• nonce

Context

The following default symbol table is defined in the spec:

• authority
• ambient
• resource
• operation
• right
• time
• revocation_id

Unfortunately, the rust implementation (used by python and node), and the other implementations copied from it (java, go, …) use a different table (current_time instead of time). Only the haskell implementation uses the same table as defined by the spec.
In addition to the implementations, time is used pervasively for TTL checks (in documentation, and in the TTL helpers provided by the CLI tool).

So we have two choices here:

• align the spec (and the haskell impl) to what other implementations do, update the rust CLI tool, the docs, the samples
• fix the rust, java, go implementations to align with the spec, considering that v2 biscuits have not been deployed in the wild yet

I think we have a small window where we can fix the implementations, before v2 tokens start to be deployed. That would also let us adapt the default symbol table to v2 use, something we forgot to do when working on v2 (authority and ambient symbols are not used anymore, for instance). I'm not sure revocation_id is useful as well, since we typically want to handle revocation outside datalog.

Another thing that would be nice, is to offset the indices of interned strings in tokens, to provide future us with more flexibility wrt default symbols.

Given the current status of v2 use, I think we have a window to ship a few improvements and avoid keeping cruft around, but if that's too late, it's perfectly ok to just align the spec with what's already done.

Related PRs

• Make default symbol table conform to the spec biscuit-go#86
• Make default symbol table conform to the spec biscuit-rust#58
• https://github.com/CleverCloud/biscuit-java/pull/38

[Geal]

we will also update the symbol table to remove the now unused authority and ambient, to replace them with the more common read and write

[divarvel]

i suggest replacing revocation_id with role as well.

Revocation ids are typically handled outside datalog, and have little value being embedded in the token anyway.

[KannarFr]

I suggest adding owner, tenant, namespace, WDYT?

[Geal]

user, team, service?

[divarvel]

Admin, email, group, member
ip_address, domain, path, version

[Geal]

I added samples with more symbols in #96 69b2981

next commit in that PR will be about reserving some indexes to grow the default symbol table in the future. Symbols added by a block will start at the 1024 index

[Geal]

48d96aa this commit implements the offsets.
I added query to the default symbols, since it is used by checks as default head name

[divarvel]

That's a good addition in general.

is it actually carried by the token itself? The haskell implementation (and the protobuf AST for that matter) don't require heads for checks / policies queries