swipl-devel VS biscuit-rust

Still, there are many useful tools based on these ideas, used by programmers and mathematicians alike. What you describe sounds rather like Datalog (e.g. Soufflé Datalog), where you supply some rules and an initial fact, and the system repeatedly expands out the set of facts until nothing new can be derived. (This has to be finite, if you want to get anywhere.) In Prolog (e.g. SWI Prolog) you also supply a set of rules and facts, but instead of a fact as your starting point, you give a query containing some unknown variables, and the system tries to find an assignment of the variables that proves the query. And finally there is a rich array of theorem provers and proof assistants such as Agda, Coq, Lean, and Twelf, which can all be used to help check your reasoning or explore new ideas.

SWIProlog[1] has so far been my go to due to the extensive support system it has. However, I've been meaning to explore higher order logic a bit and Ciao[2] caught my attention there, with sugar for function-like notation and higher order programming including "lambda" style predicate expressions .... and it compiles down to executable. The function notation in this context is along the same lines as Mozart/Oz and can be convenient. Not explore the higher order aspects much though.

[1]: https://www.swi-prolog.org/

[2]: https://en.wikipedia.org/wiki/Ciao_(programming_language)

?- version(). Welcome to SWI-Prolog (threaded, 64 bits, version 9.0.0)SWI-Prolog comes with ABSOLUTELY NO WARRANTY. This is free software. Please run ?- license. for legal details.For online help and background, visit https://www.swi-prolog.org For built-in help, use ?- help(Topic). or ?- apropos(Word). true. ?- del(a, L, [1,2,3]). L = [a, 1, 2, 3] ; L = [1, a, 2, 3] ; L = [1, 2, a, 3] ; L = [1, 2, 3, a] ; false.

$ swipl Welcome to SWI-Prolog (threaded, 64 bits, version 8.5.10) SWI-Prolog comes with ABSOLUTELY NO WARRANTY. This is free software. Please run ?- license. for legal details. For online help and background, visit https://www.swi-prolog.org For built-in help, use ?- help(Topic). or ?- apropos(Word). ?- [fm2gp_primes]. true. ?- time( setup_call_cleanup(open('prolog-primes.txt', write, Out), with_output_to(Out, primes(500_000)), close(Out)) ). % 8,766,852 inferences, 1.055 CPU in 1.198 seconds (88% CPU, 8311018 Lips) Out = (0x600000648100).

The utilities in dgc/bacics.pl that you linked yourself are not too advanced, too quickly. Understanding those is exactly what you need in order to be able to write useful grammars for two reasons. They show how to approach many common issues with DCGs; and you know what building blocks you have at your disposal. I feel you discarded those too fast and strongly suggest you try to revisit them.

- And last but not least... the ability to convert authorization logic into SQL [4]. Which is done by having the language return constraints over any unbound (free) variables.

To me this is what makes logic programming exciting for authorization. It gives you this small kernel of declarative programming, and gives you a ton of freedom to build on top.

[1] https://www.swi-prolog.org/

(Btw. I'm using SWI Prolog.)

Welcome to SWI-Prolog (threaded, 64 bits, version 8.0.2) SWI-Prolog comes with ABSOLUTELY NO WARRANTY. This is free software. Please run ?- license. for legal details. For online help and background, visit http://www.swi-prolog.org For built-in help, use ?- help(Topic). or ?- apropos(Word). ?- use_module(library(lists)). true. ?- clumped([a,a,a,b,b,c], Rs). ERROR: Undefined procedure: clumped/2 (DWIM could not correct goal) ?-

Many library predicates do the argument reordering to take advantage of this special case argument indexing as explained in the answer by u/mycl. For example library(apply) in SWI-Prolog. is full of those.

> We have a post on this coming soon! The short version is that Polar is a logic language based on Prolog/Datalog/miniKanren. And logic languages are a particularly good fit for representing the branching conditional logic you often see in authorization configurations.

Ha, I've been playing around with Biscuits (https://www.biscuitsec.org/) and was writing up a blog post on using them in a git forge. When I saw the Polar data units described as "facts" and read your end to end example (https://www.osohq.com/docs/tutorials/end-to-end-example) I thought "Oh this looks very similar". I will say - I do like how Polar seems to type stuff and provide some concepts that Biscuits force you to build out on your own, that's pretty neat.

What is the proof of identity in Polar? Is it something like a token in Biscuits? I'm curious if you can do things like add caveats to reduce what the token is capable of as it gets handed off to different systems. I consider that one of the "killer use cases" of biscuits.

I ported biscuit-java to Kotlin for an internal project. In the course of doing so, I went from a naive superfan to a somewhat grizzled advocate. Here's my high level summary:

Why Biscuit instead of JWTs?

tl;dr, Biscuit (and Macaroons) can attenuate, JWTs can't.

Read: https://fly.io/blog/api-tokens-a-tedious-survey/

What does this mean? Let's say you're given a token to access System A and B whenever and however you want. You can create a new token from your token (attenuate) that only gives access to System A for the next 5 minutes.

Basically: attenuation gives a capability system.

Why Biscuit instead of Macaroons

tl;dr Biscuits are easier to understand (and implement) than Macaroons.

Watch: https://www.youtube.com/watch?v=MZFv62qz8R

Macaroons are clunky and hard to work with in practice. That's probably not a feature you want in your choice of token technology.

Biscuits contain simple facts and clear policies written in Datalog.

Why NOT Biscuits

Immaturity.

- AFAIK there is no compliance suite for all the Biscuit libraries linked https://www.biscuitsec.org/; and as such, unsurprisingly, there are corner case incompatibilities, especially in the authorization language parsers and Datalog expressions/operators.

- The Datalog runtime limits are user-defined. What is the maximum number of facts, application iterations, or even timeouts? That's up to you.

- Biscuit v2 (v3-4 in the proto) is the Official Latest Version. Some of the libraries support the older versions to varying degrees.. and the way that backwards compatibility is implemented gave me pause.

- Whole sections of the specification are `TODO`.

- The Datalog data types are bounded by the underlying protobuf definitions; and the libraries use the language native data types. There are casts and undefined behaviour at the extremes.

- Many of the libraries do little things like calling the equivalent of `Time.now()` internally. IMHO this sort thing should be stateless.

- There's heaps of tests, which is great! But, I didn't see any fuzz or property tests, which is less great.

Summary

Biscuits neatly package several simple and solid technologies: datalog, ed25519, protobufs. Once the ecosystem is mature, it'll be incredible.

> The point of JWT vs opaque tokens is that you can just inspect the token itself to derive permissions without hitting any sessions in DB, right?

As I understand it, de-centralized verification isn't a necessary characteristic of a JWT. There are token constructions that make that a priority, however[0].

[0]: https://www.biscuitsec.org/

a C compatible library thanks to cargo-c

I like the Datalog-based policy language used in Biscuits.

https://www.biscuitsec.org/

Has anyone tried https://www.biscuitsec.org/ ?

I haven't seen it much discussed, and seems to solve a lot of issues from JWT