New Security Rules Language -- Blaze compiler

[Tom Larkworthy]

Firebasers -

We are in the process of making our Security Rules both easier to write and more powerful. To that end, we've built a tool that allows you to write your security rules in a more user-friendly syntax and then compiles that syntax into JSON.

This tool is called the Blaze compiler, and we're making the beta version of it available immediately here:

https://github.com/firebase/blaze_compiler

The headline features are:-

• Rules are specified in a more user-friendly YAML syntax
  
Terser security expression syntax (e.g array notation for child dereferencing)

• Reusable predicates (boolean functions) within expressions, allowing for rules re-use
  
• Reusable models allow schema to be written once and used multiple places
• Access control is now a separate concern from constraints
Inline tests to help verify correctness at compile time
Specify Firebase layout with typed JSON schema models

Embed global functional constraints in the schema

I'm very keen to hear your thoughts and improvements. Please post your thoughts to the group or email me directly (tlark...@firebase.com). Don't hold back -- we want to make writing Firebase rules the best possible experience, so if there's anything you like, dislike, or think can be improved, we want to know about it.

I am maintaining a change log at the top of the readme so you can see at a glance whether the syntax has changed significantly if something evolves (I'll also post updates to this thread).

Please remember that this is a work-in-progress, so you'll likely find some rough edges (for starters, the error messages are still a bit lacking). Also keep in mind that we're doing a ton of other work on our end to improve all aspects of authentication and security, and we know this compiler is just a start. Expect to see our security features improve by leaps and bounds over the coming months.

I hope to hear from you soon -

Tom

[nat...@bugherd.com]

Sounds great, would it be possible to use JSON instead of yaml for those of us for find yaml a little on the 'special whitespace' side?

[Erik Beeson]

Hi Nathan,

I believe you can use the JSON syntax in place of YAML if you prefer, since JSON *is* valid YAML. See here:

http://en.wikipedia.org/wiki/YAML#JSON

Though I haven't actually tried it with the Blaze compiler.

--Erik

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Tom Larkworthy]

Yes JSON is valid yaml. I quite often switch to JSON syntax for small inline objects where I don't want a carriage return. Internally the YAML is converted to a JSON for processing, so I could consider an alternative processing path to enforce pure JSON.

Tom

[Tom Larkworthy]

So I just pushed an update so you can now write rules in json and it doesn't go through the YAML preprocessor. It detects json files by looking the file extension ".json"

The mail example expressed in json is also added to the repo (see https://github.com/firebase/blaze_compiler/blob/master/examples/mail_example.json)

FYI, if you install js-yaml with npm install -g, you can convert a yaml to a json at the command line with js-yaml <filepath>

you can, as discussed, mix and match json inside a YAML file, but this ensures your rules are pure JSON if that is important.

Thanks for the feedback Nathan, if anybody else has feedback, feature requests or grumbles, post them here or direct to me

Tom

[Tom Larkworthy]

Hi all,

I have just updated the blaze_compiler with much improved error messages, so hopefully it will be easier to trace input errors. Its also on npm now, though I still recommend doing a local git pull as per the readme. Thanks for the feedback so far, if you haven't spoken with me so far, get in touch and help us make authoring security as simple as possible.

If you are unsure about whether you have the schema correct, don't forget blaze has inline tests. Create an (non)examples block anywhere in the hierarchy and the compiler will throw an error if your examples don't match the schema layout, its very handy for sanity checks and documenting the intended layout of a Firebase.

Tom