Copyright	© Clément Delafargue 2021
License	MIT
Maintainer	clement@delafargue.name
Safe Haskell	None
Language	Haskell2010

Auth.Biscuit.Token

Description

Module defining the main biscuit-related operations

Synopsis

data Biscuit = Biscuit {
- symbols :: Symbols
- authority :: (PublicKey, ExistingBlock)
- blocks :: [(PublicKey, ExistingBlock)]
- signature :: Signature
}
data ParseError
data VerificationError
- = SignatureError
- | DatalogError ExecutionError
type ExistingBlock = (ByteString, Block)
mkBiscuit :: Keypair -> Block -> IO Biscuit
addBlock :: Block -> Biscuit -> IO Biscuit
checkBiscuitSignature :: Biscuit -> PublicKey -> IO Bool
parseBiscuit :: ByteString -> Either ParseError Biscuit
serializeBiscuit :: Biscuit -> ByteString
verifyBiscuit :: Biscuit -> Verifier -> PublicKey -> IO (Either VerificationError Query)
verifyBiscuitWithLimits :: Limits -> Biscuit -> Verifier -> PublicKey -> IO (Either VerificationError Query)
data BlockWithRevocationIds = BlockWithRevocationIds {
- bBlock :: Block
- genericRevocationId :: ByteString
- uniqueRevocationId :: ByteString
}
getRevocationIds :: Biscuit -> IO (NonEmpty BlockWithRevocationIds)

Documentation

data Biscuit Source #

A parsed biscuit

Constructors

Biscuit

Fields

symbols :: Symbols
The symbols already defined in the contained blocks
authority :: (PublicKey, ExistingBlock)
The authority block, along with the associated public key. The public key is kept around since it's embedded in the serialized biscuit, but should not be used for verification. An externally provided public key should be used instead.
blocks :: [(PublicKey, ExistingBlock)]
The extra blocks, along with the public keys needed
signature :: Signature

Instances

Instances details

Eq Biscuit Source #
Instance details Defined in Auth.Biscuit.Token Methods (==) :: Biscuit -> Biscuit -> Bool # (/=) :: Biscuit -> Biscuit -> Bool #
Show Biscuit Source #
Instance details Defined in Auth.Biscuit.Token Methods showsPrec :: Int -> Biscuit -> ShowS # show :: Biscuit -> String # showList :: [Biscuit] -> ShowS #

data ParseError Source #

Errors that can happen when parsing a biscuit

Constructors

InvalidHexEncoding	The provided ByteString is not hex-encoded
InvalidB64Encoding	The provided ByteString is not base64-encoded
InvalidProtobufSer String	The provided ByteString does not contain properly serialized protobuf values
InvalidProtobuf String	The bytestring was correctly deserialized from protobuf, but the values can't be turned into a proper biscuit

Instances

Instances details

Eq ParseError Source #
Instance details Defined in Auth.Biscuit.Token Methods (==) :: ParseError -> ParseError -> Bool # (/=) :: ParseError -> ParseError -> Bool #
Show ParseError Source #
Instance details Defined in Auth.Biscuit.Token Methods showsPrec :: Int -> ParseError -> ShowS # show :: ParseError -> String # showList :: [ParseError] -> ShowS #

data VerificationError Source #

An error that can happen when verifying a biscuit

Constructors

SignatureError	The signature is invalid
DatalogError ExecutionError	The checks and policies could not be verified

Instances

Instances details

Eq VerificationError Source #
Instance details Defined in Auth.Biscuit.Token Methods (==) :: VerificationError -> VerificationError -> Bool # (/=) :: VerificationError -> VerificationError -> Bool #
Show VerificationError Source #
Instance details Defined in Auth.Biscuit.Token Methods showsPrec :: Int -> VerificationError -> ShowS # show :: VerificationError -> String # showList :: [VerificationError] -> ShowS #

type ExistingBlock = (ByteString, Block) Source #

Protobuf serialization does not have a guaranteed deterministic behaviour, so we need to keep the initial serialized payload around in order to compute a new signature when adding a block.

mkBiscuit :: Keypair -> Block -> IO Biscuit Source #

Create a new biscuit with the provided authority block

addBlock :: Block -> Biscuit -> IO Biscuit Source #

Add a block to an existing biscuit. The block will be signed with a randomly-generated keypair

checkBiscuitSignature :: Biscuit -> PublicKey -> IO Bool Source #

Only check a biscuit signature. This can be used to perform an early check, before bothering with constructing a verifier.

parseBiscuit :: ByteString -> Either ParseError Biscuit Source #

Parse a biscuit from a raw bytestring.

serializeBiscuit :: Biscuit -> ByteString Source #

Serialize a biscuit to a raw bytestring

verifyBiscuit :: Biscuit -> Verifier -> PublicKey -> IO (Either VerificationError Query) Source #

Same as verifyBiscuitWithLimits, but with default limits (1ms timeout, max 1000 facts, max 100 iterations)

verifyBiscuitWithLimits :: Limits -> Biscuit -> Verifier -> PublicKey -> IO (Either VerificationError Query) Source #

Given a provided verifier (a set of facts, rules, checks and policies), and a public key, verify a biscuit:

make sure the biscuit has been signed with the private key associated to the public key
make sure the biscuit is valid for the provided verifier

data BlockWithRevocationIds Source #

A parsed block, along with the associated revocation ids.

Constructors

BlockWithRevocationIds
Fields bBlock :: Block The parsed block genericRevocationId :: ByteString Generic revocation id (depends on the block contents and its primary key) uniqueRevocationId :: ByteString Unique revocation id (specific to the token)

getRevocationIds :: Biscuit -> IO (NonEmpty BlockWithRevocationIds) Source #

Compute the revocation ids for a given biscuit