biscuit-haskell-0.1.1.0: Library support for the Biscuit security token
Copyright: © Clément Delafargue 2021
License: MIT
Maintainer: clement@delafargue.name
Safe Haskell: None
Language: Haskell2010

Auth.Biscuit.Token

Description

Module defining the main biscuit-related operations

Documentation

data Biscuit

A parsed biscuit

Constructors

Biscuit 

Fields

  • symbols :: Symbols

    The symbols already defined in the contained blocks

  • authority :: (PublicKey, ExistingBlock)

    The authority block, along with the associated public key. The public key is kept around since it's embedded in the serialized biscuit, but should not be used for verification. An externally provided public key should be used instead.

  • blocks :: [(PublicKey, ExistingBlock)]

    The extra blocks, along with the public keys needed

  • signature :: Signature
     

Instances

Eq Biscuit

Defined in Auth.Biscuit.Token

Methods

(==) :: Biscuit -> Biscuit -> Bool

(/=) :: Biscuit -> Biscuit -> Bool

Show Biscuit

Defined in Auth.Biscuit.Token

data ParseError

Errors that can happen when parsing a biscuit

Constructors

InvalidHexEncoding

The provided ByteString is not hex-encoded

InvalidB64Encoding

The provided ByteString is not base64-encoded

InvalidProtobufSer String

The provided ByteString does not contain properly serialized protobuf values

InvalidProtobuf String

The bytestring was correctly deserialized from protobuf, but the values can't be turned into a proper biscuit

Instances

Eq ParseError

Defined in Auth.Biscuit.Token

Show ParseError

Defined in Auth.Biscuit.Token

data VerificationError

An error that can happen when verifying a biscuit

Constructors

SignatureError

The signature is invalid

DatalogError ExecutionError

The checks and policies could not be verified

type ExistingBlock = (ByteString, Block)

Protobuf serialization does not have a guaranteed deterministic behaviour, so we need to keep the initial serialized payload around in order to compute a new signature when adding a block.

mkBiscuit :: Keypair -> Block -> IO Biscuit

Create a new biscuit with the provided authority block

addBlock :: Block -> Biscuit -> IO Biscuit

Add a block to an existing biscuit. The block will be signed with a randomly-generated keypair

checkBiscuitSignature :: Biscuit -> PublicKey -> IO Bool

Only check a biscuit signature. This can be used to perform an early check, before bothering with constructing a verifier.

parseBiscuit :: ByteString -> Either ParseError Biscuit

Parse a biscuit from a raw bytestring.

serializeBiscuit :: Biscuit -> ByteString

Serialize a biscuit to a raw bytestring

verifyBiscuit :: Biscuit -> Verifier -> PublicKey -> IO (Either VerificationError Query)

Same as verifyBiscuitWithLimits, but with default limits (1ms timeout, max 1000 facts, max 100 iterations)

verifyBiscuitWithLimits :: Limits -> Biscuit -> Verifier -> PublicKey -> IO (Either VerificationError Query)

Given a provided verifier (a set of facts, rules, checks and policies), and a public key, verify a biscuit:

  • make sure the biscuit has been signed with the private key associated with the public key
  • make sure the biscuit is valid for the provided verifier
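
The following is an added example, not code from the biscuit-haskell project. It chains parseBiscuit, checkBiscuitSignature and verifyBiscuit so that every check uses an externally pinned root key, as the note on the authority field requires, and never the key embedded in the token. Assumptions: the module name VerifyGate, the Rejection type and verifyUntrusted are hypothetical, and PublicKey, Verifier and Query are assumed to be exported by Auth.Biscuit.Sel and Auth.Biscuit.Datalog.AST.

```haskell
module VerifyGate (Rejection (..), verifyUntrusted) where

import Data.ByteString (ByteString)
import Auth.Biscuit.Token
  ( ParseError
  , VerificationError (..)
  , checkBiscuitSignature
  , parseBiscuit
  , verifyBiscuit
  )
-- Assumption: these types live in these modules of biscuit-haskell 0.1.x.
import Auth.Biscuit.Datalog.AST (Query, Verifier)
import Auth.Biscuit.Sel (PublicKey)

-- | Hypothetical error type: one reason per stage, so callers can log the
-- stage that rejected the token without leaking details to the client.
data Rejection
  = Malformed ParseError -- ^ the bytes are not a well-formed biscuit
  | BadSignature         -- ^ not signed under the pinned root key
  | PolicyFailure        -- ^ checks and policies could not be verified
  deriving Show

-- | Verify an untrusted serialized token.
-- 'trustedRoot' must come from the service's own configuration.
verifyUntrusted
  :: PublicKey  -- ^ pinned root key, provisioned out of band
  -> Verifier   -- ^ facts, rules, checks and policies for this request
  -> ByteString -- ^ raw token bytes received from the client
  -> IO (Either Rejection Query)
verifyUntrusted trustedRoot verifier raw =
  case parseBiscuit raw of
    Left err -> pure (Left (Malformed err))
    Right biscuit -> do
      -- Early signature check against the pinned key. The key stored in
      -- the token's 'authority' field is attacker-controlled: never use it.
      sigOk <- checkBiscuitSignature biscuit trustedRoot
      if not sigOk
        then pure (Left BadSignature)
        else do
          -- Full verification with the default limits, same pinned key.
          result <- verifyBiscuit biscuit verifier trustedRoot
          pure $ case result of
            Left SignatureError   -> Left BadSignature
            Left (DatalogError _) -> Left PolicyFailure
            Right query           -> Right query
```

In a real service the Verifier would be built per request, after the early signature check has passed, which is the saving the checkBiscuitSignature description refers to.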

data BlockWithRevocationIds

A parsed block, along with the associated revocation ids.

Constructors

BlockWithRevocationIds 

Fields

getRevocationIds :: Biscuit -> IO (NonEmpty BlockWithRevocationIds)

Compute the revocation ids for a given biscuit