Safe Haskell	None
Language	Haskell2010

Auth.Biscuit.Datalog.ScopedExecutor

Synopsis

type BlockWithRevocationId = (Block, ByteString)
runAuthorizer :: BlockWithRevocationId -> [BlockWithRevocationId] -> Authorizer -> IO (Either ExecutionError AuthorizationSuccess)
runAuthorizerWithLimits :: Limits -> BlockWithRevocationId -> [BlockWithRevocationId] -> Authorizer -> IO (Either ExecutionError AuthorizationSuccess)
runAuthorizerNoTimeout :: Limits -> BlockWithRevocationId -> [BlockWithRevocationId] -> Authorizer -> Either ExecutionError AuthorizationSuccess
data World = World {
- facts :: Set Fact
- rules :: Set Rule
}
computeAllFacts :: World -> StateT ComputeState (Either PureExecError) ()
runFactGeneration :: Limits -> World -> Either PureExecError (Set Fact)
data PureExecError
- = Facts
- | Iterations
data AuthorizationSuccess = AuthorizationSuccess {
- matchedAllowQuery :: MatchedQuery
- authorityFacts :: Set Fact
- allGeneratedFacts :: Set Fact
- limits :: Limits
}
getBindings :: AuthorizationSuccess -> Set Bindings
queryAuthorizerFacts :: AuthorizationSuccess -> Query -> Set Bindings
getVariableValues :: (Ord t, FromValue t) => Set Bindings -> Text -> Set t
getSingleVariableValue :: (Ord t, FromValue t) => Set Bindings -> Text -> Maybe t

Documentation

type BlockWithRevocationId = (Block, ByteString) Source #

runAuthorizer Source #

Arguments

:: BlockWithRevocationId	The authority block
-> [BlockWithRevocationId]	The extra blocks
-> Authorizer	A authorizer
-> IO (Either ExecutionError AuthorizationSuccess)

Given a series of blocks and an authorizer, ensure that all the checks and policies match

runAuthorizerWithLimits Source #

Arguments

:: Limits	custom limits
-> BlockWithRevocationId	The authority block
-> [BlockWithRevocationId]	The extra blocks
-> Authorizer	A authorizer
-> IO (Either ExecutionError AuthorizationSuccess)

Given a series of blocks and an authorizer, ensure that all the checks and policies match, with provided execution constraints

runAuthorizerNoTimeout :: Limits -> BlockWithRevocationId -> [BlockWithRevocationId] -> Authorizer -> Either ExecutionError AuthorizationSuccess Source #

data World Source #

Constructors

World
Fields facts :: Set Fact rules :: Set Rule

Instances

Instances details

Show World Source #
Instance details Defined in Auth.Biscuit.Datalog.ScopedExecutor Methods showsPrec :: Int -> World -> ShowS # show :: World -> String # showList :: [World] -> ShowS #
Semigroup World Source #
Instance details Defined in Auth.Biscuit.Datalog.ScopedExecutor Methods (<>) :: World -> World -> World # sconcat :: NonEmpty World -> World # stimes :: Integral b => b -> World -> World #
Monoid World Source #
Instance details Defined in Auth.Biscuit.Datalog.ScopedExecutor Methods mempty :: World # mappend :: World -> World -> World # mconcat :: [World] -> World #

computeAllFacts :: World -> StateT ComputeState (Either PureExecError) () Source #

runFactGeneration :: Limits -> World -> Either PureExecError (Set Fact) Source #

data PureExecError Source #

A subset of ExecutionError that can only happen during fact generation

Constructors

Facts
Iterations

Instances

Instances details

Eq PureExecError Source #
Instance details Defined in Auth.Biscuit.Datalog.ScopedExecutor Methods (==) :: PureExecError -> PureExecError -> Bool # (/=) :: PureExecError -> PureExecError -> Bool #
Show PureExecError Source #
Instance details Defined in Auth.Biscuit.Datalog.ScopedExecutor Methods showsPrec :: Int -> PureExecError -> ShowS # show :: PureExecError -> String # showList :: [PureExecError] -> ShowS #

data AuthorizationSuccess Source #

Proof that a biscuit was authorized successfully. In addition to the matched allow query, the generated facts are kept around for further querying. Since only authority facts can be trusted, they are kept separate.

Constructors

AuthorizationSuccess

Fields

matchedAllowQuery :: MatchedQuery
The allow query that matched
authorityFacts :: Set Fact
All the facts generated by the authority block (and the authorizer)
allGeneratedFacts :: Set Fact
All the facts that were generated by the biscuit. Be careful, the biscuit signature check only guarantees that authorityFacts are signed with the corresponding SecretKey.
limits :: Limits
Limits used when running datalog. It is kept around to allow further datalog computation when querying facts

Instances

Instances details

Eq AuthorizationSuccess Source #
Instance details Defined in Auth.Biscuit.Datalog.ScopedExecutor Methods (==) :: AuthorizationSuccess -> AuthorizationSuccess -> Bool # (/=) :: AuthorizationSuccess -> AuthorizationSuccess -> Bool #
Show AuthorizationSuccess Source #
Instance details Defined in Auth.Biscuit.Datalog.ScopedExecutor Methods showsPrec :: Int -> AuthorizationSuccess -> ShowS # show :: AuthorizationSuccess -> String # showList :: [AuthorizationSuccess] -> ShowS #

getBindings :: AuthorizationSuccess -> Set Bindings Source #

Get the matched variables from the allow query used to authorize the biscuit. This can be used in conjuction with getVariableValues or getSingleVariableValue to extract the actual values

queryAuthorizerFacts :: AuthorizationSuccess -> Query -> Set Bindings Source #

Query the facts generated by the authority and authorizer blocks during authorization. This can be used in conjuction with getVariableValues and getSingleVariableValue to retrieve actual values.

⚠ Only the facts generated by the authority and authorizer blocks are queried. Block facts are not queried (since they can't be trusted).

💁 If the facts you want to query are part of an allow query in the authorizer, you can directly get values from AuthorizationSuccess.

getVariableValues :: (Ord t, FromValue t) => Set Bindings -> Text -> Set t Source #

Extract a set of values from a matched variable for a specific type. Returning Set Value allows to get all values, whatever their type.

getSingleVariableValue :: (Ord t, FromValue t) => Set Bindings -> Text -> Maybe t Source #

Extract exactly one value from a matched variable. If the variable has 0 matches or more than one match, Nothing will be returned