Generate a new random SecretKey

Create a public key from a secret key

An Ed25519 Secret key

An Ed25519 public key

Serialize a SecretKey to a hex-encoded bytestring

Serialize a PublicKey to a hex-encoded bytestring

Read a SecretKey from an hex bytestring

Read a PublicKey from an hex bytestring

Serialize a SecretKey to raw bytes, without any encoding

Serialize a PublicKey to raw bytes, without any encoding

Read a SecretKey from raw bytes

Read a PublicKey from raw bytes

Create a new biscuit with the provided authority block. Such a biscuit is Open to further attenuation.

Compile-time parser for a block expression, intended to be used with the QuasiQuotes extension.

A typical use of block looks like this:

let fileName = "data.pdf"
 in [block|
      // datalog can reference haskell variables with ${variableName}
      resource(${fileName});
      rule($variable) <- fact($value), other_fact($value);
      check if operation("read");
    |]

Build a block containing an explicit context value. The context of a block can't be parsed from datalog currently, so you'll need an explicit call to blockContext to add it

    [block|check if time($t), $t < 2021-01-01;|]
 <> blockContext "ttl-check"

A parsed biscuit. The proof type param can be one of Open, Sealed or OpenOrSealed. It describes whether a biscuit is open to further attenuation, or sealed and not modifyable further.

The check type param can be either Verified or Unverified and keeps track of whether the blocks signatures (and final proof) have been verified with a given root PublicKey.

The constructor is not exposed in order to ensure that Biscuit values can only be created by trusted code paths.

This datatype represents the final proof of a biscuit, which can be either open or sealed. This is the typical state of a biscuit that's been parsed.

This datatype represents the final proof of a biscuit statically known to be open (capable of being attenuated further). In that case the proof is a secret key that can be used to sign a new block.

This datatype represents the final proof of a biscuit statically known to be sealed (not capable of being attenuated further). In that case the proof is a signature proving that the party who sealed the token did know the last secret key.

Proof that a biscuit had its signatures verified with the carried root PublicKey

Marker that a biscuit was parsed without having its signatures verified. Such a biscuit cannot be trusted yet.

This class allows functions working on both open and sealed biscuits to accept indifferently OpenOrSealed, Open or Sealed biscuits. It has no laws, it only projects Open and Sealed to the general OpenOrSealed case.

A biscuit block, containing facts, rules and checks.

Block has a Monoid instance, which is the expected way to build composite blocks (eg if you need to generate a list of facts):

-- build a block from multiple variables v1, v2, v3
[block| value(${v1}); |] <>
[block| value(${v2}); |] <>
[block| value(${v3}); |]

Parse a biscuit from a URL-compatible base 64 encoded bytestring

Parse a biscuit from a raw bytestring. If you want to parse from a URL-compatible base 64 bytestring, consider using parseB64 instead. The biscuit signature is verified with the provided PublicKey before completely decoding blocks The revocation ids are not verified before completely decoding blocks. If you need to check revocation ids before decoding blocks, use parseWith (or parseB64With instead).

Parse a biscuit, with explicitly supplied parsing options:

• encoding (RawBytes or UrlBase64)
• revocation check
• public key (based on the token's rootKeyId field)

If you don't need dynamic public key selection or revocation checks, you can use parse or parseB64 instead.

The biscuit signature is verified with the selected PublicKey before completely decoding blocks

Parse a biscuit without performing any signatures check. This function is intended to provide tooling (eg adding a block, or inspecting a biscuit) without having to verify its signatures. Running an Authorizer is not possible without checking signatures. checkBiscuitSignatures allows a delayed signature check. For normal auth workflows, please use parseWith (or parse, or parseB64) instead, as they check signatures before completely parsing the biscuit.

Check the signatures (and final proof) of an already parsed biscuit. These checks normally happen during the parsing phase, but can be delayed (or even ignored) in some cases. This fuction allows to turn a Unverified Biscuit into a Verified one after it has been parsed with parseBiscuitUnverified.

Biscuits can be transmitted as raw bytes, or as base64-encoded text. This datatype lets the parser know about the expected encoding.

Parsing a biscuit involves various steps. This data type allows configuring those steps.

Helper for building a revocation check from a static list, suitable for use with parseWith and ParserConfig.

Serialize a biscuit to URL-compatible base 64, as recommended by the spec

Serialize a biscuit to a binary format. If you intend to send the biscuit over a text channel, consider using serializeB64 instead

Decode a base16-encoded bytestring, reporting errors via MonadFail

Add a block to an existing biscuit. Only Open biscuits can be attenuated; the newly created biscuit is Open as well.

Turn an Open biscuit into a Sealed one, preventing it from being attenuated further. A Sealed biscuit cannot be turned into an Open one.

Turn a Biscuit statically known to be Open into a more generic OpenOrSealed Biscuit (essentially forgetting about the fact it's Open)

Turn a Biscuit statically known to be Sealed into a more generic OpenOrSealed Biscuit (essentially forgetting about the fact it's Sealed)

Try to turn a Biscuit that may be open or sealed into a biscuit that's statically known to be Open.

Try to turn a Biscuit that may be open or sealed into a biscuit that's statically known to be Sealed.

Compile-time parser for an authorizer expression, intended to be used with the QuasiQuotes extension.

A typical use of authorizer looks like this:

do
  now <- getCurrentTime
  pure [authorizer|
         // datalog can reference haskell variables with ${variableName}
         current_time(${now});
         // authorizers can contain facts, rules and checks like blocks, but
         // also declare policies. While every check has to pass for a biscuit to
         // be valid, policies are tried in order. The first one to match decides
         // if the token is valid or not
         allow if resource("file1");
         deny if true;
       |]

A biscuit authorizer, containing, facts, rules, checks and policies

Given a biscuit with a verified signature and an authorizer (a set of facts, rules, checks and policies), verify a biscuit:

• all the checks declared in the biscuit and authorizer must pass
• an allow policy provided by the authorizer has to match (policies are tried in order)
• the datalog computation must happen in an alloted time, with a capped number of generated facts and a capped number of iterations

checks and policies declared in the authorizer only operate on the authority block. Facts declared by extra blocks cannot interfere with previous blocks.

Specific runtime limits can be specified by using authorizeBiscuitWithLimits. authorizeBiscuit uses a set of defaults defined in defaultLimits.

Generic version of authorizeBiscuitWithLimits which takes custom Limits.

Settings for the executor runtime restrictions. See defaultLimits for default values.

Default settings for the executor restrictions. - 1000 facts - 100 iterations - 1000μs max - regexes are allowed - facts and rules are allowed in blocks

Errors that can happen when parsing a biscuit. Since complete parsing of a biscuit requires a signature check, an invalid signature check is a parsing error

An error that can happen while running a datalog verification. The datalog computation itself can be aborted by runtime failsafe mechanisms, or it can run to completion but fail to fullfil checks and policies (ResultError).

Proof that a biscuit was authorized successfully. In addition to the matched allow query, the generated facts are kept around for further querying. Since only authority facts can be trusted, they are kept separate.

A datalog query that was matched, along with the values that matched

Compile-time parser for a query expression, intended to be used with the QuasiQuotes extension.

A typical use of query looks like this:

[query|user($user_id) or group($group_id)|]

Query the facts generated by the authority and authorizer blocks during authorization. This can be used in conjuction with getVariableValues and getSingleVariableValue to retrieve actual values.

⚠ Only the facts generated by the authority and authorizer blocks are queried. Block facts are not queried (since they can't be trusted).

💁 If the facts you want to query are part of an allow query in the authorizer, you can directly get values from AuthorizationSuccess.

Get the matched variables from the allow query used to authorize the biscuit. This can be used in conjuction with getVariableValues or getSingleVariableValue to extract the actual values

Extract a set of values from a matched variable for a specific type. Returning Set Value allows to get all values, whatever their type.

Extract exactly one value from a matched variable. If the variable has 0 matches or more than one match, Nothing will be returned

This class describes how to turn a haskell value into a datalog value. | This is used when slicing a haskell variable in a datalog expression

This class describes how to turn a datalog value into a regular haskell value.

In a regular AST, slices have already been eliminated

A single datalog item. | This can be a value, a set of items, or a slice (a value that will be injected later), | depending on the context

Extract the list of revocation ids from a biscuit. To reject revoked biscuits, please use parseWith instead. This function should only be used for debugging purposes.

Retrieve the PublicKey which was used to verify the Biscuit signatures