biscuit-haskell-0.2.1.0: Library support for the Biscuit security token
Copyright© Clément Delafargue 2021
LicenseMIT
Maintainerclement@delafargue.name
Safe HaskellNone
LanguageHaskell2010

Auth.Biscuit

Description

Haskell implementation for the Biscuit token.

Synopsis

The biscuit auth token

Biscuit is a bearer token, allowing offline attenuation (meaning that anyone having a token can craft a new, more restricted token), and PublicKey verification. Token rights and attenuation are expressed using a logic language, derived from datalog. Such a language can describe facts (things we know about the world), rules (describing how to derive new facts from existing ones) and checks (ensuring that facts hold). Facts and checks let you describe access control rules, while rules make them modular. Authorizer policies lets the verifying party ensure that a provided biscuit grants access to the required operations.

Here's how to create a biscuit token:

-- Biscuit Open Verified means the token has valid signatures
-- and is open to further restriction
buildToken :: Keypair -> IO (Biscuit Open Verified)
buildToken keypair =
  -- the logic language has its own syntax, which can be typed directly in haskell
  -- source code thanks to QuasiQuotes. The datalog snippets are parsed at compile
  -- time, so a datalog error results in a compilation error, not a runtime error
  mkBiscuit keypair [block|
      // the two first lines describe facts:
      // the token holder is identified as `user_1234`
      user("user_1234");
      // the token holder is granted access to resource `file1`
      resource("file1");
      // this last line defines a restriction: properties that need
      // to be verified for the token to be verified:
      // the token can only be used before a specified date
      check if time($time), $time < 2021-05-08T00:00:00Z;
   |]

Here's how to attenuate a biscuit token:

restrictToken :: Biscuit Open Verified -> IO Biscuit Open Verified
restrictToken =
  addBlock [block|
      // restrict the token to local use only
      check if user_ip_address("127.0.0.1");
   |]

To verify a biscuit token, we need two things:

  • a public key, that will let us verify the token has been emitted by a trusted authority
  • an authorizer, that will make sure all the checks declared in the token are fulfilled, as well as providing its own checks, and policies which decide if the token is verified or not

Here's how to verify a base64-serialized biscuit token:

verifyToken :: PublicKey -> ByteString -> IO Bool
verifyToken publicKey token = do
  -- complete parsing is only attempted if signatures can be verified,
  -- that's the reason why 'parseB64' takes a public key as a parameter
  parseResult <- parseB64 publicKey token
  case parseResult of
    Left e -> print e $> False
    Right biscuit -> do
      now <- getCurrentTime
      let verif = [authorizer|
               // the datalog snippets can reference haskell variables
               // with the ${variableName} syntax
               time(${now});

               // policies are tried in order. The first matching policy
               // will decide if the token is valid or not. If no policies
               // match, the token will fail validation
               allow if resource("file1");
               // catch-all policy if the previous ones did not match
               deny if true;
            |]
      result <- authorizeBiscuit biscuit [authorizer|current_time()|]
      case result of
        Left e -> print e $> False
        Right _ -> pure True

Creating keypairs

Biscuits rely on public key cryptography: biscuits are signed with a secret key only known to the party which emits it. Verifying a biscuit, on the other hand, can be done with a public key that can be widely distributed. A private key and its corresponding public key is called a keypair, but since a public key can be deterministically computed from a private key, owning a private key is the same as owning a keypair.

newSecret :: IO SecretKey Source #

Generate a new random SecretKey

toPublic :: SecretKey -> PublicKey #

Create a public key from a secret key

data SecretKey #

An Ed25519 Secret key

Instances

Instances details
Eq SecretKey 
Instance details

Defined in Crypto.PubKey.Ed25519

Show SecretKey 
Instance details

Defined in Crypto.PubKey.Ed25519

NFData SecretKey 
Instance details

Defined in Crypto.PubKey.Ed25519

Methods

rnf :: SecretKey -> () #

ByteArrayAccess SecretKey 
Instance details

Defined in Crypto.PubKey.Ed25519

Methods

length :: SecretKey -> Int #

withByteArray :: SecretKey -> (Ptr p -> IO a) -> IO a #

copyByteArrayToPtr :: SecretKey -> Ptr p -> IO () #

data PublicKey #

An Ed25519 public key

Instances

Instances details
Eq PublicKey 
Instance details

Defined in Crypto.PubKey.Ed25519

Show PublicKey 
Instance details

Defined in Crypto.PubKey.Ed25519

NFData PublicKey 
Instance details

Defined in Crypto.PubKey.Ed25519

Methods

rnf :: PublicKey -> () #

ByteArrayAccess PublicKey 
Instance details

Defined in Crypto.PubKey.Ed25519

Methods

length :: PublicKey -> Int #

withByteArray :: PublicKey -> (Ptr p -> IO a) -> IO a #

copyByteArrayToPtr :: PublicKey -> Ptr p -> IO () #

Parsing and serializing keypairs

serializeSecretKeyHex :: SecretKey -> ByteString Source #

Serialize a SecretKey to a hex-encoded bytestring

serializePublicKeyHex :: PublicKey -> ByteString Source #

Serialize a PublicKey to a hex-encoded bytestring

parseSecretKeyHex :: ByteString -> Maybe SecretKey Source #

Read a SecretKey from an hex bytestring

parsePublicKeyHex :: ByteString -> Maybe PublicKey Source #

Read a PublicKey from an hex bytestring

serializeSecretKey :: SecretKey -> ByteString Source #

Serialize a SecretKey to raw bytes, without any encoding

serializePublicKey :: PublicKey -> ByteString Source #

Serialize a PublicKey to raw bytes, without any encoding

Creating a biscuit

The core of a biscuit is its authority block. This block declares facts and rules and is signed by its creator with a secret key. In addition to this trusted, authority block, a biscuit may carry extra blocks that can only restrict what it can do. By default, biscuits can be restricted, but it's possible to seal a biscuit and prevent further modifications.

Blocks are defined with a logic language (datalog) that can be used directly from haskell with the QuasiQuotes extension.

mkBiscuit :: SecretKey -> Block -> IO (Biscuit Open Verified) Source #

Create a new biscuit with the provided authority block. Such a biscuit is Open to further attenuation.

mkBiscuitWith :: Maybe Int -> SecretKey -> Block -> IO (Biscuit Open Verified) Source #

Create a new biscuit with the provided authority block and root key id. Such a biscuit is Open to further attenuation.

block :: QuasiQuoter Source #

Compile-time parser for a block expression, intended to be used with the QuasiQuotes extension.

A typical use of block looks like this:

let fileName = "data.pdf"
 in [block|
      // datalog can reference haskell variables with ${variableName}
      resource(${fileName});
      rule($variable) <- fact($value), other_fact($value);
      check if operation("read");
    |]

blockContext :: Text -> Block Source #

Build a block containing an explicit context value. The context of a block can't be parsed from datalog currently, so you'll need an explicit call to blockContext to add it

    [block|check if time($t), $t < 2021-01-01;|]
 <> blockContext "ttl-check"

data Biscuit proof check Source #

A parsed biscuit. The proof type param can be one of Open, Sealed or OpenOrSealed. It describes whether a biscuit is open to further attenuation, or sealed and not modifyable further.

The check type param can be either Verified or Unverified and keeps track of whether the blocks signatures (and final proof) have been verified with a given root PublicKey.

The constructor is not exposed in order to ensure that Biscuit values can only be created by trusted code paths.

Instances

Instances details
(Eq proof, Eq check) => Eq (Biscuit proof check) Source # 
Instance details

Defined in Auth.Biscuit.Token

Methods

(==) :: Biscuit proof check -> Biscuit proof check -> Bool #

(/=) :: Biscuit proof check -> Biscuit proof check -> Bool #

(Show proof, Show check) => Show (Biscuit proof check) Source # 
Instance details

Defined in Auth.Biscuit.Token

Methods

showsPrec :: Int -> Biscuit proof check -> ShowS #

show :: Biscuit proof check -> String #

showList :: [Biscuit proof check] -> ShowS #

data OpenOrSealed Source #

This datatype represents the final proof of a biscuit, which can be either open or sealed. This is the typical state of a biscuit that's been parsed.

Instances

Instances details
Eq OpenOrSealed Source # 
Instance details

Defined in Auth.Biscuit.Token

Show OpenOrSealed Source # 
Instance details

Defined in Auth.Biscuit.Token

BiscuitProof OpenOrSealed Source # 
Instance details

Defined in Auth.Biscuit.Token

data Open Source #

This datatype represents the final proof of a biscuit statically known to be open (capable of being attenuated further). In that case the proof is a secret key that can be used to sign a new block.

Instances

Instances details
BiscuitProof Open Source # 
Instance details

Defined in Auth.Biscuit.Token

data Sealed Source #

This datatype represents the final proof of a biscuit statically known to be sealed (not capable of being attenuated further). In that case the proof is a signature proving that the party who sealed the token did know the last secret key.

Instances

Instances details
BiscuitProof Sealed Source # 
Instance details

Defined in Auth.Biscuit.Token

data Verified Source #

Proof that a biscuit had its signatures verified with the carried root PublicKey

Instances

Instances details
Eq Verified Source # 
Instance details

Defined in Auth.Biscuit.Token

Show Verified Source # 
Instance details

Defined in Auth.Biscuit.Token

data Unverified Source #

Marker that a biscuit was parsed without having its signatures verified. Such a biscuit cannot be trusted yet.

Instances

Instances details
Eq Unverified Source # 
Instance details

Defined in Auth.Biscuit.Token

Show Unverified Source # 
Instance details

Defined in Auth.Biscuit.Token

class BiscuitProof a Source #

This class allows functions working on both open and sealed biscuits to accept indifferently OpenOrSealed, Open or Sealed biscuits. It has no laws, it only projects Open and Sealed to the general OpenOrSealed case.

Minimal complete definition

toPossibleProofs

Instances

Instances details
BiscuitProof Sealed Source # 
Instance details

Defined in Auth.Biscuit.Token

BiscuitProof Open Source # 
Instance details

Defined in Auth.Biscuit.Token

BiscuitProof OpenOrSealed Source # 
Instance details

Defined in Auth.Biscuit.Token

type Block = Block' 'RegularString Source #

A biscuit block, containing facts, rules and checks.

Block has a Monoid instance, which is the expected way to build composite blocks (eg if you need to generate a list of facts):

-- build a block from multiple variables v1, v2, v3
[block| value(${v1}); |] <>
[block| value(${v2}); |] <>
[block| value(${v3}); |]

Parsing and serializing biscuits

parseB64 :: PublicKey -> ByteString -> Either ParseError (Biscuit OpenOrSealed Verified) Source #

Parse a biscuit from a URL-compatible base 64 encoded bytestring

parse :: PublicKey -> ByteString -> Either ParseError (Biscuit OpenOrSealed Verified) Source #

Parse a biscuit from a raw bytestring. If you want to parse from a URL-compatible base 64 bytestring, consider using parseB64 instead. The biscuit signature is verified with the provided PublicKey before completely decoding blocks The revocation ids are not verified before completely decoding blocks. If you need to check revocation ids before decoding blocks, use parseWith (or parseB64With instead).

parseWith :: Applicative m => ParserConfig m -> ByteString -> m (Either ParseError (Biscuit OpenOrSealed Verified)) Source #

Parse a biscuit, with explicitly supplied parsing options:

  • encoding (RawBytes or UrlBase64)
  • revocation check
  • public key (based on the token's rootKeyId field)

If you don't need dynamic public key selection or revocation checks, you can use parse or parseB64 instead.

The biscuit signature is verified with the selected PublicKey before completely decoding blocks

parseBiscuitUnverified :: ByteString -> Either ParseError (Biscuit OpenOrSealed Unverified) Source #

Parse a biscuit without performing any signatures check. This function is intended to provide tooling (eg adding a block, or inspecting a biscuit) without having to verify its signatures. Running an Authorizer is not possible without checking signatures. checkBiscuitSignatures allows a delayed signature check. For normal auth workflows, please use parseWith (or parse, or parseB64) instead, as they check signatures before completely parsing the biscuit.

checkBiscuitSignatures :: BiscuitProof proof => (Maybe Int -> PublicKey) -> Biscuit proof Unverified -> Either ParseError (Biscuit proof Verified) Source #

Check the signatures (and final proof) of an already parsed biscuit. These checks normally happen during the parsing phase, but can be delayed (or even ignored) in some cases. This fuction allows to turn a Unverified Biscuit into a Verified one after it has been parsed with parseBiscuitUnverified.

data BiscuitEncoding Source #

Biscuits can be transmitted as raw bytes, or as base64-encoded text. This datatype lets the parser know about the expected encoding.

Constructors

RawBytes 
UrlBase64 

data ParserConfig m Source #

Parsing a biscuit involves various steps. This data type allows configuring those steps.

Constructors

ParserConfig 

Fields

fromRevocationList :: (Applicative m, Foldable t) => t ByteString -> Set ByteString -> m Bool Source #

Helper for building a revocation check from a static list, suitable for use with parseWith and ParserConfig.

serializeB64 :: BiscuitProof p => Biscuit p Verified -> ByteString Source #

Serialize a biscuit to URL-compatible base 64, as recommended by the spec

serialize :: BiscuitProof p => Biscuit p Verified -> ByteString Source #

Serialize a biscuit to a binary format. If you intend to send the biscuit over a text channel, consider using serializeB64 instead

fromHex :: MonadFail m => ByteString -> m ByteString Source #

Decode a base16-encoded bytestring, reporting errors via MonadFail

Attenuating biscuits

By default, biscuits can be attenuated. It means that any party that holds a biscuit can craft a new biscuit with fewer rights. A common example is taking a long-lived biscuit and adding a short TTL right before sending it over the wire.

addBlock :: Block -> Biscuit Open check -> IO (Biscuit Open check) Source #

Add a block to an existing biscuit. Only Open biscuits can be attenuated; the newly created biscuit is Open as well.

An Open biscuit can be turned into a Sealed one, meaning it won't be possible to attenuate it further.

mkBiscuit creates Open biscuits, while parse returns an OpenOrSealed biscuit (since when you're verifying a biscuit, you're not caring about whether it can be extended further or not). authorizeBiscuit does not care whether a biscuit is Open or Sealed and can be used with both. addBlock and seal only work with Open biscuits.

seal :: Biscuit Open check -> Biscuit Sealed check Source #

Turn an Open biscuit into a Sealed one, preventing it from being attenuated further. A Sealed biscuit cannot be turned into an Open one.

fromOpen :: Biscuit Open check -> Biscuit OpenOrSealed check Source #

Turn a Biscuit statically known to be Open into a more generic OpenOrSealed Biscuit (essentially forgetting about the fact it's Open)

fromSealed :: Biscuit Sealed check -> Biscuit OpenOrSealed check Source #

Turn a Biscuit statically known to be Sealed into a more generic OpenOrSealed Biscuit (essentially forgetting about the fact it's Sealed)

asOpen :: Biscuit OpenOrSealed check -> Maybe (Biscuit Open check) Source #

Try to turn a Biscuit that may be open or sealed into a biscuit that's statically known to be Open.

asSealed :: Biscuit OpenOrSealed check -> Maybe (Biscuit Sealed check) Source #

Try to turn a Biscuit that may be open or sealed into a biscuit that's statically known to be Sealed.

Verifying a biscuit

Verifying a biscuit requires providing a list of policies (allow or deny), which will decide if the biscuit is accepted. Policies are tried in order, and the first one to match decides whether the biscuit is accepted.

In addition to policies, an authorizer typically provides facts (such as the current time) so that checks and policies can be verified.

The authorizer checks and policies only see the content of the authority (first) block. Extra blocks can only carry restrictions and cannot interfere with the authority facts.

authorizer :: QuasiQuoter Source #

Compile-time parser for an authorizer expression, intended to be used with the QuasiQuotes extension.

A typical use of authorizer looks like this:

do
  now <- getCurrentTime
  pure [authorizer|
         // datalog can reference haskell variables with ${variableName}
         current_time(${now});
         // authorizers can contain facts, rules and checks like blocks, but
         // also declare policies. While every check has to pass for a biscuit to
         // be valid, policies are tried in order. The first one to match decides
         // if the token is valid or not
         allow if resource("file1");
         deny if true;
       |]

type Authorizer = Authorizer' 'RegularString Source #

A biscuit authorizer, containing, facts, rules, checks and policies

authorizeBiscuit :: Biscuit proof Verified -> Authorizer -> IO (Either ExecutionError AuthorizationSuccess) Source #

Given a biscuit with a verified signature and an authorizer (a set of facts, rules, checks and policies), verify a biscuit:

  • all the checks declared in the biscuit and authorizer must pass
  • an allow policy provided by the authorizer has to match (policies are tried in order)
  • the datalog computation must happen in an alloted time, with a capped number of generated facts and a capped number of iterations

checks and policies declared in the authorizer only operate on the authority block. Facts declared by extra blocks cannot interfere with previous blocks.

Specific runtime limits can be specified by using authorizeBiscuitWithLimits. authorizeBiscuit uses a set of defaults defined in defaultLimits.

data Limits Source #

Settings for the executor runtime restrictions. See defaultLimits for default values.

Constructors

Limits 

Fields

Instances

Instances details
Eq Limits Source # 
Instance details

Defined in Auth.Biscuit.Datalog.Executor

Methods

(==) :: Limits -> Limits -> Bool #

(/=) :: Limits -> Limits -> Bool #

Show Limits Source # 
Instance details

Defined in Auth.Biscuit.Datalog.Executor

defaultLimits :: Limits Source #

Default settings for the executor restrictions. - 1000 facts - 100 iterations - 1000μs max - regexes are allowed - facts and rules are allowed in blocks

data ParseError Source #

Errors that can happen when parsing a biscuit. Since complete parsing of a biscuit requires a signature check, an invalid signature check is a parsing error

Constructors

InvalidHexEncoding

The provided ByteString is not hex-encoded

InvalidB64Encoding

The provided ByteString is not base64-encoded

InvalidProtobufSer Bool String

The provided ByteString does not contain properly serialized protobuf values

InvalidProtobuf Bool String

The bytestring was correctly deserialized from protobuf, but the values can't be turned into a proper biscuit

InvalidSignatures

The signatures were invalid

InvalidProof

The biscuit final proof was invalid

RevokedBiscuit

The biscuit has been revoked

Instances

Instances details
Eq ParseError Source # 
Instance details

Defined in Auth.Biscuit.Token

Show ParseError Source # 
Instance details

Defined in Auth.Biscuit.Token

data ExecutionError Source #

An error that can happen while running a datalog verification. The datalog computation itself can be aborted by runtime failsafe mechanisms, or it can run to completion but fail to fullfil checks and policies (ResultError).

Constructors

Timeout

Verification took too much time

TooManyFacts

Too many facts were generated during evaluation

TooManyIterations

Evaluation did not converge in the alloted number of iterations

InvalidRule

Some rules were malformed: every variable present in their head must appear in their body

ResultError ResultError

The evaluation ran to completion, but checks and policies were not fulfilled.

data AuthorizationSuccess Source #

Proof that a biscuit was authorized successfully. In addition to the matched allow query, the generated facts are kept around for further querying. Since only authority facts can be trusted, they are kept separate.

Constructors

AuthorizationSuccess 

Fields

data MatchedQuery Source #

A datalog query that was matched, along with the values that matched

Constructors

MatchedQuery 

Instances

Instances details
Eq MatchedQuery Source # 
Instance details

Defined in Auth.Biscuit.Datalog.Executor

Show MatchedQuery Source # 
Instance details

Defined in Auth.Biscuit.Datalog.Executor

query :: QuasiQuoter Source #

Compile-time parser for a query expression, intended to be used with the QuasiQuotes extension.

A typical use of query looks like this:

[query|user($user_id) or group($group_id)|]

queryAuthorizerFacts :: AuthorizationSuccess -> Query -> Set Bindings Source #

Query the facts generated by the authority and authorizer blocks during authorization. This can be used in conjuction with getVariableValues and getSingleVariableValue to retrieve actual values.

⚠ Only the facts generated by the authority and authorizer blocks are queried. Block facts are not queried (since they can't be trusted).

💁 If the facts you want to query are part of an allow query in the authorizer, you can directly get values from AuthorizationSuccess.

getBindings :: AuthorizationSuccess -> Set Bindings Source #

Get the matched variables from the allow query used to authorize the biscuit. This can be used in conjuction with getVariableValues or getSingleVariableValue to extract the actual values

getVariableValues :: (Ord t, FromValue t) => Set Bindings -> Text -> Set t Source #

Extract a set of values from a matched variable for a specific type. Returning Set Value allows to get all values, whatever their type.

getSingleVariableValue :: (Ord t, FromValue t) => Set Bindings -> Text -> Maybe t Source #

Extract exactly one value from a matched variable. If the variable has 0 matches or more than one match, Nothing will be returned

class ToTerm t where Source #

This class describes how to turn a haskell value into a datalog value. | This is used when slicing a haskell variable in a datalog expression

Methods

toTerm :: t -> Term' inSet pof 'RegularString Source #

How to turn a value into a datalog item

Instances

Instances details
ToTerm Bool Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

toTerm :: forall (inSet :: IsWithinSet) (pof :: PredicateOrFact). Bool -> Term' inSet pof 'RegularString Source #

ToTerm Int Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

toTerm :: forall (inSet :: IsWithinSet) (pof :: PredicateOrFact). Int -> Term' inSet pof 'RegularString Source #

ToTerm Integer Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

toTerm :: forall (inSet :: IsWithinSet) (pof :: PredicateOrFact). Integer -> Term' inSet pof 'RegularString Source #

ToTerm ByteString Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

toTerm :: forall (inSet :: IsWithinSet) (pof :: PredicateOrFact). ByteString -> Term' inSet pof 'RegularString Source #

ToTerm Text Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

toTerm :: forall (inSet :: IsWithinSet) (pof :: PredicateOrFact). Text -> Term' inSet pof 'RegularString Source #

ToTerm UTCTime Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

toTerm :: forall (inSet :: IsWithinSet) (pof :: PredicateOrFact). UTCTime -> Term' inSet pof 'RegularString Source #

class FromValue t where Source #

This class describes how to turn a datalog value into a regular haskell value.

Methods

fromValue :: Value -> Maybe t Source #

Instances

Instances details
FromValue Bool Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

FromValue Int Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

FromValue Integer Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

FromValue ByteString Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

FromValue Text Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

FromValue UTCTime Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

FromValue Value Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

type Term = Term' 'NotWithinSet 'InPredicate 'RegularString Source #

In a regular AST, slices have already been eliminated

data Term' (inSet :: IsWithinSet) (pof :: PredicateOrFact) (ctx :: ParsedAs) Source #

A single datalog item. | This can be a value, a set of items, or a slice (a value that will be injected later), | depending on the context

Constructors

Variable (VariableType inSet pof)

A variable (eg. $0)

LInteger Int

An integer literal (eg. 42)

LString Text

A string literal (eg. "file1")

LDate UTCTime

A date literal (eg. 2021-05-26T18:00:00Z)

LBytes ByteString

A hex literal (eg. hex:ff9900)

LBool Bool

A bool literal (eg. true)

Antiquote (SliceType ctx)

A slice (eg. ${name})

TermSet (SetType inSet ctx)

A set (eg. [true, false])

Instances

Instances details
FromValue Value Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

(Lift (VariableType inSet pof), Lift (SetType inSet ctx), Lift (SliceType ctx)) => Lift (Term' inSet pof ctx :: Type) Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

lift :: Term' inSet pof ctx -> Q Exp #

liftTyped :: Term' inSet pof ctx -> Q (TExp (Term' inSet pof ctx)) #

(Eq (VariableType inSet pof), Eq (SliceType ctx), Eq (SetType inSet ctx)) => Eq (Term' inSet pof ctx) Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

(==) :: Term' inSet pof ctx -> Term' inSet pof ctx -> Bool #

(/=) :: Term' inSet pof ctx -> Term' inSet pof ctx -> Bool #

(Ord (VariableType inSet pof), Ord (SliceType ctx), Ord (SetType inSet ctx)) => Ord (Term' inSet pof ctx) Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

compare :: Term' inSet pof ctx -> Term' inSet pof ctx -> Ordering #

(<) :: Term' inSet pof ctx -> Term' inSet pof ctx -> Bool #

(<=) :: Term' inSet pof ctx -> Term' inSet pof ctx -> Bool #

(>) :: Term' inSet pof ctx -> Term' inSet pof ctx -> Bool #

(>=) :: Term' inSet pof ctx -> Term' inSet pof ctx -> Bool #

max :: Term' inSet pof ctx -> Term' inSet pof ctx -> Term' inSet pof ctx #

min :: Term' inSet pof ctx -> Term' inSet pof ctx -> Term' inSet pof ctx #

(Show (VariableType inSet pof), Show (SliceType ctx), Show (SetType inSet ctx)) => Show (Term' inSet pof ctx) Source # 
Instance details

Defined in Auth.Biscuit.Datalog.AST

Methods

showsPrec :: Int -> Term' inSet pof ctx -> ShowS #

show :: Term' inSet pof ctx -> String #

showList :: [Term' inSet pof ctx] -> ShowS #

Retrieving information from a biscuit

getRevocationIds :: Biscuit proof check -> NonEmpty ByteString Source #

Extract the list of revocation ids from a biscuit. To reject revoked biscuits, please use parseWith instead. This function should only be used for debugging purposes.

getVerifiedBiscuitPublicKey :: Biscuit a Verified -> PublicKey Source #

Retrieve the PublicKey which was used to verify the Biscuit signatures