Struct BiscuitConfig 

pub struct BiscuitConfig { /* private fields */ }

Cheap-to-clone biscuit configuration. Wraps the active keypair + history behind an RwLock so a future rotate lands without breaking inflight callers.

Implementations

impl BiscuitConfig

pub fn from_active(active: ActiveRootKey, history: Vec<HistoryRootKey>) -> Self

Construct from an explicit active root keypair. Useful for tests and for engine boot’s “load row, build config” path.

pub fn generate_ephemeral() -> Self

Generate a fresh ephemeral Ed25519 root keypair without touching any DB. The default for crate::ctx::AuthCtx::new callers that don’t have a persistent root key yet — engine boot replaces this with the loaded-or-generated row via crate::ctx::AuthCtx::with_biscuit.

pub fn from_pem(pem: &str) -> Result<Self>

Construct from an existing root keypair PEM (the format KeyPair::to_private_key_pem emits). Used by engine boot when the auth.biscuit_root_keys row carries a stored private key.

pub fn active_kid(&self) -> String

Borrow the active root key id (kid). Cheap; clones one short string under the read lock.

pub fn public_pem(&self) -> Result<String>

Render the active root public key as a PEM string for distribution to standalone verifiers (mobile clients, edge services). Stable as long as the active row in auth.biscuit_root_keys doesn’t rotate.

pub fn active_public_key(&self) -> PublicKey

Borrow the active root public key. Useful for test reconstruction and for the public_pem helper.

pub fn issue<F>(&self, build: F) -> Result<String>

where F: FnOnce(BiscuitBuilder) -> Result<BiscuitBuilder, Token>,

Issue a fresh biscuit via the supplied builder closure. The closure receives an empty BiscuitBuilder and returns the completed builder; we sign + base64-URL-encode it for the wire.

Example:

let token = cfg.issue(|b| b.fact("user(\"alice\")"))?;

pub fn verify<F>(&self, token: &str, build: F) -> Result<()>

where F: FnOnce(AuthorizerBuilder) -> Result<AuthorizerBuilder, Token>,

Verify a biscuit and run the supplied authorizer against it. The closure receives a fresh AuthorizerBuilder; add policies + checks via its builder methods, returning the completed builder. We then build the authorizer against the parsed token and call authorize.

Ok(()) means the token was syntactically valid, signed by a known root key, and matched at least one allow policy without triggering any deny / failed check.

Trait Implementations

impl Clone for BiscuitConfig

fn clone(&self) -> BiscuitConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.