Struct biscuit_auth::Authorizer

pub struct Authorizer<'t> { /* private fields */ }

used to check authorization policies on a token

can be created from Biscuit::authorizer or Authorizer::new

Implementations

impl<'t> Authorizer<'t>

pub fn new() -> Result<Self, Logic>

creates a new empty authorizer

this can be used to check policies when:

• there is no token (unauthenticated case)
• there is a lot of data to load in the authorizer on each check

In the latter case, we can create an empty authorizer, load it with the facts, rules and checks, and each time a token must be checked, clone the authorizer and load the token with Authorizer::add_token

pub fn from(slice: &[u8]) -> Result<Self, Token>

creates an Authorizer from a serialized crate::format::schema::AuthorizerPolicies

pub fn add_token(&mut self, token: &'t Biscuit) -> Result<(), Token>

add a token to an empty authorizer

pub fn save(&self) -> Result<Vec<u8>, Token>

serializes a authorizer’s content

you can use this to save a set of policies and load them quickly before verification, or to store a verification context to debug it later

pub fn add_fact<F: TryInto<Fact>>(&mut self, fact: F) -> Result<(), Token> where
    Token: From<<F as TryInto<Fact>>::Error>, 

add a fact to the authorizer

pub fn add_rule<R: TryInto<Rule>>(&mut self, rule: R) -> Result<(), Token> where
    Token: From<<R as TryInto<Rule>>::Error>, 

add a rule to the authorizer

pub fn add_code<T: AsRef<str>>(&mut self, source: T) -> Result<(), Token>

adds some datalog code to the authorizer

extern crate biscuit_auth as biscuit;

use biscuit::Authorizer;

let mut authorizer = Authorizer::new().unwrap();

authorizer.add_code(r#"
  resource("/file1.txt");

  check if user(1234);

  // default allow
  allow if true;
"#).expect("should parse correctly");

pub fn query<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>(
    &mut self,
    rule: R
) -> Result<Vec<T>, Token> where
    Token: From<<R as TryInto<Rule>>::Error>, 

run a query over the authorizer’s Datalog engine to gather data

this only sees facts from the authorizer and the authority block

let keypair = KeyPair::new();
let mut builder = Biscuit::builder(&keypair);
builder.add_authority_fact("user(\"John Doe\", 42)");

let biscuit = builder.build().unwrap();

let mut authorizer = biscuit.authorizer().unwrap();
let res: Vec<(String, i64)> = authorizer.query("data($name, $id) <- user($name, $id)").unwrap();

pub fn query_with_limits<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>(
    &mut self,
    rule: R,
    limits: AuthorizerLimits
) -> Result<Vec<T>, Token> where
    Token: From<<R as TryInto<Rule>>::Error>, 

run a query over the authorizer’s Datalog engine to gather data

this only sees facts from the authorizer and the authority block

this method can specify custom runtime limits

pub fn query_all<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>(
    &mut self,
    rule: R
) -> Result<Vec<T>, Token> where
    Token: From<<R as TryInto<Rule>>::Error>, 

run a query over the authorizer’s Datalog engine to gather data

this has access to the facts generated when evaluating all the blocks

let keypair = KeyPair::new();
let mut builder = Biscuit::builder(&keypair);
builder.add_authority_fact("user(\"John Doe\", 42)");

let biscuit = builder.build().unwrap();

let mut authorizer = biscuit.authorizer().unwrap();
let res: Vec<(String, i64)> = authorizer.query("data($name, $id) <- user($name, $id)").unwrap();

pub fn query_all_with_limits<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>(
    &mut self,
    rule: R,
    limits: AuthorizerLimits
) -> Result<Vec<T>, Token> where
    Token: From<<R as TryInto<Rule>>::Error>, 

run a query over the authorizer’s Datalog engine to gather data

this has access to the facts generated when evaluating all the blocks

this method can specify custom runtime limits

pub fn add_check<C: TryInto<Check>>(&mut self, check: C) -> Result<(), Token> where
    Token: From<<C as TryInto<Check>>::Error>, 

add a check to the authorizer

pub fn set_time(&mut self)

adds a fact with the current time

pub fn add_policy<P: TryInto<Policy>>(&mut self, policy: P) -> Result<(), Token> where
    Token: From<<P as TryInto<Policy>>::Error>, 

add a policy to the authorizer

pub fn allow(&mut self) -> Result<(), Token>

adds a allow if true policy

pub fn deny(&mut self) -> Result<(), Token>

adds a deny if true policy

pub fn authorize(&mut self) -> Result<usize, Token>

verifies the checks and policiies

on error, this can return a list of all the failed checks or deny policy on success, it returns the index of the policy that matched

pub fn authorize_with_limits(
    &mut self,
    limits: AuthorizerLimits
) -> Result<usize, Token>

verifies the checks and policiies

on error, this can return a list of all the failed checks or deny policy

this method can specify custom runtime limits

pub fn print_world(&self) -> String

prints the content of the authorizer

pub fn dump(&self) -> (Vec<Fact>, Vec<Rule>, Vec<Check>, Vec<Policy>)

returns all of the data loaded in the authorizer

Trait Implementations

impl<'t> Clone for Authorizer<'t>

fn clone(&self) -> Authorizer<'t>

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.