/// Used to check authorization policies on a token.
///
/// Can be created from `Biscuit::authorizer` or `Authorizer::new`.
pub struct Authorizer { /* private fields */ }

Used to check authorization policies on a token.

Can be created from `Biscuit::authorizer` or `Authorizer::new`.

Implementations


impl Authorizer


impl Authorizer


pub fn new() -> Self

Creates a new empty authorizer.

This can be used to check policies when:

  • there is no token (unauthenticated case)
  • there is a lot of data to load in the authorizer on each check

In the latter case, we can create an empty authorizer, load it with the facts, rules and checks, and each time a token must be checked, clone the authorizer and load the token with `Authorizer::add_token`.


pub fn from(data: &[u8]) -> Result<Self, Token>

Creates an `Authorizer` from a serialized `crate::format::schema::AuthorizerPolicies`.


pub fn add_token(&mut self, token: &Biscuit) -> Result<(), Token>

Adds a token to an empty authorizer.


pub fn save(&self) -> Result<AuthorizerPolicies, Token>

Serializes an authorizer's content.

You can use this to save a set of policies and load them quickly before verification. This will not store data obtained or generated from a token.


pub fn merge(&mut self, other: Authorizer)

Adds the rules, facts, checks, and policies of another `Authorizer`. If a token has already been added to `other`, it is not merged into `self`.


pub fn merge_block(&mut self, other: BlockBuilder)

Adds the rules, facts, and checks of another `BlockBuilder`.


pub fn add_fact<F: TryInto<Fact>>(&mut self, fact: F) -> Result<(), Token> where Token: From<<F as TryInto<Fact>>::Error>,


pub fn add_rule<Ru: TryInto<Rule>>(&mut self, rule: Ru) -> Result<(), Token> where Token: From<<Ru as TryInto<Rule>>::Error>,


pub fn add_check<C: TryInto<Check>>(&mut self, check: C) -> Result<(), Token> where Token: From<<C as TryInto<Check>>::Error>,


pub fn add_code<T: AsRef<str>>(&mut self, source: T) -> Result<(), Token>

Adds some Datalog code to the authorizer.

extern crate biscuit_auth as biscuit;

use biscuit::Authorizer;

// Datalog to load: a `resource` fact, a `check if` check and an `allow if true` policy.
let datalog = r#"
  resource("/file1.txt");

  check if user(1234);

  // default allow
  allow if true;
"#;

// Start from an empty authorizer and load the code. `add_code` returns a
// `Result`, which `expect` unwraps, so a Datalog parse failure panics here.
let mut auth = Authorizer::new();
auth.add_code(datalog).expect("should parse correctly");

pub fn add_code_with_params<T: AsRef<str>>( &mut self, source: T, params: HashMap<String, Term>, scope_params: HashMap<String, PublicKey> ) -> Result<(), Token>


pub fn add_scope(&mut self, scope: Scope)


pub fn limits(&self) -> &AuthorizerLimits

Returns the runtime limits of the authorizer.

Those limits cover all the executions under the `authorize`, `query` and `query_all` methods.


pub fn set_limits(&mut self, limits: AuthorizerLimits)

Sets the runtime limits of the authorizer.

Those limits cover all the executions under the `authorize`, `query` and `query_all` methods.


pub fn query<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>( &mut self, rule: R ) -> Result<Vec<T>, Token> where Token: From<<R as TryInto<Rule>>::Error>,

Runs a query over the authorizer's Datalog engine to gather data.

// Build a token carrying a single `user` fact, signed with a fresh key pair.
let root = KeyPair::new();
let mut token_builder = Biscuit::builder();
// NOTE(review): the return value of add_fact is discarded here; if it is a
// Result, a malformed fact would be dropped silently — confirm against the builder API.
token_builder.add_fact("user(\"John Doe\", 42)");
let token = token_builder.build(&root).unwrap();

// Create an authorizer from the token and run a rule against its facts.
let rule = "data($name, $id) <- user($name, $id)";
let mut auth = token.authorizer().unwrap();
let res: Vec<(String, i64)> = auth.query(rule).unwrap();

pub fn query_with_limits<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>( &mut self, rule: R, limits: AuthorizerLimits ) -> Result<Vec<T>, Token> where Token: From<<R as TryInto<Rule>>::Error>,

Runs a query over the authorizer's Datalog engine to gather data.

This only sees facts from the authorizer and the authority block.

This method overrides the authorizer's runtime limits, just for this call.


pub fn query_all<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>( &mut self, rule: R ) -> Result<Vec<T>, Token> where Token: From<<R as TryInto<Rule>>::Error>,

Runs a query over the authorizer's Datalog engine to gather data.

This has access to the facts generated when evaluating all the blocks.

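// Build a token carrying a single `user` fact, signed with a fresh key pair.
let keypair = KeyPair::new();
let mut builder = Biscuit::builder();
// NOTE(review): the return value of add_fact is discarded here; if it is a
// Result, a malformed fact would be dropped silently — confirm against the builder API.
builder.add_fact("user(\"John Doe\", 42)");

let biscuit = builder.build(&keypair).unwrap();

// This example documents `query_all`, so call it rather than `query`: unlike
// `query`, `query_all` also sees the facts generated when evaluating every block.
let mut authorizer = biscuit.authorizer().unwrap();
let res: Vec<(String, i64)> = authorizer.query_all("data($name, $id) <- user($name, $id)").unwrap();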

pub fn query_all_with_limits<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>( &mut self, rule: R, limits: AuthorizerLimits ) -> Result<Vec<T>, Token> where Token: From<<R as TryInto<Rule>>::Error>,

Runs a query over the authorizer's Datalog engine to gather data.

This has access to the facts generated when evaluating all the blocks.

This method overrides the authorizer's runtime limits, just for this call.


pub fn set_time(&mut self)

Adds a fact with the current time.


pub fn add_policy<P: TryInto<Policy>>(&mut self, policy: P) -> Result<(), Token> where Token: From<<P as TryInto<Policy>>::Error>,

Adds a policy to the authorizer.


pub fn allow(&mut self) -> Result<(), Token>

TODO: remove, it's covered in `BuilderExt`. Adds an `allow if true` policy.


pub fn deny(&mut self) -> Result<(), Token>

Adds a `deny if true` policy.


pub fn execution_time(&self) -> Duration

Returns the elapsed execution time.


pub fn iterations(&self) -> u64

Returns the number of fact generation iterations.


pub fn fact_count(&self) -> usize

Returns the number of facts.


pub fn authorize(&mut self) -> Result<usize, Token>

Verifies the checks and policies.

On error, this can return a list of all the failed checks or the deny policy. On success, it returns the index of the policy that matched.


pub fn authorize_with_limits( &mut self, limits: AuthorizerLimits ) -> Result<usize, Token>

TODO: consume the input to prevent further direct use. Verifies the checks and policies.

On error, this can return a list of all the failed checks or the deny policy.

This method overrides the authorizer's runtime limits, just for this call.


pub fn print_world(&self) -> String

Returns the content of the authorizer as a printable `String`.


pub fn dump(&self) -> (Vec<Fact>, Vec<Rule>, Vec<Check>, Vec<Policy>)

Returns all of the data loaded in the authorizer.


pub fn dump_code(&self) -> String

Trait Implementations


impl AuthorizerExt for Authorizer


fn add_allow_all(&mut self)


fn add_deny_all(&mut self)


impl BuilderExt for Authorizer


fn add_resource(&mut self, name: &str)


fn check_resource(&mut self, name: &str)


fn add_operation(&mut self, name: &str)


fn check_operation(&mut self, name: &str)


fn check_resource_prefix(&mut self, prefix: &str)


fn check_resource_suffix(&mut self, suffix: &str)


fn check_expiration_date(&mut self, exp: SystemTime)


impl Clone for Authorizer


fn clone(&self) -> Authorizer

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from `source`.

impl Display for Authorizer


fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

Auto Trait Implementations

Blanket Implementations


impl<T> Any for T where T: 'static + ?Sized,


fn type_id(&self) -> TypeId

Gets the `TypeId` of `self`.

impl<T> Borrow<T> for T where T: ?Sized,


fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T where T: ?Sized,


fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T


fn from(t: T) -> T

Returns the argument unchanged.


impl<T, U> Into<U> for T where U: From<T>,


fn into(self) -> U

Calls `U::from(self)`.

That is, this conversion is whatever the implementation of `From<T> for U` chooses to do.


impl<T> Same<T> for T


type Output = T

Should always be `Self`.

impl<T> ToOwned for T where T: Clone,


type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T> ToString for T where T: Display + ?Sized,


default fn to_string(&self) -> String

Converts the given value to a `String`.

impl<T, U> TryFrom<U> for T where U: Into<T>,


type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T where U: TryFrom<T>,


type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T where V: MultiLane<T>,


fn vzip(self) -> V