Struct biscuit_auth::Authorizer
pub struct Authorizer { /* private fields */ }
used to check authorization policies on a token
can be created from Biscuit::authorizer or Authorizer::new
Implementations
impl Authorizer
pub fn from_snapshot(input: AuthorizerSnapshot) -> Result<Self, Token>
pub fn from_raw_snapshot(input: &[u8]) -> Result<Self, Token>
pub fn from_base64_snapshot(input: &str) -> Result<Self, Token>
pub fn snapshot(&self) -> Result<AuthorizerSnapshot, Format>
pub fn to_raw_snapshot(&self) -> Result<Vec<u8>, Format>
pub fn to_base64_snapshot(&self) -> Result<String, Format>
impl Authorizer
pub fn new() -> Self
creates a new empty authorizer
this can be used to check policies when:
- there is no token (unauthenticated case)
- there is a lot of data to load in the authorizer on each check
In the latter case, we can create an empty authorizer, load it
with the facts, rules and checks, and each time a token must be checked,
clone the authorizer and load the token with Authorizer::add_token
pub fn from(data: &[u8]) -> Result<Self, Token>
creates an Authorizer from a serialized crate::format::schema::AuthorizerPolicies
pub fn add_token(&mut self, token: &Biscuit) -> Result<(), Token>
add a token to an empty authorizer
pub fn save(&self) -> Result<AuthorizerPolicies, Token>
serializes an authorizer’s content
you can use this to save a set of policies and load them quickly before verification. This will not store data obtained or generated from a token.
pub fn merge(&mut self, other: Authorizer)
Add the rules, facts, checks, and policies of another Authorizer. If a token has already been added to other, it is not merged into self.
pub fn merge_block(&mut self, other: BlockBuilder)
Add the rules, facts, and checks of another BlockBuilder.
pub fn add_fact<F: TryInto<Fact>>(&mut self, fact: F) -> Result<(), Token> where Token: From<<F as TryInto<Fact>>::Error>,
pub fn add_rule<Ru: TryInto<Rule>>(&mut self, rule: Ru) -> Result<(), Token> where Token: From<<Ru as TryInto<Rule>>::Error>,
pub fn add_check<C: TryInto<Check>>(&mut self, check: C) -> Result<(), Token> where Token: From<<C as TryInto<Check>>::Error>,
pub fn add_code<T: AsRef<str>>(&mut self, source: T) -> Result<(), Token>
adds some datalog code to the authorizer
extern crate biscuit_auth as biscuit;
use biscuit::Authorizer;
let mut authorizer = Authorizer::new();
authorizer.add_code(r#"
resource("/file1.txt");
check if user(1234);
// default allow
allow if true;
"#).expect("should parse correctly");
pub fn add_code_with_params<T: AsRef<str>>( &mut self, source: T, params: HashMap<String, Term>, scope_params: HashMap<String, PublicKey> ) -> Result<(), Token>
pub fn add_scope(&mut self, scope: Scope)
pub fn limits(&self) -> &AuthorizerLimits
Returns the runtime limits of the authorizer
Those limits cover all the executions under the authorize, query and query_all methods
pub fn set_limits(&mut self, limits: AuthorizerLimits)
Sets the runtime limits of the authorizer
Those limits cover all the executions under the authorize, query and query_all methods
pub fn query<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>( &mut self, rule: R ) -> Result<Vec<T>, Token> where Token: From<<R as TryInto<Rule>>::Error>,
run a query over the authorizer’s Datalog engine to gather data
use biscuit_auth::{Biscuit, KeyPair};
let keypair = KeyPair::new();
let mut builder = Biscuit::builder();
builder.add_fact("user(\"John Doe\", 42)").unwrap();
let biscuit = builder.build(&keypair).unwrap();
let mut authorizer = biscuit.authorizer().unwrap();
// the terms in the rule head ($name, $id) map onto the requested tuple type
let res: Vec<(String, i64)> = authorizer.query("data($name, $id) <- user($name, $id)").unwrap();
pub fn query_with_limits<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>( &mut self, rule: R, limits: AuthorizerLimits ) -> Result<Vec<T>, Token> where Token: From<<R as TryInto<Rule>>::Error>,
run a query over the authorizer’s Datalog engine to gather data
this only sees facts from the authorizer and the authority block
this method overrides the authorizer’s runtime limits, just for this call
pub fn query_all<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>( &mut self, rule: R ) -> Result<Vec<T>, Token> where Token: From<<R as TryInto<Rule>>::Error>,
run a query over the authorizer’s Datalog engine to gather data
this has access to the facts generated when evaluating all the blocks
use biscuit_auth::{Biscuit, KeyPair};
let keypair = KeyPair::new();
let mut builder = Biscuit::builder();
builder.add_fact("user(\"John Doe\", 42)").unwrap();
let biscuit = builder.build(&keypair).unwrap();
let mut authorizer = biscuit.authorizer().unwrap();
// query_all also sees the facts generated when evaluating all the blocks
let res: Vec<(String, i64)> = authorizer.query_all("data($name, $id) <- user($name, $id)").unwrap();
pub fn query_all_with_limits<R: TryInto<Rule>, T: TryFrom<Fact, Error = E>, E: Into<Token>>( &mut self, rule: R, limits: AuthorizerLimits ) -> Result<Vec<T>, Token> where Token: From<<R as TryInto<Rule>>::Error>,
run a query over the authorizer’s Datalog engine to gather data
this has access to the facts generated when evaluating all the blocks
this method overrides the authorizer’s runtime limits, just for this call
pub fn add_policy<P: TryInto<Policy>>(&mut self, policy: P) -> Result<(), Token> where Token: From<<P as TryInto<Policy>>::Error>,
add a policy to the authorizer
pub fn allow(&mut self) -> Result<(), Token>
todo remove, it’s covered in BuilderExt
adds an allow if true policy
pub fn execution_time(&self) -> Duration
returns the elapsed execution time
pub fn iterations(&self) -> u64
returns the number of fact generation iterations
pub fn fact_count(&self) -> usize
returns the number of facts
verifies the checks and policies
on error, this can return a list of all the failed checks or deny policy
on success, it returns the index of the policy that matched
TODO: consume the input to prevent further direct use
verifies the checks and policies
on error, this can return a list of all the failed checks or deny policy
this method overrides the authorizer’s runtime limits, just for this call
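The clone-per-request pattern described under Authorizer::new and the decision order of authorize (every check must hold, then the first matching policy decides and its index is returned), as an added example that is not biscuit_auth code. It is a simplified std-only model: ModelAuthorizer, Policy, Denied, base_authorizer and check_request are hypothetical names, and facts are plain strings instead of Datalog.

```rust
use std::collections::HashSet;
// Simplified stand-ins (assumptions, not biscuit_auth types): a fact is a
// string; a check or policy body is a list of facts that must all be present.
type Body = Vec<&'static str>;
#[derive(Clone)]
enum Policy { Allow(Body), Deny(Body) }
#[derive(Debug, PartialEq)]
enum Denied { FailedChecks(Vec<usize>), DenyPolicy(usize), NoMatchingPolicy }

#[derive(Clone)]
struct ModelAuthorizer { facts: HashSet<String>, checks: Vec<Body>, policies: Vec<Policy> }

impl ModelAuthorizer {
    fn holds(&self, body: &[&str]) -> bool { body.iter().all(|f| self.facts.contains(*f)) }
    // Every check must hold; then the first matching policy decides.
    fn authorize(&self) -> Result<usize, Denied> {
        let failed: Vec<usize> = (0..self.checks.len())
            .filter(|&i| !self.holds(&self.checks[i]))
            .collect();
        if !failed.is_empty() { return Err(Denied::FailedChecks(failed)); }
        for (i, policy) in self.policies.iter().enumerate() {
            match policy {
                Policy::Allow(body) if self.holds(body) => return Ok(i),
                Policy::Deny(body) if self.holds(body) => return Err(Denied::DenyPolicy(i)),
                _ => {}
            }
        }
        Err(Denied::NoMatchingPolicy)
    }
}

// Shared data is loaded once; each request evaluates its own clone.
fn base_authorizer() -> ModelAuthorizer {
    ModelAuthorizer {
        facts: HashSet::from(["resource(\"/file1.txt\")".to_string()]),
        checks: vec![vec!["user(1234)"]],
        policies: vec![Policy::Deny(vec!["revoked(1234)"]), Policy::Allow(vec![])],
    }
}

fn check_request(base: &ModelAuthorizer, token_facts: &[&str]) -> Result<usize, Denied> {
    let mut per_request = base.clone();
    per_request.facts.extend(token_facts.iter().map(|f| f.to_string()));
    per_request.authorize()
}

fn main() {
    let base = base_authorizer();
    println!("{:?} {:?}", check_request(&base, &["user(1234)"]), check_request(&base, &[]));
}
```

Because token facts only ever enter the clone, one request's identity cannot satisfy a check for the next request evaluated against the same base.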
pub fn print_world(&self) -> String
prints the content of the authorizer
pub fn dump(&self) -> (Vec<Fact>, Vec<Rule>, Vec<Check>, Vec<Policy>)
returns all of the data loaded in the authorizer
pub fn dump_code(&self) -> String
Trait Implementations
impl AuthorizerExt for Authorizer
fn add_allow_all(&mut self)
fn add_deny_all(&mut self)
impl BuilderExt for Authorizer
fn add_resource(&mut self, name: &str)
fn check_resource(&mut self, name: &str)
fn add_operation(&mut self, name: &str)
fn check_operation(&mut self, name: &str)
fn check_resource_prefix(&mut self, prefix: &str)
fn check_resource_suffix(&mut self, suffix: &str)
fn check_expiration_date(&mut self, exp: SystemTime)
impl Clone for Authorizer
fn clone(&self) -> Authorizer
fn clone_from(&mut self, source: &Self)