//! # Hessra Token Authorization
//!
//! Authorization token implementation for the Hessra authentication system.
//!
//! This crate provides functionality for creating, verifying and attesting authorization
//! tokens (biscuit tokens) used in the Hessra authentication system. It supports advanced
//! features such as service chain attestation and multi-party authorization.
//!
//! ## Features
//!
//! - Token creation: create authorization tokens with configurable time settings
//! - Token verification: verify tokens in identity-based mode (requires an explicit subject)
//!   or capability-based mode (derives the subject from the token)
//! - Service chain attestation: add service node attestations to tokens
//! - Multi-party authorization: create tokens requiring multiple party attestations
//! - WASM compatibility: WIP WASM bindings for token verification
//!
//! ## Verification Modes
//!
//! ### Identity-Based Verification
//!
//! Traditional verification requires an explicit subject (identity) parameter. The verifier
//! checks whether the token grants that specific subject access to the resource and operation.
//!
//! ### Capability-Based Verification
//!
//! Capability-based verification does not require a subject parameter. Instead, the subject
//! is derived from the token's rights using a Datalog rule. This is useful for services that
//! only care about whether the presented token authorizes an action, not who is presenting
//! it. For example, a telemetry service might only need to verify write permission,
//! regardless of the identity writing the data. Because no caller identity is checked in
//! this mode, what is being verified is the token itself, so choose it only where that is
//! the intended access model.
//!
//! ## Usage
//!
//! ```no_run
//! use hessra_token_authz::{create_biscuit, verify_token_local, biscuit_key_from_string};
//! use hessra_token_core::{TokenTimeConfig, KeyPair, encode_token};
//!
//! fn main() -> Result<(), hessra_token_core::TokenError> {
//!     // Create a new token
//!     let keypair = KeyPair::new();
//!     let token = create_biscuit(
//!         "user123".to_string(),
//!         "resource456".to_string(),
//!         "read".to_string(),
//!         keypair,
//!         TokenTimeConfig::default(),
//!     ).map_err(|e| hessra_token_core::TokenError::generic(e.to_string()))?;
//!
//!     // Verify the token. Verification only succeeds with the public half of the
//!     // `keypair` used above; the key string below is an illustrative placeholder.
//!     let token_string = encode_token(&token);
//!     let public_key = biscuit_key_from_string("ed25519/01234567890abcdef".to_string())?;
//!     verify_token_local(&token_string, public_key, "user123", "resource456", "read")?;
//!
//!     println!("Token creation and verification successful!");
//!     Ok(())
//! }
//! ```

// Private implementation modules; everything callers need is re-exported below.
mod attenuate;
mod attest;
mod mint;
mod revocation;
mod verify;

// Public surface of this crate, grouped by concern so it can be read in one place.

// Attenuation: add prefix restrictions to a biscuit or to an encoded token.
pub use attenuate::add_prefix_restriction;
pub use attenuate::add_prefix_restriction_to_token;

// Attestation: append multi-party or service-node attestations.
pub use attest::add_multi_party_attestation;
pub use attest::add_multi_party_attestation_to_token;
pub use attest::add_service_node_attestation;

// Minting: create plain, service-chain and multi-party tokens, with or without
// explicit time settings.
pub use mint::HessraAuthorization;
pub use mint::create_biscuit;
pub use mint::create_multi_party_biscuit;
pub use mint::create_multi_party_biscuit_with_time;
pub use mint::create_multi_party_token;
pub use mint::create_multi_party_token_with_time;
pub use mint::create_raw_multi_party_biscuit;
pub use mint::create_service_chain_biscuit;
pub use mint::create_service_chain_token;
pub use mint::create_service_chain_token_with_time;
pub use mint::create_token;
pub use mint::create_token_with_time;

// Revocation: obtain the revocation identifier of an authorization token.
pub use revocation::get_authorization_revocation_id;
pub use revocation::get_authorization_revocation_id_from_bytes;

// Verification: local checks in identity-based and capability-based modes, with and
// without service-chain requirements, plus the verifier and key helpers they use.
pub use verify::AuthorizationVerifier;
pub use verify::ServiceNode;
pub use verify::biscuit_key_from_string;
pub use verify::verify_biscuit_local;
pub use verify::verify_capability_biscuit_local;
pub use verify::verify_capability_token_local;
pub use verify::verify_service_chain_biscuit_local;
pub use verify::verify_service_chain_capability_biscuit_local;
pub use verify::verify_service_chain_capability_token_local;
pub use verify::verify_service_chain_token_local;
pub use verify::verify_token_local;

// Commonly needed core types and helpers, re-exported so dependents usually do not
// have to depend on `hessra_token_core` directly.
pub use hessra_token_core::Biscuit;
pub use hessra_token_core::KeyPair;
pub use hessra_token_core::PublicKey;
pub use hessra_token_core::TokenError;
pub use hessra_token_core::TokenTimeConfig;
pub use hessra_token_core::decode_token;
pub use hessra_token_core::encode_token;
pub use hessra_token_core::parse_token;
pub use hessra_token_core::public_key_from_pem_file;