
1use biscuit_auth::{Biscuit, PublicKey};
2
3use crate::error::TokenError;
4use crate::utils::decode_token;
5use crate::verify::{verify_biscuit_local, verify_service_chain_biscuit_local, ServiceNode};
6
/// Decode a base64-encoded token and verify it locally for `subject` on `resource`.
///
/// Thin convenience wrapper: the string is base64-decoded with [`decode_token`]
/// and the raw bytes are handed to [`verify_biscuit_local`], which performs the
/// signature check against `public_key` and the authorization check. This
/// function adds no checks of its own — anything not enforced by
/// `verify_biscuit_local` is not enforced here either.
///
/// # Arguments
///
/// * `token_string` - Base64 encoded token string
/// * `public_key` - Root public key the token signature is verified against
/// * `subject` - Subject (user) identifier whose authorization is checked
/// * `resource` - Resource identifier the authorization is checked against
///
/// # Errors
///
/// Returns the [`TokenError`] produced by decoding or by verification. A
/// decoding failure short-circuits before any verification is attempted.
pub fn verify_token(
    token_string: &str,
    public_key: PublicKey,
    subject: &str,
    resource: &str,
) -> Result<(), TokenError> {
    // Decode first; a malformed string never reaches the verifier.
    let raw_token = decode_token(token_string)?;
    // The local verifier takes owned strings, so copy the borrowed inputs.
    let subject_owned = subject.to_owned();
    let resource_owned = resource.to_owned();
    verify_biscuit_local(raw_token, public_key, subject_owned, resource_owned)
}
36
/// Decode a base64-encoded token and verify it locally, including the service chain.
///
/// Thin convenience wrapper: the string is base64-decoded with [`decode_token`]
/// and the raw bytes are passed, together with every other argument unchanged,
/// to [`verify_service_chain_biscuit_local`]. All signature, authorization and
/// service-chain checks live in that function; nothing is checked here.
///
/// # Arguments
///
/// * `token_string` - Base64 encoded token string
/// * `public_key` - Root public key the token signature is verified against
/// * `subject` - Subject (user) identifier whose authorization is checked
/// * `resource` - Resource identifier the authorization is checked against
/// * `service_nodes` - Service nodes expected to have attested the token
/// * `component` - Optional component to verify up to in the service chain
///   (NOTE(review): the exact cut-off semantics are defined by
///   `verify_service_chain_biscuit_local`, not visible here — confirm there)
///
/// # Errors
///
/// Returns the [`TokenError`] produced by decoding or by verification. A
/// decoding failure short-circuits before any verification is attempted.
pub fn verify_service_chain_token(
    token_string: &str,
    public_key: PublicKey,
    subject: &str,
    resource: &str,
    service_nodes: Vec<ServiceNode>,
    component: Option<String>,
) -> Result<(), TokenError> {
    // Decode first; a malformed string never reaches the verifier.
    let raw_token = decode_token(token_string)?;
    // The local verifier takes owned strings, so copy the borrowed inputs.
    let subject_owned = subject.to_owned();
    let resource_owned = resource.to_owned();
    verify_service_chain_biscuit_local(
        raw_token,
        public_key,
        subject_owned,
        resource_owned,
        service_nodes,
        component,
    )
}
72
/// Decode a base64-encoded token string and deserialize it into a [`Biscuit`].
///
/// Useful when the token's contents need to be inspected directly.
/// `Biscuit::from` is given `public_key`, so deserialization is tied to that
/// root key (the signature is verified against it). However, nothing in this
/// function evaluates an authorization policy: no subject, resource or service
/// chain is checked. A caller holding the returned `Biscuit` must still run
/// [`verify_token`] / [`verify_service_chain_token`] (or its own authorizer)
/// before treating the token as granting anything.
///
/// # Arguments
///
/// * `token_string` - Base64 encoded token string
/// * `public_key` - Root public key the token signature is verified against
///
/// # Errors
///
/// Returns the [`TokenError`] from decoding, or the biscuit error (wrapped via
/// `TokenError::biscuit_error`) if deserialization/signature verification fails.
pub fn parse_token(token_string: &str, public_key: PublicKey) -> Result<Biscuit, TokenError> {
    let raw_token = decode_token(token_string)?;
    match Biscuit::from(&raw_token, public_key) {
        Ok(biscuit) => Ok(biscuit),
        Err(err) => Err(TokenError::biscuit_error(err)),
    }
}