hessra-token 0.6.3

Hessra biscuit token SDK for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347

# Hessra Token

Unified token library for Hessra authentication and authorization.

This crate provides a combined interface for both authorization tokens and identity tokens
used in the Hessra system. It re-exports functionality from the specialized token crates
and is designed to be WASM-compatible with no networking dependencies.

## Crate Structure

This is an umbrella crate that re-exports:

- `hessra-token-core`: Shared utilities and types
- `hessra-token-authz`: Authorization token functionality
- `hessra-token-identity`: Identity token functionality

## Features

### Authorization Tokens

- **Token creation**: Create new tokens with configurable time settings and operations
- **Multi-party tokens**: Create tokens that require signoffs from multiple authorization services
- **Token verification**: Verify tokens without contacting the authorization server
- **Token attestation**: Add service node attestations to tokens
- **Multi-party attestation**: Add attestations for multi-party authorization workflows

### Identity Tokens

- **Hierarchical identities**: URI-based identity system with delegation support
- **Identity token creation**: Create identity tokens for authentication
- **Identity delegation**: Attenuate tokens to sub-identities with restricted permissions
- **Offline verification**: Verify identity tokens locally using public keys

### General

- **WASM compatibility**: Can be compiled to WebAssembly for use in browsers (via the `wasm` feature)
- **No network dependencies**: Pure token operations without requiring network access

## Usage

### Creating Tokens

```rust
use hessra_token::{create_biscuit, create_service_chain_biscuit, TokenTimeConfig, KeyPair};

fn main() -> Result<(), hessra_token::TokenError> {
    // Create a key pair for token signing
    let keypair = KeyPair::new();

    // Create a basic token with default time settings (5 minutes)
    let token = create_biscuit(
        "user123".to_string(),
        "resource456".to_string(),
        "read".to_string(),
        keypair,
        TokenTimeConfig::default(),
    )?;

    // Create a token with custom time settings
    let custom_time = TokenTimeConfig {
        start_time: Some(chrono::Utc::now().timestamp()),
        duration: 3600, // 1 hour
    };

    let custom_token = create_biscuit(
        "user123".to_string(),
        "resource456".to_string(),
        "read".to_string(),
        keypair,
        custom_time,
    )?;

    println!("Tokens created successfully!");
    Ok(())
}
```

### Creating Service Chain Tokens

```rust
use hessra_token::{create_service_chain_biscuit, ServiceNode, KeyPair};

fn main() -> Result<(), hessra_token::TokenError> {
    let keypair = KeyPair::new();

    // Define service nodes in the chain
    let service_nodes = vec![
        ServiceNode {
            component: "auth_service".to_string(),
            public_key: "ed25519/service1key".to_string(),
        },
        ServiceNode {
            component: "payment_service".to_string(),
            public_key: "ed25519/service2key".to_string(),
        },
    ];

    // Create a service chain token
    let token = create_service_chain_biscuit(
        "user123".to_string(),
        "resource456".to_string(),
        "read".to_string(),
        keypair,
        &service_nodes,
    )?;

    println!("Service chain token created successfully!");
    Ok(())
}
```

### Basic Token Verification

```rust
use hessra_token::{verify_token, biscuit_key_from_string};

fn main() -> Result<(), hessra_token::TokenError> {
    // Your URL-safe base64-encoded token
    let token_base64 = "YOUR_TOKEN_STRING";

    // Parse public key from string format (ed25519/{hex} or secp256r1/{hex})
    let public_key = biscuit_key_from_string("ed25519/01234567890abcdef".to_string())?;

    // Verify the token
    verify_token(token_base64, public_key, "user123", "resource456", "read")?;

    println!("Token verification successful!");
    Ok(())
}
```

### Service Chain Verification

For tokens that need to be verified against a chain of service nodes:

```rust
use hessra_token::{verify_service_chain_token, biscuit_key_from_string, ServiceNode};

fn main() -> Result<(), hessra_token::TokenError> {
    let token_base64 = "YOUR_TOKEN_STRING";
    let public_key = biscuit_key_from_string("ed25519/01234567890abcdef".to_string())?;

    // Define the service chain
    let service_nodes = vec![
        ServiceNode {
            component: "service1".to_string(),
            public_key: "ed25519/service1pubkey".to_string(),
        },
        ServiceNode {
            component: "service2".to_string(),
            public_key: "ed25519/service2pubkey".to_string(),
        },
    ];

    // Verify the token with service chain
    verify_service_chain_token(
        token_base64,
        public_key,
        "user123",
        "resource456",
        "write",
        service_nodes,
        None, // Verify full chain, or specify a component to verify up to
    )?;

    println!("Token verification successful!");
    Ok(())
}
```

### Multi-Party Token Creation

Create tokens that require signoffs from multiple authorization services:

```rust
use hessra_token::{create_multi_party_token, ServiceNode, KeyPair, TokenTimeConfig};

fn main() -> Result<(), hessra_token::TokenError> {
    let keypair = KeyPair::new();

    // Define multi-party signers
    let multi_party_nodes = vec![
        ServiceNode {
            component: "finance_approval".to_string(),
            public_key: "ed25519/finance_service_key".to_string(),
        },
        ServiceNode {
            component: "security_approval".to_string(),
            public_key: "ed25519/security_service_key".to_string(),
        },
    ];

    // Create a multi-party token
    let token = create_multi_party_token(
        "user123".to_string(),
        "sensitive_resource".to_string(),
        "admin".to_string(),
        keypair,
        &multi_party_nodes,
    )?;

    println!("Multi-party token created: {}", token);
    Ok(())
}
```

### Token Attestation

To add service node attestations to tokens:

```rust
use hessra_token::{add_service_node_attestation, decode_token, encode_token, KeyPair, PublicKey};

fn main() -> Result<(), hessra_token::TokenError> {
    let token_base64 = "YOUR_TOKEN_STRING";
    let token_bytes = decode_token(token_base64)?;

    // Public key for token verification
    let public_key = PublicKey::from_bytes(b"example_key", biscuit_auth::Algorithm::Ed25519)?;

    // Service node key pair
    let service_keypair = KeyPair::new();

    // Add service node attestation
    let attested_token = add_service_node_attestation(
        token_bytes,
        public_key,
        "my-service",
        &service_keypair,
    )?;

    // Encode back to URL-safe base64 for storage or transmission
    let attested_token_base64 = encode_token(&attested_token);

    println!("Token attestation: {}", attested_token_base64);
    Ok(())
}
```

### Multi-Party Token Attestation

Add attestations for multi-party authorization workflows:

```rust
use hessra_token::{add_multi_party_attestation_to_token, KeyPair};

fn main() -> Result<(), hessra_token::TokenError> {
    let token_base64 = "YOUR_MULTI_PARTY_TOKEN";

    // Service key pair for attestation
    let service_keypair = KeyPair::new();

    // Add multi-party attestation
    let attested_token = add_multi_party_attestation_to_token(
        token_base64,
        service_keypair.public(),
        "finance_approval",
        &service_keypair,
    )?;

    println!("Multi-party attested token: {}", attested_token);
    Ok(())
}
```

## WebAssembly Support

To compile with WebAssembly support, enable the `wasm` feature:

```toml
[dependencies]
hessra-token = { version = "0.6", features = ["wasm"] }
```

## Lower-level API

If you need more control, lower-level functions are also available:

- `verify_biscuit_local` - Directly verify binary token data
- `verify_service_chain_biscuit_local` - Verify binary token data with service chain
- `parse_token` - Parse a URL-safe base64 token string into a Biscuit for inspection
- `decode_token` - Convert URL-safe base64 encoded token to binary data
- `encode_token` - Convert binary token data to URL-safe base64 string

## Development

This crate is part of the Hessra SDK refactoring project. It provides the token functionality
that was previously part of the monolithic SDK.

## Token Operations

The library supports specifying operations when creating and verifying tokens. Common operations include:

- `read`: Read access to a resource
- `write`: Write access to a resource
- `delete`: Delete access to a resource
- `admin`: Administrative access to a resource

You can define your own operations as needed for your application.

## Service Chain Tokens

For service chain tokens, you can specify operations in the same way:

```rust
use hessra_token::{create_service_chain_token, verify_service_chain_token_local, ServiceNode};

let nodes = vec![
    ServiceNode {
        component: "auth_service".to_string(),
        public_key: "ed25519/...".to_string(),
    }
];

let token = create_service_chain_token(
    "user123".to_string(),
    "resource456".to_string(),
    "read".to_string(),
    keypair,
    &nodes,
)?;

verify_service_chain_token_local(
    &token,
    public_key,
    "user123",
    "resource456",
    "read",
    nodes,
    None,
)?;
```

## Low-Level Functions

If you need more control, lower-level functions are also available:

- `verify_biscuit_local` - Directly verify binary token data
- `verify_service_chain_biscuit_local` - Verify binary token data with service chain
- `parse_token` - Parse a URL-safe base64 token string into a Biscuit for inspection
- `decode_token` - Convert URL-safe base64 encoded token to binary data
- `encode_token` - Convert binary token data to URL-safe base64 string

## Development

This crate is part of the Hessra SDK refactoring project. It provides the token functionality
that was previously part of the monolithic SDK.