libmacaroon 0.1.0

Macaroons (bearer credentials with contextual caveats) in pure Rust, with first-party and third-party caveats, WASM support, and cross-language interop.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

use crate::crypto;
use crate::error::MacaroonError;
use crate::ByteString;
use crate::Result;
use crypto::MacaroonKey;
use std::fmt::Debug;

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Caveat {
    FirstParty(FirstParty),
    ThirdParty(ThirdParty),
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct FirstParty {
    predicate: ByteString,
}

impl FirstParty {
    pub fn predicate(&self) -> &[u8] {
        &self.predicate.0
    }
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct ThirdParty {
    id: ByteString,
    verifier_id: ByteString,
    location: String,
}

impl ThirdParty {
    pub fn id(&self) -> &[u8] {
        &self.id.0
    }
    pub fn verifier_id(&self) -> &[u8] {
        &self.verifier_id.0
    }
    pub fn location(&self) -> &str {
        &self.location
    }
}

impl Caveat {
    pub(crate) fn sign(&self, key: &MacaroonKey) -> MacaroonKey {
        match self {
            Self::FirstParty(fp) => crypto::hmac(key, &fp.predicate),
            Self::ThirdParty(tp) => crypto::hmac2(key, &tp.verifier_id, &tp.id),
        }
    }

    /// Returns the inner [`FirstParty`] if this is a first-party caveat.
    ///
    /// Lets callers skip an explicit `match` when they already know (or want
    /// to filter for) the caveat kind.
    pub fn as_first_party(&self) -> Option<&FirstParty> {
        match self {
            Self::FirstParty(fp) => Some(fp),
            Self::ThirdParty(_) => None,
        }
    }

    /// Returns the inner [`ThirdParty`] if this is a third-party caveat.
    pub fn as_third_party(&self) -> Option<&ThirdParty> {
        match self {
            Self::ThirdParty(tp) => Some(tp),
            Self::FirstParty(_) => None,
        }
    }
}

pub(crate) fn new_first_party(predicate: ByteString) -> Caveat {
    Caveat::FirstParty(FirstParty { predicate })
}

pub(crate) fn new_third_party(id: ByteString, verifier_id: ByteString, location: &str) -> Caveat {
    Caveat::ThirdParty(ThirdParty {
        id,
        verifier_id,
        location: String::from(location),
    })
}

#[derive(Default)]
pub(crate) struct CaveatBuilder {
    id: Option<ByteString>,
    verifier_id: Option<ByteString>,
    location: Option<String>,
}

impl CaveatBuilder {
    pub(crate) fn new() -> Self {
        Default::default()
    }

    pub(crate) fn add_id(&mut self, id: ByteString) {
        self.id = Some(id);
    }

    pub(crate) fn has_id(&self) -> bool {
        self.id.is_some()
    }

    pub(crate) fn add_verifier_id(&mut self, vid: ByteString) {
        self.verifier_id = Some(vid);
    }

    pub(crate) fn add_location(&mut self, location: String) {
        self.location = Some(location);
    }

    pub(crate) fn has_location(&self) -> bool {
        self.location.is_some()
    }

    pub(crate) fn build(self) -> Result<Caveat> {
        let id = self
            .id
            .ok_or(MacaroonError::IncompleteCaveat("no identifier found"))?;
        match (self.verifier_id, self.location) {
            (None, None) => Ok(new_first_party(id)),
            (Some(vid), Some(location)) => Ok(new_third_party(id, vid, &location)),
            (None, Some(_)) => Err(MacaroonError::IncompleteCaveat("no verifier ID found")),
            (Some(_), None) => Err(MacaroonError::IncompleteCaveat("no location found")),
        }
    }
}