Skip to main content

Crate hessra_cap_token

Crate hessra_cap_token 

Source
Expand description

§Hessra Capability Token

Capability token implementation for the Hessra authorization system.

This crate provides functionality for creating, verifying, and attenuating capability tokens (biscuit tokens). Capability tokens follow the principle that presenting the capability IS the authorization – no subject verification is required by default.

§Key Design

The authority block contains:

right(subject, resource, operation);
check if resource($res), operation($op), right($sub, $res, $op);
check if time($time), $time < expiration;

Note: subject is NOT checked by default. The right fact retains the subject for auditing purposes, but the verifier only needs to provide resource and operation.

§Optional Subject Verification

When stronger guarantees are needed, the verifier can opt into subject checking:

CapabilityVerifier::new(token, public_key, "resource".into(), "read".into())
    .with_subject("alice".into())  // optional subject check
    .verify();

Structs§

Biscuit
This structure represents a valid Biscuit token
CapabilityVerifier
Builder for verifying Hessra capability tokens with flexible configuration.
DesignationBuilder
Builder for adding designation blocks to capability tokens.
HessraCapability
Builder for creating Hessra capability tokens with flexible configuration.
TokenTimeConfig
TokenTimeConfig allows control over token creation times and durations This is used to create tokens with custom start times and durations for testing purposes. In the future, this can be enhanced to support variable length tokens, such as long-lived bearer tokens.

Enums§

KeyPair
pair of cryptographic keys used to sign a token’s block
PublicKey
the public part of a KeyPair
TokenError
Detailed error type for hessra-token operations with specific failure information

Functions§

biscuit_key_from_string
Takes a public key encoded as a string in the format “ed25519/…” or “secp256r1/…” and returns a PublicKey.
decode_token
Decode a URL-safe base64 encoded token string to binary
encode_token
Encode binary token data to URL-safe base64 string
get_capability_revocation_id
Get the revocation ID for a capability token
get_capability_revocation_id_from_bytes
Get the revocation ID from raw token bytes
parse_token
Extracts and parses a Biscuit token from a URL-safe base64 string
public_key_from_pem_file