Expand description
§Hessra Capability Token
Capability token implementation for the Hessra authorization system.
This crate provides functionality for creating, verifying, and attenuating capability tokens (biscuit tokens). Capability tokens follow the principle that presenting the capability IS the authorization – no subject verification is required by default.
§Key Design
The authority block contains:
right(subject, resource, operation);
check if resource($res), operation($op), right($sub, $res, $op);
check if time($time), $time < expiration;Note: subject is NOT checked by default. The right fact retains the subject
for auditing purposes, but the verifier only needs to provide resource and operation.
§Optional Subject Verification
When stronger guarantees are needed, the verifier can opt into subject checking:
CapabilityVerifier::new(token, public_key, "resource".into(), "read".into())
.with_subject("alice".into()) // optional subject check
.verify();Structs§
- Biscuit
- This structure represents a valid Biscuit token
- Capability
Amendment - A pending amendment to an existing capability.
- Capability
Verifier - Builder for verifying Hessra capability tokens with flexible configuration.
- Hessra
Capability - Builder for minting Hessra capability tokens.
- Revocation
Id - A revocation identifier for a Biscuit token block
- Token
Time Config - TokenTimeConfig allows control over token creation times and durations This is used to create tokens with custom start times and durations for testing purposes. In the future, this can be enhanced to support variable length tokens, such as long-lived bearer tokens.
Enums§
- KeyPair
- pair of cryptographic keys used to sign a token’s block
- Public
Key - the public part of a KeyPair
- Token
Error - Detailed error type for hessra-token operations with specific failure information
Functions§
- biscuit_
key_ from_ string - Takes a public key encoded as a string in the format “ed25519/…” or “secp256r1/…” and returns a PublicKey.
- decode_
token - Decode a URL-safe base64 encoded token string to binary
- encode_
token - Encode binary token data to URL-safe base64 string
- get_
capability_ revocation_ id - Get the revocation ID for a capability token
- get_
capability_ revocation_ id_ from_ bytes - Get the revocation ID from raw token bytes
- get_
revocation_ ids - Extract all revocation IDs from a Biscuit token
- latest_
revocation_ id - Get the revocation ID of a capability’s most recent block.
- parse_
token - Extracts and parses a Biscuit token from a URL-safe base64 string
- public_
key_ from_ pem_ file