hessra_cap_token/lib.rs
1//! # Hessra Capability Token
2//!
3//! Capability token implementation for the Hessra authorization system.
4//!
5//! This crate provides functionality for creating, verifying, and attenuating capability
6//! tokens (biscuit tokens). Capability tokens follow the principle that presenting the
7//! capability IS the authorization -- no subject verification is required by default.
8//!
9//! ## Key Design
10//!
11//! The authority block contains:
12//! ```datalog
13//! right(subject, resource, operation);
14//! check if resource($res), operation($op), right($sub, $res, $op);
15//! check if time($time), $time < expiration;
16//! ```
17//!
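18//! Note: `subject` is NOT checked by default. The `right` fact retains the subject
19//! for auditing purposes, but the verifier only needs to provide `resource` and `operation`. The token is therefore a bearer credential: anyone who holds a copy can exercise the right until it expires, so protect it in transit and at rest.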
20//!
21//! ## Optional Subject Verification
22//!
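23//! When stronger guarantees are needed, the verifier can opt into subject checking. The check adds assurance only if the subject passed to `with_subject` comes from an identity the verifier has authenticated itself, not from a value the presenter supplies: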
24//! ```rust,no_run
25//! # use hessra_cap_token::CapabilityVerifier;
26//! # use hessra_token_core::KeyPair;
27//! # let keypair = KeyPair::new();
28//! # let public_key = keypair.public();
29//! # let token = String::new();
30//! CapabilityVerifier::new(token, public_key, "resource".into(), "read".into())
31//! .with_subject("alice".into()) // optional subject check
32//! .verify(); // authorize the request only if verification succeeds
33//! ```
34
35pub(crate) mod attenuate; // crate-visible; `DesignationBuilder` is re-exported publicly below
36mod mint; // private; `HessraCapability` is re-exported publicly below
37mod revocation; // private; the revocation-id helper functions are re-exported publicly below
38pub(crate) mod verify; // crate-visible; `CapabilityVerifier` and `biscuit_key_from_string` are re-exported below
39
40pub use attenuate::DesignationBuilder;
41pub use mint::HessraCapability;
42pub use revocation::{get_capability_revocation_id, get_capability_revocation_id_from_bytes};
43pub use verify::{CapabilityVerifier, biscuit_key_from_string};
44
45// Re-export commonly needed types from core
46pub use hessra_token_core::{
47 Biscuit, KeyPair, PublicKey, TokenError, TokenTimeConfig, decode_token, encode_token,
48 parse_token, public_key_from_pem_file,
49};