The highest tagged major version is
README
¶
biscuit-go
biscuit-go is an implementation of Biscuit in Go. It aims to be fully compatible with other existing implementations, so that tokens issued by, for example, the Rust version, could be validated by this library and vice versa.
Documentation and specifications
- biscuit website for documentation and examples
- biscuit specification
- biscuit-rust for some more technical details.
Usage
Create a biscuit
rng := rand.Reader
publicRoot, privateRoot, _ := ed25519.GenerateKey(rng)
builder := biscuit.NewBuilder(privateRoot)
fact1, err := parser.FromStringFact(`right("/a/file1.txt", "read")`)
if err != nil {
panic(fmt.Errorf("failed to parse authority facts: %v", err))
}
err := builder.AddAuthorityFact(fact1)
if err != nil {
panic(fmt.Errorf("failed to add authority facts: %v", err))
}
// ... add more authority facts, rules, caveats...
b, err := builder.Build()
if err != nil {
panic(fmt.Errorf("failed to build biscuit: %v", err))
}
token, err := b.Serialize()
if err != nil {
panic(fmt.Errorf("failed to serialize biscuit: %v", err))
}
// token is now a []byte, ready to be shared
Attenuate a biscuit
b, err = biscuit.Unmarshal(token)
if err != nil {
panic(fmt.Errorf("failed to deserialize biscuit: %v", err))
}
// Attenuate the biscuit by appending a new block to it
blockBuilder := b.CreateBlock()
blockBuilder.AddFact(biscuit.Fact{/* ... */})
// ... add more facts, rules, caveats...
attenuatedBiscuit, err := b.Append(rng, blockBuilder.Build())
if err != nil {
panic(fmt.Errorf("failed to append: %v", err))
}
attenuatedToken, err := b.Serialize()
if err != nil {
panic(fmt.Errorf("failed to serialize biscuit: %v", err))
}
// token is now a []byte attenuation of the original token, and ready to be shared
Verify a biscuit
b, err := biscuit.Unmarshal(token)
if err != nil {
panic(fmt.Errorf("failed to deserialize token: %v", err))
}
authorizer, err := b.Authorizer(publicRoot)
if err != nil {
panic(fmt.Errorf("failed to verify token and create authorizer: %v", err))
}
fact1, err := parser.FromStringFact(`resource("/a/file1.txt")`)
if err != nil {
panic(fmt.Errorf("failed to parse authority facts: %v", err))
}
auhorizer.AddFact(fact1)
// ... add more ambient facts, rules, caveats...
authorizer.AddPolicy(biscuit.DefaultAllowPolicy)
if err := authorizer.Authorize(); err != nil {
fmt.Printf("failed authorizing token: %v\n", err)
} else {
fmt.Println("success authorizing token")
}
Using biscuit-go grammar
To ease adding facts, rules, or caveats, a simple grammar and a parser are available, allowing to declare biscuit elements as plain strings. See GRAMMAR reference for the complete syntax.
p := parser.New()
b.AddFact(p.Must().Fact(`resource("/a/file1.txt")`))
b.AddRule(p.Must().Rule(`
can_read($file)
<- resource($file)
$file.starts_with("/a/")
`))
Examples
- example_test.go for a simple use case
- experiments folder for more advanced or specific use cases examples.
License
Licensed under Apache License, Version 2.0.
Documentation
¶
Index ¶
- Constants
- Variables
- func WihtRandom(rng io.Reader) builderOption
- func WithSymbols(symbols *datalog.SymbolTable) builderOption
- type Authorizer
- type BinaryOp
- type Biscuit
- func (b *Biscuit) Append(rng io.Reader, block *Block) (*Biscuit, error)
- func (b *Biscuit) Authorizer(root ed25519.PublicKey) (Authorizer, error)
- func (b *Biscuit) BlockCount() int
- func (b *Biscuit) Checks() [][]datalog.Check
- func (b *Biscuit) CreateBlock() BlockBuilder
- func (b *Biscuit) GetBlockID(fact Fact) (int, error)
- func (b *Biscuit) RevocationIds() [][]byte
- func (b *Biscuit) Seal(rng io.Reader) (*Biscuit, error)
- func (b *Biscuit) Serialize() ([]byte, error)
- func (b *Biscuit) String() string
- type Block
- type BlockBuilder
- type Bool
- type Builder
- type Bytes
- type Check
- type Date
- type Expression
- type Fact
- type FactSet
- type Integer
- type Op
- type OpType
- type Policy
- type PolicyKind
- type Predicate
- type Rule
- type Set
- type String
- type Term
- type TermType
- type UnaryOp
- type Unmarshaler
- type Value
- type Variable
Examples ¶
Constants ¶
View Source
const ( PolicyKindAllow = iota PolicyKindDeny )
View Source
const MaxSchemaVersion uint32 = 2
Variables ¶
View Source
var ( ErrMissingSymbols = errors.New("biscuit: missing symbols") ErrPolicyDenied = errors.New("biscuit: denied by policy") ErrNoMatchingPolicy = errors.New("biscuit: denied by no matching policies") )
View Source
var ( // ErrSymbolTableOverlap is returned when multiple blocks declare the same symbols ErrSymbolTableOverlap = errors.New("biscuit: symbol table overlap") // ErrInvalidAuthorityIndex occurs when an authority block index is not 0 ErrInvalidAuthorityIndex = errors.New("biscuit: invalid authority index") // ErrInvalidAuthorityFact occurs when an authority fact is an ambient fact ErrInvalidAuthorityFact = errors.New("biscuit: invalid authority fact") // ErrInvalidBlockFact occurs when a block fact provides an authority or ambient fact ErrInvalidBlockFact = errors.New("biscuit: invalid block fact") // ErrInvalidBlockRule occurs when a block rule generate an authority or ambient fact ErrInvalidBlockRule = errors.New("biscuit: invalid block rule") // ErrEmptyKeys is returned when verifying a biscuit having no keys ErrEmptyKeys = errors.New("biscuit: empty keys") // ErrUnknownPublicKey is returned when verifying a biscuit with the wrong public key ErrUnknownPublicKey = errors.New("biscuit: unknown public key") ErrInvalidSignature = errors.New("biscuit: invalid signature") ErrInvalidSignatureSize = errors.New("biscuit: invalid signature size") ErrInvalidKeySize = errors.New("biscuit: invalid key size") UnsupportedAlgorithm = errors.New("biscuit: unsupported signature algorithm") )
View Source
var ( ErrDuplicateFact = errors.New("biscuit: fact already exists") ErrInvalidBlockIndex = errors.New("biscuit: invalid block index") )
View Source
var ( // DefaultAllowPolicy allows the biscuit to verify sucessfully as long as all its rules generate some facts. DefaultAllowPolicy = Policy{Kind: PolicyKindAllow, Queries: []Rule{{Head: Predicate{Name: "true"}}}} // DefaultDenyPolicy makes the biscuit verification fail in all cases. DefaultDenyPolicy = Policy{Kind: PolicyKindDeny, Queries: []Rule{{Head: Predicate{Name: "true"}}}} )
View Source
var ErrFactNotFound = errors.New("biscuit: fact not found")
Functions ¶
func WihtRandom ¶
func WithSymbols ¶
func WithSymbols(symbols *datalog.SymbolTable) builderOption
Types ¶
type Authorizer ¶
type Authorizer interface {
AddFact(fact Fact)
AddRule(rule Rule)
AddCheck(check Check)
AddPolicy(policy Policy)
Authorize() error
Query(rule Rule) (FactSet, error)
Biscuit() *Biscuit
Reset()
PrintWorld() string
LoadPolicies([]byte) error
SerializePolicies() ([]byte, error)
}
func NewVerifier ¶
func NewVerifier(b *Biscuit) (Authorizer, error)
type Biscuit ¶
type Biscuit struct {
// contains filtered or unexported fields
}
Biscuit represents a valid Biscuit token It contains multiple `Block` elements, the associated symbol table, and a serialized version of this data
Example ¶
rng := rand.Reader
publicRoot, privateRoot, _ := ed25519.GenerateKey(rng)
builder := biscuit.NewBuilder(privateRoot)
fact1, err := parser.FromStringFact(`right("/a/file1.txt", "read")`)
if err != nil {
panic(fmt.Errorf("failed to parse authority facts: %v", err))
}
err = builder.AddAuthorityFact(fact1)
if err != nil {
panic(fmt.Errorf("failed to add authority facts: %v", err))
}
fact2, err := parser.FromStringFact(`right("/a/file1.txt", "write")`)
if err != nil {
panic(fmt.Errorf("failed to parse authority facts: %v", err))
}
err = builder.AddAuthorityFact(fact2)
if err != nil {
panic(fmt.Errorf("failed to add authority facts: %v", err))
}
fact3, err := parser.FromStringFact(`right("/a/file2.txt", "read")`)
if err != nil {
panic(fmt.Errorf("failed to parse authority facts: %v", err))
}
err = builder.AddAuthorityFact(fact3)
if err != nil {
panic(fmt.Errorf("failed to add authority facts: %v", err))
}
fact4, err := parser.FromStringFact(`right("/a/file3.txt", "write")`)
if err != nil {
panic(fmt.Errorf("failed to parse authority facts: %v", err))
}
err = builder.AddAuthorityFact(fact4)
if err != nil {
panic(fmt.Errorf("failed to add authority facts: %v", err))
}
b, err := builder.Build()
if err != nil {
panic(fmt.Errorf("failed to build biscuit: %v", err))
}
token, err := b.Serialize()
if err != nil {
panic(fmt.Errorf("failed to serialize biscuit: %v", err))
}
fmt.Printf("Token1 length: %d\n", len(token))
deser, err := biscuit.Unmarshal(token)
if err != nil {
panic(fmt.Errorf("failed to deserialize biscuit: %v", err))
}
blockBuilder := deser.CreateBlock()
check, err := parser.FromStringCheck(`check if resource($file), operation($permission), ["read"].contains($permission)`)
if err != nil {
panic(fmt.Errorf("failed to parse check: %v", err))
}
err = blockBuilder.AddCheck(check)
if err != nil {
panic(fmt.Errorf("failed to add block check: %v", err))
}
b2, err := deser.Append(rng, blockBuilder.Build())
if err != nil {
panic(fmt.Errorf("failed to append: %v", err))
}
token2, err := b2.Serialize()
if err != nil {
panic(fmt.Errorf("failed to serialize biscuit: %v", err))
}
fmt.Printf("Token2 length: %d\n", len(token2))
// Verify
b2, err = biscuit.Unmarshal(token2)
if err != nil {
panic(fmt.Errorf("failed to deserialize token: %v", err))
}
v1, err := b2.Authorizer(publicRoot)
if err != nil {
panic(fmt.Errorf("failed to create verifier: %v", err))
}
vfact1, err := parser.FromStringFact(`resource("/a/file1.txt")`)
if err != nil {
panic(fmt.Errorf("failed to parse verifier fact: %v", err))
}
v1.AddFact(vfact1)
vfact2, err := parser.FromStringFact(`operation("read")`)
if err != nil {
panic(fmt.Errorf("failed to parse verifier fact: %v", err))
}
v1.AddFact(vfact2)
policy, err := parser.FromStringPolicy(`allow if resource("/a/file1.txt")`)
if err != nil {
panic(fmt.Errorf("failed to parse verifier policy: %v", err))
}
v1.AddPolicy(policy)
if err := v1.Authorize(); err != nil {
fmt.Println(v1.PrintWorld())
fmt.Println("forbidden to read /a/file1.txt")
} else {
//fmt.Println(v1.PrintWorld())
fmt.Println("allowed to read /a/file1.txt")
}
v1, _ = b2.Authorizer(publicRoot)
vfact1, err = parser.FromStringFact(`resource("/a/file1.txt")`)
if err != nil {
panic(fmt.Errorf("failed to parse verifier fact: %v", err))
}
v1.AddFact(vfact1)
vfact2, err = parser.FromStringFact(`operation("write")`)
if err != nil {
panic(fmt.Errorf("failed to parse verifier fact: %v", err))
}
v1.AddFact(vfact2)
policy, err = parser.FromStringPolicy(`allow if resource("/a/file1.txt")`)
if err != nil {
panic(fmt.Errorf("failed to parse verifier policy: %v", err))
}
v1.AddPolicy(policy)
if err := v1.Authorize(); err != nil {
fmt.Println("forbidden to write /a/file1.txt")
} else {
fmt.Println("allowed to write /a/file1.txt")
}
Output: Token1 length: 260 Token2 length: 446 allowed to read /a/file1.txt forbidden to write /a/file1.txt
func New ¶
func New(rng io.Reader, root ed25519.PrivateKey, baseSymbols *datalog.SymbolTable, authority *Block) (*Biscuit, error)
func (*Biscuit) Authorizer ¶
func (b *Biscuit) Authorizer(root ed25519.PublicKey) (Authorizer, error)
Checks the signature and creates an Authorizer The Authorizer can then test the authorizaion policies and accept or refuse the request
func (*Biscuit) BlockCount ¶
func (*Biscuit) CreateBlock ¶
func (b *Biscuit) CreateBlock() BlockBuilder
func (*Biscuit) GetBlockID ¶
GetBlockID returns the first block index containing a fact starting from the authority block and then each block in the order they were added. ErrFactNotFound is returned when no block contains the fact.
func (*Biscuit) RevocationIds ¶
type BlockBuilder ¶
type BlockBuilder interface {
AddFact(fact Fact) error
AddRule(rule Rule) error
AddCheck(check Check) error
SetContext(string)
Build() *Block
}
func NewBlockBuilder ¶
func NewBlockBuilder(baseSymbols *datalog.SymbolTable) BlockBuilder
type Builder ¶
type Builder interface {
AddAuthorityFact(fact Fact) error
AddAuthorityRule(rule Rule) error
AddAuthorityCheck(check Check) error
Build() (*Biscuit, error)
}
func NewBuilder ¶
func NewBuilder(root ed25519.PrivateKey, opts ...builderOption) Builder
type Expression ¶
type Expression []Op
type Policy ¶
type Policy struct {
Queries []Rule
Kind PolicyKind
}
type PolicyKind ¶
type PolicyKind byte
type Rule ¶
type Rule struct {
Head Predicate
Body []Predicate
Expressions []Expression
}
type Unmarshaler ¶
type Unmarshaler struct {
Symbols *datalog.SymbolTable
}
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.