Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Rust

The Rust version of Biscuit can be found on Github, crates.io and on docs.rs.

Install

In Cargo.toml:

biscuit-auth = "6.0"

Create a root key

use biscuit_auth::KeyPair;

let root_keypair = KeyPair::new();

Create a token


use biscuit_auth::{error, macros::*, Biscuit, KeyPair};

fn create_token(root: &KeyPair) -> Result<Biscuit, error::Token> {
    let user_id = "1234";
    // the authority block can be built from a datalog snippet
    // the snippet is parsed at compile-time, efficient building
    // code is generated
    let mut authority = biscuit!(
      r#"
      // parameters can directly reference in-scope variables
      user({user_id});

      // parameters can be manually supplied as well
      right({user_id}, "file1", {operation});
      "#,
      operation = "read",
    );

    // it is possible to modify a builder by adding a datalog snippet
    authority = biscuit_merge!(
      authority,
      r#"check if operation("read");"#
    );

    authority.build(&root)
}

Create an authorizer

use biscuit_auth::{builder_ext::AuthorizerExt, error, macros::*, Biscuit};

fn authorize(token: &Biscuit) -> Result<(), error::Token> {
    let operation = "read";

    // same as the `biscuit!` macro. There is also a `authorizer_merge!`
    // macro for dynamic authorizer construction
    let mut authorizer = authorizer!(r#"operation({operation});"#)
        // register a fact containing the current time for TTL checks
        .time()
        // add a `allow if true;` policy
        // meaning that we are relying entirely on checks carried in the token itself
        .allow_all()
        .build(token)?;

    // link the token to the authorizer
    let result = authorizer.authorize(token);

    // store the authorization context
    println!("{}", authorizer.to_base64_snapshot()?);

    let _ = result?;
    Ok(())
}

Restore an authorizer (or an authorizer builder) from a snapshot

use biscuit_auth::Authorizer;

fn display(snapshot: &str) {
  // this contains only the authorizer block and can be used to authorize a token
  let authorizer_builder = AuthorizerBuilder::from_base64_snapshot(snapshot).unwrap();
  println!("{authorizer_builder}");

  // this contains the whole authorizer context and can only inspected and queried
  let authorizer = Authorizer::from_base64_snapshot(snapshot).unwrap();
  println!("{authorizer}");
}

Attenuate a token

use biscuit_auth::{builder_ext::BuilderExt, error, macros::*, Biscuit};
use std::time::{Duration, SystemTime};

fn attenuate(token: &Biscuit) -> Result<Biscuit, error::Token> {
    let res = "file1";
    // same as `biscuit!` and `authorizer!`, a `block_merge!` macro is available
    let builder = block!(r#"check if resource({res});"#)
        .check_expiration_date(SystemTime::now() + Duration::from_secs(60));

    token.append(builder)
}

Seal a token

let sealed_token = token.seal()?;

Reject revoked tokens

The Biscuit::revocation_identifiers method returns the list of revocation identifiers as byte arrays. Don't forget to parse them from a textual representation (hexadecimal) if you store them as text values (biscuit-cli displays revocation IDs as hexadecimal strings).

Do not compare base64-encoded values of revocation identifiers since canonicity is not guaranteed (different base64 encodings can map to the same revocation id).

let identifiers: Vec<Vec<u8>> = token.revocation_identifiers();

Query data from the authorizer

The Authorizer::query method takes a rule as argument and extract the data from generated facts as tuples.

let res: Vec<(String, i64)> =
    authorizer.query("data($name, $id) <- user($name, $id)").unwrap();