Rust

How to use the Biscuit Rust crate

The Rust version of Biscuit can be found on GitHub, crates.io and on docs.rs.

Install

In Cargo.toml:

biscuit-auth = "2.1"

Create a root key

use biscuit_auth::KeyPair;

// The root key pair is what `Biscuit::builder` takes to create tokens, so the
// private half belongs only on the issuing service; verifiers need just the
// public key. NOTE(review): `KeyPair::new()` presumably generates a fresh key
// on every call, so persist the key securely rather than recreating it at
// startup, or previously issued tokens will stop verifying (confirm).
let root_keypair = KeyPair::new();

Create a token


use biscuit_auth::{Biscuit, KeyPair, error};

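/// Builds a new token whose authority block is created with the `root` key pair.
///
/// The authority block carries the fact `user("1234")` and a check that only
/// passes when the authorizer provides the fact `operation("read")`.
///
/// `root` includes the private key, so this function belongs on the issuing
/// side only. The user id is a fixed literal here; when it comes from request
/// data, bind it as a parameter on a `Fact` instead of formatting it into the
/// Datalog string, so the value cannot alter the fact's structure.
///
/// # Errors
///
/// Returns `error::Token` if the fact or the check is rejected, or if building
/// the token fails.
fn create_token(root: &KeyPair) -> Result<Biscuit, error::Token> {
    let mut builder = Biscuit::builder(root);
    builder.add_authority_fact(r#"user("1234")"#)?;
    // The builder method is `add_authority_check`; the stray trailing
    // underscore in the earlier listing does not name an existing method.
    builder.add_authority_check(r#"check if operation("read");"#)?;

    builder.build()
}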

Create an authorizer

use biscuit_auth::{Biscuit, error, builder::Fact};

/// Evaluates `token` for a `read` operation and reports whether it is accepted.
///
/// NOTE(review): this assumes the caller already parsed `token` against the
/// root public key and checked its revocation identifiers; neither step is
/// performed here.
///
/// # Errors
///
/// Any failure while preparing or running the authorizer is returned as
/// `error::Token`.
fn authorize(token: &Biscuit) -> Result<(), error::Token> {
    let mut authz = token.authorizer()?;

    // Provide the `time($date)` fact holding the current date, which
    // time-based checks in the token match against.
    authz.set_time()?;

    // A fact could be written as a string produced by `format!()`, but binding
    // `$op` as a parameter is the safer route for user-supplied data: the value
    // cannot change the structure of the fact, which prevents injection.
    let mut op_fact: Fact = "operation($op)".try_into()?;
    op_fact.set("op", "read")?;
    authz.add_fact(op_fact)?;

    // NOTE(review): `allow()` takes no condition here, so acceptance appears to
    // rest entirely on the token's checks passing; confirm that it registers an
    // unconditional allow policy in the pinned crate version.
    authz.allow()?;

    authz.authorize()?;

    Ok(())
}

Attenuate a token

use biscuit_auth::{Biscuit, error, builder::Check};
use std::time::{Duration, SystemTime};

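/// Returns a copy of `token` with an extra block that expires 60 seconds from now.
///
/// The appended check needs a `time($time)` fact from the authorizer. A
/// verifier that never supplies one cannot satisfy the check, so the
/// restriction fails closed. The deadline is taken from this machine's clock
/// and compared with the verifier's time fact, so clock skew between the two
/// shortens or lengthens the effective lifetime.
///
/// # Errors
///
/// Returns `error::Token` if the check or its parameter is rejected, or if
/// appending the block fails.
fn attenuate(token: &Biscuit) -> Result<Biscuit, error::Token> {
    let mut builder = token.create_block();

    builder.add_check("check if time($time), $time < $ttl")?;
    // `SystemTime` is the type this listing imports; `System` is not defined.
    // NOTE(review): confirm the block builder exposes `set` in the pinned crate
    // version. The otherwise unused `builder::Check` import suggests `$ttl` was
    // meant to be bound on a `Check` value before it is added.
    builder.set("ttl", SystemTime::now() + Duration::from_secs(60))?;

    token.append(builder)
}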

Seal a token

// `seal()` produces a separate token value, bound here to `sealed_token`; `?`
// propagates a failure to the caller.
// NOTE(review): sealing is presumably what stops further blocks from being
// appended to the token; confirm against the crate docs for the pinned version.
let sealed_token = token.seal()?;

Reject revoked tokens

The Biscuit::revocation_identifiers method returns the list of revocation identifiers as byte arrays.

// This call only retrieves the identifiers; nothing here rejects a token. The
// caller still has to compare each identifier with its own revocation list and
// refuse the token on any match, before relying on the authorizer's result.
let identifiers: Vec<Vec<u8>> = token.revocation_identifiers();

Query data from the authorizer

The Authorizer::query method takes a rule as an argument and extracts the data from the generated facts as tuples.

// Each tuple holds the `$name` and `$id` values bound by the rule head
// `data($name, $id)`.
// NOTE(review): `unwrap()` panics if the query returns an error; inside a
// function that returns `Result`, propagate the error with `?` instead so a
// failed query cannot abort a request handler.
let res: Vec<(String, i64)> =
    authorizer.query("data($name, $id) <- user($name, $id)").unwrap();