Comments (5)
could you show an example of this use?
from biscuit-rust.
Of course: https://www.biscuitsec.org/docs/Usage/haskell/#query-data-from-the-authorizer
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes #-}
import Auth.Biscuit
checkBiscuit :: Biscuit -> IO Text
checkBiscuit b =
result <- authorizeBiscuit b [authorizer| allow if user($user); |]
case result of
Left a -> throwError …
Right success ->
case getSingleVariableValue (getBindings success) "user" of
Just userId -> pure userId
-- ^ this will only match if a unique user id is
-- retrieved from the matched variables
Nothing -> throwError …
the general idea is that the success value returned when the biscuit was authorized carries the bindings that matched the allow query. With a couple helpers, it makes it easy to get regular values. In the example, i've used helpers that only succeed if there is a unique binding for a given variable, but lower-level access is possible.
The alternative is to query the authorizer after success, with a dedicated query:
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes #-}
import Auth.Biscuit
checkBiscuit :: Biscuit -> IO Text
checkBiscuit b =
result <- authorizeBiscuit b [authorizer| allow if true; |]
case result of
Left a -> throwError …
Right success ->
case getSingleVariableValue (queryAuthorizerFacts success [query|user($user)|]) "user" of
Just userId -> pure userId
-- ^ this will only match if a unique user id is
-- retrieved from the matched variables
Nothing -> throwError …
but in many cases, it's better to run all checks in the authorizer, rather than having an extra step that can fail afterwards: if we want tokens with a defined user id, we might as well enforce it in the allow query directly.
from biscuit-rust.
I see, that would be useful. The rust library behaves differently though, it stops at the first match instead of trying them all
from biscuit-rust.
Do you mean "the first policy that matches", or "the first binding map within a policy"? (Since policies can contain several "or" clauses)
from biscuit-rust.
The first binding within a policy. If there are multiple variable combinations that a policy could match, it will stop at the first one. The goal is to find at least one match for authorization, while queries are there if we want all the possible matches
from biscuit-rust.
Related Issues (20)
- Parsing chained method calls HOT 1
- Datalog boolean expression == does not evaluate properly HOT 3
- CLI long execution time HOT 3
- boolean logic should be lazy
- samples validation failure HOT 3
- Make biscuit-auth token::RootKeyProviter public HOT 3
- use separate version git tags for the different crates
- Detect free variables in expressions
- `RUSTSEC-2022-0093` security advisory
- Support heterogeneous sets
- `query_exactly_one()`
- Can't query facts added with authorizer_merge! HOT 2
- Non-deterministic output of `Authorizer.dump_code()` HOT 1
- Hidden state in `Authorizer` HOT 1
- Merging block builders with scope annotations
- Consider adding `impl TryFrom<Fact> for String` HOT 1
- Create new release HOT 1
- Proposal: Use padding free Base64 encoding/decoding HOT 4
- Proposal: add generic interface for external key registries HOT 2
- Cleanup free variables detection HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from biscuit-rust.