[github/fretlink/hmacaroons.git] / src / Crypto / Macaroon.hs

{-# LANGUAGE OverloadedStrings #-}
{-|
Module      : Crypto.Macaroon
Copyright   : (c) 2015 Julien Tanguy
License     : BSD3

Maintainer  : julien.tanguy@jhome.fr
Stability   : experimental
Portability : portable

Pure haskell implementations of macaroons.

Warning: this implementation has not been audited by security experts.
Do not use in production


References:

- Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
- Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
-}
module Crypto.Macaroon (
    -- * Types
      Macaroon
    , Caveat
    , Secret
    , Key
    , Location
    , Sig
    -- * Accessing functions
    -- ** Macaroons
    , location
    , identifier
    , caveats
    , signature
    -- ** Caveats
    , cl
    , cid
    , vid

    -- * Create Macaroons
    , create
    , inspect
    , addFirstPartyCaveat
    -- , addThirdPartyCaveat
    ) where

-- import           Crypto.Cipher.AES
import           Crypto.Hash
import           Data.Byteable
import qualified Data.ByteString            as BS
import qualified Data.ByteString.Base64.URL as B64
import qualified Data.ByteString.Char8      as B8

import           Crypto.Macaroon.Internal

-- | Create a Macaroon from its key, identifier and location
create :: Secret -> Key -> Location -> Macaroon
create secret ident loc = MkMacaroon loc ident [] (toBytes (hmac derivedKey ident :: HMAC SHA256))
  where
    derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)

-- | Inspect a macaroon's contents. For debugging purposes.
inspect :: Macaroon -> String
inspect = show

-- | Add a first party Caveat to a Macaroon, with its identifier
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m = addCaveat (location m) ident BS.empty m

-- |Add a third party Caveat to a Macaroon, using its location, identifier and
-- verification key
-- addThirdPartyCaveat :: Key
--                     -> Key
--                     -> Location
--                     -> Macaroon
--                     -> Macaroon
-- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
--   where
--     vid = encryptECB (initAES (signature m)) key
Commit	Line	Data
f6781456 JT	1	{-# LANGUAGE OverloadedStrings #-}
	2	{-\|
	3	Module : Crypto.Macaroon
	4	Copyright : (c) 2015 Julien Tanguy
	5	License : BSD3
	6
	7	Maintainer : julien.tanguy@jhome.fr
	8	Stability : experimental
	9	Portability : portable
	10
f6781456 JT	11	Pure haskell implementations of macaroons.
	12
	13	Warning: this implementation has not been audited by security experts.
2aede11a	14	Do not use in production
f6781456 JT	15
	16
	17	References:
	18
	19	- Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
	20	- Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
f6781456 JT	21	-}
	22	module Crypto.Macaroon (
	23	-- * Types
	24	Macaroon
	25	, Caveat
86f38823	26	, Secret
f6781456 JT	27	, Key
f6781456 JT	28	, Location
1971e224	29	, Sig
f6781456 JT	30	-- * Accessing functions
	31	-- ** Macaroons
	32	, location
	33	, identifier
	34	, caveats
	35	, signature
	36	-- ** Caveats
86f38823 JT	37	, cl
	38	, cid
	39	, vid
f6781456 JT	40
	41	-- * Create Macaroons
	42	, create
	43	, inspect
	44	, addFirstPartyCaveat
26d38f73	45	-- , addThirdPartyCaveat
f6781456 JT	46	) where
f6781456 JT	47
8505c3d3	48	-- import Crypto.Cipher.AES
f6781456 JT	49	import Crypto.Hash
	50	import Data.Byteable
	51	import qualified Data.ByteString as BS
	52	import qualified Data.ByteString.Base64.URL as B64
	53	import qualified Data.ByteString.Char8 as B8
f6781456 JT	54
	55	import Crypto.Macaroon.Internal
	56
	57	-- \| Create a Macaroon from its key, identifier and location
86f38823	58	create :: Secret -> Key -> Location -> Macaroon
f6781456 JT	59	create secret ident loc = MkMacaroon loc ident [] (toBytes (hmac derivedKey ident :: HMAC SHA256))
f6781456 JT	60	where
2aede11a	61	derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)
f6781456	62
1971e224	63	-- \| Inspect a macaroon's contents. For debugging purposes.
f6781456	64	inspect :: Macaroon -> String
2aede11a	65	inspect = show
f6781456	66
f6781456 JT	67	-- \| Add a first party Caveat to a Macaroon, with its identifier
	68	addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
	69	addFirstPartyCaveat ident m = addCaveat (location m) ident BS.empty m
	70
	71	-- \|Add a third party Caveat to a Macaroon, using its location, identifier and
	72	-- verification key
8505c3d3 JT	73	-- addThirdPartyCaveat :: Key
	74	-- -> Key
	75	-- -> Location
	76	-- -> Macaroon
	77	-- -> Macaroon
	78	-- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
	79	-- where
	80	-- vid = encryptECB (initAES (signature m)) key
f6781456 JT	81
f6781456 JT	82