[github/fretlink/hmacaroons.git] / src / Crypto / Macaroon.hs

{-# LANGUAGE OverloadedStrings #-}
{-|
Module      : Crypto.Macaroon
Copyright   : (c) 2015 Julien Tanguy
License     : BSD3

Maintainer  : julien.tanguy@jhome.fr
Stability   : experimental
Portability : portable

Pure haskell implementations of macaroons.

Warning: this implementation has not been audited by security experts.
Do not use in production


References:

- Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
- Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
-}
module Crypto.Macaroon (
    -- * Types
      Macaroon
    , Caveat
    , Key
    , Location
    , Sig
    -- * Accessing functions
    -- ** Macaroons
    , location
    , identifier
    , caveats
    , signature
    -- ** Caveats
    , caveatLoc
    , caveatId
    , caveatVId

    -- * Create Macaroons
    , create
    , inspect
    , addFirstPartyCaveat
    -- , addThirdPartyCaveat
    ) where

import           Crypto.Cipher.AES
import           Crypto.Hash
import           Data.Byteable
import qualified Data.ByteString            as BS
import qualified Data.ByteString.Base64.URL as B64
import qualified Data.ByteString.Char8      as B8

import           Crypto.Macaroon.Internal

-- | Create a Macaroon from its key, identifier and location
create :: Key -> Key -> Location -> Macaroon
create secret ident loc = MkMacaroon loc ident [] (toBytes (hmac derivedKey ident :: HMAC SHA256))
  where
    derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)

-- | Caveat target location
caveatLoc :: Caveat -> Location
caveatLoc = cl

-- | Caveat identifier
caveatId :: Caveat -> Key
caveatId = cid

-- | Caveat verification identifier
caveatVId :: Caveat -> Key
caveatVId = vid

-- | Inspect a macaroon's contents. For debugging purposes.
inspect :: Macaroon -> String
inspect = show

-- | Add a first party Caveat to a Macaroon, with its identifier
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m = addCaveat (location m) ident BS.empty m

-- |Add a third party Caveat to a Macaroon, using its location, identifier and
-- verification key
addThirdPartyCaveat :: Key
                    -> Key
                    -> Location
                    -> Macaroon
                    -> Macaroon
addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
  where
    vid = encryptECB (initAES (signature m)) key
Commit	Line	Data
f6781456 JT	1	{-# LANGUAGE OverloadedStrings #-}
	2	{-\|
	3	Module : Crypto.Macaroon
	4	Copyright : (c) 2015 Julien Tanguy
	5	License : BSD3
	6
	7	Maintainer : julien.tanguy@jhome.fr
	8	Stability : experimental
	9	Portability : portable
	10
f6781456 JT	11	Pure haskell implementations of macaroons.
	12
	13	Warning: this implementation has not been audited by security experts.
2aede11a	14	Do not use in production
f6781456 JT	15
	16
	17	References:
	18
	19	- Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
	20	- Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
f6781456 JT	21	-}
	22	module Crypto.Macaroon (
	23	-- * Types
	24	Macaroon
	25	, Caveat
	26	, Key
	27	, Location
1971e224	28	, Sig
f6781456 JT	29	-- * Accessing functions
	30	-- ** Macaroons
	31	, location
	32	, identifier
	33	, caveats
	34	, signature
	35	-- ** Caveats
	36	, caveatLoc
	37	, caveatId
	38	, caveatVId
	39
	40	-- * Create Macaroons
	41	, create
	42	, inspect
	43	, addFirstPartyCaveat
26d38f73	44	-- , addThirdPartyCaveat
f6781456 JT	45	) where
	46
	47	import Crypto.Cipher.AES
	48	import Crypto.Hash
	49	import Data.Byteable
	50	import qualified Data.ByteString as BS
	51	import qualified Data.ByteString.Base64.URL as B64
	52	import qualified Data.ByteString.Char8 as B8
f6781456 JT	53
	54	import Crypto.Macaroon.Internal
	55
	56	-- \| Create a Macaroon from its key, identifier and location
	57	create :: Key -> Key -> Location -> Macaroon
	58	create secret ident loc = MkMacaroon loc ident [] (toBytes (hmac derivedKey ident :: HMAC SHA256))
	59	where
2aede11a	60	derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)
f6781456	61
1971e224	62	-- \| Caveat target location
f6781456 JT	63	caveatLoc :: Caveat -> Location
	64	caveatLoc = cl
	65
1971e224	66	-- \| Caveat identifier
f6781456 JT	67	caveatId :: Caveat -> Key
	68	caveatId = cid
	69
1971e224	70	-- \| Caveat verification identifier
f6781456 JT	71	caveatVId :: Caveat -> Key
	72	caveatVId = vid
	73
1971e224	74	-- \| Inspect a macaroon's contents. For debugging purposes.
f6781456	75	inspect :: Macaroon -> String
2aede11a	76	inspect = show
f6781456	77
f6781456 JT	78	-- \| Add a first party Caveat to a Macaroon, with its identifier
	79	addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
	80	addFirstPartyCaveat ident m = addCaveat (location m) ident BS.empty m
	81
	82	-- \|Add a third party Caveat to a Macaroon, using its location, identifier and
	83	-- verification key
	84	addThirdPartyCaveat :: Key
	85	-> Key
	86	-> Location
	87	-> Macaroon
	88	-> Macaroon
	89	addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
	90	where
	91	vid = encryptECB (initAES (signature m)) key
	92
	93