[github/fretlink/hmacaroons.git] / src / Crypto / Macaroon.hs

{-# LANGUAGE OverloadedStrings #-}
{-|
Module      : Crypto.Macaroon
Copyright   : (c) 2015 Julien Tanguy
License     : BSD3

Maintainer  : julien.tanguy@jhome.fr
Stability   : experimental
Portability : portable

Pure haskell implementations of macaroons.

Warning: this implementation has not been audited by security experts.
Do not use in production


References:

- Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
- Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
-}
module Crypto.Macaroon (
    -- * Types
      Macaroon
    , Caveat
    , Secret
    , Key
    , Location
    , Sig
    -- * Accessing functions
    -- ** Macaroons
    , location
    , identifier
    , caveats
    , signature
    -- ** Caveats
    , cl
    , cid
    , vid

    -- * Create Macaroons
    , create
    , inspect
    , addFirstPartyCaveat
    -- , addThirdPartyCaveat
    -- * Serialize
    , module Crypto.Macaroon.Serializer.Base64
    -- * Verify
    , module Crypto.Macaroon.Verifier
    ) where

-- import           Crypto.Cipher.AES
import           Crypto.Hash
import           Data.Byteable
import qualified Data.ByteString                   as BS

import           Crypto.Macaroon.Internal
import           Crypto.Macaroon.Serializer.Base64
import           Crypto.Macaroon.Verifier

-- | Create a Macaroon from its key, identifier and location
create :: Secret -> Key -> Location -> Macaroon
create secret ident loc = MkMacaroon loc ident [] (toBytes (hmac derivedKey ident :: HMAC SHA256))
  where
    derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)

-- | Inspect a macaroon's contents. For debugging purposes.
inspect :: Macaroon -> String
inspect = show

-- | Add a first party Caveat to a Macaroon, with its identifier
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m = addCaveat (location m) ident BS.empty m

-- |Add a third party Caveat to a Macaroon, using its location, identifier and
-- verification key
-- addThirdPartyCaveat :: Key
--                     -> Key
--                     -> Location
--                     -> Macaroon
--                     -> Macaroon
-- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
--   where
--     vid = encryptECB (initAES (signature m)) key
Commit	Line	Data
f6781456 JT	1	{-# LANGUAGE OverloadedStrings #-}
	2	{-\|
	3	Module : Crypto.Macaroon
	4	Copyright : (c) 2015 Julien Tanguy
	5	License : BSD3
	6
	7	Maintainer : julien.tanguy@jhome.fr
	8	Stability : experimental
	9	Portability : portable
	10
f6781456 JT	11	Pure haskell implementations of macaroons.
	12
	13	Warning: this implementation has not been audited by security experts.
2aede11a	14	Do not use in production
f6781456 JT	15
	16
	17	References:
	18
	19	- Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
	20	- Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
f6781456 JT	21	-}
	22	module Crypto.Macaroon (
	23	-- * Types
	24	Macaroon
	25	, Caveat
86f38823	26	, Secret
f6781456 JT	27	, Key
f6781456 JT	28	, Location
1971e224	29	, Sig
f6781456 JT	30	-- * Accessing functions
	31	-- ** Macaroons
	32	, location
	33	, identifier
	34	, caveats
	35	, signature
	36	-- ** Caveats
86f38823 JT	37	, cl
	38	, cid
	39	, vid
f6781456 JT	40
	41	-- * Create Macaroons
	42	, create
	43	, inspect
	44	, addFirstPartyCaveat
26d38f73	45	-- , addThirdPartyCaveat
27d5a3a4 JT	46	-- * Serialize
	47	, module Crypto.Macaroon.Serializer.Base64
	48	-- * Verify
	49	, module Crypto.Macaroon.Verifier
f6781456 JT	50	) where
f6781456 JT	51
8505c3d3	52	-- import Crypto.Cipher.AES
f6781456 JT	53	import Crypto.Hash
f6781456 JT	54	import Data.Byteable
27d5a3a4	55	import qualified Data.ByteString as BS
f6781456 JT	56
f6781456 JT	57	import Crypto.Macaroon.Internal
27d5a3a4 JT	58	import Crypto.Macaroon.Serializer.Base64
27d5a3a4 JT	59	import Crypto.Macaroon.Verifier
f6781456 JT	60
f6781456 JT	61	-- \| Create a Macaroon from its key, identifier and location
86f38823	62	create :: Secret -> Key -> Location -> Macaroon
f6781456 JT	63	create secret ident loc = MkMacaroon loc ident [] (toBytes (hmac derivedKey ident :: HMAC SHA256))
f6781456 JT	64	where
2aede11a	65	derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)
f6781456	66
1971e224	67	-- \| Inspect a macaroon's contents. For debugging purposes.
f6781456	68	inspect :: Macaroon -> String
2aede11a	69	inspect = show
f6781456	70
f6781456 JT	71	-- \| Add a first party Caveat to a Macaroon, with its identifier
	72	addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
	73	addFirstPartyCaveat ident m = addCaveat (location m) ident BS.empty m
	74
	75	-- \|Add a third party Caveat to a Macaroon, using its location, identifier and
	76	-- verification key
8505c3d3 JT	77	-- addThirdPartyCaveat :: Key
	78	-- -> Key
	79	-- -> Location
	80	-- -> Macaroon
	81	-- -> Macaroon
	82	-- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
	83	-- where
	84	-- vid = encryptECB (initAES (signature m)) key