[github/fretlink/hmacaroons.git] / src / Crypto / Macaroon.hs

{-# LANGUAGE OverloadedStrings #-}
{-|
Module      : Crypto.Macaroon
Copyright   : (c) 2015 Julien Tanguy
License     : BSD3

Maintainer  : julien.tanguy@jhome.fr
Stability   : experimental
Portability : portable

Pure haskell implementations of macaroons.

Warning: this implementation has not been audited by security experts.
Do not use in production


References:

- Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
- Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
-}
module Crypto.Macaroon (
    -- * Types
      Macaroon
    , Caveat
    , Key
    , Location
    , Sig
    -- * Accessing functions
    -- ** Macaroons
    , location
    , identifier
    , caveats
    , signature
    -- ** Caveats
    , caveatLoc
    , caveatId
    , caveatVId

    -- * Create Macaroons
    , create
    , inspect
    , addFirstPartyCaveat
    -- , addThirdPartyCaveat
    ) where

-- import           Crypto.Cipher.AES
import           Crypto.Hash
import           Data.Byteable
import qualified Data.ByteString            as BS
import qualified Data.ByteString.Base64.URL as B64
import qualified Data.ByteString.Char8      as B8

import           Crypto.Macaroon.Internal

-- | Create a Macaroon from its key, identifier and location
create :: Key -> Key -> Location -> Macaroon
create secret ident loc = MkMacaroon loc ident [] (toBytes (hmac derivedKey ident :: HMAC SHA256))
  where
    derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)

-- | Caveat target location
caveatLoc :: Caveat -> Location
caveatLoc = cl

-- | Caveat identifier
caveatId :: Caveat -> Key
caveatId = cid

-- | Caveat verification identifier
caveatVId :: Caveat -> Key
caveatVId = vid

-- | Inspect a macaroon's contents. For debugging purposes.
inspect :: Macaroon -> String
inspect = show

-- | Add a first party Caveat to a Macaroon, with its identifier
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m = addCaveat (location m) ident BS.empty m

-- |Add a third party Caveat to a Macaroon, using its location, identifier and
-- verification key
-- addThirdPartyCaveat :: Key
--                     -> Key
--                     -> Location
--                     -> Macaroon
--                     -> Macaroon
-- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
--   where
--     vid = encryptECB (initAES (signature m)) key
Commit	Line	Data
	1	{-# LANGUAGE OverloadedStrings #-}
	2	{-\|
	3	Module : Crypto.Macaroon
	4	Copyright : (c) 2015 Julien Tanguy
	5	License : BSD3
	6
	7	Maintainer : julien.tanguy@jhome.fr
	8	Stability : experimental
	9	Portability : portable
	10
	11	Pure haskell implementations of macaroons.
	12
	13	Warning: this implementation has not been audited by security experts.
	14	Do not use in production
	15
	16
	17	References:
	18
	19	- Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
	20	- Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
	21	-}
	22	module Crypto.Macaroon (
	23	-- * Types
	24	Macaroon
	25	, Caveat
	26	, Key
	27	, Location
	28	, Sig
	29	-- * Accessing functions
	30	-- ** Macaroons
	31	, location
	32	, identifier
	33	, caveats
	34	, signature
	35	-- ** Caveats
	36	, caveatLoc
	37	, caveatId
	38	, caveatVId
	39
	40	-- * Create Macaroons
	41	, create
	42	, inspect
	43	, addFirstPartyCaveat
	44	-- , addThirdPartyCaveat
	45	) where
	46
	47	-- import Crypto.Cipher.AES
	48	import Crypto.Hash
	49	import Data.Byteable
	50	import qualified Data.ByteString as BS
	51	import qualified Data.ByteString.Base64.URL as B64
	52	import qualified Data.ByteString.Char8 as B8
	53
	54	import Crypto.Macaroon.Internal
	55
	56	-- \| Create a Macaroon from its key, identifier and location
	57	create :: Key -> Key -> Location -> Macaroon
	58	create secret ident loc = MkMacaroon loc ident [] (toBytes (hmac derivedKey ident :: HMAC SHA256))
	59	where
	60	derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)
	61
	62	-- \| Caveat target location
	63	caveatLoc :: Caveat -> Location
	64	caveatLoc = cl
	65
	66	-- \| Caveat identifier
	67	caveatId :: Caveat -> Key
	68	caveatId = cid
	69
	70	-- \| Caveat verification identifier
	71	caveatVId :: Caveat -> Key
	72	caveatVId = vid
	73
	74	-- \| Inspect a macaroon's contents. For debugging purposes.
	75	inspect :: Macaroon -> String
	76	inspect = show
	77
	78	-- \| Add a first party Caveat to a Macaroon, with its identifier
	79	addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
	80	addFirstPartyCaveat ident m = addCaveat (location m) ident BS.empty m
	81
	82	-- \|Add a third party Caveat to a Macaroon, using its location, identifier and
	83	-- verification key
	84	-- addThirdPartyCaveat :: Key
	85	-- -> Key
	86	-- -> Location
	87	-- -> Macaroon
	88	-- -> Macaroon
	89	-- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
	90	-- where
	91	-- vid = encryptECB (initAES (signature m)) key
	92
	93