Basic use
>>> from biscuit_auth import Authorizer, AuthorizerBuilder, Biscuit, BiscuitBuilder, BlockBuilder, KeyPair, PrivateKey, PublicKey, Rule, UnverifiedBiscuit
>>> from datetime import datetime, timedelta, timezone
Create and manage keypairs
>>> # random keypair
>>> keypair = KeyPair()
>>> # serialize a keypair to hexadecimal strings
>>> private_key_str = repr(keypair.private_key)
>>> public_key_str = repr(keypair.public_key)
>>> # parse a private key from a hex string
>>> parsed_private_key = PrivateKey("ed25519-private/23d9d45b32899eefd4cde9a2caecdd41f0449c95ee1e4c6b53ef38cb957dd690")
>>> # parse a public key from a hex string
>>> parsed_public_key = PublicKey("ed25519/9e124fbb46ff99a87219aef4b09f4f6c3b7fd96b7bd279e38af3ef429a101c69")
>>> # build a keypair from a private key
>>> parsed_keypair = KeyPair.from_private_key(parsed_private_key)
>>> parsed_keypair.private_key
ed25519-private/23d9d45b32899eefd4cde9a2caecdd41f0449c95ee1e4c6b53ef38cb957dd690
>>> parsed_keypair.public_key
ed25519/9e124fbb46ff99a87219aef4b09f4f6c3b7fd96b7bd279e38af3ef429a101c69
Build a biscuit token
>>> private_key = PrivateKey("ed25519-private/23d9d45b32899eefd4cde9a2caecdd41f0449c95ee1e4c6b53ef38cb957dd690")
>>> token = BiscuitBuilder("""
... user({user_id});
... check if time($time), $time < {expiration};
... """,
... {
... 'user_id': '1234',
... 'expiration': datetime.now(tz = timezone.utc) + timedelta(days = 1)
... }
... ).build(private_key)
>>> token_string = token.to_base64()
Biscuit tokens can carry a root key identifier, which helps the verifying party select the correct public key among several valid keys. This is especially useful during key rotation, when multiple keys are active at the same time.
>>> private_key = PrivateKey("ed25519-private/00731a0f129f088e069d8a8b3523a724bc48136bfc22c916cb754adbf503ad5e")
>>> builder = BiscuitBuilder("""
... user({user_id});
... check if time($time), $time < {expiration};
... """,
... {
... 'user_id': '1234',
... 'expiration': datetime.now(tz = timezone.utc) + timedelta(days = 1)
... }
... )
>>> builder.set_root_key_id(1)
>>> token = builder.build(private_key)
>>> token_string = token.to_base64()
Each block of a token is identified by a unique revocation id. This allows revoking a token and all the tokens derived from it.
>>> revocation_ids = token.revocation_ids
Append a block to a biscuit token
>>> attenuated_token = token.append(BlockBuilder("""
... check if operation("read");
... check if resource({res})
... """, { 'res': 'file1'}))
Save and load snapshots
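>>> # serialize the state of an existing Authorizer (`authorizer`) to base64
>>> snapshot = authorizer.base64_snapshot()
>>> # rebuild an authorizer from the snapshot
>>> parsed = Authorizer.from_base64_snapshot(snapshot)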