Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/tchoutri/biscuit-demo
- Host: GitHub
- URL: https://github.com/tchoutri/biscuit-demo
- Owner: tchoutri
- License: bsd-3-clause
- Created: 2022-11-23T11:27:39.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2022-11-23T11:30:07.000Z (about 2 years ago)
- Last Synced: 2024-11-05T18:54:28.960Z (about 2 months ago)
- Language: Haskell
- Size: 18.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Biscuit demo
This repository is a showcase for the [Biscuit](https://biscuitsec.org) authorization token system.
Three services are contained in this project:
* The token dispenser, that will send a token to the client based on email;
* The API server, that will process requests from the client

## Demo
Start the services:
```bash
$ cabal run dispenser
[+] Starting the Token dispenser on http://localhost:8900
$ cabal run api-server
[+] Starting the API server on http://localhost:8902
```

Then get the token from the dispenser with this command (using [httpie](https://httpie.io)):
```bash
$ http POST http://localhost:8900/tokens [email protected]
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Date: Fri, 11 Mar 2022 10:06:22 GMT
Server: Warp/3.3.20
Transfer-Encoding: chunked

{
"token": "EqECCrYBCiQ1ZGQ5OGIzNy0wMWRmLTQ0YWQtOGEzYi0yZDg2YjU4MDUzYjEKJGFiNTNlN2ViLTdmZjItNDM4ZC1iNGRiLTBjZDEwMTNkOWE2OAoDYXBpCgRyZWFkCgdzZXJ2aWNlCgp1c2VyX2dyb3VwCgd1c2VyX2lkCgV3cml0ZRgCIggKBggNEgIYCCIQCg4IBBICGAoSAhgMEgIYByIQCg4IBBICGA4SAhgMEgIYByIICgYICxICGAkSJAgAEiC-S8ZXcwjZK0AVM3hFHkdWGr1x1WKa57rM76ERm84m0hpAm79G03LibmVHX9UOAW4g12i6XfU3dwmSge4Xn1cNM7z-3d2TkT4C_oBipJE-L_d4CgaUjAb17Qm3pe22L9NmDyIiCiCzUfLfQJGOlrLJ0NOM8eW3EUG7Ul4EhciUFeLes38MuA=="
}
```

Put this token in an environment variable, aptly named `$biscuit`:
```bash
$ export biscuit="EqECCrYBCiQ1ZGQ5OGIzNy0wMWRmLTQ0YWQtOGEzYi0yZDg2YjU4MDUzYjEKJGFiNTNlN2ViLTdmZjItNDM4ZC1iNGRiLTBjZDEwMTNkOWE2OAoDYXBpCgRyZWFkCgdzZXJ2aWNlCgp1c2VyX2dyb3VwCgd1c2VyX2lkCgV3cml0ZRgCIggKBggNEgIYCCIQCg4IBBICGAoSAhgMEgIYByIQCg4IBBICGA4SAhgMEgIYByIICgYICxICGAkSJAgAEiC-S8ZXcwjZK0AVM3hFHkdWGr1x1WKa57rM76ERm84m0hpAm79G03LibmVHX9UOAW4g12i6XfU3dwmSge4Xn1cNM7z-3d2TkT4C_oBipJE-L_d4CgaUjAb17Qm3pe22L9NmDyIiCiCzUfLfQJGOlrLJ0NOM8eW3EUG7Ul4EhciUFeLes38MuA=="
```

Now let's query the API server:
```bash
$ http GET "http://localhost:8902/user_groups/5dd98b37-01df-44ad-8a3b-2d86b58053b1" "Authorization:Bearer $biscuit"
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Date: Fri, 11 Mar 2022 10:08:36 GMT
Server: Warp/3.3.20
Transfer-Encoding: chunked

{
"name": "Passing the time",
"userGroupId": "5dd98b37-01df-44ad-8a3b-2d86b58053b1"
}
```

We can see that the biscuit was validated and the checks have passed.
Now, what if someone from HR tries to access a UserGroup?
After retrieving a token from the dispenser with the email "[email protected]", we try and query the API server:
```bash
http GET "http://localhost:8902/user_groups/5dd98b37-01df-44ad-8a3b-2d86b58053b1" "Authorization:Bearer $hr_biscuit"
HTTP/1.1 401 Unauthorized
Date: Fri, 11 Mar 2022 10:23:46 GMT
Server: Warp/3.3.20
Transfer-Encoding: chunked

Biscuit failed checks
```

And in the server logs:
```haskell
ResultError (NoPoliciesMatched [[QueryItem {qBody = [Predicate {name = "service", terms = [LString "peopledoc"]}], qExpressions = []}],[QueryItem {qBody = [Predicate {name = "service", terms = [LString "api"]}], qExpressions = []}]])
```

This is a bit rough to read, but look for the "service" strings in this message. The first one is "peopledoc", which is the value of the `service()` fact in the HR token. The other one is "api", which is the value expected by the API server. They do not match, and as such, the verification fails.
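The failing check above, as an added illustration in Haskell (not the demo's own code, whose authorizer is not shown on this page): it mints an `api` token and an HR (`peopledoc`) token with the biscuit-haskell library the way the dispenser would, then runs a `check if service("api")` authorizer against both, the way the API server would. The authorizer shape and the `right("read")` fact are assumptions; the fact names `service` and `user_group` and the group id come from the walkthrough above.

```haskell
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes #-}
-- Added example, not the demo's own code. Requires the biscuit-haskell package.
module Main (main) where

import Auth.Biscuit
import qualified Data.ByteString as BS
import Data.Text (Text)

-- What the API server enforces (assumed shape): the token must carry a
-- service("api") fact; a token with service("peopledoc") satisfies no policy.
apiAuthorizer :: Authorizer
apiAuthorizer = [authorizer|
  check if service("api");
  allow if true;
|]

-- What the dispenser does: sign a root block carrying the caller's service,
-- group (the id from the walkthrough) and an assumed right("read") fact,
-- and hand it back base64-encoded.
mintToken :: SecretKey -> Text -> IO BS.ByteString
mintToken secret svc = do
  token <- mkBiscuit secret [block|
    service({svc});
    user_group("5dd98b37-01df-44ad-8a3b-2d86b58053b1");
    right("read");
  |]
  pure (serializeB64 token)

-- What the API server does with the bearer value: verify the signature with
-- the dispenser's public key, then evaluate the authorizer. A failed check
-- surfaces as the ResultError (NoPoliciesMatched ...) seen in the logs.
verifyBearer :: PublicKey -> BS.ByteString -> IO (Either String ())
verifyBearer pub raw =
  case parseB64 pub raw of
    Left err -> pure (Left ("bad token: " <> show err))
    Right biscuit -> do
      res <- authorizeBiscuit biscuit apiAuthorizer
      pure $ case res of
        Left execErr -> Left ("Biscuit failed checks: " <> show execErr)
        Right _      -> Right ()

main :: IO ()
main = do
  secret <- newSecret           -- the dispenser's signing key
  let pub = toPublic secret     -- the only thing the API server needs
  apiTok <- mintToken secret "api"
  hrTok  <- mintToken secret "peopledoc"
  verifyBearer pub apiTok >>= print   -- passes: service("api") present
  verifyBearer pub hrTok  >>= print   -- fails: service("peopledoc") /= "api"
```

The API server never sees the secret key; it verifies with the public key only, so a token that fails checks is rejected without any call back to the dispenser.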