Context Navigation

source: libabac/abac.hh @ adc0815

Revision adc0815, 40.7 KB checked in by Mei <mei@…>, 13 months ago (diff)
1) wrap up abac.hh doc first round
Property mode set to `100644`

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <string>
5	#include <vector>
6
7	namespace ABAC {
8	extern "C" {
9	#include "abac.h"
10	}
11	static int debug=0;
12	class Role;
13	class Oset;
14	/***
15	ABAC::Constraint
16	This is a constraint on a data term. It holds a ptr to
17	a abac_condition_t structure
18	***/
19	class Constraint {
20	public:
21	/***
22	Constraint()
23	default constructor, do not use, for swig only
24	Constraint(const Constraint &)
25	copy constructor, used for cloning a constraint
26	~Constraint()
27	default destructor
28	***/
29	Constraint() : m_constraint(NULL) { }
30	Constraint(const Constraint &constraint) {
31	m_constraint =abac_condition_dup(constraint.m_constraint);
32	}
33	~Constraint() {
34	if(m_constraint) abac_condition_free(m_constraint);
35	}
36	/***
37	Constraint(Role &)
38	constructor that takes a constraining role
39	[role:?R[{role-constraint}]
40	Constraint(Oset &)
41	constructor that takes a constraining oset
42	[oset:?O[{oset-constraint}]
43	[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
44	Constraint(abac_condition_t *)
45	constructor that takes an abac_condition_t structure
46	Constraint(char *)
47	constructor that takes one of following string
48	as its vartype to set up a range constraint:
49	"integer"
50	"urn"
51	"float"
52	"boolean"
53	"time"
54	"string"
55	it should be followed with one or many of following utility
56	calls.
57	***/
58	Constraint(Role& role);
59	Constraint(Oset& oset);
60	Constraint(abac_condition_t *constraint):
61	m_constraint(abac_condition_dup(constraint))
62	{ }
63	Constraint(char *vartype) {
64	m_constraint=abac_condition_create(vartype);
65	}
66	/***
67	void add_constraint_integer_max(int)
68	void add_constraint_integer_min(int)
69	utility routines to setup a integer range constraint
70	[integer:?I[10 .. 20]]
71	void add_constraint_integer_target(int)
72	utility routine to setup a integer list constraint
73	[integer:?I[10,20]]
74	***/
75	void add_constraint_integer_max(int val) {
76	abac_condition_add_range_integer_item(m_constraint,abac_max_item_type(),val);
77	}
78	void add_constraint_integer_min(int val) {
79	abac_condition_add_range_integer_item(m_constraint,abac_min_item_type(),val);
80	}
81	void add_constraint_integer_target(int val) {
82	abac_condition_add_range_integer_item(m_constraint,abac_target_item_type(),val);
83	}
84	/***
85	void add_constraint_float_max(float)
86	void add_constraint_float_min(float)
87	utility routines to setup a float range constraint
88	[float:?F[1.0 .. 2.5]]
89	void add_constraint_float_target(float)
90	utility routine to setup a float list constraint
91	[float:?F[0.5, 2.5]]
92	***/
93	void add_constraint_float_max(float val) {
94	abac_condition_add_range_float_item(m_constraint,abac_max_item_type(),val);
95	}
96	void add_constraint_float_min(float val) {
97	abac_condition_add_range_float_item(m_constraint,abac_min_item_type(),val);
98	}
99	void add_constraint_float_target(float val) {
100	abac_condition_add_range_float_item(m_constraint,abac_target_item_type(),val);
101	}
102	/***
103	void add_constraint_time_max(char*)
104	void add_constraint_time_min(char*)
105	utility routines to setup a time range constraint,
106	takes quoted string values, beyond T is optional
107	[time:?M["20201101T182930"]]
108	[time:?M["20201101T"]]
109	void add_constraint_time_target(char*)
110	utility routine to setup a time list constraint
111	[time:?F["20120228T080000" .. "20120228T090000"]]
112	***/
113	void add_constraint_time_max(char* val) {
114	abac_condition_add_range_time_item(m_constraint,abac_max_item_type(),val);
115	}
116	void add_constraint_time_min(char* val) {
117	abac_condition_add_range_time_item(m_constraint,abac_min_item_type(),val);
118	}
119	void add_constraint_time_target(char* val) {
120	abac_condition_add_range_time_item(m_constraint,abac_target_item_type(),val);
121	}
122	/***
123	void add_constraint_urn_target(char*)
124	utility routine to setup a an urn list constraint
125	[urn:?U["fileA","http://fileB"]]
126	void add_constraint_string_target(char*)
127	utility routine to setup a a string list constraint
128	[string:?S["abc",'efg',"hij"]]
129	void add_constraint_boolean_target(char*)
130	utility routine to setup a a boolean list constraint
131	[boolean:?B['true']]
132	***/
133	void add_constraint_urn_target(char* val)
134	{ abac_condition_add_range_urn_item(m_constraint,val); }
135	void add_constraint_string_target(char* val)
136	{ abac_condition_add_range_string_item(m_constraint,val); }
137	void add_constraint_boolean_target(char* val)
138	{ abac_condition_add_range_boolean_item(m_constraint,val); }
139	/***
140	char *string() const
141	returns literal string of the constraint
142	char *typed_string() const
143	returns typed literal string of the constraint
144	***/
145	char *string() const
146	{ return abac_condition_string(m_constraint); }
147	char *typed_string() const
148	{ return abac_condition_typed_string(m_constraint); }
149	/***
150	abac_condition_t *constraint()
151	returns internal constraint structure
152	***/
153	abac_condition_t *constraint()
154	{ return m_constraint; }
155	private:
156	abac_condition_t *m_constraint;
157	};
158
159	/***
160	ABAC::DataTerm
161	A data term is associated with Role or Oset as a parameter that
162	maybe be instantiated, or uninstantiated but being constrained,
163	or as a principal oset term (standalone right handside of an oset
164	policy rule). It holds a pointer to a abac_term_t structure and
165	an optional constraint that may be imposed on this data term if it
166	is indeed an unistantiated variable.
167	***/
168	class DataTerm {
169	public:
170	/***
171	DataTerm()
172	default constructor, do not use, for swig only
173	DataTerm(const DataTerm &)
174	copy constructor, used for cloning a data term
175	~DataTerm()
176	default destructor
177	***/
178	DataTerm() : m_term(NULL) { } // do not use: here for swig
179	DataTerm(const DataTerm &dterm) {
180	m_term =abac_term_dup(dterm.m_term);
181	abac_condition_t *constraint=abac_term_constraint(m_term);
182	if(constraint) m_cond=new Constraint(constraint);
183	else m_cond=NULL;
184	}
185	~DataTerm() {
186	if(m_term) abac_term_free(m_term);
187	if(m_cond) free(m_cond);
188	}
189	/*** ???
190	DataTerm(abac_term_t *)
191	constructor to make data term from abac_term_t structure
192	***/
193	DataTerm(abac_term_t *term) {
194	m_term=abac_term_dup(term);
195	abac_condition_t *constraint=abac_term_constraint(m_term);
196	if(constraint) m_cond=new Constraint(constraint);
197	else m_cond=NULL;
198	}
199	/***
200	DataTerm(char*)
201	constructor to make named principal data term for the oset RHS
202	DataTerm(char, char, Constraint*)
203	constructor for making a variable data term or an instantiated
204	data term
205	***/
206	DataTerm(char *sha) {
207	if(debug) printf("adding a Dataterm named principal(%s)\n",sha);
208	int isnamed=1;
209	int type=e_TERM_PRINCIPAL;
210	m_term=abac_term_named_create(type,sha);
211	}
212	DataTerm(char* typenm, char name, Constraint cond=NULL) {
213	int type=abac_verify_term_type(typenm);
214	if(debug) printf("adding a Dataterm (%s)\n",name);
215	if(type==ABAC_TERM_FAIL)
216	abac_errx(1, "DataTerm, fail to create the term");
217	if(cond) {
218	m_cond=cond;
219	m_term=abac_term_create(type,name,cond->constraint());
220	} else {
221	m_cond=NULL;
222	m_term=abac_term_create(type,name,NULL);
223	}
224	}
225	/***
226	char *string() const
227	returns literal string of the data term
228	char *typed_string() const
229	returns typed literal string of the data term
230	***/
231	char *string() const
232	{ return abac_term_string(m_term); }
233	char *typed_string() const
234	{ return abac_term_typed_string(m_term); }
235	/***
236	bool is_time() const
237	bool is_string() const
238	bool is_urn() const
239	bool is_integer() const
240	returns true if data term is of certain type
241	***/
242	bool is_time() const
243	{ return abac_term_is_time_type(m_term); }
244	bool is_string() const
245	{ return abac_term_is_string_type(m_term); }
246	bool is_urn() const
247	{ return abac_term_is_urn_type(m_term); }
248	bool is_integer() const
249	{ return abac_term_is_integer_type(m_term); }
250	/***
251	int add_constraint(const Contraint&)
252	utiltiy routine to add a constraint to this data term
253	***/
254	int add_constraint(const Constraint& cond) {
255	m_cond=new Constraint(cond);
256	abac_term_add_constraint(m_term, m_cond->constraint());
257	}
258	/***
259	int type() const
260	returns subtype of the data term
261	char *name() const
262	returns the name of the data term
263	***/
264	int type() const
265	{ abac_term_type(m_term); }
266	char *name() const
267	{ return abac_term_name(m_term); }
268	/*** ??? value
269	char *value() const
270	Not implemented
271	***/
272	char *value() const { }
273	/***
274	abac_term_t *term()
275	returns internal data term structure
276	Constraint *constraint()
277	returns internal constraint structure to the data term
278	***/
279	abac_term_t *term()
280	{ return m_term; }
281	Constraint *constraint()
282	{ return m_cond; }
283	private:
284	abac_term_t *m_term;
285	Constraint *m_cond;
286	};
287
288
289	/***
290	ABAC::Role
291	A Role is role specification of a set of entitities for a principal.
292	***/
293	class Role {
294	public:
295	/***
296	Role()
297	default constructor, do not use, for swig only
298	Role(const Role &)
299	copy constructor, used for cloning a role
300	~Role()
301	default destructor
302	***/
303	Role() : m_role(NULL) { } // do not use: here for swig
304	Role(const Role &role) {
305	m_role = abac_aspect_dup(role.m_role);
306	}
307	~Role() {
308	if (m_role) abac_aspect_free(m_role);
309	}
310	/***
311	Role(abac_aspect_t*)
312	constructor that takes an abac_aspect_t structure
313	Role(char*)
314	constructor that builds a bare bone role with just principal's name
315	Role(char, char)
316	constructor that builds a bare bone role with just principal's name
317	and a role name
318	***/
319	Role(abac_aspect_t *role): m_role(abac_aspect_dup(role))
320	{ }
321	Role(char *principal_name) :
322	m_role(abac_aspect_role_principal_create(principal_name))
323	{ }
324	Role(char principal_name, char role_name) :
325	m_role(abac_aspect_role_create(principal_name, role_name))
326	{ }
327	/***
328	bool is_principal() const
329	return true if the role is a principal object(made from
330	a data term), the right hand side of,
331	[keyid:A].role:r <- [keyid:B]
332	***/
333	bool is_principal() const
334	{ return abac_aspect_is_principal(m_role); }
335	/***
336	bool is_linking() const
337	returns true if the role is a linking role like
338	the right hand side of,
339	[keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
340	***/
341	bool is_linking() const
342	{ return abac_aspect_is_linking(m_role); }
343	/***
344	char *string() const
345	returns literal string of the role
346	char *typed_string() const
347	returns typed literal string of the role
348	***/
349	char *string() const
350	{ return abac_aspect_string(m_role); }
351	char *typed_string()
352	{ return abac_aspect_typed_string(m_role); }
353	/***
354	char *linked_role() const
355	returns linked part of a linking role, for
356	[keyid:A].role:r1.role:r2, it returns r1
357	***/
358	char *linked_role() const
359	{ return abac_aspect_linked_role_name(m_role); }
360	/***
361	char *role_name() const
362	returns the role name of any role (the part after the last dot)
363	[keyid:A].role.r1.role:r2, it returns r2
364	[keyid:A].role.r1, it returns r1
365	***/
366	char *role_name() const
367	{ return abac_aspect_aspect_name(m_role); }
368	char *principal() const
369	{ return abac_aspect_principal_name(m_role); }
370
371	/***
372	int add_data_term(DataTerm&)
373	add a data term to the role
374	***/
375	int add_data_term(DataTerm& d) {
376	abac_aspect_add_param(m_role, d.term());
377	return 1;
378	}
379	/***
380	std::vector<DataTerm> get_data_terms(bool &)
381	return the data terms bound to this role.
382	??? If the role is returned in a proof, these will all have values.
383	***/
384	std::vector<DataTerm> get_data_terms(bool &success) {
385	abac_term_t terms, end;
386	int i;
387	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role));
388	for (i = 0; terms[i] != NULL; ++i)
389	;
390	end = &terms[i];
391	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
392	abac_terms_free(terms);
393	success=1;
394	return dataterms;
395	}
396	int add_linking_data_term(DataTerm& d) {
397	abac_aspect_add_linked_param(m_role, d.term());
398	return 1;
399	}
400	/***
401	std::vector<DataTerm> get_linked_data_terms(bool &)
402	return the data terms bound to this role's linking role.
403	??? If the role is returned in a proof, these will all have values.
404	***/
405	std::vector<DataTerm> get_linked_data_terms(bool &success) {
406	abac_term_t terms, end;
407	int i;
408	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role));
409	for (i = 0; terms[i] != NULL; ++i)
410	;
411	end = &terms[i];
412	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
413	abac_terms_free(terms);
414	success=1;
415	return dataterms;
416	}
417	/***
418	abac_aspect_t *role()
419	returns the interal libabac representation of this role
420	***/
421	abac_aspect_t *role() {return m_role;}
422	private:
423	abac_aspect_t *m_role;
424	};
425
426	/***
427	ABAC::Oset
428	An Oset is oset specification of a set of entitities for a principal.
429	***/
430	class Oset {
431	public:
432	/***
433	Oset()
434	default constructor, do not use, for swig only
435	Oset(const Oset &)
436	copy constructor, used for cloning an oset
437	~Oset()
438	default destructor
439	***/
440	Oset() : m_oset(NULL) { } // do not use: here for swig
441	Oset(const Oset &oset)
442	{ m_oset =abac_aspect_dup(oset.m_oset); }
443	~Oset()
444	{ if(m_oset) abac_aspect_free(m_oset); }
445	/***
446	Oset(abac_aspect_t *)
447	constructor that takes abac_aspect_t structure
448	Oset(char *)
449	constructor that makes a principal oset, ie [keyid:B]
450	Oset(char , char )
451	constructor that makes a regular oset, ie. [keyid:B].oset:o
452	Oset(DataTerm&)
453	constructor that makes an object oset, ie. [urn:'file/fileA']
454	***/
455	Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset))
456	{ }
457	Oset(char *oset_name) : m_oset(abac_aspect_oset_principal_create(oset_name))
458	{ }
459	Oset(char principal_name, char oset_name) :
460	m_oset(abac_aspect_oset_create(principal_name, oset_name))
461	{ }
462	Oset(DataTerm& d) :
463	m_oset(abac_aspect_oset_object_create(d.term()))
464	{ }
465
466	/***
467	bool is_object(), ie <- [integer:10]
468	return ture if this oset is an object oset
469	***/
470	bool is_object() const
471	{ return abac_aspect_is_object(m_oset); }
472	/***
473	bool is_principal() const
474	return true if the oset is a principal object(made from
475	a data term), the right hand side of,
476	[keyid:A].oset:o <- [keyid:B]
477	***/
478	bool is_principal() const
479	{ return abac_aspect_is_principal(m_oset); }
480	/***
481	bool is_linking() const
482	returns true if the oset is a linking oset like
483	the right hand side of,
484	[keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
485	***/
486	bool is_linking() const
487	{ return abac_aspect_is_linking(m_oset); }
488	/***
489	char *string() const
490	returns literal string of the oset
491	char *typed_string() const
492	returns typed literal string of the oset
493	***/
494	char *string() const
495	{ return abac_aspect_string(m_oset); }
496	char *typed_string()
497	{ return abac_aspect_typed_string(m_oset); }
498	/***
499	char *linked_role() const
500	returns linked part of a linking oset, for
501	[keyid:A].role:r1.oset:o1, it returns r1
502	***/
503	char *linked_role() const
504	{ return abac_aspect_linked_role_name(m_oset); }
505	/***
506	char *oset_name() const
507	returns oset name,
508	[keyid:A].role:r1.oset:o1, it returns o1
509	[keyid:A].oset:o1, it returns o1
510	***/
511	char *oset_name() const
512	{ return abac_aspect_aspect_name(m_oset); }
513	/***
514	char *principal() const
515	returns principal name,
516	[keyid:A].role:r1.oset:o1, it returns A
517	***/
518	char *principal() const
519	{ return abac_aspect_principal_name(m_oset); }
520	/***
521	char *object() const
522	returns object's name when the oset is a principal object
523	[keyid:A].oset:values <- [integer:10], it returns 10
524	***/
525	char *object() const
526	{ return abac_aspect_object_name(m_oset); }
527	/***
528	int add_data_term(DataTerm&)
529	add a data term to this oset's parameter set
530	always returns 1
531	***/
532	int add_data_term(DataTerm& d) {
533	abac_aspect_add_param(m_oset, d.term());
534	return 1;
535	}
536	/***
537	std::vector<DataTerm> get_data_terms(bool &)
538	returns the data terms bound to this oset.
539	??? If the oset is returned in a proof, these will all have values.
540	***/
541	std::vector<DataTerm> get_data_terms(bool &success) {
542	abac_term_t terms, end;
543	int i;
544	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset));
545	for (i = 0; terms[i] != NULL; ++i)
546	;
547	end = &terms[i];
548	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
549	abac_terms_free(terms);
550	success=1;
551	return dataterms;
552	}
553	/***
554	int add_linking_data_term(DataTerm&)
555	add a data term to this oset's linking role's parameter set.
556	always returns 1
557	***/
558	int add_linking_data_term(DataTerm& d) {
559	abac_aspect_add_linked_param(m_oset, d.term());
560	return 1;
561	}
562	/***
563	std::vector<DataTerm> get_linked_data_terms(bool &)
564	returns the data terms bound to this oset's linking role.
565	??? If the oset is returned in a proof, these will all have values.
566	***/
567	std::vector<DataTerm> get_linked_data_terms(bool &success) {
568	abac_term_t terms, end;
569	int i;
570	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset));
571	for (i = 0; terms[i] != NULL; ++i)
572	;
573	end = &terms[i];
574	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
575	abac_terms_free(terms);
576	success=1;
577	return dataterms;
578	}
579	/***
580	abac_aspect_t *oset()
581	returns the internal libabac representation of the oset
582	***/
583	abac_aspect_t *oset() {return m_oset;}
584	private:
585	abac_aspect_t *m_oset;
586	};
587
588
589	/***
590	ABAC::ID
591	An ID holds a principal credential. It maybe imported from an existing
592	ID credential via external files, constructed from a streaming chunk,
593	or instantiated on the fly
594	***/
595	class ID {
596	public:
597	/***
598	ID()
599	default constructor, do not use, for swig only
600	ID(const ID &)
601	copy constructor, used for cloning an ID
602	~ID()
603	default destructor
604	***/
605	ID() : m_id(NULL) { } // do not use: here for swig
606	ID(const ID &id) { m_id =abac_id_dup(id.m_id); }
607	~ID() { if(m_id) abac_id_free(m_id); }
608	/*** ???
609	ID(abac_id_t *)
610	constructor from abac_id_t
611	ID(abac_id_credential_t *)
612	constructor from abac_id_t
613	***/
614	ID(abac_id_t *id): m_id(abac_id_dup(id))
615	{ }
616	ID(abac_id_credential_t *idcred) {
617	if(idcred)
618	m_id=abac_id_dup(abac_id_credential_id(idcred));
619	else m_id=NULL;
620	}
621
622	/***
623	ID(char *)
624	load an ID cert from a file, will throw an exception
625	if the cert cannot be loaded
626	***/
627	ID(char *filename) {
628	m_id=abac_id_from_file(filename);
629	if(m_id==NULL)
630	abac_errx(1, "Id creation from filename failed");
631	}
632	/***
633	ID(char *,int)
634	generates a new ID with the supplied CN and validity period
635	- CN must be alphanumeric and begin with a letter
636	- validity must be at least one second
637	will throw an exception if either of the above is violated
638	***/
639	ID(char *cn, int validity) {
640	int rt=abac_id_generate(&m_id, cn, validity);
641	if(rt != ABAC_ID_SUCCESS)
642	abac_errx(1, "Id creation failed");
643	}
644	/***
645	void load_privkey(char *)
646	loads the private key associated with the ID credential
647	will throw an exception if the key cannot be loaded
648	***/
649	void load_privkey(char *filename) {
650	int rt=abac_id_load_privkey_file(m_id, filename);
651	if(rt != 1)
652	abac_errx(1, "Failed to load private key");
653	}
654	/***
655	abac_id_t *id()
656	returns the abac_id_t
657	returns the interal libabac representation of this id
658	***/
659	abac_id_t *id() { return m_id; }
660
661	/***
662	char *keyid()
663	returns the SHA1 keyid of the id cert
664	char *name()
665	returns the CN (the parameter passed to the constructor or the
666	CN of the cert).
667	***/
668	char *keyid() { return abac_id_keyid(m_id); }
669	char *name() { return abac_id_cn(m_id); }
670	/***
671	bool has_privkey()
672	returns true if the ID has an associated private key
673	***/
674	bool has_privkey()
675	{ return abac_id_has_privkey(m_id); }
676
677	/***
678	void write_cert(FILE *)
679	writes a PEM-encoded cert to the file handle
680	void write_cert(char *)
681	writes a PEM-encoded cert to a file named out
682	***/
683	void write_cert(FILE *out)
684	{ abac_id_write_cert(m_id, out); }
685	void write_cert(char *filename) {
686	FILE *out = fopen(filename, "a");
687	write_cert(out);
688	fclose(out);
689	}
690	/***
691	void write_privkey(FILE *)
692	writes a PEM-encoded private key to the file handle
693	throws an exception if no private key is loaded
694	void write_privkey(char *)
695	writes a PEM-encoded private key a file named out
696	throws an exception if no private key is loaded
697	***/
698	void write_privkey(FILE *out) {
699	if(!has_privkey())
700	abac_errx(1, "No privkey to write");
701	abac_id_write_privkey(m_id, out);
702	}
703	void write_privkey(char *filename) {
704	FILE *out = fopen(filename, "a");
705	write_privkey(out);
706	fclose(out);
707	}
708	/***
709	abac_chunk_t cert_chunk()
710	returns a DER-encoded binary representation of the X.509 ID cert
711	associated with this ID.
712	can be passed to libabac's Context::load_id_chunk()
713	***/
714	abac_chunk_t cert_chunk()
715	{ return abac_id_cert_chunk(m_id); }
716	/***
717	char *string()
718	returns literal string of the id credential
719	***/
720	char *string() {
721	char *tmp=NULL;
722	if(has_privkey())
723	asprintf(&tmp,"(%s,%s,y)",abac_id_name(m_id),abac_id_idtype_string(m_id));
724	else asprintf(&tmp,"(%s,%s,n)",abac_id_name(m_id),abac_id_idtype_string(m_id));
725	return tmp;
726	}
727	public:
728	abac_id_t *m_id;
729	};
730
731
732	/***
733	ABAC::Attribute
734	This is the attribute representation for the access policy rule
735	LHS <- RHS
736	The sequence of generation is to
737	first, instantiate the object, ie, LHS (head)
738	second, adding subject(s) to it, ie, RHS (tail)
739	and then baking it.
740	Only once it's baked can you access the X.509 cert.
741	Once it's been baked you can no longer add subjects to it
742	***/
743	class Attribute {
744	public:
745	/***
746	Attribute()
747	default constructor, do not use, for swig only
748	Attribute(const Attribute &)
749	copy constructor, used for cloning an attribute
750	~Attribute()
751	default destructor
752	***/
753	Attribute() : m_attr(NULL) { }
754	Attribute(const Attribute &id)
755	{ m_attr =abac_attribute_dup(id.m_attr); }
756	~Attribute()
757	{ if(m_attr) abac_attribute_free(m_attr); }
758	/***
759	Attribute(abac_attribute_t *)
760	constructor that takes abac_attribute_t, locally used
761	Attribute(abac_credential_t *)
762	constructor that takes abac_credential_t, locally used
763	***/
764	Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr))
765	{ }
766	Attribute(abac_credential_t *cred)
767	{ m_attr=abac_attribute_dup(abac_credential_attribute(cred)); }
768	/***
769	Attribute(Role&, int)
770	constructor that creates an attribute policy to be signed by the issuer
771	with the given role with a specified validity period
772	An exception will be thrown if:
773	- the issuer has no private key
774	- the Head role is invalid
775	- the validity period is invalid (must be >= 1 second)
776	***/
777	Attribute(Role& head, int validity) {
778	int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity);
779	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
780	abac_errx(1, "attribute(role), unable to make an attribute");
781	}
782	/***
783	Attribute(Oset&, int)
784	constructor that creates an attribute policy to be signed by the issuer
785	with the given oset with a specified validity period
786	An exception will be thrown if:
787	- the issuer has no private key
788	- the Head oset is invalid
789	- the validity period is invalid (must be >= 1 second)
790	***/
791	Attribute(Oset& head, int validity) {
792	int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity);
793	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
794	abac_errx(1, "attribute(oset), unable to make an attribute");
795	}
796	/***
797	bool add_tail(Role&)
798	Add a role tail. Call multiple times for intersections
799	bool add_tail(Oset&)
800	Add an oset tail. Call multiple times for intersections
801	***/
802	bool add_tail(Role& tail) {
803	if(abac_attribute_add_tail(m_attr, tail.role()))
804	return 1;
805	else return 0;
806	}
807	bool add_tail(Oset& tail) {
808	if(abac_attribute_add_tail(m_attr, tail.oset()))
809	return 1;
810	else return 0;
811	}
812	/***
813	char *head_string()
814	returns literal string of head of the attribute
815	char *tail_string()
816	returns literal string of tail of the attribute
817	***/
818	char *head_string() {
819	abac_aspect_t *head=abac_attribute_head(m_attr);
820	char *string=abac_aspect_string(head);
821	return string;
822	}
823	char *tail_string() {
824	abac_aspect_t *tail=abac_attribute_tail(m_attr);
825	char *string=abac_aspect_string(tail);
826	return string;
827	}
828	/***
829	char *head_typed_string()
830	returns typed literal string of head of the attribute
831	char *tail_typed_string()
832	returns typed literal string of tail of the attribute
833	***/
834	char *head_typed_string() {
835	abac_aspect_t *head=abac_attribute_head(m_attr);
836	char *string=abac_aspect_typed_string(head);
837	return string;
838	}
839	char *tail_typed_string() {
840	abac_aspect_t *tail=abac_attribute_tail(m_attr);
841	char *string=abac_aspect_typed_string(tail);
842	return string;
843	}
844	/***
845	char *string()
846	returns literal string of the attribute
847	char *typed_string()
848	returns typed literal string of the attribute
849	***/
850	char *string() {
851	char *head=head_string();
852	char *tail=tail_string();
853	if(head==NULL \|\| tail==NULL)
854	abac_errx(1, "attribute string, head and tail can not be NULL");
855	char *tmp=NULL;
856	asprintf(&tmp,"%s<-%s",head,tail);
857	return tmp;
858	}
859	char *typed_string() {
860	char *head=head_typed_string();
861	char *tail=tail_typed_string();
862	if(head==NULL \|\| tail==NULL)
863	abac_errx(1, "attribute string, head and tail can not be NULL");
864	char *tmp=NULL;
865	asprintf(&tmp,"%s<-%s",head,tail);
866	return tmp;
867	}
868	/*** ??? not sure about implmentation
869	const Role &role_head()
870	returns the head role
871	const Oset &oset_head()
872	returns the oset head
873	***/
874	const Role &role_head() {
875	abac_aspect_t *head=abac_attribute_head(m_attr);
876	static Role role=Role(head);
877	return role;
878	}
879	const Oset &oset_head() {
880	abac_aspect_t *head=abac_attribute_tail(m_attr);
881	static Oset oset=Oset(head);
882	return oset;
883	}
884	/*** ???
885	std::vector<Role> role_tails(bool &)
886	retrieve tail role which maybe more than 1 if intersecting
887	std::vector<Oset> oset_tails(bool &)
888	retrieve tail oset which maybe more than 1 if intersecting
889	***/
890	std::vector<Role> role_tails(bool &success) {
891	abac_aspect_t tails, end;
892	int i;
893	/* make sure it is role */
894	if(!abac_attribute_is_role(m_attr)) {
895	success=0;
896	abac_errx(1, "role_tails, attribute is not a role");
897	}
898	tails = abac_attribute_tail_vectorized(m_attr);
899	for (i = 0; tails[i] != NULL; ++i)
900	;
901	end = &tails[i];
902	std::vector<Role> roles = std::vector<Role>(tails, end);
903	abac_aspects_free(tails);
904	success=1;
905	return roles;
906	}
907	std::vector<Oset> oset_tails(bool &success) {
908	abac_aspect_t tails, end;
909	int i;
910	/* make sure that tail is not role */
911	if(abac_attribute_is_role(m_attr)) {
912	success=0;
913	abac_errx(1, "oset_tails, attribute is not an oset");
914	}
915	tails = abac_attribute_tail_vectorized(m_attr);
916	for (i = 0; tails[i] != NULL; ++i)
917	;
918	end = &tails[i];
919	std::vector<Oset> osets = std::vector<Oset>(tails, end);
920	success=1;
921	abac_aspects_free(tails);
922	return osets;
923	}
924	/***
925	abac_attribute_t *attribute()
926	return libabac structure for attribute
927	***/
928	abac_attribute_t *attribute() { return m_attr; }
929
930	/***
931	bool bake()
932	Generate the cert. Call this after you've added subjects to your cert.
933	This returns false if there are no subjects
934	This will throw an exception if the cert's already been baked.
935	***/
936	bool bake() {
937	/* can not bake in ABAC_CN mode */
938	if(USE("ABAC_CN"))
939	abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set");
940	int rt=abac_attribute_bake(m_attr);
941	if(rt!=1)
942	abac_errx(1, "bake, can not bake the cert");
943	}
944	/***
945	bool baked()
946	returns true iff the cert has been baked.
947	***/
948	bool baked()
949	{ return abac_attribute_baked(m_attr); }
950
951	/***
952	void write_cert(FILE *)
953	write the DER-encoded X.509 attribute cert to the open file handle
954	Throws an exception if the cert isn't baked
955	***/
956	void write_cert(FILE *out) {
957	int rt= abac_attribute_write(m_attr,out);
958	if(!rt)
959	abac_errx(1, "write, cert is not baked");
960	}
961	/***
962	void write_cert(char *)
963	write the DER-encoded X.509 attribute cert to a file named out
964	Throws an exception if the cert isn't baked
965	***/
966	void write_cert(char *filename) {
967	FILE *out = fopen(filename, "w");
968	write_cert(out);
969	fclose(out);
970	}
971	/***
972	abac_chunk_t cert_chunk()
973	returns a DER-encoded binary representation of the X.509 attribute
974	cert associated with this cert
975	Throws an exception if the cert isn't baked
976	the chunk can be passed to libabac's Context::load_attribute_chunk()
977	***/
978	abac_chunk_t cert_chunk()
979	{ return abac_attribute_cert_chunk(m_attr); }
980
981	/***
982	int consume()
983	generate yap clauses and injected into db
984	***/
985	int consume() {
986	/* attribute needs to be baked */
987	if(!baked()) {
988	return ABAC_ATTRIBUTE_FAIL;
989	}
990	}
991	private:
992	abac_attribute_t *m_attr;
993	};
994
995
996	/***
997	ABAC::Context
998	An ABAC Context
999	***/
1000	class Context {
1001	public:
1002	/***
1003	Context()
1004	default constructor
1005	Context(const Context &)
1006	copy constructor, used for cloning the context
1007	~Context()
1008	default destructor
1009	***/
1010	Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); }
1011	Context(const Context &context) {
1012	m_ctx = abac_context_dup(context.m_ctx);
1013	m_abac_version=strdup(context.m_abac_version);
1014	}
1015	~Context() {
1016	abac_context_free(m_ctx);
1017	if(m_abac_version) free(m_abac_version);
1018	}
1019	/***
1020	void dump_yap()
1021	dump the complete yap prolog database
1022	***/
1023	void dump_yap()
1024	{ show_yap_db("dump_yap"); }
1025
1026	/***
1027	int load_id(ABAC::ID&)
1028	load id cert from ID
1029	int load_id_file(char *)
1030	load id cert from an idkey combo file. key retrieval will be attempt
1031	but won't fail if not found
1032	int load_id_file(char , char )
1033	load id cert from an id file and a key file
1034	int load_id_chunk(abac_chunk_t)
1035	load id cert from a chunk structure
1036	returns:
1037	ABAC_CERT_SUCCESS successfully loaded
1038	ABAC_CERT_INVALID invalid certificate (or file not found)
1039	ABAC_CERT_BAD_SIG invalid signature
1040	***/
1041	int load_id(ABAC::ID& id)
1042	{ return abac_context_load_id_id(m_ctx, id.id()); }
1043	int load_id_file(char *filename)
1044	{ return abac_context_load_id_idkey_file(m_ctx, filename); }
1045	int load_id_file(char filename, char keyfilename)
1046	{ return abac_context_load_id_id_file_key_file(m_ctx, filename, keyfilename); }
1047	int load_id_chunk(abac_chunk_t cert)
1048	{ return abac_context_load_id_chunk(m_ctx, cert); }
1049
1050	/***
1051	int load_attribute(ABAC::Attribute&)
1052	load attribute credential from attribute structure
1053	int load_attribute_file(char *)
1054	load attribute credential from a file
1055	int load_attribute_chunk(abac_chunk_t)
1056	load attribute credential from a chunk
1057	returns the same values as above, additionally
1058	returns ABAC_CERT_MISSING_ISSUER if the issuer
1059	certificate has not been loaded
1060	***/
1061	int load_attribute(ABAC::Attribute& a)
1062	{ return abac_context_load_attribute_attribute(m_ctx, a.attribute()); }
1063	int load_attribute_file(char *filename)
1064	{ return abac_context_load_attribute_file(m_ctx, filename); }
1065	int load_attribute_chunk(abac_chunk_t cert)
1066	{ return abac_context_load_attribute_chunk(m_ctx, cert); }
1067
1068	/***
1069	void load_directory(char *)
1070	load a directory full of certificates:
1071	first: ${path}/*_ID.{der,pem} as identity certificates
1072	implicitly looking for ${path}/*_private.{der,pem} as
1073	the private key file
1074	then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
1075	last: ${path}/*_attr.der as attribute certificates
1076	***/
1077	void load_directory(char *path)
1078	{ abac_context_load_directory(m_ctx, path); }
1079	/***
1080	std::vector<Attribute> query(char , char , bool &)
1081	the string version is for query that is composed by hand with SHA or
1082	in non ABAC_CN mode
1083	std::vector<Attribute> query(Role &, Role &, bool &)
1084	std::vector<Attribute> query(Oset &, Oset &, bool &)
1085
1086	runs the query:
1087	role <-?- principal
1088	returns true/false in success
1089	returns a proof upon success, partial proof on failure
1090	***/
1091	std::vector<Attribute> query(char role, char principal, bool &success) {
1092	abac_credential_t creds, end;
1093	int i, success_int;
1094
1095	creds = abac_context_query(m_ctx, role, principal, &success_int);
1096	success = success_int;
1097
1098	for (i = 0; creds[i] != NULL; ++i)
1099	;
1100
1101	end = &creds[i];
1102	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1103	if(debug) printf("query, got rules(%d)\n", i);
1104
1105	abac_context_credentials_free(creds);
1106
1107	return attributes;
1108	}
1109
1110	std::vector<Attribute> query(Role &role, Role &p_role, bool &success) {
1111	abac_credential_t creds, end;
1112	int i, success_int;
1113
1114	creds = abac_context_query_with_structure(m_ctx, role.role(), p_role.role(), &success_int);
1115	success = success_int;
1116
1117	for (i = 0; creds[i] != NULL; ++i)
1118	;
1119
1120	end = &creds[i];
1121	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1122
1123	abac_context_credentials_free(creds);
1124
1125	return attributes;
1126	}
1127
1128	std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) {
1129	abac_credential_t creds, end;
1130	int i, success_int;
1131
1132	creds = abac_context_query_with_structure(m_ctx, oset.oset(), p_oset.oset(), &success_int);
1133	success = success_int;
1134
1135	for (i = 0; creds[i] != NULL; ++i)
1136	;
1137
1138	end = &creds[i];
1139	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1140	if(debug) printf("query, returning rules(%d)\n", i);
1141
1142	abac_context_credentials_free(creds);
1143
1144	return attributes;
1145	}
1146
1147	/***
1148	std::vector<Attribute> context_credentials(bool &)
1149	returns a vector of all the credentials loaded in the context
1150	extracted from the internal data structure
1151	***/
1152	std::vector<Attribute> context_credentials(bool &success) {
1153	abac_credential_t creds, end;
1154	int i;
1155	success = 1;
1156
1157	creds = abac_context_credentials(m_ctx);
1158	for (i = 0; creds[i] != NULL; ++i)
1159	;
1160
1161	end = &creds[i];
1162	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1163	if(debug) printf("credentials, got (%d)\n", i);
1164
1165	abac_context_credentials_free(creds);
1166	if(debug) show_yap_db("calling from context_credentials");
1167	return attributes;
1168	}
1169
1170	/***
1171	std::vector<Attribute> context_principals(bool &)
1172	returns a vector of all the principals loaded in the context
1173	extracted from the internal data structure
1174	***/
1175	std::vector<ID> context_principals(bool &success) {
1176	abac_id_credential_t ids, end;
1177	int i;
1178	success = 1;
1179
1180	ids = abac_context_principals(m_ctx);
1181	for (i = 0; ids[i] != NULL; ++i)
1182	;
1183
1184	end = &ids[i];
1185	std::vector<ID> principals = std::vector<ID>(ids, end);
1186	if(debug) printf("principals, got (%d)\n", i);
1187
1188	abac_context_principals_free(ids);
1189	return principals;
1190	}
1191	/***
1192	char *version()
1193	return the version of this interface
1194	***/
1195	char *version() const { return m_abac_version; }
1196
1197	private:
1198	abac_context_t *m_ctx;
1199	char *m_abac_version;
1200	};
1201
1202	Constraint::Constraint(Role& role)
1203	{ m_constraint=abac_condition_create_from_aspect(role.role()); }
1204	Constraint::Constraint(Oset &oset)
1205	{ m_constraint=abac_condition_create_from_aspect(oset.oset()); }
1206	}
1207
1208	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: