Changeset 440ba20

Makefile.am

r8bd77b5	r440ba20
27	27	libabac/abac_term.c \
28	28	libabac/abac_pl_gen.c \
	29	libabac/abac_pl_pre.c \
29	30	libabac/abac_pl_yy.c \
30	31	libabac/abac_pl_yy.h \

examples/access_rt2_typed/README

r9502c50	r440ba20
85	85	#
86	86	# [keyid:alpha].role:access([string:'Read'], [urn:?F])<- [principal:?B]
87		# [keyid:alpha].oset:documents([string:?P) <- [urn:?F]
	87	# [keyid:alpha].oset:documents([string:?P]) <- [urn:?F]
88	88	# [keyid:alpha].role:team([string:?P]) <- [principal:?B]
89	89	#

libabac/abac.h

-                      rd037f54
+                      r440ba20
 typedef struct _abac_condition_t abac_condition_t;
 typedef struct _abac_term_t abac_term_t;
+typedef struct _abac_item_t abac_item_t;
 typedef struct _abac_param_list_t abac_param_list_t;
 …
  */
 abac_context_t *abac_context_new(void);
+abac_context_t *abac_context_dup(abac_context_t *ctx);
 abac_context_t *abac_context_dup(abac_context_t *ctx);
 void abac_context_free(abac_context_t *ctx);
 …
  * Operations on term/params.
  */
+abac_condition_t *abac_condition_create(char *vtype);
+abac_condition_t *abac_condition_create_from_aspect(abac_aspect_t *ptr);
 abac_condition_t *abac_condition_dup(abac_condition_t *ptr);
+int abac_condition_add_range_item(abac_condition_t*, char*, char*, char*);
 void abac_condition_free(abac_condition_t *ptr);
-abac_condition_t *abac_condition_from_string(char *string);
-abac_condition_t *abac_condition_from_aspect(abac_aspect_t *ptr);
 char *abac_condition_typed_string(abac_condition_t *ptr);
 char *abac_condition_string(abac_condition_t *ptr);
-char *abac_condtype_name(int);
 char *abac_term_to_time(char *string);
+int abac_term_isvar(abac_term_t *term);
 char *abac_term_typed_string(abac_term_t *ptr);
 char *abac_term_string(abac_term_t *ptr);
 …
 abac_term_t *abac_term_create(int, char*, abac_condition_t*);
 abac_term_t *abac_term_named_create(int, char*);
+bool abac_term_is_urn_type(abac_term_t *);
+bool abac_term_is_integer_type(abac_term_t *);
+bool abac_term_is_numeric(abac_term_t *);
+bool abac_term_is_alpha(abac_term_t *);
+bool abac_term_is_time(abac_term_t *);
+bool abac_term_is_integer_type(abac_term_t *term);
+bool abac_term_is_urn_type(abac_term_t *term);
+bool abac_term_is_string_type(abac_term_t *term);
+bool abac_term_is_time_type(abac_term_t *term);
 int abac_term_type(abac_term_t *term);
 abac_term_t *abac_term_add_constraint(abac_term_t *ptr, abac_condition_t *cond);
 abac_term_t *abac_term_new(int, char *, char *, abac_aspect_t *);
+abac_term_t *abac_term_new(int, char *, int, char *, void *);
 abac_term_t *abac_term_named_new(int, char *);
 void abac_term_free(abac_term_t *);
 …
 abac_term_t **abac_param_list_vectorize(abac_param_list_t *ptr);
 void abac_terms_free(abac_term_t **terms);
+int abac_verify_term_type(char *);
 /* from abac_verifier */
 …
 void abac_errx(int val, const char *string);
+/* from abac_pl_yap */
+void show_yap_db(const char *msg);
 /*
  * Error codes for loading certificates.
 …
 #define ABAC_CERT_BAD_CN            -4  // ID cert is not matching CN=principal format
 #define ABAC_CERT_BAD_YAP           -5  // failed to insert into prolog engine
+#define ABAC_CERT_EXISTS            1   // ID already exists (does not default to a failure)
 #define ABAC_ID_SUCCESS                     0
 …
 #define ABAC_ATTRIBUTE_INVALID_VALIDITY    -2
 #define ABAC_ATTRIBUTE_ISSUER_NOKEY        -3
+#define ABAC_ATTRIBUTE_FAIL                -4
+#define ABAC_TERM_SUCCESS                   0
+#define ABAC_TERM_FAIL                     -1

libabac/abac.hh

-                      rd037f54
+                      r440ba20
+              }
             /* range constraint */
+            Constraint(char *constraint) {
+                m_constraint=abac_condition_from_string(constraint);
+            Constraint(char *vartype) {
+                m_constraint=abac_condition_create(vartype);
+              }
+            /* min, max, target */
+            int add_constraint_item(char *vtype,char *itype, char *val) {
+                return abac_condition_add_range_item(m_constraint,vtype,itype,val);
+              }
+            void add_constraint_item_help() {
+                printf(" USAGE: add_constraint_item(\"integer\",\"max\",\"2000\"); \n");
+                printf("        add_constraint_item(\"time\",\"target\",\"20201101T182930\"); \n");
+              }
             /* role constraint */
 …
+            }
             /* can be an a variable data term or a specific value */
+            DataTerm(int type, char *name, Constraint *cond=NULL) {
+            DataTerm(char* typenm, char *name, Constraint *cond=NULL) {
+                int type=abac_verify_term_type(typenm);
                 if(debug) printf("adding a Dataterm (%s)\n",name);
+                if(type==ABAC_TERM_FAIL)
+                  abac_errx(1, "DataTerm, fail to create the term");
                 if(cond) {
                   m_cond=cond;
 …
    This will throw an exception if the cert's already been baked. */
             bool bake() {
+                /* can not bake in ABAC_CN mode */
+                if(USE("ABAC_CN"))
+                    abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set");
                 int rt=abac_attribute_bake(m_attr);
                 if(rt!=1)
 …
                 return abac_attribute_cert_chunk(m_attr);
+              }
+/* generate yap clauses and injected into db */
+            int consume() {
+              /* attribute needs to be baked */
+                if(!baked()) {
+                    return ABAC_ATTRIBUTE_FAIL;
+                }
+              }
       private:
             abac_attribute_t *m_attr;
 …
       ABAC_CERT_INVALID   invalid certificate (or file not found)
       ABAC_CERT_BAD_SIG   invalid signature */
+            void dump_yap() {
+                show_yap_db("dump_yap");
+              }
             int load_id(ABAC::ID& id) {
                 return abac_context_load_id_id(m_ctx, id.id());
 …
                 abac_context_credentials_free(creds);
+                if(debug) show_yap_db("calling from context_credentials");
                 return attributes;
+              }
 …
     Constraint::Constraint(Role *role)
     { m_constraint=abac_condition_from_aspect(role->role()); }
+    { m_constraint=abac_condition_create_from_aspect(role->role()); }
     Constraint::Constraint(Oset *oset)
     { m_constraint=abac_condition_from_aspect(oset->oset()); }
+    { m_constraint=abac_condition_create_from_aspect(oset->oset()); }
+}

libabac/abac_aspect.c

-                      rd037f54
+                      r440ba20
 /**************************************************************/
+void abac_aspect_dump(abac_aspect_t *ptr, char* offset)
+{
+    char *tmp=NULL;
+    asprintf(&tmp,"  %s",offset);
+    if(ptr->prereqs != 0) {
+        abac_aspect_t *cur;
+        abac_list_foreach(ptr->prereqs, cur,
+            if(cur)
+               abac_aspect_dump(cur, tmp);
+        );
+        return;
+    }
+    printf("\n..... an aspect .....\n");
+    printf("%s aspect_type: %d(%s)\n", offset, ptr->aspect_type, abac_aspect_type_string(ptr));
+    printf("%s is_object: %d\n", offset, ptr->is_object);
+    printf("%s principal_name: %s\n", offset, ptr->principal_name);
+    if(ptr->principal_name_p)
+       printf("%s principal_name_p: %s\n", offset, ptr->principal_name_p);
+       else printf("%s principal_name_p: --\n", offset);
+    if(ptr->principal_object)
+       abac_term_dump(ptr->principal_object, tmp);
+       else ("%s principal_object: --\n", offset);
+    if(ptr->linked_role_name)
+       printf("%s linked_role_name: %s\n", offset, ptr->linked_role_name);
+       else printf("%s linked_role_name: --\n", offset);
+    if(ptr->linked_role_params)
+       abac_param_dump(ptr->linked_role_params, tmp);
+       else printf("%s linked_role_params: --\n", offset);
+     if(ptr->aspect_name)
+       printf("%s aspect_name: %s\n", offset, ptr->aspect_name);
+       else printf("%s aspect_name: --\n", offset);
+    if(ptr->aspect_params)
+       abac_param_dump(ptr->aspect_params, tmp);
+       else printf("%s aspect_params: --\n", offset);
+    if(ptr->type_string)
+       printf("%s type_string:- %s\n", offset, ptr->type_string);
+       else printf("%s type_string: --\n", offset);
+    printf("%s refcount:- %d\n", offset, ptr->refcount);
+    printf("..................................");
+    free(tmp);
+}
 bool abac_aspect_is_oset(abac_aspect_t *ptr)
+{
 …
+}
+abac_term_t *abac_aspect_object_term(abac_aspect_t *ptr)
+{
+    return ptr->principal_object;
+}
 char *abac_aspect_object_name(abac_aspect_t *ptr)
+{
 …
     abac_term_t *obj=ptr->principal_object;
     return abac_term_constraint(obj);
+}
+char* abac_aspect_get_issuer_keytype(abac_aspect_t *ptr)
+{
+    abac_id_t *issuer_id;
+    char *principalname=abac_aspect_principal_principalname(ptr);
+    if(principalname) {
+        abac_id_credential_t *id_cred=abac_id_credential_lookup(principalname);
+        if(id_cred) {
+            issuer_id=abac_id_credential_id(id_cred);
+            return abac_id_keyid(issuer_id);
+        }
+    }
+    return NULL;
+}
+int abac_aspect_get_issuer_idtype(abac_aspect_t *ptr)
+{
+    abac_id_t *issuer_id;
+    char *principalname=abac_aspect_principal_principalname(ptr);
+    if(principalname) {
+        abac_id_credential_t *id_cred=abac_id_credential_lookup(principalname);
+        if(id_cred) {
+            issuer_id=abac_id_credential_id(id_cred);
+            return abac_id_idtype(issuer_id);
+        }
+    }
+    return 0;
+}

libabac/abac_common.h

-                      rd037f54
+                      r440ba20
 } abac_aspecttype_t;
+typedef enum _itemtype_t {
+    e_ITEM_MIN = 1,
+    e_ITEM_MAX = 2,
+    e_ITEM_TARGET = 3
+} abac_itemtype_t;
+/* itemname[itemtype] */
+static const char *const _itemname[] =
+{
+  "baditem",
+  "min",
+  "max",
+  "target"
+};
+static int _itemname_cnt=3;
 #endif

libabac/abac_id.c

-                      r8bd77b5
+                      r440ba20
 #include "abac_internal.h"
 #include "abac_util.h"
+static int debug=0;
 #define KEY_SUFFIX  "_private.pem"
 …
     id->key = NULL;
     id->refcount = 1;
+    if(debug) printf("abac_id_new: made a new id, %ld\n",(long) id);
     return id;
+}
 …
     abac_id_t *id = abac_xmalloc(sizeof(abac_id_t));
+    char *tmp=NULL;
+    asprintf(&tmp,"p%s",cn);
     id->idtype = e_KEYID;
     id->cn = abac_xstrdup(cn);
+    id->cn = tmp;
     id->key = _generate_key();
     id->cert = _generate_cert(id->key, cn, validity);

libabac/abac_internal.h

-                      rd037f54
+                      r440ba20
 #include "abac.h"
+int abac_condition_set_aspect_ptr(abac_condition_t *ptr, abac_aspect_t *aptr);
+int abac_condition_set_aspect_string(abac_condition_t *ptr, char *str);
+int abac_condition_set_range_string(abac_condition_t *ptr);
+int abac_condition_is_range(abac_condition_t *ptr);
+abac_aspect_t *abac_condition_of_aspect(abac_condition_t *ptr);
+void abac_aspect_dump(abac_aspect_t *ptr, char* offset);
+abac_term_t *abac_aspect_object_term(abac_aspect_t *ptr);
+void abac_condition_dump(abac_condition_t *ptr, char *offset);
+abac_list_t *abac_condition_range_list(abac_condition_t *ptr);
+void abac_term_dump(abac_term_t *ptr, char *offset);
+abac_item_t *abac_item_new(char *itype, char *val);
+int abac_item_type(abac_item_t *);
+char* abac_item_val(abac_item_t *);
+void abac_param_dump(abac_param_list_t *ptr, char *offset);
+abac_list_t *abac_param_list(abac_param_list_t *ptr);
+char* abac_aspect_get_issuer_keytype(abac_aspect_t *ptr);
+int abac_aspect_get_issuer_idtype(abac_aspect_t *ptr);
 certificate_t *abac_attribute_issuer_cert(abac_attribute_t *ptr);

libabac/abac_pl_gen.c

-                      rd037f54
+                      r440ba20
 int ABAC_IN_PROLOG=0;
+abac_list_t *abac_pl_constraints=NULL;
+/* to track id certs within a rule clause */
+typedef struct _abac_id_cert_t {
+    char *principalname;
+    int type; /* keyidtype */
+    char *clause;
+} abac_id_cert_t;
+abac_list_t *abac_pl_id_certs = NULL;
 extern int using_this;
 extern char* abac_yyfptr_encoded;
+extern int abac_yy_cnt_yy_id_certs();
+extern void abac_yy_free_yy_id_certs();
+extern char *abac_yy_string_yy_id_certs();
+extern void abac_yy_free_yy_constraints();
+extern char *abac_yy_string_yy_constraints();
+char *generate_pl_type_clause(char *principalname, int type);
 /***********************************************************************/
 …
+    }
     return clist;
+}
+/************************************************************************/
+/* this is for tracking prolog constraints */
+void abac_pl_init_constraints()
+{
+    abac_pl_constraints = abac_list_new();
+}
+void abac_pl_free_constraints()
+{
+    char *cur;
+    abac_list_foreach(abac_pl_constraints, cur,
+        if(cur)
+            free(cur);
+    );
+    abac_list_free(abac_pl_constraints);
+    abac_pl_constraints=NULL;
+}
+int abac_pl_cnt_constraints()
+{
+    return abac_list_size(abac_pl_constraints);
+}
+char *abac_pl_string_constraints()
+{
+    int first=1;
+    char *tmp=NULL;
+    char *final=NULL;
+    char* cur;
+    abac_list_foreach(abac_pl_constraints, cur,
+        if(cur)
+            if(first) {
+                final=abac_xstrdup(cur);
+                first=0;
+                } else {
+                    tmp=final;
+                    final=NULL;
+                    int cnt=asprintf(&final,"%s,%s", tmp, cur);
+            }
+    );
+    return final;
+}
+void abac_pl_add_constraints(char *constraint)
+{
+    if(abac_pl_constraints == NULL)
+        abac_pl_init_constraints();
+    char* nptr=abac_xstrdup(constraint);
+    abac_list_add(abac_pl_constraints, nptr);
+}
+/************************************************************************/
+void abac_pl_init_id_certs()
+{
+    abac_pl_id_certs = abac_list_new();
+}
+void abac_pl_free_id_certs()
+{
+    if(abac_pl_id_certs==NULL)
+        return;
+    abac_id_cert_t *id;
+    abac_list_foreach(abac_pl_id_certs, id,
+        if(id)
+            free(id->principalname);
+            free(id->clause);
+            free(id);
+    );
+    abac_list_free(abac_pl_id_certs);
+    abac_pl_id_certs = NULL;
+}
+int abac_pl_cnt_id_certs()
+{
+    return abac_list_size(abac_pl_id_certs);
+}
+char *abac_pl_string_id_certs()
+{
+    int first=1;
+    char *tmp=NULL;
+    abac_id_cert_t *cur;
+    abac_list_foreach(abac_pl_id_certs, cur,
+        if(cur)
+            if(first) {
+                tmp=abac_xstrdup(cur->clause);
+                first=0;
+                } else {
+                    int cnt=asprintf(&tmp,"%s,%s", tmp, cur->clause);
+            }
+    );
+    return tmp;
+}
+void abac_pl_add_id_certs(char *principalname, int type)
+{
+    abac_id_cert_t *id_cert=NULL;
+    int found=0;
+    abac_id_cert_t *cur;
+    if(debug) {
+         printf("add_id_certs: adding --> (%s)\n", principalname);
+    }
+    if(abac_pl_id_certs == NULL) {
+        abac_pl_init_id_certs();
+        } else {
+            abac_list_foreach(abac_pl_id_certs, cur,
+                if(cur)
+                    if(strcmp(cur->principalname,principalname)==0) {
+                       found=1;
+                       break;
+                    }
+            );
+    }
+    if (found) {
+        return;
+        } else {
+            id_cert=abac_xmalloc(sizeof(abac_id_cert_t));
+            id_cert->principalname=abac_xstrdup(principalname);
+            id_cert->type=type;
+            id_cert->clause=generate_pl_type_clause(principalname,type);
+            abac_list_add(abac_pl_id_certs, id_cert);
+    }
+}
 …
+     }
      if(debug && tmp) printf("head_string: (%s)\n",tmp);
+     if(debug && tmp) printf("generate_pl_head_string: (%s)\n",tmp);
      if(cnt>0)
         return tmp;
 …
+{
     /*only,  A.R <- B */
+    if(debug)
+         printf("calling _build_constraint_rule_clause (%s)(%s)\n", head_string, tail_string);
     char *tmp;
     int idx=_get_next_cred_idx();
 …
    abac_list_t *clauses=abac_list_new();
    int cnt=abac_yy_cnt_yy_id_certs();
+   int cnt=abac_pl_cnt_id_certs();
    if(cnt > 0) { /* string it up */
        id_clauses_string=abac_yy_string_yy_id_certs();
        abac_yy_free_yy_id_certs();
+       id_clauses_string=abac_pl_string_id_certs();
+       abac_pl_free_id_certs();
+   }
    /* make a loop here */
    cnt=abac_yy_cnt_yy_constraints();
+   cnt=abac_pl_cnt_constraints();
    if(cnt > 0) {
       constraint_clauses_string=abac_yy_string_yy_constraints();
       abac_yy_free_yy_constraints();
+      constraint_clauses_string=abac_pl_string_constraints();
+      abac_pl_free_constraints();
+   }
 …
     if(typeid==NULL || strcmp(typeid,"NULL")==0)
         panic("generate_pl_type_clause: can not have null typeid");
+    if(debug)
+        printf("generate type clause, (%s)\n", principalname);
     int cnt=asprintf(&tmp,"isType(%s,%s)",
                                 principalname, typeid);

libabac/abac_pl_yap.c

-                      rd037f54
+                      r440ba20
+}
 static void _show_yap_db(char *msg)
+void show_yap_db(const char *msg)
+{
     char lstr[]="listing";
 …
       acme.buys_rocket <- coyote (coyote=prin, acme.buys_rocket=role)
         ==> isMember(coyote,role(acme,buys_rocket), L)
       acme.buys_rocket <- acme.preferred_customer  -- NOT DONE YET */
+      acme.buys_rocket <- acme.preferred_customer  -- NOT valid
+*/
 static abac_stack_t *_query_with_aspect(abac_pl_t *pl, abac_aspect_t* head, abac_aspect_t* tail)
+{
 …
     if(debug)
         _show_yap_db("DEBUG:calling within _query_with_aspect");
+        show_yap_db("DEBUG:calling within _query_with_aspect");
     char *nm;
 …
     ret=_make_yap_query(prin_nm,nm,tmp);
     return ret;
+}
-/* this is only if the db is rather complete */
-static abac_stack_t *_dump_db(abac_pl_t *pl)
+{
-    YAP_Term *eterm;
-    YAP_Term arg[3];
-    char tmp[5000];
-    abac_stack_t *cred_list = abac_stack_new();
-    if(USE("DUMP_DB"))
-        _show_yap_db("DEBUG:calling within _dump_db");
-    char *estring=NULL;
-    YAP_Term *eterm1;
-    YAP_Term *eterm2;
-    asprintf(&estring,"_");
-/*
-    arg[0]=YAP_ReadBuffer(estring,eterm1);
-    arg[1]=YAP_ReadBuffer(estring,eterm2);
-*/
-    arg[0]=YAP_MkVarTerm();
-    arg[1]=YAP_MkVarTerm();
-    arg[2]=YAP_MkVarTerm();
-    YAP_Atom f = YAP_LookupAtom("isMember");
-    YAP_Functor func = YAP_MkFunctor(f, 3);
-    YAP_Term goal=YAP_MkApplTerm(func, 3, arg);
-    int rc =YAP_RunGoal( goal );
-    if (rc) {
-        printf("YAP dump succeed\n");
-        YAP_WriteBuffer(arg[2], tmp, 5000,YAP_WRITE_HANDLE_VARS);
-        if(debug) printf("    dump answer : %s\n", tmp);
-        /* this is returned as ['string1','string2'] */
-        _credentials_from_string(cred_list,tmp);
-        while (YAP_RestartGoal()) {
-            if(debug) printf("another dump success\n");
-            YAP_WriteBuffer(arg[2], tmp, 5000,YAP_WRITE_HANDLE_VARS);
-            if(debug) printf("    dump restart answer : %s\n", tmp);
-            _credentials_from_string(cred_list,tmp);
+        }
-    } else {
-        printf("YAP _dump_db query failed\n");
-        /* YAP_Exit(1); */
+    }
-    return cred_list;
+}
-/* findall(X,isMember(_,_,X),L) */
-static abac_stack_t *_dump2_db(abac_pl_t *pl)
+{
-    YAP_Term *eterm;
-    YAP_Term arg[3];
-    char tmp[5000];
-    abac_stack_t *cred_list = abac_stack_new();
-    if(debug)
-        _show_yap_db("DEBUG:calling within _dump2_db");
-    char *estring="isMember(_,_,X)";
-    arg[0]=YAP_MkAtomTerm(YAP_LookupAtom("X"));
-    arg[1]=YAP_ReadBuffer(estring,eterm);
-    arg[2]=YAP_MkVarTerm();
-    YAP_Atom f = YAP_LookupAtom("findall");
-    YAP_Functor func = YAP_MkFunctor(f, 3);
-    YAP_Term goal=YAP_MkApplTerm(func, 3, arg);
-    int rc =YAP_RunGoal( goal );
-    if (rc) {
-        printf("YAP dump succeed\n");
-        YAP_WriteBuffer(arg[2], tmp, 5000,YAP_WRITE_HANDLE_VARS);
-        if(debug) printf("    dump answer : %s\n", tmp);
-        /* this is returned as ['string1','string2'] */
-        _credentials_from_string(cred_list,tmp);
-        } else {
-            printf("YAP _dump2_db query failed\n");
-            /* YAP_Exit(1); */
+    }
-    return cred_list;
+}

libabac/abac_pl_yy.c

-                      rd037f54
+                      r440ba20
 /* from abac_pl_gen.c */
-extern char *generate_pl_range_constraint(char *,char *,char *,char *);
-extern char *generate_pl_range_time_constraint(char *,char *,char *);
 extern abac_list_t *generate_pl_clauses(abac_aspect_t *, abac_aspect_t *);
+extern char* generate_pl_constraint_clause(abac_aspect_t *, char *);
+extern char *generate_pl_type_clause(char *, int);
+/* from abac_pl_yap.c */
+extern char *abac_pl_add_range_constraint_clause(char *var, char *tmplist);
 /* from rt2.y */
 extern void abac_yyinit();
 …
 abac_aspect_t *abac_rule_tail_aspect=NULL;
-/* to track id certs within a rule clause */
-typedef struct _abac_yy_id_cert_t {
-    char *principalname;
-    int type; /* keyidtype */
-    char *clause;
-} abac_yy_id_cert_t;
-abac_list_t *abac_yy_id_certs = NULL;
 /* structure to hold the range information
 …
 } abac_yy_range_t;
-/* to track role/oset constraint clauses used within a rule clause,
-   collect them up in one place, these are for conjunction clauses */
-typedef struct _abac_yy_constraint_t {
-    char *clause;
-} abac_yy_constraint_t;
-abac_list_t *abac_yy_constraints = NULL;
 /* local principal structure  [keyid:USC] */
 struct _abac_yy_principal_t {
 …
     int is_anonymous;
     char *name;
+    char *cond_str;
+    void *cond_ptr; // ptr to a saved abac_aspect_t
+    int isrange;
+    char *cond_str;  // range string ???  not sure if this is possible
+    void *cond_ptr; // ptr to a saved abac_aspect_t or a list(item_t)
     abac_yy_expression_t *cond_head_expr;
 };
 …
     int type;
     char *name;
     char *cond_str;
     void *cond_ptr; // ptr to a saved abac_aspect_t
+    char *cond_str; // range string
+    void *cond_ptr; // ptr to a saved abac_aspect_t
     abac_list_t *cond_range;
     abac_yy_expression_t *cond_head_expr; // parking stub
 …
+{
     if (abac_rule_clauses != NULL) {
+        char *cur;
+        if(abac_yy_id_certs) {
+            abac_list_foreach(abac_yy_id_certs, cur,
+                if(cur) free(cur);
+            );
+        }
+        abac_pl_free_id_certs();
         abac_list_free(abac_rule_clauses);
+    }
 …
 /************************************************************************/
-void abac_yy_init_yy_id_certs()
+{
-    abac_yy_id_certs = abac_list_new();
+}
-void abac_yy_free_yy_id_certs()
+{
-    abac_yy_id_cert_t *id;
-    abac_list_foreach(abac_yy_id_certs, id,
-        if(id)
-            free(id->principalname);
-            free(id->clause);
-            free(id);
-    );
-    abac_list_free(abac_yy_id_certs);
-    abac_yy_id_certs = NULL;
+}
-int abac_yy_cnt_yy_id_certs()
+{
-    return abac_list_size(abac_yy_id_certs);
+}
-char *abac_yy_string_yy_id_certs()
+{
-    int first=1;
-    char *tmp=NULL;
-    abac_yy_id_cert_t *cur;
-    abac_list_foreach(abac_yy_id_certs, cur,
-        if(cur)
-            if(first) {
-                tmp=abac_xstrdup(cur->clause);
-                first=0;
-                } else {
-                    int cnt=asprintf(&tmp,"%s,%s", tmp, cur->clause);
+            }
-    );
-    return tmp;
+}
-static void _add_yy_id_certs(char *principalname, int type)
+{
-    abac_yy_id_cert_t *id_cert=NULL;
-    if(debug) {
-         printf("add_yy_id_certs: adding --> (%s)\n", principalname);
+    }
-    int found=0;
-    abac_yy_id_cert_t *cur;
-    abac_list_foreach(abac_yy_id_certs, cur,
-        if(cur)
-            if(strcmp(cur->principalname,principalname)==0) {
-               found=1;
-               break;
+            }
-    );
-    if (found) {
-        return;
-        } else {
-            id_cert=abac_xmalloc(sizeof(abac_yy_id_cert_t));
-            id_cert->principalname=abac_xstrdup(principalname);
-            id_cert->type=type;
-            if(USE("ABAC_CN")) {
-                 id_cert->clause=generate_pl_type_clause(principalname,type);
-                 } else {
-                    int *tmp=NULL;
-                    asprintf(&tmp,"p%s",principalname);
-                    id_cert->clause=generate_pl_type_clause(tmp,type);
-                    free(tmp);
+            }
-            abac_list_add(abac_yy_id_certs, id_cert);
+    }
+}
-/***********************************************************************/
 static void _free_yy_cond_range(abac_list_t *ptr)
+{
 …
 void set_yy_term_data_type(abac_yy_term_data_t *ptr, char* typestr)
+{
     int type=abac_term_verify_term_type(typestr);
+    int type=abac_verify_term_type(typestr);
     ptr->type=type;
+}
 …
 bool is_yy_term_data_type_numeric(abac_yy_term_data_t *ptr)
+{
     if(ptr->type==abac_term_verify_term_type("integer") ||
           ptr->type==abac_term_verify_term_type("float"))
+    if(ptr->type==abac_verify_term_type("integer") ||
+          ptr->type==abac_verify_term_type("float"))
         return 1;
     return 0;
 …
 bool is_yy_term_data_type_time(abac_yy_term_data_t *ptr)
+{
     if(ptr->type==abac_term_verify_term_type("time"))
+    if(ptr->type==abac_verify_term_type("time"))
         return 1;
     return 0;
 …
 bool is_yy_term_data_type_alpha(abac_yy_term_data_t *ptr)
+{
     if(ptr->type==abac_term_verify_term_type("string") ||
         ptr->type==abac_term_verify_term_type("urn") ||
          ptr->type==abac_term_verify_term_type("boolean"))
+    if(ptr->type==abac_verify_term_type("string") ||
+        ptr->type==abac_verify_term_type("urn") ||
+         ptr->type==abac_verify_term_type("boolean"))
         return 1;
     return 0;
 …
     ptr->is_anonymous=0;
     ptr->name=NULL;
+    ptr->isrange=0;
     ptr->cond_str=NULL;
+    ptr->cond_ptr=NULL;
     ptr->cond_head_expr=NULL;
     return ptr;
 …
+{
     using_this=1;
+}
+void set_yy_term_principal_isrange(abac_yy_term_principal_t *ptr, int isrange)
+{
+    ptr->isrange=isrange;
+}
 …
     ptr->next=NULL;
     ptr->bcnt=1;
-    return ptr;
+}
-/************************************************************************/
-void abac_yy_init_yy_constraints()
+{
-    abac_yy_constraints = abac_list_new();
+}
-void abac_yy_free_yy_constraints()
+{
-    abac_yy_constraint_t *cur;
-    abac_list_foreach(abac_yy_constraints, cur,
-        if(cur && cur->clause)
-            free(cur->clause);
-        free(cur);
-    );
-    abac_list_free(abac_yy_constraints);
-    abac_yy_constraints=NULL;
+}
-int abac_yy_cnt_yy_constraints()
+{
-    return abac_list_size(abac_yy_constraints);
+}
-char *abac_yy_string_yy_constraints()
+{
-    int first=1;
-    char *tmp=NULL;
-    abac_yy_constraint_t *cur;
-    abac_list_foreach(abac_yy_constraints, cur,
-        if(cur && cur->clause)
-            if(first) {
-                tmp=abac_xstrdup(cur->clause);
-                first=0;
-                } else {
-                    int cnt=asprintf(&tmp,"%s,%s", tmp, cur->clause);
+            }
-    );
-    return tmp;
+}
-abac_yy_constraint_t *abac_yy_add_yy_constraints(char *constraint)
+{
-    abac_yy_constraint_t *ptr=
-        (abac_yy_constraint_t *) abac_xmalloc(sizeof(abac_yy_constraint_t));
-    ptr->clause=abac_xstrdup(constraint);
-    abac_list_add(abac_yy_constraints, ptr);
     return ptr;
+}
 …
 /***************************************************************************/
 /* add the oset condition to constraint list */
 char *make_yy_oset_constraint(abac_yy_term_data_t *ptr, char *tail_string)
+void make_yy_oset_constraint(abac_yy_term_data_t *ptr, char *tail_string)
+{
    abac_yy_expression_t *head_expr=get_yy_term_data_cond_head_expr(ptr);
    if(head_expr) {
        abac_aspect_t *head_aspect=validate_head(e_yy_OSET_TYPE,head_expr);
+       if(head_aspect == NULL)
+           goto error;
+       char *tmp=generate_pl_constraint_clause(head_aspect,tail_string);
+       set_yy_term_data_cond_str(ptr,tmp);
+       set_yy_term_data_cond_ptr(ptr,head_aspect);
+       abac_yy_add_yy_constraints(tmp);
+       return tmp;
+       if(head_aspect != NULL) {
+           if(debug) printf("make_yy_oset_constraint..\n");
+           set_yy_term_data_cond_ptr(ptr,head_aspect);
+       }
+   }
-error:
-   return NULL;
+}
 /* add the role condition to constraint list */
 char *make_yy_role_constraint(abac_yy_term_principal_t *ptr, char *tail_string)
+void make_yy_role_constraint(abac_yy_term_principal_t *ptr, char *tail_string)
+{
    abac_yy_expression_t *head_expr=get_yy_term_principal_cond_head_expr(ptr);
    if(head_expr) {
        abac_aspect_t *head_aspect=validate_head(e_yy_ROLE_TYPE,head_expr);
+       if(head_aspect == NULL)
+           goto error;
+       char *tmp=generate_pl_constraint_clause(head_aspect,tail_string);
+       set_yy_term_principal_cond_str(ptr,tmp);
+       set_yy_term_principal_cond_ptr(ptr,head_aspect);
+       abac_yy_add_yy_constraints(tmp);
+       if(debug) {
+           printf("make_yy_role_constraint, adding (%s) \n",tmp);
+       if(head_aspect != NULL) {
+          if(debug) printf("make_yy_role_constraint..\n");
+          set_yy_term_principal_cond_ptr(ptr,head_aspect);
+          set_yy_term_principal_isrange(ptr,0);
+       }
-       return tmp;
+   }
-error:
-   return NULL;
+}
 /****************************************************************/
-/* add the range condition to constraint list */
-/* this is for integer and float only */
-void make_yy_range_numeric_constraint(abac_yy_term_data_t *ptr, char *var)
+{
-   char *typestr=abac_termtype_string(ptr->type);
-   abac_list_t *rlist=get_yy_term_data_cond_range(ptr);
-   char *tmplist=NULL;
-   char *tmp=NULL;
-   int as_range=1; /* either , or ; */
-   if(rlist) {
-       char *rstring=_string_yy_cond_range(rlist);
-       set_yy_term_data_cond_str(ptr,rstring);
-       abac_yy_range_t *cur;
-       /* a list of values -- in chars */
-       abac_list_foreach(rlist, cur,
-           int type=cur->type;
-           char *val=cur->val;
-           switch(type) {
-             case e_yy_RANGE_MIN:
-               tmp=generate_pl_range_constraint(typestr,var,val,">=");
-               break;
-             case e_yy_RANGE_MAX:
-               tmp=generate_pl_range_constraint(typestr,var,val,"=<");
-               break;
-             case e_yy_RANGE_TARGET:
-               tmp=generate_pl_range_constraint(NULL,var,val,"=");
-               as_range=0;
-               break;
+           }
-           /* ; is prolog's disjunction built in predicate */
-           if(tmplist) {
-               if(as_range)
-                   asprintf(&tmplist,"%s,%s",tmplist,tmp);
-                   else
-                       asprintf(&tmplist,"%s;%s",tmplist,tmp);
-               } else {
-                   tmplist=tmp;
+           }
-           tmp=NULL;
-       );
-       asprintf(&tmplist,"(%s)",tmplist);
-       abac_yy_add_yy_constraints(tmplist);
+   }
+}
-/****************************************************************/
-/* this is for time only */
-void make_yy_range_time_constraint(abac_yy_term_data_t *ptr, char *var)
+{
-   char *typestr=abac_termtype_string(ptr->type);
-   abac_list_t *rlist=get_yy_term_data_cond_range(ptr);
-   char *tmplist=NULL;
-   char *tmp=NULL;
-   char *ttmp=NULL;
-   char *tlist=NULL;
-   int as_range=1; /* either , or ; */
-   if(rlist) {
-       char *rstring=_string_yy_cond_range(rlist);
-       set_yy_term_data_cond_str(ptr,rstring);
-       abac_yy_range_t *cur;
-       /* a list of values -- in chars */
-       abac_list_foreach(rlist, cur,
-           int type=cur->type;
-           char *tval=cur->val;
-           char *val=abac_term_to_time(tval);
-           switch(type) {
-             case e_yy_RANGE_MIN:
-               ttmp=generate_pl_range_time_constraint(var,val,">");
-               tmp=generate_pl_range_time_constraint(var,val,"=");
-               asprintf(&tlist,"(%s;%s)",ttmp,tmp);
-               tmp=tlist;
-               break;
-             case e_yy_RANGE_MAX:
-               ttmp=generate_pl_range_time_constraint(var,val,"=");
-               tmp=generate_pl_range_time_constraint(var,val,"<");
-               asprintf(&tlist,"(%s;%s)",ttmp,tmp);
-               tmp=tlist;
-               break;
-             case e_yy_RANGE_TARGET:
-               tmp=generate_pl_range_time_constraint(var,val,"=");
-               as_range=0;
-               break;
+           }
-           free(val);
-           /* ; is prolog's disjunction built in predicate */
-           if(tmplist) {
-               if(as_range)
-                   asprintf(&tmplist,"%s,%s",tmplist,tmp);
-                   else
-                       asprintf(&tmplist,"%s;%s",tmplist,tmp);
-               } else {
-                   tmplist=tmp;
+           }
-           tmp=NULL;
-       );
-       asprintf(&tmplist,"(%s)",tmplist);
-       /* generate a clause with above and add into db */
-       tmp=abac_pl_add_range_constraint_clause(var,tmplist);
-       abac_yy_add_yy_constraints(tmp);
+   }
+}
-/****************************************************************/
-/* this is for string and urn only */
-void make_yy_range_string_constraint(abac_yy_term_data_t *ptr, char *var)
+{
-   char *typestr=abac_termtype_string(ptr->type);
-   abac_list_t *rlist=get_yy_term_data_cond_range(ptr);
-   char *tmplist=NULL;
-   char *tmp=NULL;
-   if(rlist) {
-       char *rstring=_string_yy_cond_range(rlist);
-       set_yy_term_data_cond_str(ptr,rstring);
-       abac_yy_range_t *cur;
-       /* a list of values -- in chars */
-       abac_list_foreach(rlist, cur,
-           int type=cur->type;
-           char *val=cur->val;
-           switch(type) {
-             case e_yy_RANGE_MIN:
-               panic("make_yy_range_string_constraint, invalid range type - min");
-               break;
-             case e_yy_RANGE_MAX:
-               /* invalid range type */
-               panic("make_yy_range_string_constraint, invalid range type - max");
-               break;
-             case e_yy_RANGE_TARGET:
-               tmp=generate_pl_range_constraint(NULL,var,val,"=");
-               break;
+           }
-           /* ; is prolog's disjunction built in predicate */
-           if(tmplist)
-               asprintf(&tmplist,"%s;%s",tmplist,tmp);
-               else tmplist=tmp;
-           tmp=NULL;
-       );
-       asprintf(&tmplist,"(%s)",tmplist);
-       /* generate a clause with above and add into db */
-       tmp=abac_pl_add_range_constraint_clause(var,tmplist);
-       abac_yy_add_yy_constraints(tmp);
+   }
+}
-void make_yy_range_constraint(abac_yy_term_data_t *ptr, char *var)
+{
-    if(is_yy_term_data_type_numeric(ptr)) {
-        make_yy_range_numeric_constraint(ptr, var);
-        } else if (is_yy_term_data_type_alpha(ptr)) {
-            make_yy_range_string_constraint(ptr, var);
-            } else if (is_yy_term_data_type_time(ptr)) {
-                make_yy_range_time_constraint(ptr, var);
+    }
+}
-/************************************************************************/
 static void _aspect_add_terms(int linked, abac_aspect_t *aspect_ptr,
 abac_yy_term_t *terms)
 …
     int type;
     int isnamed;
+    int isrange;
     char *name;
     char *cond;
 …
         ptr=NULL;
         isnamed=0;
+        isrange=0;
         switch (curr->type) {
            case e_yy_DTERM_DATA:
 …
                type=dptr->type;
                name=abac_xstrdup(dptr->name);
                if(dptr->cond_str) {
+               if(dptr->cond_str)
                   cond=abac_xstrdup(dptr->cond_str);
                   ptr=dptr->cond_ptr;
+               }
+               ptr=dptr->cond_ptr;
+               isrange=(dptr->cond_range!=NULL)?1:0;
                break;
+           }
 …
+           {
                abac_yy_term_principal_t *pptr=curr->term.p_ptr;
                type=abac_term_verify_term_type("principal");
+               type=abac_verify_term_type("principal");
                name=abac_xstrdup(pptr->name);
                if(pptr->cond_str) {
+               if(pptr->cond_str)
                   cond=abac_xstrdup(pptr->cond_str);
                   ptr=pptr->cond_ptr;
+               }
+               ptr=pptr->cond_ptr;
+               isrange=pptr->isrange;
                break;
+           }
 …
            case e_yy_DTERM_ANONYMOUS:
+           {
               type=abac_term_verify_term_type("anonymous");
+              type=abac_verify_term_type("anonymous");
               name=abac_xstrdup("_");
               break;
 …
        if(isnamed)
            param=abac_term_named_new(type,name);
            else param=abac_term_new(type,name,cond,ptr);
+           else param=abac_term_new(type,name,isrange,cond,ptr);
        if (linked)
            abac_aspect_add_linked_param(aspect_ptr, param);
 …
      char *principalname=get_yy_principal_sha(principal);
-     char *othername=get_yy_principal_name(principal);
      char *name=ptr->name;
      abac_yy_term_t *terms=ptr->terms;
 …
           _aspect_add_aspect_terms(aptr, terms);
+     }
-     _add_yy_id_certs(othername,get_yy_principal_type(principal));
      return aptr;
 …
      abac_yy_principal_t *principal=expr->principal;
      char *principalname=get_yy_principal_sha(principal);
-     char *othername=get_yy_principal_name(principal);
      abac_aspect_t *ptr=NULL;
 …
          ptr=abac_aspect_oset_principal_new(principalname);
          else ptr=abac_aspect_role_principal_new(principalname);
-     _add_yy_id_certs(othername,get_yy_principal_type(principal));
      if (ptr==NULL)
          goto error;
 …
      char *cond=object->cond_str;
      void *ptr=object->cond_ptr;
+     abac_term_t *term=abac_term_new(type,name,cond,ptr);
+     int isrange=(object->cond_range!=NULL)?1:0;
+     abac_term_t *term=abac_term_new(type,name,isrange,cond,ptr);
      abac_aspect_t *aptr=NULL;
      if(yytype==e_yy_OSET_TYPE)
 …
          else
              goto error; /* can not be a role expression with obj */
-     if(get_yy_term_data_is_variable(object))
-         _add_yy_id_certs(name,type);
      if (aptr==NULL)
          goto error;
 …
      char *principalname=get_yy_principal_sha(principal);
-     char *othername=get_yy_principal_name(principal);
      char *name=eptr->name;
      abac_yy_term_t *terms=eptr->terms;
 …
          _aspect_add_aspect_terms(ptr, terms);
+     }
-     _add_yy_id_certs(othername,get_yy_principal_type(principal));
      return ptr;
 …
      char *principalname=get_yy_principal_sha(principal);
-     char *othername=get_yy_principal_name(principal);
      char *name=eptr->name;
      abac_yy_term_t *terms=eptr->terms;
 …
          _aspect_add_aspect_terms(ptr, terms);
+     }
-     _add_yy_id_certs(othername,get_yy_principal_type(principal));
      return ptr;
 …
         } /* while */
+        preprocess_pl_head(head_oset);
+        preprocess_pl_tail(tail_oset);
 /* XXX collect up type clauses, constraint clauses and
    generate rule clauses */
 …
+}
+/*****************************************************************************/
+abac_list_t *validate_range(abac_list_t *ptr)
+{
+    abac_list_t *nlist=abac_list_new();
+    abac_item_t *nitem;
+    abac_yy_range_t *cur;
+    char *val;
+    int type;
+    abac_list_foreach(ptr, cur,
+        if(cur) {
+            type=cur->type;
+            val=cur->val;
+            if(type==e_yy_RANGE_MIN) nitem=abac_item_new("min",val);
+            if(type==e_yy_RANGE_MAX) nitem=abac_item_new("max",val);
+            if(type==e_yy_RANGE_TARGET) nitem=abac_item_new("target",val);
+            abac_list_add(nlist,nitem);
+        }
+    );
+    return nlist;
+}
+/****************************************************************/
+void make_yy_range_constraint(abac_yy_term_data_t *ptr)
+{
+    if(is_yy_term_data_type_numeric(ptr) ||
+        is_yy_term_data_type_alpha(ptr) ||
+           is_yy_term_data_type_time(ptr)) {
+       abac_list_t *rlist=get_yy_term_data_cond_range(ptr);
+       if(rlist) {
+           abac_list_t *nlist=validate_range(rlist);
+           set_yy_term_data_cond_ptr(ptr,nlist);
+       }
+    }
+}
 /*****************************************************************************/
 /* build up the abac structure and also create the yap clause
 …
         } /* while */
+        preprocess_pl_head(head_role);
+        preprocess_pl_tail(tail_role);
 /* collect up type clauses, constraint clauses and
    generate the final rule clauses */
 …
    abac_yyinit();
    abac_yy_init_rule_id_clauses();
+   abac_yy_init_yy_id_certs();
+   abac_yy_init_yy_constraints();
+}
+}

libabac/abac_pl_yy.h

-                      r8bd77b5
+                      r440ba20
 extern abac_list_t *make_yy_minmax_range(char *min, char *max);
 extern abac_list_t *make_yy_min_range(char *min);
+extern char *make_yy_oset_constraint(abac_yy_term_data_t *ptr, char *tail_string);
+extern char *make_yy_oset_constraint(abac_yy_term_data_t *ptr, char *tail_string);
+extern void make_yy_range_constraint(abac_yy_term_data_t *ptr);
+extern void make_yy_oset_constraint(abac_yy_term_data_t *ptr, char *tail_string);
+extern void make_yy_role_constraint(abac_yy_term_principal_t *ptr, char *tail_string);
 extern abac_yy_principal_t *make_yy_principal(char *sha, char *cn, int type);
-extern void make_yy_range_constraint(abac_yy_term_data_t *ptr, char *var);
 extern abac_yy_roleoset_t *make_yy_roleoset_role(char *name, abac_yy_term_t *terms);
 extern abac_yy_roleoset_t *make_yy_roleoset_oset(char *name, abac_yy_term_t *terms);
-extern char *make_yy_oset_constraint(abac_yy_term_data_t *ptr, char *tail_string);
-extern char *make_yy_role_constraint(abac_yy_term_principal_t *ptr, char *tail_string);
 extern abac_yy_term_data_t *make_yy_term_data();
 extern void set_yy_term_data_name(abac_yy_term_data_t *ptr, char *name);

libabac/abac_term.c

-                      rd037f54
+                      r440ba20
 static int debug=0;
+/* string will contain either
+     the range literal (static constraint)
+       or
+     the oset/role prologized string (dynamic constraint)
+   union ptr will only be set if it is a dynamic
+   constraint */
+/* itemtype is
+     e_ITEM_MIN=1,
+     e_ITEM_MAX=2,
+     e_ITEM_TARGET=3,
+ [a..b], [a..], [..b], [a],[a,b],[many a]
+*/
+struct _abac_item_t {
+    int itemtype;
+    char *val;
+};
+/* condtype is
+     e_COND_ROLE = 1,
+     e_COND_OSET = 2,
+     e_COND_RANGE = 3
+   vartype is one of termtype
+   string will contain either
+       the range literal (static constraint)
+      or
+       the oset/role prologized string (dynamic constraint)
+      it is set if this condition has been pre-processed for codegen
+   of_aspect ptr will only be set only if it is a dynamic
+       constraint
+   range_list is set only if needed
+*/
 struct _abac_condition_t {
+    int type;
+    int condtype;
+    int vartype;
     char *string;
+    abac_list_t *range_list;
     abac_aspect_t *of_aspect;
 };
 …
    idtype_t/name/p_name pair for the named principal term
 */
 struct _abac_term_t {
     int type;
     char *name;
-    // e_TERM_PRINCIPAL isnamed
     int isnamed;
     char *p_name;
 …
 };
 /******************************************************************/
 char *abac_condtype_name(int i)
+char *abac_condtype_string(int i)
+{
     if(i>_condname_cnt)
         panic("abac_condtype_name: went out of range on condname");
+        panic("abac_condtype_string: went out of range on condname");
     return (char *) _condname[i];
+}
+abac_condition_t *abac_condition_new(int type,char* condstr,abac_aspect_t *cptr)
+char *abac_termtype_string(int i)
+{
+    if(i>_termname_cnt)
+        panic("abac_termtype_string: went out of range on termname");
+    return (char *) _termname[i];
+}
+int abac_verify_term_type(char *type) {
+    int i;
+    if (type == NULL)
+        panic("abac_verify_term_type: fail with NULL type\n");
+    for (i = 1; i <= _termname_cnt ; i++)
+        if(strcmp(type,_termname[i])==0)
+            return i;
+    panic("abac_verify_term_type: fail with unfounded type\n");
+}
+int abac_verify_item_type(char *type) {
+    int i;
+    if (type == NULL)
+        panic("abac_verify_item_type: fail with NULL type\n");
+    for (i = 1; i <= _itemname_cnt ; i++)
+        if(strcmp(type,_itemname[i])==0)
+            return i;
+    panic("abac_verify_item_type: fail with unfounded type\n");
+}
+char *abac_range_string(abac_list_t *ptr)
+{
+    assert(ptr);
+    char *tmp=NULL;
+    char *min=NULL;
+    char *max=NULL;
+    char *val=NULL;
+    int type;
+    abac_item_t *cur;
+    assert(ptr);
+    abac_list_foreach(ptr, cur,
+        type=cur->itemtype;
+        switch (type) {
+            case e_ITEM_MIN:
+                min=abac_xstrdup(cur->val);
+                break;
+            case e_ITEM_MAX:
+                max=abac_xstrdup(cur->val);
+                break;
+            case e_ITEM_TARGET:
+                if(val)
+                    asprintf(&val,"%s,%s",val,cur->val);
+                else val=abac_xstrdup(cur->val);
+                break;
+        }
+    );
+    if(max && min) {
+         asprintf(&tmp,"[%s..%s]",min,max);
+         free(max);
+         free(min);
+         return tmp;
+    }
+    if(max) {
+         asprintf(&tmp,"[..%s]",max);
+         free(max);
+         return tmp;
+    }
+    if(min) {
+         asprintf(&tmp,"[%s..]",min);
+         free(min);
+         return tmp;
+    }
+    if(val) {
+         asprintf(&tmp,"[%s]",val);
+         free(val);
+         return tmp;
+    }
+    return NULL;
+}
+/******************************************************************/
+abac_item_t *abac_item_new(char *itype, char *val)
+{
+     abac_item_t *nptr=
+             (abac_item_t *)abac_xmalloc(sizeof(abac_item_t));
+     nptr->itemtype=abac_verify_item_type(itype);
+     nptr->val=abac_xstrdup(val);
+     return nptr;
+}
+void abac_item_free(abac_item_t *ptr)
+{
+     assert(ptr);
+     assert(ptr->val);
+     free(ptr->val);
+     free(ptr);
+}
+abac_item_t *abac_item_dup(abac_item_t *ptr)
+{
+     abac_item_t *nptr=
+             (abac_item_t *)abac_xmalloc(sizeof(abac_item_t));
+     nptr->itemtype=ptr->itemtype;
+     nptr->val=abac_xstrdup(ptr->val);
+     return nptr;
+}
+int abac_item_type(abac_item_t *ptr)
+{
+    return ptr->itemtype;
+}
+char *abac_item_val(abac_item_t *ptr)
+{
+    return ptr->val;
+}
+/******************************************************************/
+static abac_condition_t *_abac_condition_new(int type, int vtype,
+char* condstr,void *cptr)
+{
      if(debug) {
          printf("   abac_condition_new: \n");
+         printf("     type is %d(%s)\n", type, abac_condtype_name(type));
+         printf("     condtype is %d(%s)\n", type, abac_condtype_string(type));
+         printf("     vtype is %d(%s)\n", vtype, abac_termtype_string(type));
          printf("     condstr is (%s)\n", condstr);
          if(cptr) printf("     yes on cptr\n");
 …
      abac_condition_t *ptr=
              (abac_condition_t *)abac_xmalloc(sizeof(abac_condition_t));
+     ptr->type=type;
+     ptr->condtype=type;
+     ptr->vartype=vtype;
      ptr->string=abac_xstrdup(condstr);
+     if(cptr) ptr->of_aspect=abac_aspect_dup(cptr);
+         else ptr->of_aspect=NULL;
+     ptr->of_aspect=NULL;
+     ptr->range_list=NULL;
+     if(type==e_COND_RANGE) {
+          ptr->range_list=(abac_list_t *)cptr;
+          } else {
+             if(cptr) ptr->of_aspect=abac_aspect_dup((abac_aspect_t *)cptr);
+     }
      return ptr;
+}
 …
 void abac_condition_free(abac_condition_t *ptr)
+{
      switch(ptr->type) {
+     switch(ptr->condtype) {
         case e_COND_OSET:
         case e_COND_ROLE:
 …
+     }
      if(ptr->string) free(ptr->string);
+     if(ptr->range_list != NULL) {
+         abac_item_t *cur;
+         abac_list_foreach(ptr->range_list, cur,
+           abac_item_free(cur);
+         );
+         abac_list_free(ptr->range_list);
+     }
      free(ptr);
+}
+abac_condition_t *abac_condition_from_string(char *string)
+{
+     assert(string);
+abac_aspect_t *abac_condition_of_aspect(abac_condition_t *ptr)
+{
+   return ptr->of_aspect;
+}
+int abac_condition_is_range(abac_condition_t *ptr)
+{
+   if(ptr->condtype==e_COND_RANGE)
+      return 1;
+      else return 0;
+}
+/* called from backend, intended as stub for range constraint */
+abac_condition_t *abac_condition_create(char *vtype)
+{
      abac_condition_t *nptr=
              (abac_condition_t *)abac_xmalloc(sizeof(abac_condition_t));
+     nptr->type=e_COND_RANGE;
+     nptr->string=abac_xstrdup(string);
+     nptr->condtype=e_COND_RANGE;
+     nptr->vartype=abac_verify_term_type(vtype);
+     nptr->string=NULL;
+     nptr->range_list=NULL;
      nptr->of_aspect=NULL;
      return nptr;
+}
 abac_condition_t *abac_condition_from_aspect(abac_aspect_t *ptr)
+abac_condition_t *abac_condition_create_from_aspect(abac_aspect_t *ptr)
+{
      assert(ptr);
 …
              (abac_condition_t *)abac_xmalloc(sizeof(abac_condition_t));
      if(abac_aspect_is_role(ptr))
+         nptr->type=e_COND_ROLE;
+         else nptr->type=e_COND_OSET;
+         nptr->condtype=e_COND_ROLE;
+         else nptr->condtype=e_COND_OSET;
+     nptr->vartype=e_TERM_PRINCIPAL;
      nptr->string=NULL;
+     nptr->range_list=NULL;
      nptr->of_aspect=abac_aspect_dup(ptr);
      return nptr;
 …
      abac_condition_t *nptr=
              (abac_condition_t *)abac_xmalloc(sizeof(abac_condition_t));
+     nptr->type=ptr->type;
+     nptr->condtype=ptr->condtype;
+     nptr->vartype=ptr->vartype;
      if(ptr->string)
          nptr->string=abac_xstrdup(ptr->string);
 …
          nptr->of_aspect=abac_aspect_dup(ptr->of_aspect);
          else nptr->of_aspect=NULL;
+     if(ptr->range_list!=NULL) {
+         nptr->range_list=abac_list_new();
+         abac_item_t *cur;
+         abac_item_t *nitem;
+         abac_list_foreach(ptr->range_list, cur,
+           nitem=abac_item_dup(cur);
+           abac_list_add(nptr->range_list,nitem);
+         );
+         } else {
+             nptr->range_list=NULL;
+     }
      return nptr;
+}
+int abac_condition_vartype(abac_condition_t *ptr)
+{
+    return ptr->vartype;
+}
+abac_list_t *abac_condition_range_list(abac_condition_t *ptr)
+{
+     assert(ptr);
+     return ptr->range_list;
+}
+int abac_condition_add_range_item(abac_condition_t *ptr, char *vtype, char* itype, char* val)
+{
+    if(ptr->vartype != abac_verify_term_type(vtype))
+       panic("abac_condition_add_range_item: attempt to add range item that does not match with the constraint's type\n");
+    abac_item_t *nitem=abac_item_new(itype,val);
+    if(ptr->range_list==NULL)
+       ptr->range_list=abac_list_new();
+    abac_list_add(ptr->range_list,nitem);
+}
 char *abac_condition_string(abac_condition_t *ptr)
+{
      char *string=NULL;
      switch(ptr->type) {
+     switch(ptr->condtype) {
         case e_COND_OSET:
         case e_COND_ROLE:
             string=abac_aspect_string_with_condition(ptr->of_aspect);
+            return string;
             break;
         case e_COND_RANGE:
+            string=abac_xstrdup(ptr->string);
+            if(ptr->string != NULL) {
+                string=abac_xstrdup(ptr->string);
+                return string;
+            }
+            if(ptr->range_list != NULL) {
+                string=abac_range_string(ptr->range_list);
+                return string;
+            }
             break;
+     }
 …
+{
      char *string=NULL;
      switch(ptr->type) {
+     switch(ptr->condtype) {
         case e_COND_OSET:
         case e_COND_ROLE:
             string=abac_aspect_typed_string_with_condition(ptr->of_aspect);
+            return string;
             break;
         case e_COND_RANGE:
+            string=abac_xstrdup(ptr->string);
+            if(ptr->string != NULL) {
+                string=abac_xstrdup(ptr->string);
+                return string;
+            }
+            if(ptr->range_list != NULL) {
+                string=abac_range_string(ptr->range_list);
+                return string;
+            }
             break;
+     }
 …
+}
+int abac_condition_set_range_string(abac_condition_t *ptr)
+{
+   char *string= abac_range_string(ptr->range_list);
+   ptr->string=string;
+   return 1;
+}
+int abac_condition_set_aspect_string(abac_condition_t *ptr, char *str)
+{
+   ptr->string=abac_xstrdup(str);
+   return 1;
+}
+int abac_condition_set_aspect_ptr(abac_condition_t *ptr, abac_aspect_t *aptr)
+{
+   ptr->of_aspect=abac_aspect_dup(aptr);
+   return 1;
+}
+void abac_condition_dump(abac_condition_t *ptr, char *offset)
+{
+   printf("...constraint...\n");
+   printf("%s condtype: %d(%s)\n",
+                offset, ptr->condtype,abac_condtype_string(ptr->condtype));
+   printf("%s vartype: %d(%s)\n",
+                offset, ptr->vartype,abac_termtype_string(ptr->vartype));
+   if(ptr->string)
+       printf("%s string: %s\n", offset, ptr->string);
+       else printf("%s string: --\n", offset);
+   if(ptr->range_list)
+       printf("%s range_list: %s\n",
+                     offset, abac_range_string(ptr->range_list));
+       else printf("%s range_list: --\n", offset);
+   if(ptr->of_aspect) {
+       char *tmp=NULL;
+       asprintf(&tmp,"  %s",offset);
+       abac_aspect_dump(ptr->of_aspect,tmp);
+       free(tmp);
+       } else printf("%s of_aspect: --\n", offset);
+   printf("................\n");
+}
 /******************************************************************/
+int abac_term_isvar(abac_term_t *term)
+{
+    if(isupper(term->name[0])) return 1;
+       else return 0;
+}
 int abac_term_isnamed(abac_term_t *term)
 …
+{
     return term->constraint;
+}
-char *abac_termtype_string(int i)
+{
-    if(i>_termname_cnt)
-        panic("abac_termtype_string: went out of range on termname");
-    return (char *) _termname[i];
+}
 …
+}
+int abac_term_verify_term_type(char *type) {
+    int i;
+    if (type == NULL)
+        return 0;
+    for (i = 1; i <= _termname_cnt ; i++)
+        if(strcmp(type,_termname[i])==0)
+            return i;
+bool abac_term_is_alpha(abac_term_t *term)
+{
+    if(term->type == e_TERM_URN ||
+          term->type == e_TERM_STRING ||
+              term->type == e_TERM_BOOLEAN)
+        return 1;
+    return 0;
+}
+bool abac_term_is_numeric(abac_term_t *term)
+{
+    if(term->type == e_TERM_INTEGER ||
+          term->type == e_TERM_FLOAT)
+        return 1;
+    return 0;
+}
+bool abac_term_is_time(abac_term_t *term)
+{
+    if(term->type == e_TERM_TIME)
+        return 1;
     return 0;
+}
 …
+}
 /* called from yy */
 abac_term_t *abac_term_new(int type, char *name, char *cond, abac_aspect_t *cptr)
+/* called from yy, cptr is either abac_aspect_t or abac_list_t */
+abac_term_t *abac_term_new(int type, char *name, int isrange, char *cond, void *cptr)
+{
      if(debug) {
 …
              printf("  cond is %s\n", cond);
              else printf("  no cond \n");
+         if(cptr)
+             printf("  cptr is (%s)\n", abac_aspect_string_with_condition(cptr));
+             else printf("  there is no cptr\n");
+         printf("  isrange is %d\n", isrange);
+         if(cptr) {
+             if(isrange) printf("  cptr is (%s)\n",
+                                    abac_range_string((abac_list_t *)cptr));
+                else
+                   printf("  cptr is (%s)\n",
+                          abac_aspect_string_with_condition((abac_aspect_t *)cptr));
+         }    else printf("  there is no cptr\n");
+     }
      abac_condition_t *constraint=NULL;
      if (cond) {
          if(type==e_TERM_PRINCIPAL) {
              constraint=abac_condition_new(e_COND_ROLE,cond,cptr);
              } else {
                  if(cptr == NULL)
                     constraint=abac_condition_new(e_COND_RANGE,cond,NULL);
                     else
                         constraint=abac_condition_new(e_COND_OSET,cond,cptr);
+     if (cptr) {
+         if(isrange) {
+           constraint=_abac_condition_new(e_COND_RANGE,type,cond,cptr);
+           } else {
+             if(type==e_TERM_PRINCIPAL)
+               constraint=_abac_condition_new(e_COND_ROLE,type,cond,cptr);
+               else
+                 constraint=_abac_condition_new(e_COND_OSET,type,cond,cptr);
+         }
+     }
 …
 abac_term_t *abac_term_add_constraint(abac_term_t *ptr, abac_condition_t *cond)
+{
+    /* make sure the types are matching */
+    if(abac_condition_vartype(cond) != abac_term_type(ptr)) {
+        panic("abac_term_add_constraint: mismatched constraint type with the dataterm\n");
+        return NULL;
+    }
     if(ptr->constraint) {
         abac_condition_free(ptr->constraint);
 …
 /********************************************************************/
+abac_list_t *abac_param_list(abac_param_list_t *ptr)
+{
+    assert(ptr);
+    return ptr->list;
+}
+void abac_param_dump(abac_param_list_t *ptr, char *offset)
+{
+    printf("===params===\n");
+    abac_term_t  *cur;
+    abac_list_foreach(ptr->list, cur,
+           abac_term_dump(cur, offset);
+    );
+    printf("============\n");
+}
 abac_param_list_t *abac_param_list_new(abac_term_t *term)
+{
 …
+}
 void abac_terms_free(abac_term_t **terms)
+{
 …
     free(terms);
+}
+void abac_term_dump(abac_term_t *ptr, char *offset)
+{
+    printf("--- term---\n");
+    printf("%s type : %s\n",offset, abac_term_type_name(ptr));
+    printf("%s name : %s\n",offset, abac_term_name(ptr));
+    printf("%s isnamed: %d\n",offset,ptr->isnamed);
+    if(ptr->p_name)
+        printf("%s p_name: %s\n",offset,ptr->p_name);
+        else printf("%s p_name: --\n",offset);
+    if(ptr->cn)
+        printf("%s cn: %s\n",offset,ptr->cn);
+        else printf("%s cn: --\n",offset);
+    if(ptr->constraint) {
+        char *tmp=NULL;
+        asprintf(&tmp,"  %s", offset);
+        abac_condition_dump(ptr->constraint,offset);
+        free(tmp);
+        } else printf("%s constraint: --\n",offset);
+    printf("-----------\n");
+}

libabac/abac_verifier.c

-                      rd037f54
+                      r440ba20
 char *abac_idtype_string(int i)
+{
+    if(i > _idtypename_cnt)
+    if(i > _idtypename_cnt) {
+        printf("bad idtypename idx %d\n", i);
         panic("abac_idtype_string: went out of range on idtypename");
+    return _idtypename[i];
+    }
+    return (char*) _idtypename[i];
+}
 …
     char *keyid=abac_id_keyid(a_id);
+    if(debug) {
+         printf("abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
+                cn, keyid);
+    }
     // add the abac_id to the map of id credentials
     id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
 …
                                    id_cred->hashkeyid, HASH_COUNT(id_creds));
-     free(keyid);
      return id_cred;
+}
 /**
  * Load an ID certificate.
+ * Load an ID
  */
 static int _load_id(abac_id_t **a_id,certificate_t *cert, abac_id_credential_t **id_cred_ret) {
 …
     HASH_FIND_STR(id_creds, keyid, id_cred);
     if (id_cred != NULL) {
+        ret = ABAC_CERT_SUCCESS;
+        if(debug) printf("existing cert \n");
+        ret = ABAC_CERT_EXISTS;
         goto error;
+    }
 …
     // success, add a new abac_id
+    if(*a_id ==NULL)
+        *a_id = abac_id_keyid_new(keyid,cn,cert);
+    if(*a_id==NULL) {
+        *a_id=abac_id_keyid_new(keyid,cn,cert);
+    }
     abac_id_credential_t *n_id_cred=abac_verifier_add_id_credential(*a_id);
 …
     int rc=_load_id(&id,cert,id_cred_ret);
+    if(rc==ABAC_CERT_EXISTS) {
+        if(debug) printf("abac_verifier_load_id_files: id already exists\n");
+        return ABAC_CERT_SUCCESS;
+    }
     /* try to load the private key if it is there */
     if(_exist(keyfilename)) {
+    if((rc==ABAC_CERT_SUCCESS) &&  _exist(keyfilename)) {
         if(debug) printf("loading... %s\n", keyfilename);
         int keyrc=abac_id_load_privkey(id, keyfilename);

libabac/rt2.y

-                      rd037f54
+                      r440ba20
                if(is_yy_term_data_has_constraint(ptr)) {
                   char *tail_string=get_yy_term_data_name(ptr);
                   make_yy_range_constraint(ptr,tail_string);
+                  make_yy_range_constraint(ptr);
                   make_yy_oset_constraint(ptr,tail_string);
+               }
 …
                   set_yy_term_principal_name(ptr,tail_string);
                   set_yy_term_principal_cond_head_expr(ptr,expr);
                   char *string=make_yy_role_constraint(ptr,tail_string);
+                  make_yy_role_constraint(ptr,tail_string);
                   $$=ptr;
+                }

Context Navigation

Legend:

Makefile.am

examples/access_rt2_typed/README

libabac/abac.h

libabac/abac.hh

libabac/abac_aspect.c

libabac/abac_common.h

libabac/abac_id.c

libabac/abac_internal.h

libabac/abac_pl_gen.c

libabac/abac_pl_yap.c

libabac/abac_pl_yy.c

libabac/abac_pl_yy.h

libabac/abac_term.c

libabac/abac_verifier.c

libabac/rt2.y

Download in other formats: