source: doc/ABAC.hh @ 4fd9436

abac0-leakabac0-meitvf-new-xml
Last change on this file since 4fd9436 was bc12f3d, checked in by Ted Faber <faber@…>, 12 years ago

Allow user to specify credential output format

  • Property mode set to 100644
File size: 21.0 KB
RevLine 
[3ed053d]1#ifndef __ABAC_HH__
2#define __ABAC_HH__
3
4#include <cstdio>
5#include <stdexcept>
6#include <string>
7#include <vector>
8
9/* This file is generated from doc/ABAC.hh by doc/extract_doc.c */
10
11namespace ABAC {
12    extern "C" {
13        #include "abac.h"
14    }
15
16    class Attribute;
17    class ID;
18
19/***
20ABAC::Role
21   A Role, most calls are rarely used outside the library
22***/
23    class Role {
24        public:
25/***
26f  Role()
27     default constructor, do not use, for swig only
28f  Role(abac_role_t*)
29     copy constructor, used for cloning an Role
30     (C:abac_role_dup)
31f  Role(char *)
32     instantiate a role from a string
33     (C:abac_role_from_string)
34f  Role(const Role &)
35     copy constructor, used for cloning an Role
36     (C:abac_role_dup)
37f  ~Role()
38     default destructor
39     (C:abac_role_free)
40***/
41            Role() : m_role(NULL) { } // do not use: here for swig
42            Role(abac_role_t *role) { m_role = abac_role_dup(role); }
43            Role(char *role_name) { m_role = abac_role_from_string(role_name); }
44            Role(const Role &role) { m_role = abac_role_dup(role.m_role); }
45            ~Role() { abac_role_free(m_role); }
46/***
47f  bool is_principal()
48     (C:abac_role_is_principal)
49f  bool is_role()
50     (C:abac_role_is_role)
51f  bool is_linking()
52     (C:abac_role_is_linking)
53     indicates the type of role encoded
54***/
55            bool is_principal() const { return abac_role_is_principal(m_role); }
56            bool is_role() const { return abac_role_is_role(m_role); }
57            bool is_linking() const { return abac_role_is_linking(m_role); }
58
59/***
60f  char* string()
61     string representation of the role
62     (C:abac_role_string)
63***/
64            char *string() const { return abac_role_string(m_role); }
65/***
66f  char* linked_role()
67     the linked role of a linking role
68     i.e., A.r1.r2, linked_role() returns A.r1
69     (C:abac_role_linked_role)
70f  char* role_name()
71     the role name of any role (the part after the last dot)
72     (C:abac_role_role_name)
73f  char* principal()
74     the principal part of any role
75     (C:abac_role_principal)
76***/
77            char *linked_role() const { return abac_role_linked_role(m_role); }
78            char *role_name() const { return abac_role_role_name(m_role); }
79            char *principal() const { return abac_role_principal(m_role); }
80
81        private:
82            abac_role_t *m_role;
83    };
84
85/***
86ABAC::Credential
87   This is never instantiated directly. These will only ever be
88   returned as a result of calls to Context::query or
89   Context::credentials.
90***/
91    class Credential {
92        public:
93/***
94f  Credential()
95     default constructor, do not use, for swig only
96f  Credential(abac_credential_t*)
97     copy constructor, used for cloning a credential
98     (C:abac_credential_head)
99     (C:abac_credential_tail)
100     (C:abac_credential_dup)
101f  Credential(const Credential&)
102     copy constructor, used for cloning a credential
103     (C:abac_credential_head)
104     (C:abac_credential_tail)
105     (C:abac_credential_dup)
106f  ~Credential()
107     default destructor
108     (C:abac_credential_free)
109***/
110            Credential() : m_cred(NULL) { } // do not use: here for swig
111            Credential(abac_credential_t *cred) :
112                m_head(abac_credential_head(cred)),
113                m_tail(abac_credential_tail(cred)),
114                m_cred(abac_credential_dup(cred))
115                    { }
116            Credential(const Credential &cred) :
117                m_head(cred.m_head),
118                m_tail(cred.m_tail),
119                m_cred(abac_credential_dup(cred.m_cred))
120                    { }
121            ~Credential() { abac_credential_free(m_cred); }
122/***
123f  Role &head()
124     returns the head of the credential
125f  Role &tail()
126     returns the tail of the credential
127***/
128            const Role &head() { return m_head; }
129            const Role &tail() { return m_tail; }
130/***
131f  abac_chunk_t attribute_cert()
132     returns the attribute certificate in chunk, suitable for
133     transmission over the network or storage in a file
134     (C:abac_credential_attribute_cert)
135f  abac_chunk_t issuer_cert()
136     returns the issuer certificate in chunk, again suitable for
137     network transmission or file storage
138     (C:abac_credential_issuer_cert)
139***/
140            abac_chunk_t attribute_cert() { return abac_credential_attribute_cert(m_cred); }
141            abac_chunk_t issuer_cert() { return abac_credential_issuer_cert(m_cred); }
142       
143        private:
144            abac_credential_t *m_cred;
145            Role m_head, m_tail;
146    };
147
148/***
149ABAC::Context
150    An ABAC Context
151***/
152    class Context {
153        public:
154/***
155f  Context()
156     default constructor
157     (C:abac_context_new)
158f  Context(const Context &)
159     copy constructor, used for cloning the context
160     (C:abac_context_dup)
161f  ~Context()
162     default destructor
163     (C:abac_context_free)
164***/
165            Context() { m_ctx = abac_context_new(); }
166            Context(const Context &context) { m_ctx = abac_context_dup(context.m_ctx); }
167            ~Context() { abac_context_free(m_ctx); }
168
169/***
170f  int load_id_file(char *)
171     load identity certificate from an id file
172     (C:abac_context_load_id_file)
173f  int load_id_chunk(abac_chunk_t)
174     load id certificate from an chunk
175     (C:abac_context_load_id_chunk)
176f  int load_attribute_file(char *)
177     load attribute certificate from an id file.
178     (C:abac_context_load_attribute_file)
179f  int load_attribute_chunk(abac_chunk_t)
180     load attribute certificate from an chunk
181     (C:abac_context_load_attribute_chunk)
182f  returns :
183        ABAC_CERT_SUCCESS   successfully loaded
184        ABAC_CERT_INVALID   invalid certificate (or file not found)
185        ABAC_CERT_BAD_SIG   invalid signature
186***/
187            int load_id_file(char *filename) { return abac_context_load_id_file(m_ctx, filename); }
188            int load_id_chunk(abac_chunk_t cert) { return abac_context_load_id_chunk(m_ctx, cert); }
189            int load_attribute_file(char *filename) { return abac_context_load_attribute_file(m_ctx, filename); }
190            int load_attribute_chunk(abac_chunk_t cert) { return abac_context_load_attribute_chunk(m_ctx, cert); }
191
192/***
193f  void load_directory(char *)
194     load a directory full of certificates:
195f       first: ${path}/*_ID.{der,pem} as identity certificates
196               implicitly looking for ${path}/*_private.{der,pem} as
197               the private key file
198        last: ${path}/*_attr.xml as attribute certificates
199      (C:abac_context_load_directory)
200***/
201            void load_directory(char *path) { abac_context_load_directory(m_ctx, path); }
202
203/***
204f  std::vector<Credential> query(char *, char *, bool &)
205     run the query:
206        role <-?- principal
207     returns true/false in success
208     returns a proof upon success, partial proof on failure
209     (C:abac_context_query)
210     (C::abac_free_credentials_free)
211***/
212
213            /* abac query, returns a vector of credentials on success, NULL on fail */
214            std::vector<Credential> query(char *role, char *principal, bool &success) {
215                abac_credential_t **creds, **end;
216                int i, success_int;
217                creds = abac_context_query(m_ctx, role, principal, &success_int);
218                success = success_int;
219
220                for (i = 0; creds[i] != NULL; ++i)
221                    ;
222
223                end = &creds[i];
224                std::vector<Credential> credentials = std::vector<Credential>(creds, end);
225                abac_context_credentials_free(creds);
226                return credentials;
227            }
228/***
229f  std::vector<Credential> credentials(bool &)
230     returns a vector of all the credentials loaded in the context
231     (C:abac_context_credentials)
232     (C::abac_context_credentials_free)
233***/
234            std::vector<Credential> credentials() {
235                abac_credential_t **creds, **end;
236                int i;
237
238                creds = abac_context_credentials(m_ctx);
239                for (i = 0; creds[i] != NULL; ++i)
240                    ;
241
242                end = &creds[i];
243                std::vector<Credential> credentials = std::vector<Credential>(creds, end);
244
245                abac_context_credentials_free(creds);
246                return credentials;
247            }
248
249        private:
250            abac_context_t *m_ctx;
251    };
252
253/***
254ABAC::ID
255   An ID holds a principal credential. It maybe imported from an existing
256   ID credential via external files, constructed from a streaming chunk,
257   or instantiated on the fly
258***/
259    class ID {
260        public:
261/***
262f  ID()
263     default constructor, do not use, for swig only
264f  ID(const ID &)
265     copy constructor, used for cloning an ID
266     (C:abac_id_dup)
267f  ~ID()
268     default destructor
269     (C:abac_id_free)
270***/
271            ID() : m_id(NULL) { } // do not use: required by swig
272            ID(const ID &id) { m_id = abac_id_dup(id.m_id); }
273            ~ID() { abac_id_free(m_id); }
274
275/***
276f  ID(char *)
277     load an ID certificate from a file, will throw an exception
278     if the certificate cannot be loaded
279     (C:abac_id_from_file)
280***/
281            ID(char *filename) : m_id(NULL) {
282                m_id = abac_id_from_file(filename);
283                if (m_id == NULL)
284                    throw std::invalid_argument("Could not load ID cert");
285            }
286
287/***
288f  ID_chunk(abac_chunk_t chunk)
289     create an ID certificate from an certificate chunk, will
290     throw an exception if the certificate cannot be loaded
291     (C:abac_id_from_chunk)
292***/
293            ID(abac_chunk_t chunk) : m_id(NULL) {
294                m_id = abac_id_from_chunk(chunk);
295                if (m_id == NULL)
296                    throw std::invalid_argument("Could not load ID certificate with a chunk");
297            }
298/***
299f  ID(char *,int)
300     generates a new ID(cert&key) with the supplied CN and validity period
301     - CN must be alphanumeric and begin with a letter
302     - validity must be at least one second
303     will throw an exception if either of the above is violated
304     (C:abac_id_generate)
305***/
306            ID(char *cn, int validity) : m_id(NULL) {
307                int ret = abac_id_generate(&m_id, cn, validity);
308                if (ret == ABAC_GENERATE_INVALID_CN)
309                    throw std::invalid_argument("CN must be alphanumeric and start with a letter");
310                if (ret == ABAC_GENERATE_INVALID_VALIDITY)
311                    throw std::invalid_argument("Validity must be > 0 days");
312            }
313/***
314f  void load_privkey(char *)
315     loads the private key associated with the ID credential,
316     will throw an exception if the key cannot be loaded
317     (C:abac_id_privkey_from_file)
318f  void load_privkey_chunk(abac_chunk_t)
319     loads the private key associated with the ID credential,
320     will throw an exception if the key cannot be loaded
321     (C:abac_id_privkey_from_chunk)
322f  int has_privkey()
323     check to see if there is a privkey in this ID
324     (C:abac_id_has_privkey)
325***/
326            void load_privkey(char *filename) {
327                int ret = abac_id_privkey_from_file(m_id, filename);
328                if (ret != ABAC_SUCCESS)
329                    throw std::invalid_argument("Could not load private key");
330            }
331            void load_privkey_chunk(abac_chunk_t chunk) {
332                int ret = abac_id_privkey_from_chunk(m_id, chunk);
333                if (ret != ABAC_SUCCESS)
334                    throw std::invalid_argument("Could not load private key with a chunk");
335            }
336            int has_privkey() {
337                int ret= abac_id_has_privkey(m_id);
338                return ret;
339            }
340/***
341f  char *keyid()
342     returns the SHA1 keyid of the id cert
343     (C:abac_id_keyid)
344f  char *cert_filename()
345     returns the default libabac filename for the cert.
346     value must be freed by caller.
347     (C:abac_id_cert_filename)
348***/
349            char *keyid() { return abac_id_keyid(m_id); }
350            char *cert_filename() { return abac_id_cert_filename(m_id); }
351/***
352f  void write_cert(FILE *)
353     writes a PEM-encoded certificate to a file handle
354     (C:abac_id_write_cert)
355f  void write_cert(string &)
356     writes a PEM-encoded certificate to a file named in string
357f  void write_cert_file(const char *)
358     writes a PEM-encoded certificate to a file
359f  void write_cert_name(const char *)
360     writes a PEM-encoded certificate to a file
361     (added to support original libcreddy users)
362***/
363            void write_cert(FILE *out) { abac_id_write_cert(m_id, out); }
364            void write_cert(const std::string &name) {
365                FILE *out = fopen(name.c_str(), "a+");
366                if (out == NULL)
367                    throw std::invalid_argument("Could not open certificate file for writing");
368                write_cert(out);
369                fclose(out);
370            }
371            // Simplifies access from swig
372            void write_cert_file(const char *n) {
373                write_cert(std::string(n));
374            }
375            void write_cert_name(const char *n) {
376                write_cert(std::string(n));
377                fprintf(stderr,"ABAC::ID::write_cert_name is deprecated, please use ABAC::ID::write_cert_name\n");
378            }
379/***
380f  char *privkey_filename()
381     returns the default libabac filename for the private key.
382     value must be freed by caller.
383     (C:abac_id_privkey_filename)
384***/
385            char *privkey_filename() { return abac_id_privkey_filename(m_id); }
386/***
387f  void write_privkey(FILE *)
388     write the private key to a file handle
389     throws a std::logic_error if no private key is loaded
390     (C:abac_id_write_privkey)
391f  void write_privkey(string &)
392     writes a private key to file named in string
393f  void write_privkey_file(const char *)
394     writes a private key to a file
395f  void write_privkey_name(const char *)
396     writes a private key to a file
397     (added to support original libcreddy users)
398***/
399            void write_privkey(FILE *out) {
400                int ret = abac_id_write_privkey(m_id, out);
401                if (ret!=ABAC_SUCCESS) throw std::logic_error("No private key loaded");
402            }
403            void write_privkey(const std::string &name) {
404                FILE *out = fopen(name.c_str(), "a+");
405                if (out == NULL)
406                    throw std::invalid_argument("Could not open privkey file for writing");
407                write_privkey(out);
408                fclose(out);
409            }
410            // Simplifies access from swig
411            void write_privkey_file(const char *name) {
412                write_privkey(std::string(name));
413            }
414            void write_privkey_name(const char *name) {
415                write_privkey(std::string(name));
416                fprintf(stderr,"ABAC::ID::write_privkey_name is deprecated, please use ABAC::ID::write_privkey_file\n");
417            }
418/***
419f  abac_chunk_t cert_chunk()
420     returns a DER-encoded binary representation of the X.509 ID cert
421     associated with this ID.
422     can be passed to libabac's Context::load_id_chunk()
423     (C:abac_id_cert_chunk)
424f  abac_chunk_t privkey_chunk()
425     returns a PEM-encoded binary representation of the private key
426     associated with this ID.
427     (C:abac_id_privkey_chunk)
428***/
429            abac_chunk_t cert_chunk() { return abac_id_cert_chunk(m_id); }
430            abac_chunk_t privkey_chunk() { return abac_id_privkey_chunk(m_id); }
431
432            friend class Attribute;
433
434        private:
435            abac_id_t *m_id;
436    };
437
438/***
439ABAC::Attribute
440   This is the attribute representation for the access policy rule
441       LHS <- RHS
442   The sequence of generation is to
443       first, instantiate the object, ie, LHS (head)
444       second, adding subject(s) to it, ie, RHS (tail)
445       and then baking it.
446   Only once it's baked can you access the X.509 cert.
447   Once it's been baked you can no longer add subjects to it
448***/
449    class Attribute {
450        public:
451/***
452f  Attribute()
453     default constructor, do not use, for swig only
454f  ~Attribute()
455     default destructor
456     (C:abac_attribute_free)
457***/
458            Attribute() : m_attr(NULL) { } // do not use: required by swig
459            ~Attribute() { abac_attribute_free(m_attr); }
460
461/***
462f  Attribute(ID&, char*,int)
463     constructor that creates an attribute policy to be signed by the issuer
464     with the given role with a specified validity period
465     An exception will be thrown if:
466       - the issuer has no private key
467       - the Head role is invalid
468       - the validity period is invalid (must be >= 0 second)
469       - The issuer is invalid
470     (C:abac_attribute_create)
471***/
472            Attribute(ID &issuer, char *role, int validity) : m_attr(NULL) {
473                int ret = abac_attribute_create(&m_attr, issuer.m_id, role, validity);
474                if (ret == ABAC_ATTRIBUTE_ISSUER_NOKEY)
475                    throw std::invalid_argument("Issuer has no private key");
476                if (ret == ABAC_ATTRIBUTE_INVALID_ROLE)
477                    throw std::invalid_argument("Role name must be alphanumeric");
478                if (ret == ABAC_ATTRIBUTE_INVALID_VALIDITY)
479                    throw std::invalid_argument("Validity must be > 0 days");
480                if (ret == ABAC_ATTRIBUTE_INVALID_ISSUER)
481                    throw std::invalid_argument("Issuer's validity expired");
482            }
483
484
485/***
[6d3fc40]486f  bool principal(char *keyid)
487     {keyid}
[3ed053d]488     validate the principal and insert into the attribute
489     throw a std::logic_error if the cert's been baked and keyid bad
490     (C:abac_attribute_principal)
[6d3fc40]491f bool role(char *keyid, char *role)
492     {keyid.role}
[3ed053d]493     validate the principal and role and insert into the attribute
494     throw a std::logic_error if the cert's been baked and keyid bad
495     (C:abac_attribute_role)
[6d3fc40]496f bool linking_role(char *keyid, char *role, char *linked)
497     {keyid.linked.role}
[3ed053d]498     validate the role and linking role and insert into the attribute
499     throw a std::logic_error if the cert's been baked and keyid bad
500     (C:abac_attribute_linking_role)
501***/
502            bool principal(char *keyid) {
503                if (baked()) throw std::logic_error("Cert is already baked");
504                return abac_attribute_principal(m_attr, keyid);
505            }
506            bool role(char *keyid, char *role) {
507                if (baked()) throw std::logic_error("Cert is already baked");
508                return abac_attribute_role(m_attr, keyid, role);
509            }
510            bool linking_role(char *keyid, char *role, char *linked) {
511                if (baked()) throw std::logic_error("Cert is already baked");
512                return abac_attribute_linking_role(m_attr, keyid, role, linked);
513            }
514/***
515f  bool bake()
516     Generate the cert. Call this after you've added subjects to your cert.
517     This returns false if there are no subjects
518     This will throw an exception if the cert's already been baked.
519     (C:abac_attribute_bake)
520***/
521            bool bake() {
522                if (baked()) throw std::logic_error("Cert is already baked");
523                return abac_attribute_bake(m_attr);
524            }
525
526/***
527f  bool baked()
528     returns true iff the certificate has been baked.
529     (C:abac_attribute_baked)
530***/
531            bool baked() { return abac_attribute_baked(m_attr); }
532
[bc12f3d]533/***
534f  set_output_format(char *fmt)
535     {fmt}
536     Set the attribute's output format.  Valid choices are GENIv1.0 and
537     GENIV1.1.  Default is GENIv1.1.
538***/
539            void set_output_format(char *fmt) {
540                abac_attribute_set_output_format(m_attr, fmt);
541            }
542
[3ed053d]543/***
544f  void write(FILE *)
545     write an attribute certificate in XML to an open file handle
546     Throws an exception if the certificate isn't baked
547     (C:abac_attribute_write)
548f  void write(const string&)
549     write an attribute certificate in XML to file named in string
550f  void write_file(const char *)
551     write an attribute certificate in XML to file
552f  void write_name(const char *)
553     write an attribute certificate in XML to file
554     (added to support original libcreddy users)
555***/
556            void write(FILE *out) {
557                int ret = abac_attribute_write(m_attr, out);
558                if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
559            }
560            void write(const std::string &name) {
561                FILE *out = fopen(name.c_str(), "w");
562                if (out == NULL)
563                    throw std::invalid_argument("Could not open certificate file for writing");
564                write(out);
565                fclose(out);
566            }
567            void write_file(const char *name) {
568                int ret = abac_attribute_write_file(m_attr, name);
569                if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
570            }
571            void write_name(const char *name) {
572                write_file(name);
573                fprintf(stderr,"ABAC::Attribute::write_name is deprecated, please use ABAC::Attribute::write_name\n");
574            }
575/***
576f  abac_chunk_t cert_chunk()
577     returns a XML structure of the attribute certificate in a abac_chunk_t
578     Throws an exception if the certificate isn't baked
579     the chunk can be passed to libabac's Context::load_attribute_chunk()
580     (C:abac_attribute_cert_chunk)
581***/
582            abac_chunk_t cert_chunk() {
583                abac_chunk_t ret=abac_attribute_cert_chunk(m_attr);
584                if(ret.len == 0)
585                    throw std::logic_error("Cert is not baked");
586                return ret;
587            }
588
589        private:
590            abac_attribute_t *m_attr;
591    };
592}
593
594#endif /* __ABAC_HH__ */
Note: See TracBrowser for help on using the repository browser.