source: doc/ABAC.hh @ 12a2fa7

abac0-leakabac0-meitvf-new-xml
Last change on this file since 12a2fa7 was 94605f2, checked in by Ted Faber <faber@…>, 12 years ago

checkpoint Lots of the way toward mnemonic names, some parsing fixes

  • Property mode set to 100644
File size: 21.3 KB
Line 
1#ifndef __ABAC_HH__
2#define __ABAC_HH__
3
4#include <cstdio>
5#include <stdexcept>
6#include <string>
7#include <vector>
8
9/* This file is generated from doc/ABAC.hh by doc/extract_doc.c */
10
11namespace ABAC {
12    extern "C" {
13        #include "abac.h"
14    }
15
16    class Attribute;
17    class ID;
18    class Role;
19    class Credential;
20
21/***
22ABAC::Context
23    An ABAC Context
24***/
25    class Context {
26        public:
27/***
28f  Context()
29     default constructor
30     (C:abac_context_new)
31f  Context(const Context &)
32     copy constructor, used for cloning the context
33     (C:abac_context_dup)
34f  ~Context()
35     default destructor
36     (C:abac_context_free)
37***/
38            Context() { m_ctx = abac_context_new(); }
39            Context(const Context &context) { m_ctx = abac_context_dup(context.m_ctx); }
40            ~Context() { abac_context_free(m_ctx); }
41
42/***
43f  int load_id_file(char *)
44     load identity certificate from an id file
45     (C:abac_context_load_id_file)
46f  int load_id_chunk(abac_chunk_t)
47     load id certificate from an chunk
48     (C:abac_context_load_id_chunk)
49f  int load_attribute_file(char *)
50     load attribute certificate from an id file.
51     (C:abac_context_load_attribute_file)
52f  int load_attribute_chunk(abac_chunk_t)
53     load attribute certificate from an chunk
54     (C:abac_context_load_attribute_chunk)
55f  returns :
56        ABAC_CERT_SUCCESS   successfully loaded
57        ABAC_CERT_INVALID   invalid certificate (or file not found)
58        ABAC_CERT_BAD_SIG   invalid signature
59***/
60            int load_id_file(char *filename) { return abac_context_load_id_file(m_ctx, filename); }
61            int load_id_chunk(abac_chunk_t cert) { return abac_context_load_id_chunk(m_ctx, cert); }
62            int load_attribute_file(char *filename) { return abac_context_load_attribute_file(m_ctx, filename); }
63            int load_attribute_chunk(abac_chunk_t cert) { return abac_context_load_attribute_chunk(m_ctx, cert); }
64
65/***
66f  void load_directory(char *)
67     load a directory full of certificates:
68f       first: ${path}/*_ID.{der,pem} as identity certificates
69               implicitly looking for ${path}/*_private.{der,pem} as
70               the private key file
71        last: ${path}/*_attr.xml as attribute certificates
72      (C:abac_context_load_directory)
73***/
74            void load_directory(char *path) { abac_context_load_directory(m_ctx, path); }
75
76/***
77f  std::vector<Credential> query(char *, char *, bool &)
78     run the query:
79        role <-?- principal
80     returns true/false in success
81     returns a proof upon success, partial proof on failure
82     (C:abac_context_query)
83     (C::abac_free_credentials_free)
84***/
85
86            /* abac query, returns a vector of credentials on success, NULL on fail */
87            std::vector<Credential> query(char *role, char *principal, bool &success) {
88                abac_credential_t **creds, **end;
89                int i, success_int;
90                creds = abac_context_query(m_ctx, role, principal, &success_int);
91                success = success_int;
92
93                for (i = 0; creds[i] != NULL; ++i)
94                    ;
95
96                end = &creds[i];
97                std::vector<Credential> credentials = std::vector<Credential>(creds, end);
98                abac_context_credentials_free(creds);
99                return credentials;
100            }
101/***
102f  std::vector<Credential> credentials(bool &)
103     returns a vector of all the credentials loaded in the context
104     (C:abac_context_credentials)
105     (C::abac_context_credentials_free)
106***/
107            std::vector<Credential> credentials() {
108                abac_credential_t **creds, **end;
109                int i;
110
111                creds = abac_context_credentials(m_ctx);
112                for (i = 0; creds[i] != NULL; ++i)
113                    ;
114
115                end = &creds[i];
116                std::vector<Credential> credentials = std::vector<Credential>(creds, end);
117
118                abac_context_credentials_free(creds);
119                return credentials;
120            }
121        private:
122            abac_context_t *m_ctx;
123        friend class Role;
124    };
125
126/***
127ABAC::Role
128   A Role, most calls are rarely used outside the library
129***/
130    class Role {
131        public:
132/***
133f  Role()
134     default constructor, do not use, for swig only
135f  Role(abac_role_t*)
136     copy constructor, used for cloning an Role
137     (C:abac_role_dup)
138f  Role(char *)
139     instantiate a role from a string
140     (C:abac_role_from_string)
141f  Role(const Role &)
142     copy constructor, used for cloning an Role
143     (C:abac_role_dup)
144f  ~Role()
145     default destructor
146     (C:abac_role_free)
147***/
148            Role() : m_role(NULL) { } // do not use: here for swig
149            Role(abac_role_t *role) { m_role = abac_role_dup(role); }
150            Role(char *role_name) { m_role = abac_role_from_string(role_name); }
151            Role(const Role &role) { m_role = abac_role_dup(role.m_role); }
152            ~Role() { abac_role_free(m_role); }
153/***
154f  bool is_principal()
155     (C:abac_role_is_principal)
156f  bool is_role()
157     (C:abac_role_is_role)
158f  bool is_linking()
159     (C:abac_role_is_linking)
160     indicates the type of role encoded
161***/
162            bool is_principal() const { return abac_role_is_principal(m_role); }
163            bool is_role() const { return abac_role_is_role(m_role); }
164            bool is_linking() const { return abac_role_is_linking(m_role); }
165
166/***
167f  char* string()
168     string representation of the role
169     (C:abac_role_string)
170***/
171            char *string() const { return abac_role_string(m_role); }
172/***
173f  char* short_string()
174     string representation of the role
175     (C:abac_role_string)
176***/
177            char *short_string(Context& c) const { 
178                return abac_role_short_string(m_role, c.m_ctx);
179            }
180/***
181f  char* linked_role()
182     the linked role of a linking role
183     i.e., A.r1.r2, linked_role() returns A.r1
184     (C:abac_role_linked_role)
185f  char* role_name()
186     the role name of any role (the part after the last dot)
187     (C:abac_role_role_name)
188f  char* principal()
189     the principal part of any role
190     (C:abac_role_principal)
191***/
192            char *linked_role() const { return abac_role_linked_role(m_role); }
193            char *role_name() const { return abac_role_role_name(m_role); }
194            char *principal() const { return abac_role_principal(m_role); }
195
196        private:
197            abac_role_t *m_role;
198    };
199
200/***
201ABAC::Credential
202   This is never instantiated directly. These will only ever be
203   returned as a result of calls to Context::query or
204   Context::credentials.
205***/
206    class Credential {
207        public:
208/***
209f  Credential()
210     default constructor, do not use, for swig only
211f  Credential(abac_credential_t*)
212     copy constructor, used for cloning a credential
213     (C:abac_credential_head)
214     (C:abac_credential_tail)
215     (C:abac_credential_dup)
216f  Credential(const Credential&)
217     copy constructor, used for cloning a credential
218     (C:abac_credential_head)
219     (C:abac_credential_tail)
220     (C:abac_credential_dup)
221f  ~Credential()
222     default destructor
223     (C:abac_credential_free)
224***/
225            Credential() : m_cred(NULL) { } // do not use: here for swig
226            Credential(abac_credential_t *cred) :
227                m_head(abac_credential_head(cred)),
228                m_tail(abac_credential_tail(cred)),
229                m_cred(abac_credential_dup(cred))
230                    { }
231            Credential(const Credential &cred) :
232                m_head(cred.m_head),
233                m_tail(cred.m_tail),
234                m_cred(abac_credential_dup(cred.m_cred))
235                    { }
236            ~Credential() { abac_credential_free(m_cred); }
237/***
238f  Role &head()
239     returns the head of the credential
240f  Role &tail()
241     returns the tail of the credential
242***/
243            const Role &head() { return m_head; }
244            const Role &tail() { return m_tail; }
245/***
246f  abac_chunk_t attribute_cert()
247     returns the attribute certificate in chunk, suitable for
248     transmission over the network or storage in a file
249     (C:abac_credential_attribute_cert)
250f  abac_chunk_t issuer_cert()
251     returns the issuer certificate in chunk, again suitable for
252     network transmission or file storage
253     (C:abac_credential_issuer_cert)
254***/
255            abac_chunk_t attribute_cert() { return abac_credential_attribute_cert(m_cred); }
256            abac_chunk_t issuer_cert() { return abac_credential_issuer_cert(m_cred); }
257       
258        private:
259            abac_credential_t *m_cred;
260            Role m_head, m_tail;
261    };
262
263
264/***
265ABAC::ID
266   An ID holds a principal credential. It maybe imported from an existing
267   ID credential via external files, constructed from a streaming chunk,
268   or instantiated on the fly
269***/
270    class ID {
271        public:
272/***
273f  ID()
274     default constructor, do not use, for swig only
275f  ID(const ID &)
276     copy constructor, used for cloning an ID
277     (C:abac_id_dup)
278f  ~ID()
279     default destructor
280     (C:abac_id_free)
281***/
282            ID() : m_id(NULL) { } // do not use: required by swig
283            ID(const ID &id) { m_id = abac_id_dup(id.m_id); }
284            ~ID() { abac_id_free(m_id); }
285
286/***
287f  ID(char *)
288     load an ID certificate from a file, will throw an exception
289     if the certificate cannot be loaded
290     (C:abac_id_from_file)
291***/
292            ID(char *filename) : m_id(NULL) {
293                m_id = abac_id_from_file(filename);
294                if (m_id == NULL)
295                    throw std::invalid_argument("Could not load ID cert");
296            }
297
298/***
299f  ID_chunk(abac_chunk_t chunk)
300     create an ID certificate from an certificate chunk, will
301     throw an exception if the certificate cannot be loaded
302     (C:abac_id_from_chunk)
303***/
304            ID(abac_chunk_t chunk) : m_id(NULL) {
305                m_id = abac_id_from_chunk(chunk);
306                if (m_id == NULL)
307                    throw std::invalid_argument("Could not load ID certificate with a chunk");
308            }
309/***
310f  ID(char *,int)
311     generates a new ID(cert&key) with the supplied CN and validity period
312     - CN must be alphanumeric and begin with a letter
313     - validity must be at least one second
314     will throw an exception if either of the above is violated
315     (C:abac_id_generate)
316***/
317            ID(char *cn, int validity) : m_id(NULL) {
318                int ret = abac_id_generate(&m_id, cn, validity);
319                if (ret == ABAC_GENERATE_INVALID_CN)
320                    throw std::invalid_argument("CN must be alphanumeric and start with a letter");
321                if (ret == ABAC_GENERATE_INVALID_VALIDITY)
322                    throw std::invalid_argument("Validity must be > 0 days");
323            }
324/***
325f  void load_privkey(char *)
326     loads the private key associated with the ID credential,
327     will throw an exception if the key cannot be loaded
328     (C:abac_id_privkey_from_file)
329f  void load_privkey_chunk(abac_chunk_t)
330     loads the private key associated with the ID credential,
331     will throw an exception if the key cannot be loaded
332     (C:abac_id_privkey_from_chunk)
333f  int has_privkey()
334     check to see if there is a privkey in this ID
335     (C:abac_id_has_privkey)
336***/
337            void load_privkey(char *filename) {
338                int ret = abac_id_privkey_from_file(m_id, filename);
339                if (ret != ABAC_SUCCESS)
340                    throw std::invalid_argument("Could not load private key");
341            }
342            void load_privkey_chunk(abac_chunk_t chunk) {
343                int ret = abac_id_privkey_from_chunk(m_id, chunk);
344                if (ret != ABAC_SUCCESS)
345                    throw std::invalid_argument("Could not load private key with a chunk");
346            }
347            int has_privkey() {
348                int ret= abac_id_has_privkey(m_id);
349                return ret;
350            }
351/***
352f  char *keyid()
353     returns the SHA1 keyid of the id cert
354     (C:abac_id_keyid)
355f  char *cert_filename()
356     returns the default libabac filename for the cert.
357     value must be freed by caller.
358     (C:abac_id_cert_filename)
359***/
360            char *keyid() { return abac_id_keyid(m_id); }
361            char *cert_filename() { return abac_id_cert_filename(m_id); }
362/***
363f  void write_cert(FILE *)
364     writes a PEM-encoded certificate to a file handle
365     (C:abac_id_write_cert)
366f  void write_cert(string &)
367     writes a PEM-encoded certificate to a file named in string
368f  void write_cert_file(const char *)
369     writes a PEM-encoded certificate to a file
370f  void write_cert_name(const char *)
371     writes a PEM-encoded certificate to a file
372     (added to support original libcreddy users)
373***/
374            void write_cert(FILE *out) { abac_id_write_cert(m_id, out); }
375            void write_cert(const std::string &name) {
376                FILE *out = fopen(name.c_str(), "a+");
377                if (out == NULL)
378                    throw std::invalid_argument("Could not open certificate file for writing");
379                write_cert(out);
380                fclose(out);
381            }
382            // Simplifies access from swig
383            void write_cert_file(const char *n) {
384                write_cert(std::string(n));
385            }
386            void write_cert_name(const char *n) {
387                write_cert(std::string(n));
388                fprintf(stderr,"ABAC::ID::write_cert_name is deprecated, please use ABAC::ID::write_cert_name\n");
389            }
390/***
391f  char *privkey_filename()
392     returns the default libabac filename for the private key.
393     value must be freed by caller.
394     (C:abac_id_privkey_filename)
395***/
396            char *privkey_filename() { return abac_id_privkey_filename(m_id); }
397/***
398f  void write_privkey(FILE *)
399     write the private key to a file handle
400     throws a std::logic_error if no private key is loaded
401     (C:abac_id_write_privkey)
402f  void write_privkey(string &)
403     writes a private key to file named in string
404f  void write_privkey_file(const char *)
405     writes a private key to a file
406f  void write_privkey_name(const char *)
407     writes a private key to a file
408     (added to support original libcreddy users)
409***/
410            void write_privkey(FILE *out) {
411                int ret = abac_id_write_privkey(m_id, out);
412                if (ret!=ABAC_SUCCESS) throw std::logic_error("No private key loaded");
413            }
414            void write_privkey(const std::string &name) {
415                FILE *out = fopen(name.c_str(), "a+");
416                if (out == NULL)
417                    throw std::invalid_argument("Could not open privkey file for writing");
418                write_privkey(out);
419                fclose(out);
420            }
421            // Simplifies access from swig
422            void write_privkey_file(const char *name) {
423                write_privkey(std::string(name));
424            }
425            void write_privkey_name(const char *name) {
426                write_privkey(std::string(name));
427                fprintf(stderr,"ABAC::ID::write_privkey_name is deprecated, please use ABAC::ID::write_privkey_file\n");
428            }
429/***
430f  abac_chunk_t cert_chunk()
431     returns a DER-encoded binary representation of the X.509 ID cert
432     associated with this ID.
433     can be passed to libabac's Context::load_id_chunk()
434     (C:abac_id_cert_chunk)
435f  abac_chunk_t privkey_chunk()
436     returns a PEM-encoded binary representation of the private key
437     associated with this ID.
438     (C:abac_id_privkey_chunk)
439***/
440            abac_chunk_t cert_chunk() { return abac_id_cert_chunk(m_id); }
441            abac_chunk_t privkey_chunk() { return abac_id_privkey_chunk(m_id); }
442
443            friend class Attribute;
444
445        private:
446            abac_id_t *m_id;
447    };
448
449/***
450ABAC::Attribute
451   This is the attribute representation for the access policy rule
452       LHS <- RHS
453   The sequence of generation is to
454       first, instantiate the object, ie, LHS (head)
455       second, adding subject(s) to it, ie, RHS (tail)
456       and then baking it.
457   Only once it's baked can you access the X.509 cert.
458   Once it's been baked you can no longer add subjects to it
459***/
460    class Attribute {
461        public:
462/***
463f  Attribute()
464     default constructor, do not use, for swig only
465f  ~Attribute()
466     default destructor
467     (C:abac_attribute_free)
468***/
469            Attribute() : m_attr(NULL) { } // do not use: required by swig
470            ~Attribute() { abac_attribute_free(m_attr); }
471
472/***
473f  Attribute(ID&, char*,int)
474     constructor that creates an attribute policy to be signed by the issuer
475     with the given role with a specified validity period
476     An exception will be thrown if:
477       - the issuer has no private key
478       - the Head role is invalid
479       - the validity period is invalid (must be >= 0 second)
480       - The issuer is invalid
481     (C:abac_attribute_create)
482***/
483            Attribute(ID &issuer, char *role, int validity) : m_attr(NULL) {
484                int ret = abac_attribute_create(&m_attr, issuer.m_id, role, validity);
485                if (ret == ABAC_ATTRIBUTE_ISSUER_NOKEY)
486                    throw std::invalid_argument("Issuer has no private key");
487                if (ret == ABAC_ATTRIBUTE_INVALID_ROLE)
488                    throw std::invalid_argument("Role name must be alphanumeric");
489                if (ret == ABAC_ATTRIBUTE_INVALID_VALIDITY)
490                    throw std::invalid_argument("Validity must be > 0 days");
491                if (ret == ABAC_ATTRIBUTE_INVALID_ISSUER)
492                    throw std::invalid_argument("Issuer's validity expired");
493            }
494
495
496/***
497f  bool principal(char *keyid)
498     {keyid}
499     validate the principal and insert into the attribute
500     throw a std::logic_error if the cert's been baked and keyid bad
501     (C:abac_attribute_principal)
502f bool role(char *keyid, char *role)
503     {keyid.role}
504     validate the principal and role and insert into the attribute
505     throw a std::logic_error if the cert's been baked and keyid bad
506     (C:abac_attribute_role)
507f bool linking_role(char *keyid, char *role, char *linked)
508     {keyid.linked.role}
509     validate the role and linking role and insert into the attribute
510     throw a std::logic_error if the cert's been baked and keyid bad
511     (C:abac_attribute_linking_role)
512***/
513            bool principal(char *keyid) {
514                if (baked()) throw std::logic_error("Cert is already baked");
515                return abac_attribute_principal(m_attr, keyid);
516            }
517            bool role(char *keyid, char *role) {
518                if (baked()) throw std::logic_error("Cert is already baked");
519                return abac_attribute_role(m_attr, keyid, role);
520            }
521            bool linking_role(char *keyid, char *role, char *linked) {
522                if (baked()) throw std::logic_error("Cert is already baked");
523                return abac_attribute_linking_role(m_attr, keyid, role, linked);
524            }
525/***
526f  bool bake()
527     Generate the cert. Call this after you've added subjects to your cert.
528     This returns false if there are no subjects
529     This will throw an exception if the cert's already been baked.
530     (C:abac_attribute_bake)
531***/
532            bool bake() {
533                if (baked()) throw std::logic_error("Cert is already baked");
534                return abac_attribute_bake(m_attr);
535            }
536
537/***
538f  bool baked()
539     returns true iff the certificate has been baked.
540     (C:abac_attribute_baked)
541***/
542            bool baked() { return abac_attribute_baked(m_attr); }
543
544/***
545f  set_output_format(char *fmt)
546     {fmt}
547     Set the attribute's output format.  Valid choices are GENIv1.0 and
548     GENIV1.1.  Default is GENIv1.1.
549***/
550            void set_output_format(char *fmt) {
551                abac_attribute_set_output_format(m_attr, fmt);
552            }
553
554/***
555f  void write(FILE *)
556     write an attribute certificate in XML to an open file handle
557     Throws an exception if the certificate isn't baked
558     (C:abac_attribute_write)
559f  void write(const string&)
560     write an attribute certificate in XML to file named in string
561f  void write_file(const char *)
562     write an attribute certificate in XML to file
563f  void write_name(const char *)
564     write an attribute certificate in XML to file
565     (added to support original libcreddy users)
566***/
567            void write(FILE *out) {
568                int ret = abac_attribute_write(m_attr, out);
569                if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
570            }
571            void write(const std::string &name) {
572                FILE *out = fopen(name.c_str(), "w");
573                if (out == NULL)
574                    throw std::invalid_argument("Could not open certificate file for writing");
575                write(out);
576                fclose(out);
577            }
578            void write_file(const char *name) {
579                int ret = abac_attribute_write_file(m_attr, name);
580                if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
581            }
582            void write_name(const char *name) {
583                write_file(name);
584                fprintf(stderr,"ABAC::Attribute::write_name is deprecated, please use ABAC::Attribute::write_name\n");
585            }
586/***
587f  abac_chunk_t cert_chunk()
588     returns a XML structure of the attribute certificate in a abac_chunk_t
589     Throws an exception if the certificate isn't baked
590     the chunk can be passed to libabac's Context::load_attribute_chunk()
591     (C:abac_attribute_cert_chunk)
592***/
593            abac_chunk_t cert_chunk() {
594                abac_chunk_t ret=abac_attribute_cert_chunk(m_attr);
595                if(ret.len == 0)
596                    throw std::logic_error("Cert is not baked");
597                return ret;
598            }
599
600        private:
601            abac_attribute_t *m_attr;
602    };
603}
604
605#endif /* __ABAC_HH__ */
Note: See TracBrowser for help on using the repository browser.