Context Navigation

source: doc/ABAC.hh @ afcafea

abac0-leakabac0-meitvf-new-xml

Last change on this file since afcafea was afcafea, checked in by Ted Faber <faber@…>, 11 years ago
Outputs names with bake(Context)
Property mode set to `100644`
File size: 21.8 KB

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <cstdio>
5	#include <stdexcept>
6	#include <string>
7	#include <vector>
8
9	/* This file is generated from doc/ABAC.hh by doc/extract_doc.c */
10
11	namespace ABAC {
12	extern "C" {
13	#include "abac.h"
14	}
15
16	class Attribute;
17	class ID;
18	class Role;
19	class Credential;
20
21	/***
22	ABAC::Context
23	An ABAC Context
24	***/
25	class Context {
26	public:
27	/***
28	f Context()
29	default constructor
30	(C:abac_context_new)
31	f Context(const Context &)
32	copy constructor, used for cloning the context
33	(C:abac_context_dup)
34	f ~Context()
35	default destructor
36	(C:abac_context_free)
37	***/
38	Context() { m_ctx = abac_context_new(); }
39	Context(const Context &context) { m_ctx = abac_context_dup(context.m_ctx); }
40	~Context() { abac_context_free(m_ctx); }
41
42	/***
43	f int load_id_file(char *)
44	load identity certificate from an id file
45	(C:abac_context_load_id_file)
46	f int load_id_chunk(abac_chunk_t)
47	load id certificate from an chunk
48	(C:abac_context_load_id_chunk)
49	f int load_attribute_file(char *)
50	load attribute certificate from an id file.
51	(C:abac_context_load_attribute_file)
52	f int load_attribute_chunk(abac_chunk_t)
53	load attribute certificate from an chunk
54	(C:abac_context_load_attribute_chunk)
55	f returns :
56	ABAC_CERT_SUCCESS successfully loaded
57	ABAC_CERT_INVALID invalid certificate (or file not found)
58	ABAC_CERT_BAD_SIG invalid signature
59	***/
60	int load_id_file(char *filename) { return abac_context_load_id_file(m_ctx, filename); }
61	int load_id_chunk(abac_chunk_t cert) { return abac_context_load_id_chunk(m_ctx, cert); }
62	int load_attribute_file(char *filename) { return abac_context_load_attribute_file(m_ctx, filename); }
63	int load_attribute_chunk(abac_chunk_t cert) { return abac_context_load_attribute_chunk(m_ctx, cert); }
64
65	/***
66	f void load_directory(char *)
67	load a directory full of certificates:
68	f first: ${path}/*_ID.{der,pem} as identity certificates
69	implicitly looking for ${path}/*_private.{der,pem} as
70	the private key file
71	last: ${path}/*_attr.xml as attribute certificates
72	(C:abac_context_load_directory)
73	***/
74	void load_directory(char *path) { abac_context_load_directory(m_ctx, path); }
75
76	/***
77	f std::vector<Credential> query(char , char , bool &)
78	run the query:
79	role <-?- principal
80	returns true/false in success
81	returns a proof upon success, partial proof on failure
82	(C:abac_context_query)
83	(C::abac_free_credentials_free)
84	***/
85
86	/* abac query, returns a vector of credentials on success, NULL on fail */
87	std::vector<Credential> query(char role, char principal, bool &success) {
88	abac_credential_t creds, end;
89	int i, success_int;
90	creds = abac_context_query(m_ctx, role, principal, &success_int);
91	success = success_int;
92
93	for (i = 0; creds[i] != NULL; ++i)
94	;
95
96	end = &creds[i];
97	std::vector<Credential> credentials = std::vector<Credential>(creds, end);
98	abac_context_credentials_free(creds);
99	return credentials;
100	}
101	/***
102	f std::vector<Credential> credentials(bool &)
103	returns a vector of all the credentials loaded in the context
104	(C:abac_context_credentials)
105	(C::abac_context_credentials_free)
106	***/
107	std::vector<Credential> credentials() {
108	abac_credential_t creds, end;
109	int i;
110
111	creds = abac_context_credentials(m_ctx);
112	for (i = 0; creds[i] != NULL; ++i)
113	;
114
115	end = &creds[i];
116	std::vector<Credential> credentials = std::vector<Credential>(creds, end);
117
118	abac_context_credentials_free(creds);
119	return credentials;
120	}
121	private:
122	abac_context_t *m_ctx;
123	friend class Role;
124	friend class Attribute;
125	};
126
127	/***
128	ABAC::Role
129	A Role, most calls are rarely used outside the library
130	***/
131	class Role {
132	public:
133	/***
134	f Role()
135	default constructor, do not use, for swig only
136	f Role(abac_role_t*)
137	copy constructor, used for cloning an Role
138	(C:abac_role_dup)
139	f Role(char *)
140	instantiate a role from a string
141	(C:abac_role_from_string)
142	f Role(const Role &)
143	copy constructor, used for cloning an Role
144	(C:abac_role_dup)
145	f ~Role()
146	default destructor
147	(C:abac_role_free)
148	***/
149	Role() : m_role(NULL) { } // do not use: here for swig
150	Role(abac_role_t *role) { m_role = abac_role_dup(role); }
151	Role(char *role_name) { m_role = abac_role_from_string(role_name); }
152	Role(const Role &role) { m_role = abac_role_dup(role.m_role); }
153	~Role() { abac_role_free(m_role); }
154	/***
155	f bool is_principal()
156	(C:abac_role_is_principal)
157	f bool is_role()
158	(C:abac_role_is_role)
159	f bool is_linking()
160	(C:abac_role_is_linking)
161	indicates the type of role encoded
162	***/
163	bool is_principal() const { return abac_role_is_principal(m_role); }
164	bool is_role() const { return abac_role_is_role(m_role); }
165	bool is_linking() const { return abac_role_is_linking(m_role); }
166
167	/***
168	f char* string()
169	string representation of the role
170	(C:abac_role_string)
171	***/
172	char *string() const { return abac_role_string(m_role); }
173	/***
174	f char* short_string()
175	string representation of the role
176	(C:abac_role_string)
177	***/
178	char *short_string(Context& c) const {
179	return abac_role_short_string(m_role, c.m_ctx);
180	}
181	/***
182	f char* linked_role()
183	the linked role of a linking role
184	i.e., A.r1.r2, linked_role() returns A.r1
185	(C:abac_role_linked_role)
186	f char* role_name()
187	the role name of any role (the part after the last dot)
188	(C:abac_role_role_name)
189	f char* principal()
190	the principal part of any role
191	(C:abac_role_principal)
192	***/
193	char *linked_role() const { return abac_role_linked_role(m_role); }
194	char *role_name() const { return abac_role_role_name(m_role); }
195	char *principal() const { return abac_role_principal(m_role); }
196
197	private:
198	abac_role_t *m_role;
199	};
200
201	/***
202	ABAC::Credential
203	This is never instantiated directly. These will only ever be
204	returned as a result of calls to Context::query or
205	Context::credentials.
206	***/
207	class Credential {
208	public:
209	/***
210	f Credential()
211	default constructor, do not use, for swig only
212	f Credential(abac_credential_t*)
213	copy constructor, used for cloning a credential
214	(C:abac_credential_head)
215	(C:abac_credential_tail)
216	(C:abac_credential_dup)
217	f Credential(const Credential&)
218	copy constructor, used for cloning a credential
219	(C:abac_credential_head)
220	(C:abac_credential_tail)
221	(C:abac_credential_dup)
222	f ~Credential()
223	default destructor
224	(C:abac_credential_free)
225	***/
226	Credential() : m_cred(NULL) { } // do not use: here for swig
227	Credential(abac_credential_t *cred) :
228	m_head(abac_credential_head(cred)),
229	m_tail(abac_credential_tail(cred)),
230	m_cred(abac_credential_dup(cred))
231	{ }
232	Credential(const Credential &cred) :
233	m_head(cred.m_head),
234	m_tail(cred.m_tail),
235	m_cred(abac_credential_dup(cred.m_cred))
236	{ }
237	~Credential() { abac_credential_free(m_cred); }
238	/***
239	f Role &head()
240	returns the head of the credential
241	f Role &tail()
242	returns the tail of the credential
243	***/
244	const Role &head() { return m_head; }
245	const Role &tail() { return m_tail; }
246	/***
247	f abac_chunk_t attribute_cert()
248	returns the attribute certificate in chunk, suitable for
249	transmission over the network or storage in a file
250	(C:abac_credential_attribute_cert)
251	f abac_chunk_t issuer_cert()
252	returns the issuer certificate in chunk, again suitable for
253	network transmission or file storage
254	(C:abac_credential_issuer_cert)
255	***/
256	abac_chunk_t attribute_cert() { return abac_credential_attribute_cert(m_cred); }
257	abac_chunk_t issuer_cert() { return abac_credential_issuer_cert(m_cred); }
258
259	private:
260	abac_credential_t *m_cred;
261	Role m_head, m_tail;
262	};
263
264
265	/***
266	ABAC::ID
267	An ID holds a principal credential. It maybe imported from an existing
268	ID credential via external files, constructed from a streaming chunk,
269	or instantiated on the fly
270	***/
271	class ID {
272	public:
273	/***
274	f ID()
275	default constructor, do not use, for swig only
276	f ID(const ID &)
277	copy constructor, used for cloning an ID
278	(C:abac_id_dup)
279	f ~ID()
280	default destructor
281	(C:abac_id_free)
282	***/
283	ID() : m_id(NULL) { } // do not use: required by swig
284	ID(const ID &id) { m_id = abac_id_dup(id.m_id); }
285	~ID() { abac_id_free(m_id); }
286
287	/***
288	f ID(char *)
289	load an ID certificate from a file, will throw an exception
290	if the certificate cannot be loaded
291	(C:abac_id_from_file)
292	***/
293	ID(char *filename) : m_id(NULL) {
294	m_id = abac_id_from_file(filename);
295	if (m_id == NULL)
296	throw std::invalid_argument("Could not load ID cert");
297	}
298
299	/***
300	f ID_chunk(abac_chunk_t chunk)
301	create an ID certificate from an certificate chunk, will
302	throw an exception if the certificate cannot be loaded
303	(C:abac_id_from_chunk)
304	***/
305	ID(abac_chunk_t chunk) : m_id(NULL) {
306	m_id = abac_id_from_chunk(chunk);
307	if (m_id == NULL)
308	throw std::invalid_argument("Could not load ID certificate with a chunk");
309	}
310	/***
311	f ID(char *,int)
312	generates a new ID(cert&key) with the supplied CN and validity period
313	- CN must be alphanumeric and begin with a letter
314	- validity must be at least one second
315	will throw an exception if either of the above is violated
316	(C:abac_id_generate)
317	***/
318	ID(char *cn, int validity) : m_id(NULL) {
319	int ret = abac_id_generate(&m_id, cn, validity);
320	if (ret == ABAC_GENERATE_INVALID_CN)
321	throw std::invalid_argument("CN must be alphanumeric and start with a letter");
322	if (ret == ABAC_GENERATE_INVALID_VALIDITY)
323	throw std::invalid_argument("Validity must be > 0 days");
324	}
325	/***
326	f void load_privkey(char *)
327	loads the private key associated with the ID credential,
328	will throw an exception if the key cannot be loaded
329	(C:abac_id_privkey_from_file)
330	f void load_privkey_chunk(abac_chunk_t)
331	loads the private key associated with the ID credential,
332	will throw an exception if the key cannot be loaded
333	(C:abac_id_privkey_from_chunk)
334	f int has_privkey()
335	check to see if there is a privkey in this ID
336	(C:abac_id_has_privkey)
337	***/
338	void load_privkey(char *filename) {
339	int ret = abac_id_privkey_from_file(m_id, filename);
340	if (ret != ABAC_SUCCESS)
341	throw std::invalid_argument("Could not load private key");
342	}
343	void load_privkey_chunk(abac_chunk_t chunk) {
344	int ret = abac_id_privkey_from_chunk(m_id, chunk);
345	if (ret != ABAC_SUCCESS)
346	throw std::invalid_argument("Could not load private key with a chunk");
347	}
348	int has_privkey() {
349	int ret= abac_id_has_privkey(m_id);
350	return ret;
351	}
352	/***
353	f char *keyid()
354	returns the SHA1 keyid of the id cert
355	(C:abac_id_keyid)
356	f char *cert_filename()
357	returns the default libabac filename for the cert.
358	value must be freed by caller.
359	(C:abac_id_cert_filename)
360	***/
361	char *keyid() { return abac_id_keyid(m_id); }
362	char *cert_filename() { return abac_id_cert_filename(m_id); }
363	/***
364	f void write_cert(FILE *)
365	writes a PEM-encoded certificate to a file handle
366	(C:abac_id_write_cert)
367	f void write_cert(string &)
368	writes a PEM-encoded certificate to a file named in string
369	f void write_cert_file(const char *)
370	writes a PEM-encoded certificate to a file
371	f void write_cert_name(const char *)
372	writes a PEM-encoded certificate to a file
373	(added to support original libcreddy users)
374	***/
375	void write_cert(FILE *out) { abac_id_write_cert(m_id, out); }
376	void write_cert(const std::string &name) {
377	FILE *out = fopen(name.c_str(), "a+");
378	if (out == NULL)
379	throw std::invalid_argument("Could not open certificate file for writing");
380	write_cert(out);
381	fclose(out);
382	}
383	// Simplifies access from swig
384	void write_cert_file(const char *n) {
385	write_cert(std::string(n));
386	}
387	void write_cert_name(const char *n) {
388	write_cert(std::string(n));
389	fprintf(stderr,"ABAC::ID::write_cert_name is deprecated, please use ABAC::ID::write_cert_name\n");
390	}
391	/***
392	f char *privkey_filename()
393	returns the default libabac filename for the private key.
394	value must be freed by caller.
395	(C:abac_id_privkey_filename)
396	***/
397	char *privkey_filename() { return abac_id_privkey_filename(m_id); }
398	/***
399	f void write_privkey(FILE *)
400	write the private key to a file handle
401	throws a std::logic_error if no private key is loaded
402	(C:abac_id_write_privkey)
403	f void write_privkey(string &)
404	writes a private key to file named in string
405	f void write_privkey_file(const char *)
406	writes a private key to a file
407	f void write_privkey_name(const char *)
408	writes a private key to a file
409	(added to support original libcreddy users)
410	***/
411	void write_privkey(FILE *out) {
412	int ret = abac_id_write_privkey(m_id, out);
413	if (ret!=ABAC_SUCCESS) throw std::logic_error("No private key loaded");
414	}
415	void write_privkey(const std::string &name) {
416	FILE *out = fopen(name.c_str(), "a+");
417	if (out == NULL)
418	throw std::invalid_argument("Could not open privkey file for writing");
419	write_privkey(out);
420	fclose(out);
421	}
422	// Simplifies access from swig
423	void write_privkey_file(const char *name) {
424	write_privkey(std::string(name));
425	}
426	void write_privkey_name(const char *name) {
427	write_privkey(std::string(name));
428	fprintf(stderr,"ABAC::ID::write_privkey_name is deprecated, please use ABAC::ID::write_privkey_file\n");
429	}
430	/***
431	f abac_chunk_t cert_chunk()
432	returns a DER-encoded binary representation of the X.509 ID cert
433	associated with this ID.
434	can be passed to libabac's Context::load_id_chunk()
435	(C:abac_id_cert_chunk)
436	f abac_chunk_t privkey_chunk()
437	returns a PEM-encoded binary representation of the private key
438	associated with this ID.
439	(C:abac_id_privkey_chunk)
440	***/
441	abac_chunk_t cert_chunk() { return abac_id_cert_chunk(m_id); }
442	abac_chunk_t privkey_chunk() { return abac_id_privkey_chunk(m_id); }
443
444	friend class Attribute;
445
446	private:
447	abac_id_t *m_id;
448	};
449
450	/***
451	ABAC::Attribute
452	This is the attribute representation for the access policy rule
453	LHS <- RHS
454	The sequence of generation is to
455	first, instantiate the object, ie, LHS (head)
456	second, adding subject(s) to it, ie, RHS (tail)
457	and then baking it.
458	Only once it's baked can you access the X.509 cert.
459	Once it's been baked you can no longer add subjects to it
460	***/
461	class Attribute {
462	public:
463	/***
464	f Attribute()
465	default constructor, do not use, for swig only
466	f ~Attribute()
467	default destructor
468	(C:abac_attribute_free)
469	***/
470	Attribute() : m_attr(NULL) { } // do not use: required by swig
471	~Attribute() { abac_attribute_free(m_attr); }
472
473	/***
474	f Attribute(ID&, char*,int)
475	constructor that creates an attribute policy to be signed by the issuer
476	with the given role with a specified validity period
477	An exception will be thrown if:
478	- the issuer has no private key
479	- the Head role is invalid
480	- the validity period is invalid (must be >= 0 second)
481	- The issuer is invalid
482	(C:abac_attribute_create)
483	***/
484	Attribute(ID &issuer, char *role, int validity) : m_attr(NULL) {
485	int ret = abac_attribute_create(&m_attr, issuer.m_id, role, validity);
486	if (ret == ABAC_ATTRIBUTE_ISSUER_NOKEY)
487	throw std::invalid_argument("Issuer has no private key");
488	if (ret == ABAC_ATTRIBUTE_INVALID_ROLE)
489	throw std::invalid_argument("Role name must be alphanumeric");
490	if (ret == ABAC_ATTRIBUTE_INVALID_VALIDITY)
491	throw std::invalid_argument("Validity must be > 0 days");
492	if (ret == ABAC_ATTRIBUTE_INVALID_ISSUER)
493	throw std::invalid_argument("Issuer's validity expired");
494	}
495
496
497	/***
498	f bool principal(char *keyid)
499	{keyid}
500	validate the principal and insert into the attribute
501	throw a std::logic_error if the cert's been baked and keyid bad
502	(C:abac_attribute_principal)
503	f bool role(char keyid, char role)
504	{keyid.role}
505	validate the principal and role and insert into the attribute
506	throw a std::logic_error if the cert's been baked and keyid bad
507	(C:abac_attribute_role)
508	f bool linking_role(char keyid, char role, char *linked)
509	{keyid.linked.role}
510	validate the role and linking role and insert into the attribute
511	throw a std::logic_error if the cert's been baked and keyid bad
512	(C:abac_attribute_linking_role)
513	***/
514	bool principal(char *keyid) {
515	if (baked()) throw std::logic_error("Cert is already baked");
516	return abac_attribute_principal(m_attr, keyid);
517	}
518	bool role(char keyid, char role) {
519	if (baked()) throw std::logic_error("Cert is already baked");
520	return abac_attribute_role(m_attr, keyid, role);
521	}
522	bool linking_role(char keyid, char role, char *linked) {
523	if (baked()) throw std::logic_error("Cert is already baked");
524	return abac_attribute_linking_role(m_attr, keyid, role, linked);
525	}
526	/***
527	f bool bake()
528	Generate the cert. Call this after you've added subjects to your cert.
529	This returns false if there are no subjects
530	This will throw an exception if the cert's already been baked.
531	(C:abac_attribute_bake)
532	***/
533	bool bake() {
534	if (baked()) throw std::logic_error("Cert is already baked");
535	return abac_attribute_bake(m_attr);
536	}
537
538	/***
539	f bool bake(Context c)
540	Generate the cert. Call this after you've added subjects to your cert.
541	This returns false if there are no subjects
542	This will throw an exception if the cert's already been baked.
543	This version annotated the baked credential with any mnemonic names in the
544	context.
545	(C:abac_attribute_bake)
546	***/
547	bool bake(Context& c) {
548	if (baked()) throw std::logic_error("Cert is already baked");
549	return abac_attribute_bake_context(m_attr, c.m_ctx);
550	}
551
552	/***
553	f bool baked()
554	returns true iff the certificate has been baked.
555	(C:abac_attribute_baked)
556	***/
557	bool baked() { return abac_attribute_baked(m_attr); }
558
559	/***
560	f set_output_format(char *fmt)
561	{fmt}
562	Set the attribute's output format. Valid choices are GENIv1.0 and
563	GENIV1.1. Default is GENIv1.1.
564	***/
565	void set_output_format(char *fmt) {
566	abac_attribute_set_output_format(m_attr, fmt);
567	}
568
569	/***
570	f void write(FILE *)
571	write an attribute certificate in XML to an open file handle
572	Throws an exception if the certificate isn't baked
573	(C:abac_attribute_write)
574	f void write(const string&)
575	write an attribute certificate in XML to file named in string
576	f void write_file(const char *)
577	write an attribute certificate in XML to file
578	f void write_name(const char *)
579	write an attribute certificate in XML to file
580	(added to support original libcreddy users)
581	***/
582	void write(FILE *out) {
583	int ret = abac_attribute_write(m_attr, out);
584	if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
585	}
586	void write(const std::string &name) {
587	FILE *out = fopen(name.c_str(), "w");
588	if (out == NULL)
589	throw std::invalid_argument("Could not open certificate file for writing");
590	write(out);
591	fclose(out);
592	}
593	void write_file(const char *name) {
594	int ret = abac_attribute_write_file(m_attr, name);
595	if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
596	}
597	void write_name(const char *name) {
598	write_file(name);
599	fprintf(stderr,"ABAC::Attribute::write_name is deprecated, please use ABAC::Attribute::write_name\n");
600	}
601	/***
602	f abac_chunk_t cert_chunk()
603	returns a XML structure of the attribute certificate in a abac_chunk_t
604	Throws an exception if the certificate isn't baked
605	the chunk can be passed to libabac's Context::load_attribute_chunk()
606	(C:abac_attribute_cert_chunk)
607	***/
608	abac_chunk_t cert_chunk() {
609	abac_chunk_t ret=abac_attribute_cert_chunk(m_attr);
610	if(ret.len == 0)
611	throw std::logic_error("Cert is not baked");
612	return ret;
613	}
614
615	private:
616	abac_attribute_t *m_attr;
617	};
618	}
619
620	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: