Context Navigation

source: doc/ABAC.hh @ bc12f3d

abac0-leakabac0-meitvf-new-xml

Last change on this file since bc12f3d was bc12f3d, checked in by Ted Faber <faber@…>, 11 years ago
Allow user to specify credential output format
Property mode set to `100644`
File size: 21.0 KB

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <cstdio>
5	#include <stdexcept>
6	#include <string>
7	#include <vector>
8
9	/* This file is generated from doc/ABAC.hh by doc/extract_doc.c */
10
11	namespace ABAC {
12	extern "C" {
13	#include "abac.h"
14	}
15
16	class Attribute;
17	class ID;
18
19	/***
20	ABAC::Role
21	A Role, most calls are rarely used outside the library
22	***/
23	class Role {
24	public:
25	/***
26	f Role()
27	default constructor, do not use, for swig only
28	f Role(abac_role_t*)
29	copy constructor, used for cloning an Role
30	(C:abac_role_dup)
31	f Role(char *)
32	instantiate a role from a string
33	(C:abac_role_from_string)
34	f Role(const Role &)
35	copy constructor, used for cloning an Role
36	(C:abac_role_dup)
37	f ~Role()
38	default destructor
39	(C:abac_role_free)
40	***/
41	Role() : m_role(NULL) { } // do not use: here for swig
42	Role(abac_role_t *role) { m_role = abac_role_dup(role); }
43	Role(char *role_name) { m_role = abac_role_from_string(role_name); }
44	Role(const Role &role) { m_role = abac_role_dup(role.m_role); }
45	~Role() { abac_role_free(m_role); }
46	/***
47	f bool is_principal()
48	(C:abac_role_is_principal)
49	f bool is_role()
50	(C:abac_role_is_role)
51	f bool is_linking()
52	(C:abac_role_is_linking)
53	indicates the type of role encoded
54	***/
55	bool is_principal() const { return abac_role_is_principal(m_role); }
56	bool is_role() const { return abac_role_is_role(m_role); }
57	bool is_linking() const { return abac_role_is_linking(m_role); }
58
59	/***
60	f char* string()
61	string representation of the role
62	(C:abac_role_string)
63	***/
64	char *string() const { return abac_role_string(m_role); }
65	/***
66	f char* linked_role()
67	the linked role of a linking role
68	i.e., A.r1.r2, linked_role() returns A.r1
69	(C:abac_role_linked_role)
70	f char* role_name()
71	the role name of any role (the part after the last dot)
72	(C:abac_role_role_name)
73	f char* principal()
74	the principal part of any role
75	(C:abac_role_principal)
76	***/
77	char *linked_role() const { return abac_role_linked_role(m_role); }
78	char *role_name() const { return abac_role_role_name(m_role); }
79	char *principal() const { return abac_role_principal(m_role); }
80
81	private:
82	abac_role_t *m_role;
83	};
84
85	/***
86	ABAC::Credential
87	This is never instantiated directly. These will only ever be
88	returned as a result of calls to Context::query or
89	Context::credentials.
90	***/
91	class Credential {
92	public:
93	/***
94	f Credential()
95	default constructor, do not use, for swig only
96	f Credential(abac_credential_t*)
97	copy constructor, used for cloning a credential
98	(C:abac_credential_head)
99	(C:abac_credential_tail)
100	(C:abac_credential_dup)
101	f Credential(const Credential&)
102	copy constructor, used for cloning a credential
103	(C:abac_credential_head)
104	(C:abac_credential_tail)
105	(C:abac_credential_dup)
106	f ~Credential()
107	default destructor
108	(C:abac_credential_free)
109	***/
110	Credential() : m_cred(NULL) { } // do not use: here for swig
111	Credential(abac_credential_t *cred) :
112	m_head(abac_credential_head(cred)),
113	m_tail(abac_credential_tail(cred)),
114	m_cred(abac_credential_dup(cred))
115	{ }
116	Credential(const Credential &cred) :
117	m_head(cred.m_head),
118	m_tail(cred.m_tail),
119	m_cred(abac_credential_dup(cred.m_cred))
120	{ }
121	~Credential() { abac_credential_free(m_cred); }
122	/***
123	f Role &head()
124	returns the head of the credential
125	f Role &tail()
126	returns the tail of the credential
127	***/
128	const Role &head() { return m_head; }
129	const Role &tail() { return m_tail; }
130	/***
131	f abac_chunk_t attribute_cert()
132	returns the attribute certificate in chunk, suitable for
133	transmission over the network or storage in a file
134	(C:abac_credential_attribute_cert)
135	f abac_chunk_t issuer_cert()
136	returns the issuer certificate in chunk, again suitable for
137	network transmission or file storage
138	(C:abac_credential_issuer_cert)
139	***/
140	abac_chunk_t attribute_cert() { return abac_credential_attribute_cert(m_cred); }
141	abac_chunk_t issuer_cert() { return abac_credential_issuer_cert(m_cred); }
142
143	private:
144	abac_credential_t *m_cred;
145	Role m_head, m_tail;
146	};
147
148	/***
149	ABAC::Context
150	An ABAC Context
151	***/
152	class Context {
153	public:
154	/***
155	f Context()
156	default constructor
157	(C:abac_context_new)
158	f Context(const Context &)
159	copy constructor, used for cloning the context
160	(C:abac_context_dup)
161	f ~Context()
162	default destructor
163	(C:abac_context_free)
164	***/
165	Context() { m_ctx = abac_context_new(); }
166	Context(const Context &context) { m_ctx = abac_context_dup(context.m_ctx); }
167	~Context() { abac_context_free(m_ctx); }
168
169	/***
170	f int load_id_file(char *)
171	load identity certificate from an id file
172	(C:abac_context_load_id_file)
173	f int load_id_chunk(abac_chunk_t)
174	load id certificate from an chunk
175	(C:abac_context_load_id_chunk)
176	f int load_attribute_file(char *)
177	load attribute certificate from an id file.
178	(C:abac_context_load_attribute_file)
179	f int load_attribute_chunk(abac_chunk_t)
180	load attribute certificate from an chunk
181	(C:abac_context_load_attribute_chunk)
182	f returns :
183	ABAC_CERT_SUCCESS successfully loaded
184	ABAC_CERT_INVALID invalid certificate (or file not found)
185	ABAC_CERT_BAD_SIG invalid signature
186	***/
187	int load_id_file(char *filename) { return abac_context_load_id_file(m_ctx, filename); }
188	int load_id_chunk(abac_chunk_t cert) { return abac_context_load_id_chunk(m_ctx, cert); }
189	int load_attribute_file(char *filename) { return abac_context_load_attribute_file(m_ctx, filename); }
190	int load_attribute_chunk(abac_chunk_t cert) { return abac_context_load_attribute_chunk(m_ctx, cert); }
191
192	/***
193	f void load_directory(char *)
194	load a directory full of certificates:
195	f first: ${path}/*_ID.{der,pem} as identity certificates
196	implicitly looking for ${path}/*_private.{der,pem} as
197	the private key file
198	last: ${path}/*_attr.xml as attribute certificates
199	(C:abac_context_load_directory)
200	***/
201	void load_directory(char *path) { abac_context_load_directory(m_ctx, path); }
202
203	/***
204	f std::vector<Credential> query(char , char , bool &)
205	run the query:
206	role <-?- principal
207	returns true/false in success
208	returns a proof upon success, partial proof on failure
209	(C:abac_context_query)
210	(C::abac_free_credentials_free)
211	***/
212
213	/* abac query, returns a vector of credentials on success, NULL on fail */
214	std::vector<Credential> query(char role, char principal, bool &success) {
215	abac_credential_t creds, end;
216	int i, success_int;
217	creds = abac_context_query(m_ctx, role, principal, &success_int);
218	success = success_int;
219
220	for (i = 0; creds[i] != NULL; ++i)
221	;
222
223	end = &creds[i];
224	std::vector<Credential> credentials = std::vector<Credential>(creds, end);
225	abac_context_credentials_free(creds);
226	return credentials;
227	}
228	/***
229	f std::vector<Credential> credentials(bool &)
230	returns a vector of all the credentials loaded in the context
231	(C:abac_context_credentials)
232	(C::abac_context_credentials_free)
233	***/
234	std::vector<Credential> credentials() {
235	abac_credential_t creds, end;
236	int i;
237
238	creds = abac_context_credentials(m_ctx);
239	for (i = 0; creds[i] != NULL; ++i)
240	;
241
242	end = &creds[i];
243	std::vector<Credential> credentials = std::vector<Credential>(creds, end);
244
245	abac_context_credentials_free(creds);
246	return credentials;
247	}
248
249	private:
250	abac_context_t *m_ctx;
251	};
252
253	/***
254	ABAC::ID
255	An ID holds a principal credential. It maybe imported from an existing
256	ID credential via external files, constructed from a streaming chunk,
257	or instantiated on the fly
258	***/
259	class ID {
260	public:
261	/***
262	f ID()
263	default constructor, do not use, for swig only
264	f ID(const ID &)
265	copy constructor, used for cloning an ID
266	(C:abac_id_dup)
267	f ~ID()
268	default destructor
269	(C:abac_id_free)
270	***/
271	ID() : m_id(NULL) { } // do not use: required by swig
272	ID(const ID &id) { m_id = abac_id_dup(id.m_id); }
273	~ID() { abac_id_free(m_id); }
274
275	/***
276	f ID(char *)
277	load an ID certificate from a file, will throw an exception
278	if the certificate cannot be loaded
279	(C:abac_id_from_file)
280	***/
281	ID(char *filename) : m_id(NULL) {
282	m_id = abac_id_from_file(filename);
283	if (m_id == NULL)
284	throw std::invalid_argument("Could not load ID cert");
285	}
286
287	/***
288	f ID_chunk(abac_chunk_t chunk)
289	create an ID certificate from an certificate chunk, will
290	throw an exception if the certificate cannot be loaded
291	(C:abac_id_from_chunk)
292	***/
293	ID(abac_chunk_t chunk) : m_id(NULL) {
294	m_id = abac_id_from_chunk(chunk);
295	if (m_id == NULL)
296	throw std::invalid_argument("Could not load ID certificate with a chunk");
297	}
298	/***
299	f ID(char *,int)
300	generates a new ID(cert&key) with the supplied CN and validity period
301	- CN must be alphanumeric and begin with a letter
302	- validity must be at least one second
303	will throw an exception if either of the above is violated
304	(C:abac_id_generate)
305	***/
306	ID(char *cn, int validity) : m_id(NULL) {
307	int ret = abac_id_generate(&m_id, cn, validity);
308	if (ret == ABAC_GENERATE_INVALID_CN)
309	throw std::invalid_argument("CN must be alphanumeric and start with a letter");
310	if (ret == ABAC_GENERATE_INVALID_VALIDITY)
311	throw std::invalid_argument("Validity must be > 0 days");
312	}
313	/***
314	f void load_privkey(char *)
315	loads the private key associated with the ID credential,
316	will throw an exception if the key cannot be loaded
317	(C:abac_id_privkey_from_file)
318	f void load_privkey_chunk(abac_chunk_t)
319	loads the private key associated with the ID credential,
320	will throw an exception if the key cannot be loaded
321	(C:abac_id_privkey_from_chunk)
322	f int has_privkey()
323	check to see if there is a privkey in this ID
324	(C:abac_id_has_privkey)
325	***/
326	void load_privkey(char *filename) {
327	int ret = abac_id_privkey_from_file(m_id, filename);
328	if (ret != ABAC_SUCCESS)
329	throw std::invalid_argument("Could not load private key");
330	}
331	void load_privkey_chunk(abac_chunk_t chunk) {
332	int ret = abac_id_privkey_from_chunk(m_id, chunk);
333	if (ret != ABAC_SUCCESS)
334	throw std::invalid_argument("Could not load private key with a chunk");
335	}
336	int has_privkey() {
337	int ret= abac_id_has_privkey(m_id);
338	return ret;
339	}
340	/***
341	f char *keyid()
342	returns the SHA1 keyid of the id cert
343	(C:abac_id_keyid)
344	f char *cert_filename()
345	returns the default libabac filename for the cert.
346	value must be freed by caller.
347	(C:abac_id_cert_filename)
348	***/
349	char *keyid() { return abac_id_keyid(m_id); }
350	char *cert_filename() { return abac_id_cert_filename(m_id); }
351	/***
352	f void write_cert(FILE *)
353	writes a PEM-encoded certificate to a file handle
354	(C:abac_id_write_cert)
355	f void write_cert(string &)
356	writes a PEM-encoded certificate to a file named in string
357	f void write_cert_file(const char *)
358	writes a PEM-encoded certificate to a file
359	f void write_cert_name(const char *)
360	writes a PEM-encoded certificate to a file
361	(added to support original libcreddy users)
362	***/
363	void write_cert(FILE *out) { abac_id_write_cert(m_id, out); }
364	void write_cert(const std::string &name) {
365	FILE *out = fopen(name.c_str(), "a+");
366	if (out == NULL)
367	throw std::invalid_argument("Could not open certificate file for writing");
368	write_cert(out);
369	fclose(out);
370	}
371	// Simplifies access from swig
372	void write_cert_file(const char *n) {
373	write_cert(std::string(n));
374	}
375	void write_cert_name(const char *n) {
376	write_cert(std::string(n));
377	fprintf(stderr,"ABAC::ID::write_cert_name is deprecated, please use ABAC::ID::write_cert_name\n");
378	}
379	/***
380	f char *privkey_filename()
381	returns the default libabac filename for the private key.
382	value must be freed by caller.
383	(C:abac_id_privkey_filename)
384	***/
385	char *privkey_filename() { return abac_id_privkey_filename(m_id); }
386	/***
387	f void write_privkey(FILE *)
388	write the private key to a file handle
389	throws a std::logic_error if no private key is loaded
390	(C:abac_id_write_privkey)
391	f void write_privkey(string &)
392	writes a private key to file named in string
393	f void write_privkey_file(const char *)
394	writes a private key to a file
395	f void write_privkey_name(const char *)
396	writes a private key to a file
397	(added to support original libcreddy users)
398	***/
399	void write_privkey(FILE *out) {
400	int ret = abac_id_write_privkey(m_id, out);
401	if (ret!=ABAC_SUCCESS) throw std::logic_error("No private key loaded");
402	}
403	void write_privkey(const std::string &name) {
404	FILE *out = fopen(name.c_str(), "a+");
405	if (out == NULL)
406	throw std::invalid_argument("Could not open privkey file for writing");
407	write_privkey(out);
408	fclose(out);
409	}
410	// Simplifies access from swig
411	void write_privkey_file(const char *name) {
412	write_privkey(std::string(name));
413	}
414	void write_privkey_name(const char *name) {
415	write_privkey(std::string(name));
416	fprintf(stderr,"ABAC::ID::write_privkey_name is deprecated, please use ABAC::ID::write_privkey_file\n");
417	}
418	/***
419	f abac_chunk_t cert_chunk()
420	returns a DER-encoded binary representation of the X.509 ID cert
421	associated with this ID.
422	can be passed to libabac's Context::load_id_chunk()
423	(C:abac_id_cert_chunk)
424	f abac_chunk_t privkey_chunk()
425	returns a PEM-encoded binary representation of the private key
426	associated with this ID.
427	(C:abac_id_privkey_chunk)
428	***/
429	abac_chunk_t cert_chunk() { return abac_id_cert_chunk(m_id); }
430	abac_chunk_t privkey_chunk() { return abac_id_privkey_chunk(m_id); }
431
432	friend class Attribute;
433
434	private:
435	abac_id_t *m_id;
436	};
437
438	/***
439	ABAC::Attribute
440	This is the attribute representation for the access policy rule
441	LHS <- RHS
442	The sequence of generation is to
443	first, instantiate the object, ie, LHS (head)
444	second, adding subject(s) to it, ie, RHS (tail)
445	and then baking it.
446	Only once it's baked can you access the X.509 cert.
447	Once it's been baked you can no longer add subjects to it
448	***/
449	class Attribute {
450	public:
451	/***
452	f Attribute()
453	default constructor, do not use, for swig only
454	f ~Attribute()
455	default destructor
456	(C:abac_attribute_free)
457	***/
458	Attribute() : m_attr(NULL) { } // do not use: required by swig
459	~Attribute() { abac_attribute_free(m_attr); }
460
461	/***
462	f Attribute(ID&, char*,int)
463	constructor that creates an attribute policy to be signed by the issuer
464	with the given role with a specified validity period
465	An exception will be thrown if:
466	- the issuer has no private key
467	- the Head role is invalid
468	- the validity period is invalid (must be >= 0 second)
469	- The issuer is invalid
470	(C:abac_attribute_create)
471	***/
472	Attribute(ID &issuer, char *role, int validity) : m_attr(NULL) {
473	int ret = abac_attribute_create(&m_attr, issuer.m_id, role, validity);
474	if (ret == ABAC_ATTRIBUTE_ISSUER_NOKEY)
475	throw std::invalid_argument("Issuer has no private key");
476	if (ret == ABAC_ATTRIBUTE_INVALID_ROLE)
477	throw std::invalid_argument("Role name must be alphanumeric");
478	if (ret == ABAC_ATTRIBUTE_INVALID_VALIDITY)
479	throw std::invalid_argument("Validity must be > 0 days");
480	if (ret == ABAC_ATTRIBUTE_INVALID_ISSUER)
481	throw std::invalid_argument("Issuer's validity expired");
482	}
483
484
485	/***
486	f bool principal(char *keyid)
487	{keyid}
488	validate the principal and insert into the attribute
489	throw a std::logic_error if the cert's been baked and keyid bad
490	(C:abac_attribute_principal)
491	f bool role(char keyid, char role)
492	{keyid.role}
493	validate the principal and role and insert into the attribute
494	throw a std::logic_error if the cert's been baked and keyid bad
495	(C:abac_attribute_role)
496	f bool linking_role(char keyid, char role, char *linked)
497	{keyid.linked.role}
498	validate the role and linking role and insert into the attribute
499	throw a std::logic_error if the cert's been baked and keyid bad
500	(C:abac_attribute_linking_role)
501	***/
502	bool principal(char *keyid) {
503	if (baked()) throw std::logic_error("Cert is already baked");
504	return abac_attribute_principal(m_attr, keyid);
505	}
506	bool role(char keyid, char role) {
507	if (baked()) throw std::logic_error("Cert is already baked");
508	return abac_attribute_role(m_attr, keyid, role);
509	}
510	bool linking_role(char keyid, char role, char *linked) {
511	if (baked()) throw std::logic_error("Cert is already baked");
512	return abac_attribute_linking_role(m_attr, keyid, role, linked);
513	}
514	/***
515	f bool bake()
516	Generate the cert. Call this after you've added subjects to your cert.
517	This returns false if there are no subjects
518	This will throw an exception if the cert's already been baked.
519	(C:abac_attribute_bake)
520	***/
521	bool bake() {
522	if (baked()) throw std::logic_error("Cert is already baked");
523	return abac_attribute_bake(m_attr);
524	}
525
526	/***
527	f bool baked()
528	returns true iff the certificate has been baked.
529	(C:abac_attribute_baked)
530	***/
531	bool baked() { return abac_attribute_baked(m_attr); }
532
533	/***
534	f set_output_format(char *fmt)
535	{fmt}
536	Set the attribute's output format. Valid choices are GENIv1.0 and
537	GENIV1.1. Default is GENIv1.1.
538	***/
539	void set_output_format(char *fmt) {
540	abac_attribute_set_output_format(m_attr, fmt);
541	}
542
543	/***
544	f void write(FILE *)
545	write an attribute certificate in XML to an open file handle
546	Throws an exception if the certificate isn't baked
547	(C:abac_attribute_write)
548	f void write(const string&)
549	write an attribute certificate in XML to file named in string
550	f void write_file(const char *)
551	write an attribute certificate in XML to file
552	f void write_name(const char *)
553	write an attribute certificate in XML to file
554	(added to support original libcreddy users)
555	***/
556	void write(FILE *out) {
557	int ret = abac_attribute_write(m_attr, out);
558	if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
559	}
560	void write(const std::string &name) {
561	FILE *out = fopen(name.c_str(), "w");
562	if (out == NULL)
563	throw std::invalid_argument("Could not open certificate file for writing");
564	write(out);
565	fclose(out);
566	}
567	void write_file(const char *name) {
568	int ret = abac_attribute_write_file(m_attr, name);
569	if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
570	}
571	void write_name(const char *name) {
572	write_file(name);
573	fprintf(stderr,"ABAC::Attribute::write_name is deprecated, please use ABAC::Attribute::write_name\n");
574	}
575	/***
576	f abac_chunk_t cert_chunk()
577	returns a XML structure of the attribute certificate in a abac_chunk_t
578	Throws an exception if the certificate isn't baked
579	the chunk can be passed to libabac's Context::load_attribute_chunk()
580	(C:abac_attribute_cert_chunk)
581	***/
582	abac_chunk_t cert_chunk() {
583	abac_chunk_t ret=abac_attribute_cert_chunk(m_attr);
584	if(ret.len == 0)
585	throw std::logic_error("Cert is not baked");
586	return ret;
587	}
588
589	private:
590	abac_attribute_t *m_attr;
591	};
592	}
593
594	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: