Context Navigation

source: doc/ABAC.hh @ d2b198c

abac0-leakabac0-meitvf-new-xml

Last change on this file since d2b198c was 94605f2, checked in by Ted Faber <faber@…>, 11 years ago
checkpoint Lots of the way toward mnemonic names, some parsing fixes
Property mode set to `100644`
File size: 21.3 KB

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <cstdio>
5	#include <stdexcept>
6	#include <string>
7	#include <vector>
8
9	/* This file is generated from doc/ABAC.hh by doc/extract_doc.c */
10
11	namespace ABAC {
12	extern "C" {
13	#include "abac.h"
14	}
15
16	class Attribute;
17	class ID;
18	class Role;
19	class Credential;
20
21	/***
22	ABAC::Context
23	An ABAC Context
24	***/
25	class Context {
26	public:
27	/***
28	f Context()
29	default constructor
30	(C:abac_context_new)
31	f Context(const Context &)
32	copy constructor, used for cloning the context
33	(C:abac_context_dup)
34	f ~Context()
35	default destructor
36	(C:abac_context_free)
37	***/
38	Context() { m_ctx = abac_context_new(); }
39	Context(const Context &context) { m_ctx = abac_context_dup(context.m_ctx); }
40	~Context() { abac_context_free(m_ctx); }
41
42	/***
43	f int load_id_file(char *)
44	load identity certificate from an id file
45	(C:abac_context_load_id_file)
46	f int load_id_chunk(abac_chunk_t)
47	load id certificate from an chunk
48	(C:abac_context_load_id_chunk)
49	f int load_attribute_file(char *)
50	load attribute certificate from an id file.
51	(C:abac_context_load_attribute_file)
52	f int load_attribute_chunk(abac_chunk_t)
53	load attribute certificate from an chunk
54	(C:abac_context_load_attribute_chunk)
55	f returns :
56	ABAC_CERT_SUCCESS successfully loaded
57	ABAC_CERT_INVALID invalid certificate (or file not found)
58	ABAC_CERT_BAD_SIG invalid signature
59	***/
60	int load_id_file(char *filename) { return abac_context_load_id_file(m_ctx, filename); }
61	int load_id_chunk(abac_chunk_t cert) { return abac_context_load_id_chunk(m_ctx, cert); }
62	int load_attribute_file(char *filename) { return abac_context_load_attribute_file(m_ctx, filename); }
63	int load_attribute_chunk(abac_chunk_t cert) { return abac_context_load_attribute_chunk(m_ctx, cert); }
64
65	/***
66	f void load_directory(char *)
67	load a directory full of certificates:
68	f first: ${path}/*_ID.{der,pem} as identity certificates
69	implicitly looking for ${path}/*_private.{der,pem} as
70	the private key file
71	last: ${path}/*_attr.xml as attribute certificates
72	(C:abac_context_load_directory)
73	***/
74	void load_directory(char *path) { abac_context_load_directory(m_ctx, path); }
75
76	/***
77	f std::vector<Credential> query(char , char , bool &)
78	run the query:
79	role <-?- principal
80	returns true/false in success
81	returns a proof upon success, partial proof on failure
82	(C:abac_context_query)
83	(C::abac_free_credentials_free)
84	***/
85
86	/* abac query, returns a vector of credentials on success, NULL on fail */
87	std::vector<Credential> query(char role, char principal, bool &success) {
88	abac_credential_t creds, end;
89	int i, success_int;
90	creds = abac_context_query(m_ctx, role, principal, &success_int);
91	success = success_int;
92
93	for (i = 0; creds[i] != NULL; ++i)
94	;
95
96	end = &creds[i];
97	std::vector<Credential> credentials = std::vector<Credential>(creds, end);
98	abac_context_credentials_free(creds);
99	return credentials;
100	}
101	/***
102	f std::vector<Credential> credentials(bool &)
103	returns a vector of all the credentials loaded in the context
104	(C:abac_context_credentials)
105	(C::abac_context_credentials_free)
106	***/
107	std::vector<Credential> credentials() {
108	abac_credential_t creds, end;
109	int i;
110
111	creds = abac_context_credentials(m_ctx);
112	for (i = 0; creds[i] != NULL; ++i)
113	;
114
115	end = &creds[i];
116	std::vector<Credential> credentials = std::vector<Credential>(creds, end);
117
118	abac_context_credentials_free(creds);
119	return credentials;
120	}
121	private:
122	abac_context_t *m_ctx;
123	friend class Role;
124	};
125
126	/***
127	ABAC::Role
128	A Role, most calls are rarely used outside the library
129	***/
130	class Role {
131	public:
132	/***
133	f Role()
134	default constructor, do not use, for swig only
135	f Role(abac_role_t*)
136	copy constructor, used for cloning an Role
137	(C:abac_role_dup)
138	f Role(char *)
139	instantiate a role from a string
140	(C:abac_role_from_string)
141	f Role(const Role &)
142	copy constructor, used for cloning an Role
143	(C:abac_role_dup)
144	f ~Role()
145	default destructor
146	(C:abac_role_free)
147	***/
148	Role() : m_role(NULL) { } // do not use: here for swig
149	Role(abac_role_t *role) { m_role = abac_role_dup(role); }
150	Role(char *role_name) { m_role = abac_role_from_string(role_name); }
151	Role(const Role &role) { m_role = abac_role_dup(role.m_role); }
152	~Role() { abac_role_free(m_role); }
153	/***
154	f bool is_principal()
155	(C:abac_role_is_principal)
156	f bool is_role()
157	(C:abac_role_is_role)
158	f bool is_linking()
159	(C:abac_role_is_linking)
160	indicates the type of role encoded
161	***/
162	bool is_principal() const { return abac_role_is_principal(m_role); }
163	bool is_role() const { return abac_role_is_role(m_role); }
164	bool is_linking() const { return abac_role_is_linking(m_role); }
165
166	/***
167	f char* string()
168	string representation of the role
169	(C:abac_role_string)
170	***/
171	char *string() const { return abac_role_string(m_role); }
172	/***
173	f char* short_string()
174	string representation of the role
175	(C:abac_role_string)
176	***/
177	char *short_string(Context& c) const {
178	return abac_role_short_string(m_role, c.m_ctx);
179	}
180	/***
181	f char* linked_role()
182	the linked role of a linking role
183	i.e., A.r1.r2, linked_role() returns A.r1
184	(C:abac_role_linked_role)
185	f char* role_name()
186	the role name of any role (the part after the last dot)
187	(C:abac_role_role_name)
188	f char* principal()
189	the principal part of any role
190	(C:abac_role_principal)
191	***/
192	char *linked_role() const { return abac_role_linked_role(m_role); }
193	char *role_name() const { return abac_role_role_name(m_role); }
194	char *principal() const { return abac_role_principal(m_role); }
195
196	private:
197	abac_role_t *m_role;
198	};
199
200	/***
201	ABAC::Credential
202	This is never instantiated directly. These will only ever be
203	returned as a result of calls to Context::query or
204	Context::credentials.
205	***/
206	class Credential {
207	public:
208	/***
209	f Credential()
210	default constructor, do not use, for swig only
211	f Credential(abac_credential_t*)
212	copy constructor, used for cloning a credential
213	(C:abac_credential_head)
214	(C:abac_credential_tail)
215	(C:abac_credential_dup)
216	f Credential(const Credential&)
217	copy constructor, used for cloning a credential
218	(C:abac_credential_head)
219	(C:abac_credential_tail)
220	(C:abac_credential_dup)
221	f ~Credential()
222	default destructor
223	(C:abac_credential_free)
224	***/
225	Credential() : m_cred(NULL) { } // do not use: here for swig
226	Credential(abac_credential_t *cred) :
227	m_head(abac_credential_head(cred)),
228	m_tail(abac_credential_tail(cred)),
229	m_cred(abac_credential_dup(cred))
230	{ }
231	Credential(const Credential &cred) :
232	m_head(cred.m_head),
233	m_tail(cred.m_tail),
234	m_cred(abac_credential_dup(cred.m_cred))
235	{ }
236	~Credential() { abac_credential_free(m_cred); }
237	/***
238	f Role &head()
239	returns the head of the credential
240	f Role &tail()
241	returns the tail of the credential
242	***/
243	const Role &head() { return m_head; }
244	const Role &tail() { return m_tail; }
245	/***
246	f abac_chunk_t attribute_cert()
247	returns the attribute certificate in chunk, suitable for
248	transmission over the network or storage in a file
249	(C:abac_credential_attribute_cert)
250	f abac_chunk_t issuer_cert()
251	returns the issuer certificate in chunk, again suitable for
252	network transmission or file storage
253	(C:abac_credential_issuer_cert)
254	***/
255	abac_chunk_t attribute_cert() { return abac_credential_attribute_cert(m_cred); }
256	abac_chunk_t issuer_cert() { return abac_credential_issuer_cert(m_cred); }
257
258	private:
259	abac_credential_t *m_cred;
260	Role m_head, m_tail;
261	};
262
263
264	/***
265	ABAC::ID
266	An ID holds a principal credential. It maybe imported from an existing
267	ID credential via external files, constructed from a streaming chunk,
268	or instantiated on the fly
269	***/
270	class ID {
271	public:
272	/***
273	f ID()
274	default constructor, do not use, for swig only
275	f ID(const ID &)
276	copy constructor, used for cloning an ID
277	(C:abac_id_dup)
278	f ~ID()
279	default destructor
280	(C:abac_id_free)
281	***/
282	ID() : m_id(NULL) { } // do not use: required by swig
283	ID(const ID &id) { m_id = abac_id_dup(id.m_id); }
284	~ID() { abac_id_free(m_id); }
285
286	/***
287	f ID(char *)
288	load an ID certificate from a file, will throw an exception
289	if the certificate cannot be loaded
290	(C:abac_id_from_file)
291	***/
292	ID(char *filename) : m_id(NULL) {
293	m_id = abac_id_from_file(filename);
294	if (m_id == NULL)
295	throw std::invalid_argument("Could not load ID cert");
296	}
297
298	/***
299	f ID_chunk(abac_chunk_t chunk)
300	create an ID certificate from an certificate chunk, will
301	throw an exception if the certificate cannot be loaded
302	(C:abac_id_from_chunk)
303	***/
304	ID(abac_chunk_t chunk) : m_id(NULL) {
305	m_id = abac_id_from_chunk(chunk);
306	if (m_id == NULL)
307	throw std::invalid_argument("Could not load ID certificate with a chunk");
308	}
309	/***
310	f ID(char *,int)
311	generates a new ID(cert&key) with the supplied CN and validity period
312	- CN must be alphanumeric and begin with a letter
313	- validity must be at least one second
314	will throw an exception if either of the above is violated
315	(C:abac_id_generate)
316	***/
317	ID(char *cn, int validity) : m_id(NULL) {
318	int ret = abac_id_generate(&m_id, cn, validity);
319	if (ret == ABAC_GENERATE_INVALID_CN)
320	throw std::invalid_argument("CN must be alphanumeric and start with a letter");
321	if (ret == ABAC_GENERATE_INVALID_VALIDITY)
322	throw std::invalid_argument("Validity must be > 0 days");
323	}
324	/***
325	f void load_privkey(char *)
326	loads the private key associated with the ID credential,
327	will throw an exception if the key cannot be loaded
328	(C:abac_id_privkey_from_file)
329	f void load_privkey_chunk(abac_chunk_t)
330	loads the private key associated with the ID credential,
331	will throw an exception if the key cannot be loaded
332	(C:abac_id_privkey_from_chunk)
333	f int has_privkey()
334	check to see if there is a privkey in this ID
335	(C:abac_id_has_privkey)
336	***/
337	void load_privkey(char *filename) {
338	int ret = abac_id_privkey_from_file(m_id, filename);
339	if (ret != ABAC_SUCCESS)
340	throw std::invalid_argument("Could not load private key");
341	}
342	void load_privkey_chunk(abac_chunk_t chunk) {
343	int ret = abac_id_privkey_from_chunk(m_id, chunk);
344	if (ret != ABAC_SUCCESS)
345	throw std::invalid_argument("Could not load private key with a chunk");
346	}
347	int has_privkey() {
348	int ret= abac_id_has_privkey(m_id);
349	return ret;
350	}
351	/***
352	f char *keyid()
353	returns the SHA1 keyid of the id cert
354	(C:abac_id_keyid)
355	f char *cert_filename()
356	returns the default libabac filename for the cert.
357	value must be freed by caller.
358	(C:abac_id_cert_filename)
359	***/
360	char *keyid() { return abac_id_keyid(m_id); }
361	char *cert_filename() { return abac_id_cert_filename(m_id); }
362	/***
363	f void write_cert(FILE *)
364	writes a PEM-encoded certificate to a file handle
365	(C:abac_id_write_cert)
366	f void write_cert(string &)
367	writes a PEM-encoded certificate to a file named in string
368	f void write_cert_file(const char *)
369	writes a PEM-encoded certificate to a file
370	f void write_cert_name(const char *)
371	writes a PEM-encoded certificate to a file
372	(added to support original libcreddy users)
373	***/
374	void write_cert(FILE *out) { abac_id_write_cert(m_id, out); }
375	void write_cert(const std::string &name) {
376	FILE *out = fopen(name.c_str(), "a+");
377	if (out == NULL)
378	throw std::invalid_argument("Could not open certificate file for writing");
379	write_cert(out);
380	fclose(out);
381	}
382	// Simplifies access from swig
383	void write_cert_file(const char *n) {
384	write_cert(std::string(n));
385	}
386	void write_cert_name(const char *n) {
387	write_cert(std::string(n));
388	fprintf(stderr,"ABAC::ID::write_cert_name is deprecated, please use ABAC::ID::write_cert_name\n");
389	}
390	/***
391	f char *privkey_filename()
392	returns the default libabac filename for the private key.
393	value must be freed by caller.
394	(C:abac_id_privkey_filename)
395	***/
396	char *privkey_filename() { return abac_id_privkey_filename(m_id); }
397	/***
398	f void write_privkey(FILE *)
399	write the private key to a file handle
400	throws a std::logic_error if no private key is loaded
401	(C:abac_id_write_privkey)
402	f void write_privkey(string &)
403	writes a private key to file named in string
404	f void write_privkey_file(const char *)
405	writes a private key to a file
406	f void write_privkey_name(const char *)
407	writes a private key to a file
408	(added to support original libcreddy users)
409	***/
410	void write_privkey(FILE *out) {
411	int ret = abac_id_write_privkey(m_id, out);
412	if (ret!=ABAC_SUCCESS) throw std::logic_error("No private key loaded");
413	}
414	void write_privkey(const std::string &name) {
415	FILE *out = fopen(name.c_str(), "a+");
416	if (out == NULL)
417	throw std::invalid_argument("Could not open privkey file for writing");
418	write_privkey(out);
419	fclose(out);
420	}
421	// Simplifies access from swig
422	void write_privkey_file(const char *name) {
423	write_privkey(std::string(name));
424	}
425	void write_privkey_name(const char *name) {
426	write_privkey(std::string(name));
427	fprintf(stderr,"ABAC::ID::write_privkey_name is deprecated, please use ABAC::ID::write_privkey_file\n");
428	}
429	/***
430	f abac_chunk_t cert_chunk()
431	returns a DER-encoded binary representation of the X.509 ID cert
432	associated with this ID.
433	can be passed to libabac's Context::load_id_chunk()
434	(C:abac_id_cert_chunk)
435	f abac_chunk_t privkey_chunk()
436	returns a PEM-encoded binary representation of the private key
437	associated with this ID.
438	(C:abac_id_privkey_chunk)
439	***/
440	abac_chunk_t cert_chunk() { return abac_id_cert_chunk(m_id); }
441	abac_chunk_t privkey_chunk() { return abac_id_privkey_chunk(m_id); }
442
443	friend class Attribute;
444
445	private:
446	abac_id_t *m_id;
447	};
448
449	/***
450	ABAC::Attribute
451	This is the attribute representation for the access policy rule
452	LHS <- RHS
453	The sequence of generation is to
454	first, instantiate the object, ie, LHS (head)
455	second, adding subject(s) to it, ie, RHS (tail)
456	and then baking it.
457	Only once it's baked can you access the X.509 cert.
458	Once it's been baked you can no longer add subjects to it
459	***/
460	class Attribute {
461	public:
462	/***
463	f Attribute()
464	default constructor, do not use, for swig only
465	f ~Attribute()
466	default destructor
467	(C:abac_attribute_free)
468	***/
469	Attribute() : m_attr(NULL) { } // do not use: required by swig
470	~Attribute() { abac_attribute_free(m_attr); }
471
472	/***
473	f Attribute(ID&, char*,int)
474	constructor that creates an attribute policy to be signed by the issuer
475	with the given role with a specified validity period
476	An exception will be thrown if:
477	- the issuer has no private key
478	- the Head role is invalid
479	- the validity period is invalid (must be >= 0 second)
480	- The issuer is invalid
481	(C:abac_attribute_create)
482	***/
483	Attribute(ID &issuer, char *role, int validity) : m_attr(NULL) {
484	int ret = abac_attribute_create(&m_attr, issuer.m_id, role, validity);
485	if (ret == ABAC_ATTRIBUTE_ISSUER_NOKEY)
486	throw std::invalid_argument("Issuer has no private key");
487	if (ret == ABAC_ATTRIBUTE_INVALID_ROLE)
488	throw std::invalid_argument("Role name must be alphanumeric");
489	if (ret == ABAC_ATTRIBUTE_INVALID_VALIDITY)
490	throw std::invalid_argument("Validity must be > 0 days");
491	if (ret == ABAC_ATTRIBUTE_INVALID_ISSUER)
492	throw std::invalid_argument("Issuer's validity expired");
493	}
494
495
496	/***
497	f bool principal(char *keyid)
498	{keyid}
499	validate the principal and insert into the attribute
500	throw a std::logic_error if the cert's been baked and keyid bad
501	(C:abac_attribute_principal)
502	f bool role(char keyid, char role)
503	{keyid.role}
504	validate the principal and role and insert into the attribute
505	throw a std::logic_error if the cert's been baked and keyid bad
506	(C:abac_attribute_role)
507	f bool linking_role(char keyid, char role, char *linked)
508	{keyid.linked.role}
509	validate the role and linking role and insert into the attribute
510	throw a std::logic_error if the cert's been baked and keyid bad
511	(C:abac_attribute_linking_role)
512	***/
513	bool principal(char *keyid) {
514	if (baked()) throw std::logic_error("Cert is already baked");
515	return abac_attribute_principal(m_attr, keyid);
516	}
517	bool role(char keyid, char role) {
518	if (baked()) throw std::logic_error("Cert is already baked");
519	return abac_attribute_role(m_attr, keyid, role);
520	}
521	bool linking_role(char keyid, char role, char *linked) {
522	if (baked()) throw std::logic_error("Cert is already baked");
523	return abac_attribute_linking_role(m_attr, keyid, role, linked);
524	}
525	/***
526	f bool bake()
527	Generate the cert. Call this after you've added subjects to your cert.
528	This returns false if there are no subjects
529	This will throw an exception if the cert's already been baked.
530	(C:abac_attribute_bake)
531	***/
532	bool bake() {
533	if (baked()) throw std::logic_error("Cert is already baked");
534	return abac_attribute_bake(m_attr);
535	}
536
537	/***
538	f bool baked()
539	returns true iff the certificate has been baked.
540	(C:abac_attribute_baked)
541	***/
542	bool baked() { return abac_attribute_baked(m_attr); }
543
544	/***
545	f set_output_format(char *fmt)
546	{fmt}
547	Set the attribute's output format. Valid choices are GENIv1.0 and
548	GENIV1.1. Default is GENIv1.1.
549	***/
550	void set_output_format(char *fmt) {
551	abac_attribute_set_output_format(m_attr, fmt);
552	}
553
554	/***
555	f void write(FILE *)
556	write an attribute certificate in XML to an open file handle
557	Throws an exception if the certificate isn't baked
558	(C:abac_attribute_write)
559	f void write(const string&)
560	write an attribute certificate in XML to file named in string
561	f void write_file(const char *)
562	write an attribute certificate in XML to file
563	f void write_name(const char *)
564	write an attribute certificate in XML to file
565	(added to support original libcreddy users)
566	***/
567	void write(FILE *out) {
568	int ret = abac_attribute_write(m_attr, out);
569	if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
570	}
571	void write(const std::string &name) {
572	FILE *out = fopen(name.c_str(), "w");
573	if (out == NULL)
574	throw std::invalid_argument("Could not open certificate file for writing");
575	write(out);
576	fclose(out);
577	}
578	void write_file(const char *name) {
579	int ret = abac_attribute_write_file(m_attr, name);
580	if (ret!=ABAC_SUCCESS) throw std::logic_error("Cert is not baked");
581	}
582	void write_name(const char *name) {
583	write_file(name);
584	fprintf(stderr,"ABAC::Attribute::write_name is deprecated, please use ABAC::Attribute::write_name\n");
585	}
586	/***
587	f abac_chunk_t cert_chunk()
588	returns a XML structure of the attribute certificate in a abac_chunk_t
589	Throws an exception if the certificate isn't baked
590	the chunk can be passed to libabac's Context::load_attribute_chunk()
591	(C:abac_attribute_cert_chunk)
592	***/
593	abac_chunk_t cert_chunk() {
594	abac_chunk_t ret=abac_attribute_cert_chunk(m_attr);
595	if(ret.len == 0)
596	throw std::logic_error("Cert is not baked");
597	return ret;
598	}
599
600	private:
601	abac_attribute_t *m_attr;
602	};
603	}
604
605	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: