source: doc/API @ 7751094

mei_rt2
Last change on this file since 7751094 was 2e9455f, checked in by Mei <mei@…>, 12 years ago

1) added namespace
2) tweak ?This
3) allowing linking role/oset as constraining conditions
4) adding access_tests regression testing that uses GENI's access policy
5) added a couple of multi-context regression tests
6) add compression/uncompression calls to abac_encode_string/abac_decode_string
(libstrongswan only allows 512 chars for attribute rule storage)
7) add attribute_now option to creddy that takes a whole char string for an
attribute rule

C++ API

(see bottom for notes on C, Perl, Python and Java)

ABAC::abac_chunk_t
   Structure that represents a blob of memory,
   used to load/return DER-encoded X509 certificates
     -unsigned char *data
     -int len

ABAC::dump_yap_db()
   Dump the complete yap prolog database
   (C:show_yap_db)

ABAC::dump_debug_info()
   Dump debug info on the whole session
   (C:show_debug_info)

ABAC::Constraint
   Constraint on a data term.
   There are 3 types:
     - Role constraint on a principal
     - Oset constraint on a principal, or a data object
     - Range/List constraint on a data object
   It holds a pointer to an abac_condition_t structure

   Constraint()
     default constructor, do not use, for swig only

   Constraint(const Constraint &)
     copy constructor, used for cloning a constraint
     (C:abac_condition_dup)

   ~Constraint()
     default destructor
     (C:abac_condition_free)

   Constraint(Role &)
     constructor that takes a constraining role
       [role:?R[{role-constraint}]]
     (C:abac_constraint_from_role)

   Constraint(Oset &)
     constructor that takes a constraining oset
       [oset:?O[{oset-constraint}]]
       [urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
     (C:abac_constraint_from_oset)

   Constraint(char *)
     constructor that takes one of the following strings
     as its vartype to set up a range constraint:
       "integer"
       "urn"
       "float"
       "boolean"
       "time"
       "string"
     it should be followed by one or more of the following utility
     calls.
     (C:abac_constraint_create)

   void constraint_add_integer_max(int)
     (C:abac_constraint_add_integer_max)
   void constraint_add_integer_min(int)
     utility routines to set up an integer range constraint
       [integer:?I[10 .. 20]]
     (C:abac_constraint_add_integer_min)

   void constraint_add_integer_target(int)
     utility routine to set up an integer list constraint
       [integer:?I[10,20]]
     (C:abac_constraint_add_integer_target)

   void constraint_add_float_max(float)
     (C:abac_constraint_add_float_max)
   void constraint_add_float_min(float)
     utility routines to set up a float range constraint
       [float:?F[1.0 .. 2.5]]
     (C:abac_constraint_add_float_min)

   void constraint_add_float_target(float)
     utility routine to set up a float list constraint
       [float:?F[0.5, 2.5]]
     (C:abac_constraint_add_float_target)

   void constraint_add_time_max(char*)
     (C:abac_constraint_add_time_max)
   void constraint_add_time_min(char*)
     utility routines to set up a time range constraint,
     takes quoted string values; the part after T is optional
       [time:?F["20120228T" .. "20120228T090000"]]
     (C:abac_constraint_add_time_min)

   void constraint_add_time_target(char*)
     utility routine to set up a time list constraint
       [time:?M["20201101T182930","20201101T"]]
     (C:abac_constraint_add_time_target)

   void constraint_add_urn_target(char*)
     utility routine to set up a urn list constraint
       [urn:?U["fileA","http://fileB"]]
     (C:abac_constraint_add_urn_target)

   void constraint_add_string_target(char*)
     utility routine to set up a string list constraint
       [string:?S["abc",'efg',"hij"]]
     (C:abac_constraint_add_string_target)

   void constraint_add_boolean_target(char*)
     utility routine to set up a boolean list constraint
       [boolean:?B['true']]
     (C:abac_constraint_add_boolean_target)

   char *string() const
     returns literal string of the constraint
     (C:abac_constraint_string)

   char *typed_string() const
     returns typed literal string of the constraint
     (C:abac_constraint_typed_string)

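The range and list constraints above can be modelled without the library.
The following C++ is an added example, not libabac code: it builds a
constraint incrementally the way the constraint_add_<type>_{min,max,target}
calls do, renders it in the literal notation shown above, and checks
candidate values against it, including the rule that the part after T in a
time literal is optional. Only the integer, float and time vartypes are
modelled; the type and function names are this example's own.

```cpp
// Added example (not libabac code): a self-contained model of the range/list
// constraints documented above, built with add_min/add_max/add_target the way
// constraint_add_<type>_{min,max,target} are used, then checked against values.
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Time literals are "YYYYMMDDT" or "YYYYMMDDThhmmss"; the part after T is
// optional (assumed here to mean 00:00:00), so both forms normalise to 14
// digits that compare correctly as plain strings. Returns "" if malformed.
static std::string normalize_time(const std::string &t) {
    if (t.size() < 9 || t[8] != 'T') return "";
    std::string digits = t.substr(0, 8) + (t.size() == 9 ? "000000" : t.substr(9));
    if (digits.size() != 14) return "";
    for (char c : digits) if (!std::isdigit(static_cast<unsigned char>(c))) return "";
    return digits;
}

// Canonical, comparable form of a literal for the given vartype ("" = invalid).
static std::string canonical(const std::string &vartype, const std::string &v) {
    if (vartype == "time") return normalize_time(v);
    if (v.empty()) return "";
    char *end = nullptr;
    if (vartype == "integer") (void)std::strtol(v.c_str(), &end, 10);
    else (void)std::strtod(v.c_str(), &end);
    return *end == '\0' ? v : "";              // the whole literal must be numeric
}

static int compare(const std::string &vartype, const std::string &a, const std::string &b) {
    if (vartype == "time") return a.compare(b); // fixed-width digit strings
    double x = std::strtod(a.c_str(), nullptr), y = std::strtod(b.c_str(), nullptr);
    return x < y ? -1 : (x > y ? 1 : 0);
}

struct RangeListConstraint {
    std::string vartype, var;           // e.g. "integer" and "I" for ?I
    std::string lo, hi;                 // range bounds, "" = unbounded
    std::vector<std::string> targets;   // non-empty = list constraint instead

    RangeListConstraint(const std::string &t, const std::string &v) : vartype(t), var(v) {}

    // Each returns false (and changes nothing) when the literal is malformed.
    bool add_min(const std::string &v) { if (canonical(vartype, v).empty()) return false; lo = v; return true; }
    bool add_max(const std::string &v) { if (canonical(vartype, v).empty()) return false; hi = v; return true; }
    bool add_target(const std::string &v) { if (canonical(vartype, v).empty()) return false; targets.push_back(v); return true; }

    // Does a candidate value satisfy the constraint? Unparseable values never do.
    bool satisfies(const std::string &value) const {
        std::string v = canonical(vartype, value);
        if (v.empty()) return false;
        if (!targets.empty()) {                   // list: exact match on any entry
            for (const std::string &t : targets)
                if (compare(vartype, v, canonical(vartype, t)) == 0) return true;
            return false;
        }
        if (!lo.empty() && compare(vartype, v, canonical(vartype, lo)) < 0) return false;
        if (!hi.empty() && compare(vartype, v, canonical(vartype, hi)) > 0) return false;
        return true;
    }

    // Literal form in the document's notation, e.g. [integer:?I[10 .. 20]];
    // time literals are quoted as in [time:?F["20120228T" .. "20120228T090000"]].
    std::string string() const {
        std::string q = vartype == "time" ? "\"" : "";
        std::string body;
        if (!targets.empty()) {
            for (size_t i = 0; i < targets.size(); ++i) body += (i ? "," : "") + q + targets[i] + q;
        } else {
            body = q + lo + q + " .. " + q + hi + q;
        }
        return "[" + vartype + ":?" + var + "[" + body + "]]";
    }
};

int main() {
    RangeListConstraint c("time", "F");
    c.add_min("20120228T");
    c.add_max("20120228T090000");
    std::cout << c.string() << " holds for 20120228T083000: "
              << (c.satisfies("20120228T083000") ? "yes" : "no") << "\n";
    return 0;
}
```

Note that a bare date "20120228T" sorts as the first instant of that day, so
it satisfies a range whose minimum is the same bare date but fails one whose
minimum carries a later clock time.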
ABAC::DataTerm
   A data term is associated with a Role or Oset as a parameter that
   may be instantiated, or uninstantiated but constrained,
   or as a principal oset term (a standalone right-hand side of an oset
   policy rule).  It holds a pointer to an abac_term_t structure.
   Types of data terms are:
     "integer"
     "urn"
     "float"
     "boolean"
     "string"
     "time"
     "principal"
     "anonymous"
     "this"

   DataTerm()
     default constructor, do not use, for swig only

   DataTerm(const DataTerm &)
     copy constructor, used for cloning a data term
     (C:abac_term_dup)

   ~DataTerm()
     default destructor
     (C:abac_term_free)

   DataTerm(char*)
     constructor to make a named principal data term for the oset RHS
     if "this" is supplied, a term with type=e_TERM_THIS is created
     if "anonymous" is supplied, a term with type=e_TERM_ANONYMOUS is created
     (C:abac_term_named_create)

   DataTerm(const ID&)
     constructor to make a named principal data term for a parameter term
     (C:abac_term_id_create)

   DataTerm(char*, char*, Constraint*)
     constructor for making a variable data term
     (C:abac_term_create)

   DataTerm(char*, char*)
     constructor for making an instantiated data term
     (C:abac_term_create)

   char *string() const
     returns literal string of the data term
     (C:abac_term_string)

   char *typed_string() const
     returns typed literal string of the data term
     (C:abac_term_typed_string)

   bool term_is_time() const
     (C:abac_term_is_time)
   bool term_is_string() const
     (C:abac_term_is_string)
   bool term_is_urn() const
     (C:abac_term_is_urn)
   bool term_is_integer() const
     (C:abac_term_is_integer)
     each returns true if the data term is of that type

   int term_add_constraint(Constraint&)
     utility routine to add a constraint to this data term
     (C:abac_term_add_constraint)

   int term_type() const
     returns subtype of the data term
     (C:abac_term_type)

   char *term_name() const
     returns the name of the data term
     (C:abac_term_name)

ABAC::Role
   A Role is a role specification: a set of entities for a principal

   Role()
     default constructor, do not use, for swig only

   Role(const Role &)
     copy constructor, used for cloning a role
     (C:abac_aspect_dup)

   ~Role()
     default destructor
     (C:abac_aspect_free)

   Role(char*)
     constructor that builds a bare-bones role with just the principal's name
     (C:abac_role_principal_create)

   Role(char*, char*)
     constructor that builds a bare-bones role with just the principal's name
     and a role name
     (C:abac_role_create)

   Role(char*, char*, char*)
     constructor that builds a bare-bones role with the principal's name,
     a linking role name and a role name
     (C:abac_role_linked_create)

   bool role_is_principal() const
     returns true if the role is a principal object (made from
     a data term), the right hand side of,
       [keyid:A].role:r <- [keyid:B]
     (C:abac_role_is_principal)

   bool role_is_linking() const
     returns true if the role is a linking role like
     the right hand side of,
       [keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
     (C:abac_role_is_linking)

   char *string() const
     returns literal string of the role
     (C:abac_role_string)

   char *typed_string() const
     returns typed literal string of the role
     (C:abac_role_typed_string)

   char *role_linked_role() const
     returns the linked part of a linking role, for
       [keyid:A].role:r1.role:r2, it returns r1
     (C:abac_role_linked_role)

   char *role_name() const
     returns the role name of any role (the part after the last dot)
       [keyid:A].role:r1.role:r2, it returns r2
       [keyid:A].role:r1, it returns r1
     (C:abac_role_name)

   char *role_principal() const
     returns the principal of the role (the part before the first dot)
       [keyid:A].role:r1, it returns A
     (C:abac_role_principal)

   void role_add_data_term(DataTerm&)
     add a data term to the role
     (C:abac_role_add_data_term)

   std::vector<DataTerm> get_data_terms(bool &)
     return the data terms bound to this role.
     (C:abac_role_get_data_terms)

   void role_add_linked_data_term(DataTerm&)
     add a data term to the linking role
     (C:abac_role_add_linked_data_term)

   std::vector<DataTerm> get_linked_data_terms(bool &)
     return the data terms bound to this role's linking role.
     (C:abac_role_get_linked_data_terms)
     (C:abac_terms_free)

ABAC::Oset
   An Oset is an oset specification: a set of entities for a principal

   Oset()
     default constructor, do not use, for swig only

   Oset(const Oset &)
     copy constructor, used for cloning an oset
     (C:abac_aspect_dup)

   ~Oset()
     default destructor
     (C:abac_aspect_free)

   Oset(char *)
     constructor that makes a principal oset, ie. [keyid:B]
     (C:abac_oset_principal_create)

   Oset(char *, char *)
     constructor that makes a regular oset, ie. [keyid:B].oset:o
     (C:abac_oset_create)

   Oset(char *, char*, char *)
     constructor that makes a linked oset, ie. [keyid:B].role:r.oset:o
     (C:abac_oset_linked_create)

   Oset(DataTerm&)
     constructor that makes an object oset, ie. [urn:'file/fileA']
     (C:abac_oset_object_create)

   bool oset_is_object() const
     returns true if this oset is an object oset, ie. the right hand side of,
       [keyid:A].oset:values <- [integer:10]
     (C:abac_oset_is_object)

   bool oset_is_principal() const
     returns true if the oset is a principal object (made from
     a data term), the right hand side of,
       [keyid:A].oset:o <- [keyid:B]
     (C:abac_oset_is_principal)

   bool oset_is_linking() const
     returns true if the oset is a linking oset like
     the right hand side of,
       [keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
     (C:abac_oset_is_linking)

   char *string() const
     returns literal string of the oset
     (C:abac_oset_string)

   char *typed_string() const
     returns typed literal string of the oset
     (C:abac_oset_typed_string)

   char *oset_linked_role() const
     returns the linked part of a linking oset, for
       [keyid:A].role:r1.oset:o1, it returns r1
     (C:abac_oset_linked_role)

   char *oset_name() const
     returns the oset name,
       [keyid:A].role:r1.oset:o1, it returns o1
       [keyid:A].oset:o1, it returns o1
     (C:abac_oset_name)

   char *oset_principal() const
     returns the principal name,
       [keyid:A].role:r1.oset:o1, it returns A
     (C:abac_oset_principal)

   char *oset_object() const
     returns the object's name when the oset is an object oset
       [keyid:A].oset:values <- [integer:10], it returns 10
     (C:abac_oset_object)

   void add_data_term(DataTerm&)
     add a data term to this oset's parameter set
     (C:abac_oset_add_data_term)

   std::vector<DataTerm> get_data_terms(bool &)
     returns the data terms bound to this oset.
     (C:abac_oset_get_data_terms)
     (C:abac_terms_free)

   void oset_add_linked_data_term(DataTerm&)
     add a data term to this oset's linking role's parameter set.
     (C:abac_oset_add_linked_data_term)

   std::vector<DataTerm> get_linked_data_terms(bool &)
     returns the data terms bound to this oset's linking role.
     (C:abac_oset_get_linked_data_terms)
     (C:abac_terms_free)

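As an added example covering both the Role and Oset sections above (this is
not libabac code), the following C++ parses the literal forms shown in those
sections and exposes what role_principal()/role_linked_role()/role_name()
and oset_principal()/oset_linked_role()/oset_name() return, together with
the is_principal/is_linking/is_object predicates. The Aspect type and the
parse_aspect function are this example's own names; parameterised terms such
as oset:documents([string:?P]) are not modelled.

```cpp
// Added example (not libabac code): a parser for the literal role/oset forms
// [keyid:A], [keyid:A].role:r, [keyid:A].role:r1.role:r2, [keyid:A].oset:o,
// [keyid:A].role:r.oset:o and object terms such as [integer:10].
#include <iostream>
#include <string>
#include <utility>
#include <vector>

struct Aspect {
    enum Kind { PRINCIPAL, OBJECT, ROLE, OSET } kind = PRINCIPAL;
    std::string principal;     // keyid, or the object literal for OBJECT (10, 'file/fileA')
    std::string object_type;   // "keyid", or the data type of an object term
    std::string linked_role;   // r1 in [keyid:A].role:r1.role:r2; empty unless linking
    std::string name;          // last role/oset name; empty for a bare principal/object

    bool is_principal() const { return kind == PRINCIPAL; }
    bool is_object() const { return kind == OBJECT; }
    bool is_linking() const { return !linked_role.empty(); }

    // Reconstruct the literal string (this model's string()).
    std::string string() const {
        std::string s = "[" + object_type + ":" + principal + "]";
        if (!linked_role.empty()) s += ".role:" + linked_role;
        if (kind == ROLE) s += ".role:" + name;
        if (kind == OSET) s += ".oset:" + name;
        return s;
    }
};

// Returns false for anything outside the documented forms, e.g. an oset used
// as the linking part, or a role attached to an object term.
static bool parse_aspect(const std::string &s, Aspect &out) {
    out = Aspect{};
    if (s.empty() || s[0] != '[') return false;
    std::string::size_type close = s.find(']');
    if (close == std::string::npos) return false;
    std::string term = s.substr(1, close - 1);
    std::string::size_type colon = term.find(':');
    if (colon == std::string::npos || colon == 0 || colon + 1 >= term.size()) return false;
    out.object_type = term.substr(0, colon);
    out.principal = term.substr(colon + 1);
    out.kind = out.object_type == "keyid" ? Aspect::PRINCIPAL : Aspect::OBJECT;

    // Split the dotted part after ']' into (role|oset, name) segments.
    std::vector<std::pair<std::string, std::string>> segs;
    std::string rest = s.substr(close + 1);
    while (!rest.empty()) {
        if (rest[0] != '.') return false;
        std::string::size_type next = rest.find('.', 1);
        std::string seg = rest.substr(1, next == std::string::npos ? std::string::npos : next - 1);
        std::string::size_type c = seg.find(':');
        if (c == std::string::npos || c == 0 || c + 1 >= seg.size()) return false;
        std::string key = seg.substr(0, c);
        if (key != "role" && key != "oset") return false;
        segs.emplace_back(key, seg.substr(c + 1));
        rest = next == std::string::npos ? "" : rest.substr(next);
    }
    if (segs.empty()) return true;                                    // bare principal or object
    if (out.kind == Aspect::OBJECT || segs.size() > 2) return false;  // objects carry no roles
    if (segs.size() == 2) {
        if (segs[0].first != "role") return false;                    // only a role can link
        out.linked_role = segs[0].second;
    }
    out.kind = segs.back().first == "role" ? Aspect::ROLE : Aspect::OSET;
    out.name = segs.back().second;
    return true;
}

int main() {
    Aspect a;
    if (parse_aspect("[keyid:A].role:r1.oset:o1", a))
        std::cout << a.string() << ": principal=" << a.principal
                  << " linked_role=" << a.linked_role << " name=" << a.name << "\n";
    return 0;
}
```

The parser rejects [keyid:A].oset:o1.role:r2 because only a role can be the
linking part, which is the same restriction the Oset constructors above
encode by taking a role name as the middle argument.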
ABAC::ID
   An ID holds a principal credential. It may be imported from an existing
   ID credential via external files, constructed from a streaming chunk,
   or instantiated on the fly

   ID()
     default constructor, do not use, for swig only

   ID(const ID &)
     copy constructor, used for cloning an ID
     (C:abac_id_dup)

   ~ID()
     default destructor
     (C:abac_id_free)

   ID(char *)
     load an ID cert from a file, will throw an exception
     if the cert cannot be loaded
     (C:abac_id_from_file)

   ID_chunk(abac_chunk_t chunk)
     create an ID cert from a cert chunk, will
     throw an exception if the cert cannot be loaded
     (C:abac_id_from_chunk)

   ID(char *,int)
     generates a new ID (cert&key) with the supplied CN and validity period
     - CN must be alphanumeric and begin with a letter
     - validity must be at least one second
     will throw an exception if either of the above is violated
     (C:abac_id_generate)

   ID(char *,int, char*, char*)
     generates a new ID from a supplied CN, keyfile, optional passphrase file
     and validity period
     - CN must be alphanumeric and begin with a letter
     - validity must be at least one second
     - the optional passphrase file is for when the keyfile is encrypted
     will throw an exception if either of the above is violated
     (C:abac_id_generate_with_key)

   void id_load_privkey_file(char *)
     loads the private key associated with the ID credential,
     will throw an exception if the key cannot be loaded
     (C:abac_id_load_privkey_file)

   void id_load_encrypted_privkey_file(char *, char*)
     loads an encrypted private key and its passphrase file (pfile)
     associated with the ID credential, will throw an exception if
     the key cannot be loaded
     (C:abac_id_load_enc_privkey_file)

   char *id_keyid()
     returns the SHA1 keyid of the id cert
     (C:abac_id_keyid)

   char *id_name()
     returns the CN (the parameter passed to the constructor or the
     CN of the cert).
     (C:abac_id_cn)

   bool id_has_privkey()
     returns true if the ID has an associated private key
     (C:abac_id_has_privkey)

   void id_write_cert(FILE *)
     writes a PEM-encoded cert to the file handle
     (C:abac_id_write_cert)

   void id_write_cert(char *)
     writes a PEM-encoded cert to a file named out
     (C:abac_id_write_cert_fname)

   void id_write_privkey(FILE *)
     writes a PEM-encoded private key to the file handle
     throws an exception if no private key is loaded
     (C:abac_id_write_privkey)

   void id_write_privkey(char *)
     writes a PEM-encoded private key to a file named out
     throws an exception if no private key is loaded
     (C:abac_id_write_privkey_fname)

   abac_chunk_t id_cert_chunk()
     returns a DER-encoded binary representation of the X.509 ID cert
     associated with this ID.
     can be passed to libabac's Context::load_id_chunk()
     (C:abac_id_cert_chunk)

   abac_chunk_t id_privkey_chunk()
     returns a PEM-encoded binary representation of the private key
     associated with this ID.
     can be passed to libabac's Context::load_id_chunks()
     (C:abac_id_privkey_chunk)

   char *string()
     returns literal string of the id credential
     (C:abac_id_string)

ABAC::Attribute
   This is the attribute representation for the access policy rule
       LHS <- RHS
   The sequence of generation is to
       first, instantiate the object, ie, LHS (head)
       second, add subject(s) to it, ie, RHS (tail)
       and then bake it.
   Only once it's baked can you access the X.509 cert.
   Once it's been baked you can no longer add subjects to it

   Attribute()
     default constructor, do not use, for swig only

   Attribute(const Attribute &)
     copy constructor, used for cloning an attribute
     (C:abac_attribute_dup)

   ~Attribute()
     default destructor
     (C:abac_attribute_free)

   Attribute(Role&, int)
     constructor that creates an attribute policy to be signed by the issuer
     with the given role as head and a specified validity period
     An exception will be thrown if:
       - the issuer has no private key
       - the head role is invalid
       - the validity period is invalid (must be >= 1 second)
     (C:abac_attribute_create)

   Attribute(Oset&, int)
     constructor that creates an attribute policy to be signed by the issuer
     with the given oset as head and a specified validity period
     An exception will be thrown if:
       - the issuer has no private key
       - the head oset is invalid
       - the validity period is invalid (must be >= 1 second)
     (C:abac_attribute_create)

   Attribute_chunk(abac_chunk_t chunk)
     constructor that creates an attribute from a given cert chunk
     (see cert_chunk() below)
     (C:abac_attribute_from_chunk)

   bool attribute_add_tail(Role&)
     Add a role tail.  Call multiple times for intersection
     (C:abac_attribute_add_tail)

   bool attribute_add_tail(Oset&)
     Add an oset tail.  Call multiple times for intersection
     (C:abac_attribute_add_tail)

   void attribute_set_using_this()
     Allows the user to set whether this attribute has '?This' in its
     attribute rule
     (C:abac_attribute_set_using_this)

   char *head_string()
     returns literal string of the head of the attribute
     (C:abac_head_string)

   char *tail_string()
     returns literal string of the tail of the attribute
     (C:abac_tail_string)

   char *head_typed_string()
     returns typed literal string of the head of the attribute
     (C:abac_head_typed_string)

   char *tail_typed_string()
     returns typed literal string of the tail of the attribute
     (C:abac_tail_typed_string)

   char *string()
     returns literal string of the attribute
     (C:abac_attribute_string)

   char *typed_string()
     returns typed literal string of the attribute
     (C:abac_attribute_typed_string)

   const Role &role_head()
     returns the head role
     (C:abac_attribute_head)

   const Oset &oset_head()
     returns the head oset
     (C:abac_attribute_head)

   std::vector<Role> role_tails(bool &)
     retrieve the tail roles (more than one if intersecting)
     (C:abac_attribute_role_tails)
     (C:abac_attribute_is_role)
     (C:abac_aspects_free)

   std::vector<Oset> oset_tails(bool &)
     retrieve the tail osets (more than one if intersecting)
     (C:abac_attribute_oset_tails)
     (C:abac_attribute_is_role)
     (C:abac_aspects_free)

   bool attribute_bake()
     Generate the cert. Call this after you've added subjects to your cert.
     This returns false if there are no subjects
     This will throw an exception if the cert's already been baked.
     (C:abac_attribute_bake)

   bool attribute_baked()
     returns true iff the cert has been baked.
     (C:abac_attribute_baked)

   void attribute_write_cert(FILE *)
     write the DER-encoded X.509 attribute cert to the open file handle
     Throws an exception if the cert isn't baked
     (C:abac_attribute_write_cert)

   void attribute_write_cert(char *)
     write the DER-encoded X.509 attribute cert to a file named out
     Throws an exception if the cert isn't baked
     (C:abac_attribute_write_cert_fname)

   abac_chunk_t cert_chunk()
     returns a DER-encoded binary representation of the X.509 attribute
     cert associated with this attribute
     Throws an exception if the cert isn't baked
     the chunk can be passed to libabac's Context::load_attribute_chunk()
     (C:abac_attribute_cert_chunk)

ABAC::Context
   An ABAC Context

   Context()
     default constructor
     (C:abac_context_new)

   Context(const Context &)
     copy constructor, used for cloning the context
     (C:abac_context_dup)

   ~Context()
     default destructor
     (C:abac_context_free)

   int load_id(ABAC::ID&)
     load id cert from an ID
     (C:abac_context_load_id)

   int load_id_file(char *)
     load id cert from an idkey combo file. key retrieval will be attempted
     but won't fail if not found
     (C:abac_context_load_id_idkey_file)

   int load_id_encrypted_file(char *, char *)
     load id cert from an idkey combo file and a pfile. Encrypted key
     retrieval will be attempted but won't fail if not found
     (C:abac_context_load_encrypted_id_file)

   int load_id_files(char *, char *)
     load id cert from an id file and a key file
     (C:abac_context_load_id_files)

   int load_id_encrypted_files(char *, char *, char *)
     load id cert from an id file, an encrypted key file, and a pfile
     (C:abac_context_load_encrypted_id_files)

   int load_id_chunk(abac_chunk_t)
     load id cert from a chunk structure
     (C:abac_context_load_id_chunk)

   int load_id_chunks(abac_chunk_t, abac_chunk_t)
     load id & privkey from chunk structures
     (C:abac_context_load_id_privkey_chunk)

   int load_id_encrypted_chunks(abac_chunk_t, abac_chunk_t, char *pfile)
     load id & encrypted privkey from chunk structures
     (C:abac_context_load_id_enc_privkey_chunk)

     all of the load_id* calls return:
       ABAC_CERT_SUCCESS   successfully loaded
       ABAC_CERT_INVALID   invalid certificate (or file not found)
       ABAC_CERT_BAD_SIG   invalid signature

   int load_attribute(ABAC::Attribute&)
     load attribute credential from an attribute structure
     (C:abac_context_load_attribute)

   int load_attribute_file(char *)
     load attribute credential from a file
     (C:abac_context_load_attribute_file)

   int load_attribute_chunk(abac_chunk_t)
     load attribute credential from a chunk
     (C:abac_context_load_attribute_chunk)

     the load_attribute* calls return the same values as above, and
     additionally return ABAC_CERT_MISSING_ISSUER if the issuer
     certificate has not been loaded

   void load_principals(char *)
     load a directory full of principals only:

        first: ${path}/*_ID.{der,pem} as identity certificates
               implicitly looking for ${path}/*_private.{der,pem} as
               the private key file
        then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
     (C:abac_context_load_principals)

   void load_directory(char *)
     load a directory full of certificates:

        first: ${path}/*_ID.{der,pem} as identity certificates
               implicitly looking for ${path}/*_private.{der,pem} as
               the private key file
        then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
        last: ${path}/*_attr.der as attribute certificates
     (C:abac_context_load_directory)

   void set_no_partial_proof()
     (C:abac_context_set_no_partial_proof)
   void set_want_partial_proof()
     disable or enable returning a partial proof when a query fails
     (C:abac_context_set_want_partial_proof)

   std::vector<Attribute> query(char *, char *, bool &)
     the string version is for a query composed by hand with SHA keyids or
     in non-ABAC_CN mode
     (C:abac_context_query)
     (C:abac_free_credentials)

   std::vector<Attribute> query(Role &, Role &, bool &)
     (C:abac_context_query_with_structure)
     (C:abac_free_credentials)
   std::vector<Attribute> query(Oset &, Oset &, bool &)
     (C:abac_context_query_with_structure)
     (C:abac_free_credentials)
     runs the query:
       role <-?- principal
       oset <-?- principal/obj
     sets the bool to true/false for success
     returns a proof upon success,
             a partial proof on failure by default

   std::vector<Attribute> next_proof(bool &)
     (C:abac_context_query_again)
     (C:abac_free_credentials)
     force backtracking and try to get the next solution proof:
     sets the bool to true/false for success
     returns a proof upon success

   std::vector<Attribute> context_credentials(bool &)
     returns a vector of all the credentials loaded in the context,
     extracted from the internal data structure
     (C:abac_context_credentials)
     (C:abac_free_credentials)

   int credential_count()
     returns the number of credentials currently loaded in the context
     (C:abac_context_credential_count)

   std::vector<ID> context_principals(bool &)
     returns a vector of all the principals loaded in the context,
     extracted from the internal data structure
     (C:abac_context_principals)
     (C:abac_free_principals)

   int principal_count()
     returns the number of principals currently loaded in the context
     (C:abac_context_principal_count)

   ID lookup_principal(char *)
     find a particular principal in the context
     (C:abac_context_principal_lookup)

   char *version()
     return the version of this interface
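
To make the query semantics above concrete (role <-?- principal, a head with
several tails meaning intersection, and linking roles), here is an added
example, not libabac code and not its Prolog engine: a small RT0 evaluator in
C++ over a constructed policy with hypothetical principals A to E.
Rt0Context::query reports whether the principal is a member of the role and,
on success, returns the list of credentials used as the proof. Unlike the
library it returns no partial proof on failure, and oset queries and
data-term constraints are not modelled.

```cpp
// Added example (not libabac code): a minimal RT0 evaluator modelling the
// query "role <-?- principal" over the credential forms this document
// describes: bare principal, simple role, linking role, and intersection.
#include <iostream>
#include <set>
#include <string>
#include <vector>

struct Role { std::string principal, linked, name; };      // name empty => bare [keyid:P]
struct Credential { Role head; std::vector<Role> tails; };  // more than one tail => intersection
using Proof = std::vector<std::string>;

static std::string str(const Role &r) {
    std::string s = "[keyid:" + r.principal + "]";
    if (!r.linked.empty()) s += ".role:" + r.linked;
    if (!r.name.empty()) s += ".role:" + r.name;
    return s;
}
// Intersection is written with " & " here; that is this model's notation.
static std::string str(const Credential &c) {
    std::string s = str(c.head) + " <- ";
    for (size_t i = 0; i < c.tails.size(); ++i) s += (i ? " & " : "") + str(c.tails[i]);
    return s;
}

class Rt0Context {
    std::vector<Credential> creds;
    std::set<std::string> principals;   // every keyid seen: candidates for linking roles
public:
    void load(const Credential &c) {
        creds.push_back(c);
        principals.insert(c.head.principal);
        for (const Role &t : c.tails) principals.insert(t.principal);
    }
    // role <-?- principal: true iff principal is a member of role; fills proof.
    bool query(const Role &role, const std::string &principal, Proof &proof) const {
        std::set<std::string> visiting;
        proof.clear();
        return derives(role, principal, proof, visiting);
    }
private:
    bool derives(const Role &role, const std::string &p, Proof &proof,
                 std::set<std::string> &visiting) const {
        if (role.name.empty()) return role.principal == p;      // [keyid:A] holds only A
        if (!role.linked.empty()) {
            // [keyid:A].role:r1.role:r2 holds p if some P in A.r1 has p in P.r2
            for (const std::string &mid : principals) {
                Proof sub;
                if (derives({role.principal, "", role.linked}, mid, sub, visiting) &&
                    derives({mid, "", role.name}, p, sub, visiting)) {
                    proof.insert(proof.end(), sub.begin(), sub.end());
                    return true;
                }
            }
            return false;
        }
        std::string key = str(role) + " <- " + p;
        if (!visiting.insert(key).second) return false;         // already on the stack: cycle
        bool ok = false;
        for (const Credential &c : creds) {
            if (str(c.head) != str(role)) continue;
            Proof sub{str(c)};
            bool all = true;                                     // intersection: every tail must hold p
            for (const Role &t : c.tails)
                if (!derives(t, p, sub, visiting)) { all = false; break; }
            if (all) { proof.insert(proof.end(), sub.begin(), sub.end()); ok = true; break; }
        }
        visiting.erase(key);
        return ok;
    }
};

// Constructed policy (hypothetical principals A..E), as load_attribute() would load it.
static Rt0Context sample_context() {
    Rt0Context ctx;
    ctx.load({{"A", "", "r1"}, {{"B", "r2", "r3"}}});               // A.r1 <- B.r2.r3
    ctx.load({{"B", "", "r2"}, {{"C", "", ""}}});                    // B.r2 <- C
    ctx.load({{"C", "", "r3"}, {{"D", "", ""}}});                    // C.r3 <- D
    ctx.load({{"A", "", "r4"}, {{"A", "", "r1"}, {"E", "", "r5"}}}); // A.r4 <- A.r1 & E.r5
    ctx.load({{"E", "", "r5"}, {{"D", "", ""}}});                    // E.r5 <- D
    return ctx;
}

int main() {
    Rt0Context ctx = sample_context();
    Proof proof;
    bool ok = ctx.query({"A", "", "r4"}, "D", proof);
    std::cout << "[keyid:A].role:r4 <-?- [keyid:D]: " << (ok ? "proved" : "no proof") << "\n";
    for (const std::string &c : proof) std::cout << "  " << c << "\n";
    return 0;
}
```

Loading the credentials in a different order does not change the answer, but
it can change which proof is found first; enumerating the alternatives is what
next_proof() above is for.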

C API

The C API is nearly identical to the C++ API. Due to the lack of namespaces,
all function names are preceded by abac_. Furthermore, the parameter
representing the object must be passed explicitly. Each of the C++ calls
above is annotated with the matching C routine call. The C function
declarations can be found in abac.h

Examples:

    C++:    head.role_name()
    C:      abac_role_name(head)
    or
    C++:    ctxt.load_attribute_file("test_attr.der")
    C:      abac_context_load_attribute_file(ctxt, "test_attr.der")

Instead of copy constructors, the C API uses _dup.  Therefore,
to copy a role use abac_aspect_dup(m_role),
to copy an oset use abac_aspect_dup(m_oset),
to copy a context use abac_context_dup(m_ctxt),
to copy a constraint use abac_condition_dup(m_constraint),
to copy a data term use abac_term_dup(m_term),
to copy an ID use abac_id_dup(m_id)
and to copy an attribute use abac_attribute_dup(m_attr)

The various flavors of abac_context_query() and abac_context_credentials()
return NULL-terminated arrays of Attribute objects (abac_credential_t * in C).
abac_context_principals() returns a NULL-terminated array of ID objects
(abac_id_credential_t * in C)

When you are done with them, you must free the whole array at once using
abac_free_credentials() and abac_free_principals() respectively.

PERL, PYTHON AND JAVA API

The Perl, Python and Java APIs are even more similar to the C++ API. The main
changes are the use of native types instead of C/C++ types.

    - native strings instead of char *

    Java:
        - String instead of char *
        - Context::query returns a vector of Credentials:
            credentials = ctxt.query(role, principal)
            success if credentials' size is > 0

    Perl:
        - arrayref instead of vector
        - string instead of chunk_t
        - Context::query returns a list of two elements:
            my ($success, $credentials) = $ctxt->query($role, $principal)
            $success is a boolean
            $credentials is an arrayref of Credential objects

    Python:
        - tuple instead of vector
        - bytearray instead of chunk_t (>= 2.6)
        - string instead of chunk_t (< 2.6)
        - Context::query returns a tuple with two elements:
            (success, credentials) = ctxt.query(role, principal)
            success is a boolean
            credentials is a tuple of Credential objects