source: doc/API @ d2b198c

abac0-leakabac0-meitvf-new-xml
Last change on this file since d2b198c was 94605f2, checked in by Ted Faber <faber@…>, 11 years ago

checkpoint Lots of the way toward mnemonic names, some parsing fixes

  • Property mode set to 100644
File size: 12.1 KB
RevLine 
[58ba801]1C++ API
2
[e197b65]3(see bottom for notes on C, Perl, Python and Java)
[fe5682f]4
5ABAC::abac_chunk_t
[e197b65]6   Structure, represents a blob of memory
7   used to load/return Identity credentials and Attribute certificates
8     -unsigned char *data
9     -int len
[fe5682f]10
[94605f2]11ABAC::Context
12    An ABAC Context
13
14   Context()
15     default constructor
16     (C:abac_context_new)
17
18   Context(const Context &)
19     copy constructor, used for cloning the context
20     (C:abac_context_dup)
21
22   ~Context()
23     default destructor
24     (C:abac_context_free)
25
26   int load_id_file(char *)
27     load identity certificate from an id file
28     (C:abac_context_load_id_file)
29
30   int load_id_chunk(abac_chunk_t)
31     load id certificate from an chunk
32     (C:abac_context_load_id_chunk)
33
34   int load_attribute_file(char *)
35     load attribute certificate from an id file.
36     (C:abac_context_load_attribute_file)
37
38   int load_attribute_chunk(abac_chunk_t)
39     load attribute certificate from an chunk
40     (C:abac_context_load_attribute_chunk)
41
42   returns :
43        ABAC_CERT_SUCCESS   successfully loaded
44        ABAC_CERT_INVALID   invalid certificate (or file not found)
45        ABAC_CERT_BAD_SIG   invalid signature
46
47   void load_directory(char *)
48     load a directory full of certificates:
49
50        first: ${path}/*_ID.{der,pem} as identity certificates
51               implicitly looking for ${path}/*_private.{der,pem} as
52               the private key file
53        last: ${path}/*_attr.xml as attribute certificates
54      (C:abac_context_load_directory)
55
56   std::vector<Credential> query(char *, char *, bool &)
57     run the query:
58        role <-?- principal
59     returns true/false in success
60     returns a proof upon success, partial proof on failure
61     (C:abac_context_query)
62     (C::abac_free_credentials_free)
63
64   std::vector<Credential> credentials(bool &)
65     returns a vector of all the credentials loaded in the context
66     (C:abac_context_credentials)
67     (C::abac_context_credentials_free)
68
[fe5682f]69ABAC::Role
[e197b65]70   A Role, most calls are rarely used outside the library
[fe5682f]71
[e197b65]72   Role()
73     default constructor, do not use, for swig only
[461541a]74
[e197b65]75   Role(abac_role_t*)
76     copy constructor, used for cloning an Role
77     (C:abac_role_dup)
[461541a]78
[e197b65]79   Role(char *)
80     instantiate a role from a string
81     (C:abac_role_from_string)
[461541a]82
[e197b65]83   Role(const Role &)
84     copy constructor, used for cloning an Role
85     (C:abac_role_dup)
[461541a]86
[e197b65]87   ~Role()
88     default destructor
89     (C:abac_role_free)
[461541a]90
[e197b65]91   bool is_principal()
92     (C:abac_role_is_principal)
[461541a]93
[e197b65]94   bool is_role()
95     (C:abac_role_is_role)
[461541a]96
[e197b65]97   bool is_linking()
98     (C:abac_role_is_linking)
99     indicates the type of role encoded
[461541a]100
[e197b65]101   char* string()
102     string representation of the role
103     (C:abac_role_string)
[461541a]104
[94605f2]105   char* short_string()
106     string representation of the role
107     (C:abac_role_string)
108
[e197b65]109   char* linked_role()
110     the linked role of a linking role
111     i.e., A.r1.r2, linked_role() returns A.r1
112     (C:abac_role_linked_role)
[461541a]113
[e197b65]114   char* role_name()
115     the role name of any role (the part after the last dot)
116     (C:abac_role_role_name)
[461541a]117
[e197b65]118   char* principal()
119     the principal part of any role
120     (C:abac_role_principal)
[461541a]121
[e197b65]122ABAC::Credential
123   This is never instantiated directly. These will only ever be
124   returned as a result of calls to Context::query or
125   Context::credentials.
[461541a]126
[e197b65]127   Credential()
128     default constructor, do not use, for swig only
[461541a]129
[e197b65]130   Credential(abac_credential_t*)
131     copy constructor, used for cloning a credential
132     (C:abac_credential_head)
133     (C:abac_credential_tail)
134     (C:abac_credential_dup)
[461541a]135
[e197b65]136   Credential(const Credential&)
137     copy constructor, used for cloning a credential
138     (C:abac_credential_head)
139     (C:abac_credential_tail)
140     (C:abac_credential_dup)
[461541a]141
[e197b65]142   ~Credential()
143     default destructor
144     (C:abac_credential_free)
[461541a]145
[e197b65]146   Role &head()
147     returns the head of the credential
[461541a]148
[e197b65]149   Role &tail()
150     returns the tail of the credential
[461541a]151
[e197b65]152   abac_chunk_t attribute_cert()
153     returns the attribute certificate in chunk, suitable for
154     transmission over the network or storage in a file
155     (C:abac_credential_attribute_cert)
[461541a]156
[e197b65]157   abac_chunk_t issuer_cert()
158     returns the issuer certificate in chunk, again suitable for
159     network transmission or file storage
160     (C:abac_credential_issuer_cert)
[461541a]161
[e197b65]162ABAC::ID
163   An ID holds a principal credential. It maybe imported from an existing
164   ID credential via external files, constructed from a streaming chunk,
165   or instantiated on the fly
166
167   ID()
168     default constructor, do not use, for swig only
169
170   ID(const ID &)
171     copy constructor, used for cloning an ID
172     (C:abac_id_dup)
173
174   ~ID()
175     default destructor
176     (C:abac_id_free)
177
178   ID(char *)
179     load an ID certificate from a file, will throw an exception
180     if the certificate cannot be loaded
181     (C:abac_id_from_file)
182
183   ID_chunk(abac_chunk_t chunk)
184     create an ID certificate from an certificate chunk, will
185     throw an exception if the certificate cannot be loaded
186     (C:abac_id_from_chunk)
187
188   ID(char *,int)
189     generates a new ID(cert&key) with the supplied CN and validity period
190     - CN must be alphanumeric and begin with a letter
191     - validity must be at least one second
192     will throw an exception if either of the above is violated
193     (C:abac_id_generate)
194
[a02c849]195   void load_privkey(char *)
[e197b65]196     loads the private key associated with the ID credential,
197     will throw an exception if the key cannot be loaded
198     (C:abac_id_privkey_from_file)
199
[a02c849]200   void load_privkey_chunk(abac_chunk_t)
201     loads the private key associated with the ID credential,
202     will throw an exception if the key cannot be loaded
203     (C:abac_id_privkey_from_chunk)
204
205   int has_privkey()
206     check to see if there is a privkey in this ID
207     (C:abac_id_has_privkey)
208
[e197b65]209   char *keyid()
210     returns the SHA1 keyid of the id cert
211     (C:abac_id_keyid)
212
213   char *cert_filename()
214     returns the default libabac filename for the cert.
215     value must be freed by caller.
216     (C:abac_id_cert_filename)
217
218   void write_cert(FILE *)
219     writes a PEM-encoded certificate to a file handle
220     (C:abac_id_write_cert)
221
222   void write_cert(string &)
223     writes a PEM-encoded certificate to a file named in string
224
[a02c849]225   void write_cert_file(const char *)
[e197b65]226     writes a PEM-encoded certificate to a file
227
[a02c849]228   void write_cert_name(const char *)
[92661b4]229     writes a PEM-encoded certificate to a file
230     (added to support original libcreddy users)
231
[e197b65]232   char *privkey_filename()
233     returns the default libabac filename for the private key.
234     value must be freed by caller.
235     (C:abac_id_privkey_filename)
236
[92661b4]237   void write_privkey(FILE *)
[e197b65]238     write the private key to a file handle
239     throws a std::logic_error if no private key is loaded
240     (C:abac_id_write_privkey)
241
[92661b4]242   void write_privkey(string &)
[e197b65]243     writes a private key to file named in string
244
[a02c849]245   void write_privkey_file(const char *)
[e197b65]246     writes a private key to a file
247
[a02c849]248   void write_privkey_name(const char *)
[92661b4]249     writes a private key to a file
250     (added to support original libcreddy users)
251
[e197b65]252   abac_chunk_t cert_chunk()
253     returns a DER-encoded binary representation of the X.509 ID cert
254     associated with this ID.
255     can be passed to libabac's Context::load_id_chunk()
256     (C:abac_id_cert_chunk)
257
258   abac_chunk_t privkey_chunk()
259     returns a PEM-encoded binary representation of the private key
260     associated with this ID.
261     (C:abac_id_privkey_chunk)
[461541a]262
[e197b65]263ABAC::Attribute
264   This is the attribute representation for the access policy rule
265       LHS <- RHS
266   The sequence of generation is to
267       first, instantiate the object, ie, LHS (head)
268       second, adding subject(s) to it, ie, RHS (tail)
269       and then baking it.
270   Only once it's baked can you access the X.509 cert.
271   Once it's been baked you can no longer add subjects to it
272
273   Attribute()
274     default constructor, do not use, for swig only
275
276   ~Attribute()
277     default destructor
278     (C:abac_attribute_free)
279
280   Attribute(ID&, char*,int)
281     constructor that creates an attribute policy to be signed by the issuer
282     with the given role with a specified validity period
283     An exception will be thrown if:
284       - the issuer has no private key
285       - the Head role is invalid
286       - the validity period is invalid (must be >= 0 second)
287       - The issuer is invalid
288     (C:abac_attribute_create)
289
[6d3fc40]290   bool principal(char *keyid)
291     {keyid}
[e197b65]292     validate the principal and insert into the attribute
293     throw a std::logic_error if the cert's been baked and keyid bad
294     (C:abac_attribute_principal)
295
[6d3fc40]296  bool role(char *keyid, char *role)
297     {keyid.role}
[e197b65]298     validate the principal and role and insert into the attribute
299     throw a std::logic_error if the cert's been baked and keyid bad
300     (C:abac_attribute_role)
301
[6d3fc40]302  bool linking_role(char *keyid, char *role, char *linked)
303     {keyid.linked.role}
[e197b65]304     validate the role and linking role and insert into the attribute
305     throw a std::logic_error if the cert's been baked and keyid bad
306     (C:abac_attribute_linking_role)
307
308   bool bake()
309     Generate the cert. Call this after you've added subjects to your cert.
310     This returns false if there are no subjects
311     This will throw an exception if the cert's already been baked.
312     (C:abac_attribute_bake)
313
314   bool baked()
315     returns true iff the certificate has been baked.
316     (C:abac_attribute_baked)
317
[bc12f3d]318   set_output_format(char *fmt)
319     {fmt}
320     Set the attribute's output format.  Valid choices are GENIv1.0 and
321     GENIV1.1.  Default is GENIv1.1.
322
[e197b65]323   void write(FILE *)
324     write an attribute certificate in XML to an open file handle
325     Throws an exception if the certificate isn't baked
326     (C:abac_attribute_write)
327
328   void write(const string&)
329     write an attribute certificate in XML to file named in string
330
331   void write_file(const char *)
332     write an attribute certificate in XML to file
333
[92661b4]334   void write_name(const char *)
335     write an attribute certificate in XML to file
336     (added to support original libcreddy users)
337
[e197b65]338   abac_chunk_t cert_chunk()
339     returns a XML structure of the attribute certificate in a abac_chunk_t
340     Throws an exception if the certificate isn't baked
341     the chunk can be passed to libabac's Context::load_attribute_chunk()
342     (C:abac_attribute_cert_chunk)
[58ba801]343C API
[fe5682f]344
345The C API is nearly identical to the C++ API. Due to lack of namespaces,
346all function names are preceeded by abac_. Furthermore, the parameter
[e197b65]347representing the object must be passed explicitly. Each of the C++ calls
348are appended with a matching C routine call. The C function declaration
349can be found in abac.h
[fe5682f]350
[e197b65]351Examples:
[fe5682f]352
[e197b65]353    C++:    head.role_name()
354    C:      abac_role_name(head)
355    or
356    C++:    ctxt.load_attribute_file("test_attr.der")
357    C:      abac_context_load_attribute_file(ctxt, "test_attr.der")
[58ba801]358
[e197b65]359Instead of copy constructors, the C API uses _dup.  Therefore,
360to copy a role use abac_role_dup(m_role),
361to copy a context use abac_context_dup(m_ctxt),
362to copy a ID use abac_id_dup(m_id)
363and to copy an attribute use abac_attribute_dup(m_attr)
[58ba801]364
365abac_context_query() and abac_context_credentials() return
366NULL-terminated arrays of Credential objects (abac_credential_t * in C).
367When you are done with them, you must free the whole array at once using
368abac_context_credentials_free().
369
[e197b65]370PERL, PYTHON AND JAVA API
[fe5682f]371
[e197b65]372The Perl, Python and Java APIs are even more similar to the C++ API. The main
[fe5682f]373changes are the use of native types instead of C/C++ types.
374
375    - native strings instead of char *
376
[e197b65]377    Java:
378        - String instead of char *
379        - Context::query returns a vector of Credentials:
380            credentials = ctxt.query(role, principal)
381            success if credentials' size is > 0
382
[fe5682f]383    Perl:
384        - arrayref instead of vector
385        - string instead of chunk_t
386        - Context::query returns a list of two elements:
[e197b65]387            my ($success, $credentials) = $ctxt->query($role, $principal)
[fe5682f]388            $success is a boolean
389            $credentials is an arrayref of Credential objects
390
391    Python:
392        - tuple instead of vector
393        - bytearray instead of chunk_t (>= 2.6)
394        - string instead of chunk_t (< 2.6)
395        - Context::query returns a tuple with two elements:
[e197b65]396            (success, credentials) = ctxt.query(role, principal)
[fe5682f]397            success is a boolean
398            credentials is a tuple of Credential objects
[e197b65]399
Note: See TracBrowser for help on using the repository browser.