Context Navigation

source: doc/API @ 08c8a53

mei_rt2mei_rt2_fix_1

Last change on this file since 08c8a53 was 2efdff5, checked in by Mei <mei@…>, 12 years ago

1) fix the missing check for 'This' rt2.y when called from creddy/prover

combo

2) patch up the stringify of abac_term that is of time type.
3) update the testing to reflect the changes to baseline output

Property mode set to 100644

File size: 21.2 KB

Line
1	C++ API
2
3	(see bottom for notes on C, Perl, and Python.)
4
5	ABAC::abac_chunk_t
6	Structure, represents a blob of memory
7	used to load/return DER-encoded X509 certificates
8	-unsigned char *data
9	-int len
10
11	ABAC::Constraint
12	Constraint on a data term.
13	There are 3 types:
14	- Role constraint on a principal
15	- Oset constraint on a principal, or a data object
16	- Range/List constraint on a data object
17	It holds a ptr to a abac_condition_t structure
18
19	Constraint()
20	default constructor, do not use, for swig only
21
22	Constraint(const Constraint &)
23	copy constructor, used for cloning a constraint
24
25	~Constraint()
26	default destructor
27
28	Constraint(Role &)
29	constructor that takes a constraining role
30	[role:?R[{role-constraint}]
31	(C:abac_constraint_from_role)
32
33	Constraint(Oset &)
34	constructor that takes a constraining oset
35	[oset:?O[{oset-constraint}]
36	[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
37	(C:abac_constraint_from_oset)
38
39	Constraint(char *)
40	constructor that takes one of following string
41	as its vartype to set up a range constraint:
42	"integer"
43	"urn"
44	"float"
45	"boolean"
46	"time"
47	"string"
48	it should be followed with one or many of following utility
49	calls.
50	(C:abac_constraint_create)
51
52	void constraint_add_integer_max(int)
53	(C:abac_constraint_add_integer_max)
54	void constraint_add_integer_min(int)
55	utility routines to setup a integer range constraint
56	[integer:?I[10 .. 20]]
57	(C:abac_constraint_add_integer_min)
58
59	void constraint_add_integer_target(int)
60	utility routine to setup a integer list constraint
61	[integer:?I[10,20]]
62	(C:abac_constraint_add_integer_target)
63
64	void constraint_add_float_max(float)
65	(C:abac_constraint_add_float_max)
66	void constraint_add_float_min(float)
67	utility routines to setup a float range constraint
68	[float:?F[1.0 .. 2.5]]
69	(C:abac_constraint_add_float_min)
70
71	void constraint_add_float_target(float)
72	utility routine to setup a float list constraint
73	[float:?F[0.5, 2.5]]
74	(C:abac_constraint_add_float_target)
75
76	void constraint_add_time_max(char*)
77	(C:abac_constraint_add_time_max)
78	void constraint_add_time_min(char*)
79	utility routines to setup a time range constraint,
80	takes quoted string values, beyond T is optional
81	[time:?F["20120228T" .. "20120228T090000"]]
82	(C:abac_constraint_add_time_min)
83
84	void constraint_add_time_target(char*)
85	utility routine to setup a time list constraint
86	[time:?M["20201101T182930","20201101T"]]
87	(C:abac_constraint_add_time_target)
88
89	void constraint_add_urn_target(char*)
90	utility routine to setup a an urn list constraint
91	[urn:?U["fileA","http://fileB"]]
92	(C:abac_constraint_add_urn_target)
93
94	void constraint_add_string_target(char*)
95	utility routine to setup a a string list constraint
96	[string:?S["abc",'efg',"hij"]]
97	(C:abac_constraint_add_string_target)
98
99	void constraint_add_boolean_target(char*)
100	utility routine to setup a a boolean list constraint
101	[boolean:?B['true']]
102	(C:abac_constraint_add_boolean_target)
103
104	char *string() const
105	returns literal string of the constraint
106	(C:abac_constraint_string)
107
108	char *typed_string() const
109	returns typed literal string of the constraint
110	(C:abac_constraint_typed_string)
111
112	ABAC::DataTerm
113	A data term is associated with Role or Oset as a parameter that
114	maybe be instantiated, or uninstantiated but being constrained,
115	or as a principal oset term (standalone right handside of an oset
116	policy rule). It holds a pointer to a abac_term_t structure.
117	Types of data terms are:
118	"integer"
119	"urn"
120	"float"
121	"boolean"
122	"string"
123	"time"
124	"principal"
125	"anonymous"
126
127	DataTerm()
128	default constructor, do not use, for swig only
129
130	DataTerm(const DataTerm &)
131	copy constructor, used for cloning a data term
132
133	~DataTerm()
134	default destructor
135
136	DataTerm(char*)
137	constructor to make named principal data term for the oset RHS
138	(C: abac_term_named_create)
139
140	DataTerm(const ID&)
141	constructor to make named principal data term for parameter term
142	(C: abac_term_id_create)
143
144	DataTerm(char, char, Constraint*)
145	constructor for making a variable data term
146	(C: abac_term_create)
147
148	DataTerm(char, char)
149	constructor for making an instantiated data term
150	(C: abac_term_create)
151
152	char *string() const
153	returns literal string of the data term
154	(C:abac_term_string)
155
156	char *typed_string() const
157	returns typed literal string of the data term
158	(C:abac_term_typed_string)
159
160	bool term_is_time() const
161	(C:abac_term_is_time)
162	bool term_is_string() const
163	(C:abac_term_is_string)
164	bool term_is_urn() const
165	(C:abac_term_is_urn)
166	bool term_is_integer() const
167	(C:abac_term_is_integer)
168	returns true if data term is of certain type
169
170	int term_add_constraint(Contraint&)
171	utiltiy routine to add a constraint to this data term
172	(C:abac_term_add_constraint)
173
174	int term_type() const
175	returns subtype of the data term
176	(C:abac_term_type)
177
178	char *term_name() const
179	returns the name of the data term
180	(C:abac_term_name)
181
182	ABAC::Role
183	A Role is role specification of a set of entitities for a principal
184
185	Role()
186	default constructor, do not use, for swig only
187
188	Role(const Role &)
189	copy constructor, used for cloning a role
190
191	~Role()
192	default destructor
193
194	Role(char*)
195	constructor that builds a bare bone role with just principal's name
196	(C:abac_role_principal_create)
197
198	Role(char, char)
199	constructor that builds a bare bone role with just principal's name
200	and a role name
201	(C:abac_role_create)
202
203	Role(char, char, char*)
204	constructor that builds a bare bone role with just principal's name
205	and a linking role name and a role name
206	(C:abac_role_linked_create)
207
208	bool role_is_principal() const
209	return true if the role is a principal object(made from
210	a data term), the right hand side of,
211	[keyid:A].role:r <- [keyid:B]
212	(C:abac_role_is_principal)
213
214	bool role_is_linking() const
215	returns true if the role is a linking role like
216	the right hand side of,
217	[keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
218	(C:abac_role_is_linking)
219
220	char *string() const
221	returns literal string of the role
222	(C:abac_role_string)
223
224	char *typed_string() const
225	returns typed literal string of the role
226	(C:abac_role_typed_string)
227
228	char *role_linked_role() const
229	returns linked part of a linking role, for
230	[keyid:A].role:r1.role:r2, it returns r1
231	(C:abac_role_linked_role)
232
233	char *role_name() const
234	returns the role name of any role (the part after the last dot)
235	[keyid:A].role.r1.role:r2, it returns r2
236	[keyid:A].role.r1, it returns r1
237	(C:abac_role_name)
238
239	char *role_principal() const
240	returns the principal of role (the part before the first dot)
241	[keyid:A].role.r1, it returns A
242	(C:abac_role_principal)
243
244	void role_add_data_term(DataTerm&)
245	add a data term to the role
246	(C:abac_role_add_data_term)
247
248	std::vector<DataTerm> get_data_terms(bool &)
249	return the data terms bound to this role.
250	(C:abac_role_get_data_terms)
251
252	void role_add_linked_data_term(DataTerm&)
253	add a data term to the linking role
254	(C:abac_role_add_linked_data_term)
255
256	std::vector<DataTerm> get_linked_data_terms(bool &)
257	return the data terms bound to this role's linking role.
258	(C:abac_role_get_linked_data_terms)
259
260	ABAC::Oset
261	An Oset is oset specification of a set of entitities for a principal
262
263	Oset()
264	default constructor, do not use, for swig only
265
266	Oset(const Oset &)
267	copy constructor, used for cloning an oset
268
269	~Oset()
270	default destructor
271
272	Oset(char *)
273	constructor that makes a principal oset, ie [keyid:B]
274	(C:abac_role_principal_create)
275
276	Oset(char , char )
277	constructor that makes a regular oset, ie. [keyid:B].oset:o
278	(C:abac_role_create)
279
280	Oset(char , char, char *)
281	constructor that makes a linked oset, ie. [keyid:B].role:r.oset:o
282	(C:abac_oset_linked_create)
283
284	Oset(DataTerm&)
285	constructor that makes an object oset, ie. [urn:'file/fileA']
286	(C:abac_oset_object_create)
287
288	bool oset_is_object(), ie <- [integer:10]
289	return ture if this oset is an object oset
290	(C:abac_oset_is_object)
291
292	bool oset_is_principal() const
293	return true if the oset is a principal object(made from
294	a data term), the right hand side of,
295	[keyid:A].oset:o <- [keyid:B]
296	(C:abac_oset_is_principal)
297
298	bool oset_is_linking() const
299	returns true if the oset is a linking oset like
300	the right hand side of,
301	[keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
302	(C:abac_oset_is_linking)
303
304	char *string() const
305	returns literal string of the oset
306	(C:abac_oset_string)
307
308	char *typed_string() const
309	returns typed literal string of the oset
310	(C:abac_oset_typed_string)
311
312	char *oset_linked_role() const
313	returns linked part of a linking oset, for
314	[keyid:A].role:r1.oset:o1, it returns r1
315	(C:abac_oset_linked_role)
316
317	char *oset_name() const
318	returns oset name,
319	[keyid:A].role:r1.oset:o1, it returns o1
320	[keyid:A].oset:o1, it returns o1
321	(C:abac_oset_name)
322
323	char *oset_principal() const
324	returns principal name,
325	[keyid:A].role:r1.oset:o1, it returns A
326	(C:abac_oset_principal)
327
328	char *oset_object() const
329	returns object's name when the oset is a principal object
330	[keyid:A].oset:values <- [integer:10], it returns 10
331	(C:abac_oset_object)
332
333	void add_data_term(DataTerm&)
334	add a data term to this oset's parameter set
335	(C:abac_oset_add_data_term)
336
337	std::vector<DataTerm> get_data_terms(bool &)
338	returns the data terms bound to this oset.
339	(C:abac_oset_get_data_terms)
340
341	void oset_add_linked_data_term(DataTerm&)
342	add a data term to this oset's linking role's parameter set.
343	(C:abac_oset_add_linked_data_term)
344
345	std::vector<DataTerm> get_linked_data_terms(bool &)
346	returns the data terms bound to this oset's linking role.
347	(C:abac_oset_get_linked_data_terms)
348
349	ABAC::ID
350	An ID holds a principal credential. It maybe imported from an existing
351	ID credential via external files, constructed from a streaming chunk,
352	or instantiated on the fly
353
354	ID()
355	default constructor, do not use, for swig only
356
357	ID(const ID &)
358	copy constructor, used for cloning an ID
359
360	~ID()
361	default destructor
362
363	ID(char *)
364	load an ID cert from a file, will throw an exception
365	if the cert cannot be loaded
366	(C:abac_id_from_file)
367
368	ID(char *,int)
369	generates a new ID with the supplied CN and validity period
370	- CN must be alphanumeric and begin with a letter
371	- validity must be at least one second
372	will throw an exception if either of the above is violated
373	(C:abac_id_generate)
374
375	void id_load_privkey_file(char *)
376	loads the private key associated with the ID credential
377	will throw an exception if the key cannot be loaded
378	(C:abac_id_load_privkey_file)
379
380	char *id_keyid()
381	returns the SHA1 keyid of the id cert
382	(C:abac_id_keyid)
383
384	char *id_name()
385	returns the CN (the parameter passed to the constructor or the
386	CN of the cert).
387	(C:abac_id_cn)
388
389	bool id_has_privkey()
390	returns true if the ID has an associated private key
391	(C:abac_id_has_privkey)
392
393	void id_write_cert(FILE *)
394	writes a PEM-encoded cert to the file handle
395	(C:abac_id_write_cert)
396
397	void id_write_cert(char *)
398	writes a PEM-encoded cert to a file named out
399	(C:abac_id_write_cert_fname)
400
401	void id_write_privkey(FILE *)
402	writes a PEM-encoded private key to the file handle
403	throws an exception if no private key is loaded
404	(C:abac_id_write_privkey)
405
406	void id_write_privkey(char *)
407	writes a PEM-encoded private key a file named out
408	throws an exception if no private key is loaded
409	(C:abac_id_write_privkey_fname)
410
411	abac_chunk_t id_cert_chunk()
412	returns a DER-encoded binary representation of the X.509 ID cert
413	associated with this ID.
414	can be passed to libabac's Context::load_id_chunk()
415	(C:abac_id_cert_chunk)
416
417	char *string()
418	returns literal string of the id credential
419	(C:abac_id_string)
420
421	ABAC::Attribute
422	This is the attribute representation for the access policy rule
423	LHS <- RHS
424	The sequence of generation is to
425	first, instantiate the object, ie, LHS (head)
426	second, adding subject(s) to it, ie, RHS (tail)
427	and then baking it.
428	Only once it's baked can you access the X.509 cert.
429	Once it's been baked you can no longer add subjects to it
430
431	Attribute()
432	default constructor, do not use, for swig only
433
434	Attribute(const Attribute &)
435	copy constructor, used for cloning an attribute
436
437	~Attribute()
438	default destructor
439
440	Attribute(Role&, int)
441	constructor that creates an attribute policy to be signed by the issuer
442	with the given role with a specified validity period
443	An exception will be thrown if:
444	- the issuer has no private key
445	- the Head role is invalid
446	- the validity period is invalid (must be >= 1 second)
447	(C:abac_attribute_create)
448
449	Attribute(Oset&, int)
450	constructor that creates an attribute policy to be signed by the issuer
451	with the given oset with a specified validity period
452	An exception will be thrown if:
453	- the issuer has no private key
454	- the Head oset is invalid
455	- the validity period is invalid (must be >= 1 second)
456	(C:abac_attribute_create)
457
458	bool attribute_add_tail(Role&)
459	Add a role tail. Call multiple times for intersection
460	(C:abac_attribute_add_tail)
461
462	bool attribute_add_tail(Oset&)
463	Add an oset tail. Call multiple times for intersection
464	(C:abac_attribute_add_tail)
465
466	char *head_string()
467	returns literal string of head of the attribute
468	(C:abac_head_string)
469
470	char *tail_string()
471	returns literal string of tail of the attribute
472	(C:abac_tail_string)
473
474	char *head_typed_string()
475	returns typed literal string of head of the attribute
476	(C:abac_head_typed_string)
477
478	char *tail_typed_string()
479	returns typed literal string of tail of the attribute
480	(C:abac_tail_typed_string)
481
482	char *string()
483	returns literal string of the attribute
484	(C:abac_attribute_string)
485
486	char *typed_string()
487	returns typed literal string of the attribute
488	(C:abac_attribute_typed_string)
489
490	const Role &role_head()
491	returns the head role
492
493	const Oset &oset_head()
494	returns the oset head
495
496	std::vector<Role> role_tails(bool &)
497	retrieve tail role which maybe more than 1 if intersecting
498	(C:abac_attribute_role_tails)
499
500	std::vector<Oset> oset_tails(bool &)
501	retrieve tail oset which maybe more than 1 if intersecting
502	(C:abac_attribute_oset_tails)
503
504	bool attribute_bake()
505	Generate the cert. Call this after you've added subjects to your cert.
506	This returns false if there are no subjects
507	This will throw an exception if the cert's already been baked.
508	(C:abac_attribute_bake)
509
510	bool attribute_baked()
511	returns true iff the cert has been baked.
512	(C:abac_attribute_baked)
513
514	void attribute_write_cert(FILE *)
515	write the DER-encoded X.509 attribute cert to the open file handle
516	Throws an exception if the cert isn't baked
517	(C:abac_attribute_write_cert)
518
519	void attribute_write_cert(char *)
520	write the DER-encoded X.509 attribute cert to a file named out
521	Throws an exception if the cert isn't baked
522	(C:abac_attribute_write_cert_fname)
523
524	abac_chunk_t cert_chunk()
525	returns a DER-encoded binary representation of the X.509 attribute
526	cert associated with this cert
527	Throws an exception if the cert isn't baked
528	the chunk can be passed to libabac's Context::load_attribute_chunk()
529	(C:abac_attribute_cert_chunk)
530
531	ABAC::Context
532	An ABAC Context
533
534	Context()
535	default constructor
536
537	Context(const Context &)
538	copy constructor, used for cloning the context
539
540	~Context()
541	default destructor
542
543	void dump_yap_db()
544	dump the complete yap prolog database
545	(C:show_yap_db)
546
547	int load_id(ABAC::ID&)
548	load id cert from ID
549	(C:abac_context_load_id)
550
551	int load_id_file(char *)
552	load id cert from an idkey combo file. key retrieval will be attempt
553	but won't fail if not found
554	(C:abac_context_load_id_file)
555
556	int load_id_files(char , char )
557	load id cert from an id file and a key file
558	(C:abac_context_load_id_files)
559
560	int load_id_chunk(abac_chunk_t)
561	load id cert from a chunk structure
562	(C:abac_context_load_id_chunk)
563	returns:
564	ABAC_CERT_SUCCESS successfully loaded
565	ABAC_CERT_INVALID invalid certificate (or file not found)
566	ABAC_CERT_BAD_SIG invalid signature
567
568	int load_attribute(ABAC::Attribute&)
569	load attribute credential from attribute structure
570	(C:abac_context_load_attribute)
571
572	int load_attribute_file(char *)
573	load attribute credential from a file
574	(C:abac_context_load_attribute_file)
575
576	int load_attribute_chunk(abac_chunk_t)
577	load attribute credential from a chunk
578	(C:abac_context_load_attribute_chunk)
579
580	returns the same values as above, additionally
581	returns ABAC_CERT_MISSING_ISSUER if the issuer
582	certificate has not been loaded
583
584	void load_principals(char *)
585	load a directory full of principals only:
586
587	first: ${path}/*_ID.{der,pem} as identity certificates
588	implicitly looking for ${path}/*_private.{der,pem} as
589	the private key file
590	then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
591	(C:abac_context_load_principals)
592
593	void load_directory(char *)
594	load a directory full of certificates:
595
596	first: ${path}/*_ID.{der,pem} as identity certificates
597	implicitly looking for ${path}/*_private.{der,pem} as
598	the private key file
599	then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
600	last: ${path}/*_attr.der as attribute certificates
601	(C:abac_context_load_directory)
602
603	std::vector<Attribute> query(char , char , bool &)
604	the string version is for query that is composed by hand with SHA or
605	in non ABAC_CN mode
606	(C:abac_context_query)
607
608	std::vector<Attribute> query(Role &, Role &, bool &)
609	(C:abac_context_query_with_structure)
610	std::vector<Attribute> query(Oset &, Oset &, bool &)
611	(C:abac_context_query_with_structure)
612	runs the query:
613	role <-?- principal
614	oset <-?- principal/obj
615	returns true/false in success
616	returns a proof upon success,
617	partial proof on failure (not implemented yet)
618
619	std::vector<Attribute> context_credentials(bool &)
620	returns a vector of all the credentials loaded in the context
621	extracted from the internal data structure
622	(C:abac_context_credentials)
623
624	std::vector<Attribute> context_principals(bool &)
625	returns a vector of all the principals loaded in the context
626	extracted from the internal data structure
627	(C:abac_context_principals)
628
629	char *version()
630	return the version of this interface
631	C API
632
633	The C API is nearly identical to the C++ API. Due to lack of namespaces,
634	all function names are preceeded by abac_. Furthermore, the parameter
635	representing the object must be passed explicitly. Each of the C++ calls
636	are appended with a matching C routine call. The C function declaration
637	can be found in abac.h
638
639	Examples:
640
641	C++: head.role_name()
642	C: abac_role_name(head)
643	or
644	C++: ctxt.load_attribute_file("test_attr.der")
645	C: abac_context_load_attribute_file(ctx, "test_attr.der")
646
647	Instead of copy constructors, the C API uses _dup. Therefore,
648	to copy a role use abac_aspect_dup(m_role),
649	to copy a oset use abac_aspect_dup(m_oset),
650	to copy a context use abac_context_dup(m_ctx),
651	to copy a constraint use abac_condition_dup(m_constraint),
652	to copy a data term use abac_term_dup(m_term),
653	to copy a ID use abac_id_dup(m_id)
654	and to copy an attribute use abac_attribute_dup(m_attr)
655
656	Various flavors of abac_context_query() and abac_context_credentials()
657	return NULL-terminated arrays of Attribute objects (abac_credential_t * in C).
658	abac_context_principals() returns NULL-terminated array of ID objects
659	(abac_id_credential_t * in C)
660
661	When you are done with them, you must free the whole array at once using
662	abac_context_credentials_free() and abac_context_principals_free() respectively.
663
664	PERL AND PYTHON API
665
666	The Perl and Python APIs are even more similar to the C++ API. The main
667	changes are the use of native types instead of C/C++ types.
668
669	- native strings instead of char *
670
671	Perl:
672	- arrayref instead of vector
673	- string instead of chunk_t
674	- Context::query returns a list of two elements:
675	my ($success, $credentials) = $ctx->query($role, $principal);
676	$success is a boolean
677	$credentials is an arrayref of Credential objects
678
679	Python:
680	- tuple instead of vector
681	- bytearray instead of chunk_t (>= 2.6)
682	- string instead of chunk_t (< 2.6)
683	- Context::query returns a tuple with two elements:
684	(success, credentials) = ctx.query(role, principal)
685	success is a boolean
686	credentials is a tuple of Credential objects

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format