Context Navigation

source: doc/API @ 09496b3

mei_rt2mei_rt2_fix_1

Last change on this file since 09496b3 was 09496b3, checked in by Mei <mei@…>, 12 years ago
1) add ID api that takes abac_chunk_t*
Property mode set to `100644`
File size: 23.6 KB

Line
1	C++ API
2
3	(see bottom for notes on C, Perl, and Python.)
4
5	ABAC::abac_chunk_t
6	Structure, represents a blob of memory
7	used to load/return DER-encoded X509 certificates
8	-unsigned char *data
9	-int len
10
11	ABAC::Constraint
12	Constraint on a data term.
13	There are 3 types:
14	- Role constraint on a principal
15	- Oset constraint on a principal, or a data object
16	- Range/List constraint on a data object
17	It holds a ptr to a abac_condition_t structure
18
19	Constraint()
20	default constructor, do not use, for swig only
21
22	Constraint(const Constraint &)
23	copy constructor, used for cloning a constraint
24
25	~Constraint()
26	default destructor
27
28	Constraint(Role &)
29	constructor that takes a constraining role
30	[role:?R[{role-constraint}]
31	(C:abac_constraint_from_role)
32
33	Constraint(Oset &)
34	constructor that takes a constraining oset
35	[oset:?O[{oset-constraint}]
36	[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
37	(C:abac_constraint_from_oset)
38
39	Constraint(char *)
40	constructor that takes one of following string
41	as its vartype to set up a range constraint:
42	"integer"
43	"urn"
44	"float"
45	"boolean"
46	"time"
47	"string"
48	it should be followed with one or many of following utility
49	calls.
50	(C:abac_constraint_create)
51
52	void constraint_add_integer_max(int)
53	(C:abac_constraint_add_integer_max)
54	void constraint_add_integer_min(int)
55	utility routines to setup a integer range constraint
56	[integer:?I[10 .. 20]]
57	(C:abac_constraint_add_integer_min)
58
59	void constraint_add_integer_target(int)
60	utility routine to setup a integer list constraint
61	[integer:?I[10,20]]
62	(C:abac_constraint_add_integer_target)
63
64	void constraint_add_float_max(float)
65	(C:abac_constraint_add_float_max)
66	void constraint_add_float_min(float)
67	utility routines to setup a float range constraint
68	[float:?F[1.0 .. 2.5]]
69	(C:abac_constraint_add_float_min)
70
71	void constraint_add_float_target(float)
72	utility routine to setup a float list constraint
73	[float:?F[0.5, 2.5]]
74	(C:abac_constraint_add_float_target)
75
76	void constraint_add_time_max(char*)
77	(C:abac_constraint_add_time_max)
78	void constraint_add_time_min(char*)
79	utility routines to setup a time range constraint,
80	takes quoted string values, beyond T is optional
81	[time:?F["20120228T" .. "20120228T090000"]]
82	(C:abac_constraint_add_time_min)
83
84	void constraint_add_time_target(char*)
85	utility routine to setup a time list constraint
86	[time:?M["20201101T182930","20201101T"]]
87	(C:abac_constraint_add_time_target)
88
89	void constraint_add_urn_target(char*)
90	utility routine to setup a an urn list constraint
91	[urn:?U["fileA","http://fileB"]]
92	(C:abac_constraint_add_urn_target)
93
94	void constraint_add_string_target(char*)
95	utility routine to setup a a string list constraint
96	[string:?S["abc",'efg',"hij"]]
97	(C:abac_constraint_add_string_target)
98
99	void constraint_add_boolean_target(char*)
100	utility routine to setup a a boolean list constraint
101	[boolean:?B['true']]
102	(C:abac_constraint_add_boolean_target)
103
104	char *string() const
105	returns literal string of the constraint
106	(C:abac_constraint_string)
107
108	char *typed_string() const
109	returns typed literal string of the constraint
110	(C:abac_constraint_typed_string)
111
112	ABAC::DataTerm
113	A data term is associated with Role or Oset as a parameter that
114	maybe be instantiated, or uninstantiated but being constrained,
115	or as a principal oset term (standalone right handside of an oset
116	policy rule). It holds a pointer to a abac_term_t structure.
117	Types of data terms are:
118	"integer"
119	"urn"
120	"float"
121	"boolean"
122	"string"
123	"time"
124	"principal"
125	"anonymous"
126
127	DataTerm()
128	default constructor, do not use, for swig only
129
130	DataTerm(const DataTerm &)
131	copy constructor, used for cloning a data term
132
133	~DataTerm()
134	default destructor
135
136	DataTerm(char*)
137	constructor to make named principal data term for the oset RHS
138	(C: abac_term_named_create)
139
140	DataTerm(const ID&)
141	constructor to make named principal data term for parameter term
142	(C: abac_term_id_create)
143
144	DataTerm(char, char, Constraint*)
145	constructor for making a variable data term
146	(C: abac_term_create)
147
148	DataTerm(char, char)
149	constructor for making an instantiated data term
150	(C: abac_term_create)
151
152	char *string() const
153	returns literal string of the data term
154	(C:abac_term_string)
155
156	char *typed_string() const
157	returns typed literal string of the data term
158	(C:abac_term_typed_string)
159
160	bool term_is_time() const
161	(C:abac_term_is_time)
162	bool term_is_string() const
163	(C:abac_term_is_string)
164	bool term_is_urn() const
165	(C:abac_term_is_urn)
166	bool term_is_integer() const
167	(C:abac_term_is_integer)
168	returns true if data term is of certain type
169
170	int term_add_constraint(Contraint&)
171	utiltiy routine to add a constraint to this data term
172	(C:abac_term_add_constraint)
173
174	int term_type() const
175	returns subtype of the data term
176	(C:abac_term_type)
177
178	char *term_name() const
179	returns the name of the data term
180	(C:abac_term_name)
181
182	ABAC::Role
183	A Role is role specification of a set of entitities for a principal
184
185	Role()
186	default constructor, do not use, for swig only
187
188	Role(const Role &)
189	copy constructor, used for cloning a role
190
191	~Role()
192	default destructor
193
194	Role(char*)
195	constructor that builds a bare bone role with just principal's name
196	(C:abac_role_principal_create)
197
198	Role(char, char)
199	constructor that builds a bare bone role with just principal's name
200	and a role name
201	(C:abac_role_create)
202
203	Role(char, char, char*)
204	constructor that builds a bare bone role with just principal's name
205	and a linking role name and a role name
206	(C:abac_role_linked_create)
207
208	bool role_is_principal() const
209	return true if the role is a principal object(made from
210	a data term), the right hand side of,
211	[keyid:A].role:r <- [keyid:B]
212	(C:abac_role_is_principal)
213
214	bool role_is_linking() const
215	returns true if the role is a linking role like
216	the right hand side of,
217	[keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
218	(C:abac_role_is_linking)
219
220	char *string() const
221	returns literal string of the role
222	(C:abac_role_string)
223
224	char *typed_string() const
225	returns typed literal string of the role
226	(C:abac_role_typed_string)
227
228	char *role_linked_role() const
229	returns linked part of a linking role, for
230	[keyid:A].role:r1.role:r2, it returns r1
231	(C:abac_role_linked_role)
232
233	char *role_name() const
234	returns the role name of any role (the part after the last dot)
235	[keyid:A].role.r1.role:r2, it returns r2
236	[keyid:A].role.r1, it returns r1
237	(C:abac_role_name)
238
239	char *role_principal() const
240	returns the principal of role (the part before the first dot)
241	[keyid:A].role.r1, it returns A
242	(C:abac_role_principal)
243
244	void role_add_data_term(DataTerm&)
245	add a data term to the role
246	(C:abac_role_add_data_term)
247
248	std::vector<DataTerm> get_data_terms(bool &)
249	return the data terms bound to this role.
250	(C:abac_role_get_data_terms)
251
252	void role_add_linked_data_term(DataTerm&)
253	add a data term to the linking role
254	(C:abac_role_add_linked_data_term)
255
256	std::vector<DataTerm> get_linked_data_terms(bool &)
257	return the data terms bound to this role's linking role.
258	(C:abac_role_get_linked_data_terms)
259
260	ABAC::Oset
261	An Oset is oset specification of a set of entitities for a principal
262
263	Oset()
264	default constructor, do not use, for swig only
265
266	Oset(const Oset &)
267	copy constructor, used for cloning an oset
268
269	~Oset()
270	default destructor
271
272	Oset(char *)
273	constructor that makes a principal oset, ie [keyid:B]
274	(C:abac_role_principal_create)
275
276	Oset(char , char )
277	constructor that makes a regular oset, ie. [keyid:B].oset:o
278	(C:abac_role_create)
279
280	Oset(char , char, char *)
281	constructor that makes a linked oset, ie. [keyid:B].role:r.oset:o
282	(C:abac_oset_linked_create)
283
284	Oset(DataTerm&)
285	constructor that makes an object oset, ie. [urn:'file/fileA']
286	(C:abac_oset_object_create)
287
288	bool oset_is_object(), ie <- [integer:10]
289	return ture if this oset is an object oset
290	(C:abac_oset_is_object)
291
292	bool oset_is_principal() const
293	return true if the oset is a principal object(made from
294	a data term), the right hand side of,
295	[keyid:A].oset:o <- [keyid:B]
296	(C:abac_oset_is_principal)
297
298	bool oset_is_linking() const
299	returns true if the oset is a linking oset like
300	the right hand side of,
301	[keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
302	(C:abac_oset_is_linking)
303
304	char *string() const
305	returns literal string of the oset
306	(C:abac_oset_string)
307
308	char *typed_string() const
309	returns typed literal string of the oset
310	(C:abac_oset_typed_string)
311
312	char *oset_linked_role() const
313	returns linked part of a linking oset, for
314	[keyid:A].role:r1.oset:o1, it returns r1
315	(C:abac_oset_linked_role)
316
317	char *oset_name() const
318	returns oset name,
319	[keyid:A].role:r1.oset:o1, it returns o1
320	[keyid:A].oset:o1, it returns o1
321	(C:abac_oset_name)
322
323	char *oset_principal() const
324	returns principal name,
325	[keyid:A].role:r1.oset:o1, it returns A
326	(C:abac_oset_principal)
327
328	char *oset_object() const
329	returns object's name when the oset is a principal object
330	[keyid:A].oset:values <- [integer:10], it returns 10
331	(C:abac_oset_object)
332
333	void add_data_term(DataTerm&)
334	add a data term to this oset's parameter set
335	(C:abac_oset_add_data_term)
336
337	std::vector<DataTerm> get_data_terms(bool &)
338	returns the data terms bound to this oset.
339	(C:abac_oset_get_data_terms)
340
341	void oset_add_linked_data_term(DataTerm&)
342	add a data term to this oset's linking role's parameter set.
343	(C:abac_oset_add_linked_data_term)
344
345	std::vector<DataTerm> get_linked_data_terms(bool &)
346	returns the data terms bound to this oset's linking role.
347	(C:abac_oset_get_linked_data_terms)
348
349	ABAC::ID
350	An ID holds a principal credential. It maybe imported from an existing
351	ID credential via external files, constructed from a streaming chunk,
352	or instantiated on the fly
353
354	ID()
355	default constructor, do not use, for swig only
356
357	ID(const ID &)
358	copy constructor, used for cloning an ID
359
360	~ID()
361	default destructor
362
363	ID(char *)
364	load an ID cert from a file, will throw an exception
365	if the cert cannot be loaded
366	(C:abac_id_from_file)
367
368	ID(abac_chunk_t *chunk)
369	create an ID cert from an cert chunk, will
370	throw an exception if the cert cannot be loaded
371	(C:abac_id_from_chunk)
372
373	ID(char *,int)
374	generates a new ID(cert&key) with the supplied CN and validity period
375	- CN must be alphanumeric and begin with a letter
376	- validity must be at least one second
377	will throw an exception if either of the above is violated
378	(C:abac_id_generate)
379
380	ID(char ,int, char, char*)
381	generates a new ID from a supplied CN, keyfile, passphrase(optional) file
382	and validity period
383	- CN must be alphanumeric and begin with a letter
384	- validity must be at least one second
385	will throw an exception if either of the above is violated
386	(C:abac_id_generate_with_key)
387
388	void id_load_privkey_file(char *)
389	loads the private key associated with the ID credential,
390	will throw an exception if the key cannot be loaded
391	(C:abac_id_load_privkey_file)
392
393	void id_load_encrypted_privkey_file(char , char)
394	loads an encrypted private key and pfile associated with the
395	ID credential, will throw an exception if the key cannot be loaded
396	(C:abac_id_load_enc_privkey_file)
397
398	char *id_keyid()
399	returns the SHA1 keyid of the id cert
400	(C:abac_id_keyid)
401
402	char *id_name()
403	returns the CN (the parameter passed to the constructor or the
404	CN of the cert).
405	(C:abac_id_cn)
406
407	bool id_has_privkey()
408	returns true if the ID has an associated private key
409	(C:abac_id_has_privkey)
410
411	void id_write_cert(FILE *)
412	writes a PEM-encoded cert to the file handle
413	(C:abac_id_write_cert)
414
415	void id_write_cert(char *)
416	writes a PEM-encoded cert to a file named out
417	(C:abac_id_write_cert_fname)
418
419	void id_write_privkey(FILE *)
420	writes a PEM-encoded private key to the file handle
421	throws an exception if no private key is loaded
422	(C:abac_id_write_privkey)
423
424	void id_write_privkey(char *)
425	writes a PEM-encoded private key a file named out
426	throws an exception if no private key is loaded
427	(C:abac_id_write_privkey_fname)
428
429	abac_chunk_t *id_cert_chunk_ptr()
430	returns a DER-encoded binary representation of the X.509 ID cert
431	associated with this ID. (chunk ptr version)
432	can be passed to libabac's Context::load_id_chunk()
433	(C:abac_id_cert_chunk_ptr)
434
435	abac_chunk_t *id_privkey_chunk_ptr()
436	returns a PEM-encoded binary representation of the private key
437	associated with this ID. (chunk ptr version)
438	can be passed to libabac's Context::load_id_chunks()
439	(C:abac_id_privkey_chunk_ptr)
440
441	abac_chunk_t id_cert_chunk()
442	returns a DER-encoded binary representation of the X.509 ID cert
443	associated with this ID.
444	can be passed to libabac's Context::load_id_chunk()
445	(C:abac_id_cert_chunk)
446
447	abac_chunk_t id_privkey_chunk()
448	returns a PEM-encoded binary representation of the private key
449	associated with this ID.
450	can be passed to libabac's Context::load_id_chunks()
451	(C:abac_id_privkey_chunk)
452
453	char *string()
454	returns literal string of the id credential
455	(C:abac_id_string)
456
457	ABAC::Attribute
458	This is the attribute representation for the access policy rule
459	LHS <- RHS
460	The sequence of generation is to
461	first, instantiate the object, ie, LHS (head)
462	second, adding subject(s) to it, ie, RHS (tail)
463	and then baking it.
464	Only once it's baked can you access the X.509 cert.
465	Once it's been baked you can no longer add subjects to it
466
467	Attribute()
468	default constructor, do not use, for swig only
469
470	Attribute(const Attribute &)
471	copy constructor, used for cloning an attribute
472
473	~Attribute()
474	default destructor
475
476	Attribute(Role&, int)
477	constructor that creates an attribute policy to be signed by the issuer
478	with the given role with a specified validity period
479	An exception will be thrown if:
480	- the issuer has no private key
481	- the Head role is invalid
482	- the validity period is invalid (must be >= 1 second)
483	(C:abac_attribute_create)
484
485	Attribute(Oset&, int)
486	constructor that creates an attribute policy to be signed by the issuer
487	with the given oset with a specified validity period
488	An exception will be thrown if:
489	- the issuer has no private key
490	- the Head oset is invalid
491	- the validity period is invalid (must be >= 1 second)
492	(C:abac_attribute_create)
493
494	bool attribute_add_tail(Role&)
495	Add a role tail. Call multiple times for intersection
496	(C:abac_attribute_add_tail)
497
498	bool attribute_add_tail(Oset&)
499	Add an oset tail. Call multiple times for intersection
500	(C:abac_attribute_add_tail)
501
502	char *head_string()
503	returns literal string of head of the attribute
504	(C:abac_head_string)
505
506	char *tail_string()
507	returns literal string of tail of the attribute
508	(C:abac_tail_string)
509
510	char *head_typed_string()
511	returns typed literal string of head of the attribute
512	(C:abac_head_typed_string)
513
514	char *tail_typed_string()
515	returns typed literal string of tail of the attribute
516	(C:abac_tail_typed_string)
517
518	char *string()
519	returns literal string of the attribute
520	(C:abac_attribute_string)
521
522	char *typed_string()
523	returns typed literal string of the attribute
524	(C:abac_attribute_typed_string)
525
526	const Role &role_head()
527	returns the head role
528
529	const Oset &oset_head()
530	returns the oset head
531
532	std::vector<Role> role_tails(bool &)
533	retrieve tail role which maybe more than 1 if intersecting
534	(C:abac_attribute_role_tails)
535
536	std::vector<Oset> oset_tails(bool &)
537	retrieve tail oset which maybe more than 1 if intersecting
538	(C:abac_attribute_oset_tails)
539
540	bool attribute_bake()
541	Generate the cert. Call this after you've added subjects to your cert.
542	This returns false if there are no subjects
543	This will throw an exception if the cert's already been baked.
544	(C:abac_attribute_bake)
545
546	bool attribute_baked()
547	returns true iff the cert has been baked.
548	(C:abac_attribute_baked)
549
550	void attribute_write_cert(FILE *)
551	write the DER-encoded X.509 attribute cert to the open file handle
552	Throws an exception if the cert isn't baked
553	(C:abac_attribute_write_cert)
554
555	void attribute_write_cert(char *)
556	write the DER-encoded X.509 attribute cert to a file named out
557	Throws an exception if the cert isn't baked
558	(C:abac_attribute_write_cert_fname)
559
560	abac_chunk_t cert_chunk()
561	returns a DER-encoded binary representation of the X.509 attribute
562	cert associated with this cert
563	Throws an exception if the cert isn't baked
564	the chunk can be passed to libabac's Context::load_attribute_chunk()
565	(C:abac_attribute_cert_chunk)
566
567	ABAC::Context
568	An ABAC Context
569
570	Context()
571	default constructor
572
573	Context(const Context &)
574	copy constructor, used for cloning the context
575
576	~Context()
577	default destructor
578
579	void dump_yap_db()
580	dump the complete yap prolog database
581	(C:show_yap_db)
582
583	int load_id(ABAC::ID&)
584	load id cert from ID
585	(C:abac_context_load_id)
586
587	int load_id_file(char *)
588	load id cert from an idkey combo file. key retrieval will be attempted
589	but won't fail if not found
590	(C:abac_context_load_id_file)
591
592	int load_id_encrypted_file(char , char )
593	load id cert from an idkey combo file and a pfile. Encrypted key
594	retrieval will be attempted but won't fail if not found
595	(C:abac_context_load_encrypted_id_file)
596
597	int load_id_files(char , char )
598	load id cert from an id file and a key file
599	(C:abac_context_load_id_files)
600
601	int load_id_encrypted_files(char , char , char *)
602	load id cert from an id file, an encrypted key file, and a pfile
603	(C:abac_context_load_encrypted_id_files)
604
605	int load_id_chunk(abac_chunk_t)
606	load id cert from a chunk structure
607	(C:abac_context_load_id_chunk)
608
609	int load_id_chunks(abac_chunk_t, abac_chunk_t)
610	load id & privkey from chunk structures
611	(C:abac_context_load_id_privkey_chunk)
612
613	int load_id_encrypted_chunks(abac_chunk_t, abac_chunk_t,char *pfile)
614	load id & encrypted privkey from chunk structures
615	(C:abac_context_load_id_enc_privkey_chunk)
616	returns:
617	ABAC_CERT_SUCCESS successfully loaded
618	ABAC_CERT_INVALID invalid certificate (or file not found)
619	ABAC_CERT_BAD_SIG invalid signature
620
621	int load_attribute(ABAC::Attribute&)
622	load attribute credential from attribute structure
623	(C:abac_context_load_attribute)
624
625	int load_attribute_file(char *)
626	load attribute credential from a file
627	(C:abac_context_load_attribute_file)
628
629	int load_attribute_chunk(abac_chunk_t)
630	load attribute credential from a chunk
631	(C:abac_context_load_attribute_chunk)
632
633	returns the same values as above, additionally
634	returns ABAC_CERT_MISSING_ISSUER if the issuer
635	certificate has not been loaded
636
637	void load_principals(char *)
638	load a directory full of principals only:
639
640	first: ${path}/*_ID.{der,pem} as identity certificates
641	implicitly looking for ${path}/*_private.{der,pem} as
642	the private key file
643	then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
644	(C:abac_context_load_principals)
645
646	void load_directory(char *)
647	load a directory full of certificates:
648
649	first: ${path}/*_ID.{der,pem} as identity certificates
650	implicitly looking for ${path}/*_private.{der,pem} as
651	the private key file
652	then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
653	last: ${path}/*_attr.der as attribute certificates
654	(C:abac_context_load_directory)
655
656	std::vector<Attribute> query(char , char , bool &)
657	the string version is for query that is composed by hand with SHA or
658	in non ABAC_CN mode
659	(C:abac_context_query)
660
661	std::vector<Attribute> query(Role &, Role &, bool &)
662	(C:abac_context_query_with_structure)
663	std::vector<Attribute> query(Oset &, Oset &, bool &)
664	(C:abac_context_query_with_structure)
665	runs the query:
666	role <-?- principal
667	oset <-?- principal/obj
668	returns true/false in success
669	returns a proof upon success,
670	partial proof on failure (not implemented yet)
671
672	std::vector<Attribute> next_proof(bool &)
673	(C:abac_context_query_again)
674	force backtrack and try to get next solution proof:
675	returns true/false in success
676	returns a proof upon success,
677
678	std::vector<Attribute> context_credentials(bool &)
679	returns a vector of all the credentials loaded in the context
680	extracted from the internal data structure
681	(C:abac_context_credentials)
682
683	std::vector<Attribute> context_principals(bool &)
684	returns a vector of all the principals loaded in the context
685	extracted from the internal data structure
686	(C:abac_context_principals)
687
688	ID lookup_principal(char *)
689	find a particular principal from the context
690
691	char *version()
692	return the version of this interface
693	C API
694
695	The C API is nearly identical to the C++ API. Due to lack of namespaces,
696	all function names are preceeded by abac_. Furthermore, the parameter
697	representing the object must be passed explicitly. Each of the C++ calls
698	are appended with a matching C routine call. The C function declaration
699	can be found in abac.h
700
701	Examples:
702
703	C++: head.role_name()
704	C: abac_role_name(head)
705	or
706	C++: ctxt.load_attribute_file("test_attr.der")
707	C: abac_context_load_attribute_file(ctx, "test_attr.der")
708
709	Instead of copy constructors, the C API uses _dup. Therefore,
710	to copy a role use abac_aspect_dup(m_role),
711	to copy a oset use abac_aspect_dup(m_oset),
712	to copy a context use abac_context_dup(m_ctx),
713	to copy a constraint use abac_condition_dup(m_constraint),
714	to copy a data term use abac_term_dup(m_term),
715	to copy a ID use abac_id_dup(m_id)
716	and to copy an attribute use abac_attribute_dup(m_attr)
717
718	Various flavors of abac_context_query() and abac_context_credentials()
719	return NULL-terminated arrays of Attribute objects (abac_credential_t * in C).
720	abac_context_principals() returns NULL-terminated array of ID objects
721	(abac_id_credential_t * in C)
722
723	When you are done with them, you must free the whole array at once using
724	abac_context_credentials_free() and abac_context_principals_free() respectively.
725
726	PERL AND PYTHON API
727
728	The Perl and Python APIs are even more similar to the C++ API. The main
729	changes are the use of native types instead of C/C++ types.
730
731	- native strings instead of char *
732
733	Perl:
734	- arrayref instead of vector
735	- string instead of chunk_t
736	- Context::query returns a list of two elements:
737	my ($success, $credentials) = $ctx->query($role, $principal);
738	$success is a boolean
739	$credentials is an arrayref of Credential objects
740
741	Python:
742	- tuple instead of vector
743	- bytearray instead of chunk_t (>= 2.6)
744	- string instead of chunk_t (< 2.6)
745	- Context::query returns a tuple with two elements:
746	(success, credentials) = ctx.query(role, principal)
747	success is a boolean
748	credentials is a tuple of Credential objects

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format