Context Navigation

source: doc/API @ 34565bf

abac0-leakabac0-meitvf-new-xml

Last change on this file since 34565bf was 34565bf, checked in by Ted Faber <faber@…>, 11 years ago
INterface additions
Property mode set to `100644`
File size: 12.7 KB

Line
1	C++ API
2
3	(see bottom for notes on C, Perl, Python and Java)
4
5	ABAC::abac_chunk_t
6	Structure, represents a blob of memory
7	used to load/return Identity credentials and Attribute certificates
8	-unsigned char *data
9	-int len
10
11	ABAC::Context
12	An ABAC Context
13
14	Context()
15	default constructor
16	(C:abac_context_new)
17
18	Context(const Context &)
19	copy constructor, used for cloning the context
20	(C:abac_context_dup)
21
22	~Context()
23	default destructor
24	(C:abac_context_free)
25
26	int load_id_file(char *)
27	load identity certificate from an id file
28	(C:abac_context_load_id_file)
29
30	int load_id_chunk(abac_chunk_t)
31	load id certificate from an chunk
32	(C:abac_context_load_id_chunk)
33
34	int load_attribute_file(char *)
35	load attribute certificate from an id file.
36	(C:abac_context_load_attribute_file)
37
38	int load_attribute_chunk(abac_chunk_t)
39	load attribute certificate from an chunk
40	(C:abac_context_load_attribute_chunk)
41
42	returns :
43	ABAC_CERT_SUCCESS successfully loaded
44	ABAC_CERT_INVALID invalid certificate (or file not found)
45	ABAC_CERT_BAD_SIG invalid signature
46
47	void load_directory(char *)
48	load a directory full of certificates:
49
50	first: ${path}/*_ID.{der,pem} as identity certificates
51	implicitly looking for ${path}/*_private.{der,pem} as
52	the private key file
53	last: ${path}/*_attr.xml as attribute certificates
54	(C:abac_context_load_directory)
55
56	std::vector<Credential> query(char , char , bool &)
57	run the query:
58	role <-?- principal
59	returns true/false in success
60	returns a proof upon success, partial proof on failure
61	(C:abac_context_query)
62	(C::abac_free_credentials_free)
63
64	std::vector<Credential> credentials(bool &)
65	returns a vector of all the credentials loaded in the context
66	(C:abac_context_credentials)
67	(C::abac_context_credentials_free)
68
69	void set_nickname(char key, char nick)
70	Set the nickname (value printed) for keyid. The substitution is made
71	in Role::short_string(Context) and when bake(Context) is called on a new
72	attribute.
73
74	ABAC::Role
75	A Role, most calls are rarely used outside the library
76
77	Role()
78	default constructor, do not use, for swig only
79
80	Role(abac_role_t*)
81	copy constructor, used for cloning an Role
82	(C:abac_role_dup)
83
84	Role(char *)
85	instantiate a role from a string
86	(C:abac_role_from_string)
87
88	Role(const Role &)
89	copy constructor, used for cloning an Role
90	(C:abac_role_dup)
91
92	~Role()
93	default destructor
94	(C:abac_role_free)
95
96	bool is_principal()
97	(C:abac_role_is_principal)
98
99	bool is_role()
100	(C:abac_role_is_role)
101
102	bool is_linking()
103	(C:abac_role_is_linking)
104	indicates the type of role encoded
105
106	char* string()
107	string representation of the role
108	(C:abac_role_string)
109
110	char* short_string()
111	string representation of the role
112	(C:abac_role_string)
113
114	char* linked_role()
115	the linked role of a linking role
116	i.e., A.r1.r2, linked_role() returns A.r1
117	(C:abac_role_linked_role)
118
119	char* role_name()
120	the role name of any role (the part after the last dot)
121	(C:abac_role_role_name)
122
123	char* principal()
124	the principal part of any role
125	(C:abac_role_principal)
126
127	ABAC::Credential
128	This is never instantiated directly. These will only ever be
129	returned as a result of calls to Context::query or
130	Context::credentials.
131
132	Credential()
133	default constructor, do not use, for swig only
134
135	Credential(abac_credential_t*)
136	copy constructor, used for cloning a credential
137	(C:abac_credential_head)
138	(C:abac_credential_tail)
139	(C:abac_credential_dup)
140
141	Credential(const Credential&)
142	copy constructor, used for cloning a credential
143	(C:abac_credential_head)
144	(C:abac_credential_tail)
145	(C:abac_credential_dup)
146
147	~Credential()
148	default destructor
149	(C:abac_credential_free)
150
151	Role &head()
152	returns the head of the credential
153
154	Role &tail()
155	returns the tail of the credential
156
157	abac_chunk_t attribute_cert()
158	returns the attribute certificate in chunk, suitable for
159	transmission over the network or storage in a file
160	(C:abac_credential_attribute_cert)
161
162	abac_chunk_t issuer_cert()
163	returns the issuer certificate in chunk, again suitable for
164	network transmission or file storage
165	(C:abac_credential_issuer_cert)
166
167	ABAC::ID
168	An ID holds a principal credential. It maybe imported from an existing
169	ID credential via external files, constructed from a streaming chunk,
170	or instantiated on the fly
171
172	ID()
173	default constructor, do not use, for swig only
174
175	ID(const ID &)
176	copy constructor, used for cloning an ID
177	(C:abac_id_dup)
178
179	~ID()
180	default destructor
181	(C:abac_id_free)
182
183	ID(char *)
184	load an ID certificate from a file, will throw an exception
185	if the certificate cannot be loaded
186	(C:abac_id_from_file)
187
188	ID_chunk(abac_chunk_t chunk)
189	create an ID certificate from an certificate chunk, will
190	throw an exception if the certificate cannot be loaded
191	(C:abac_id_from_chunk)
192
193	ID(char *,int)
194	generates a new ID(cert&key) with the supplied CN and validity period
195	- CN must be alphanumeric and begin with a letter
196	- validity must be at least one second
197	will throw an exception if either of the above is violated
198	(C:abac_id_generate)
199
200	void load_privkey(char *)
201	loads the private key associated with the ID credential,
202	will throw an exception if the key cannot be loaded
203	(C:abac_id_privkey_from_file)
204
205	void load_privkey_chunk(abac_chunk_t)
206	loads the private key associated with the ID credential,
207	will throw an exception if the key cannot be loaded
208	(C:abac_id_privkey_from_chunk)
209
210	int has_privkey()
211	check to see if there is a privkey in this ID
212	(C:abac_id_has_privkey)
213
214	char *keyid()
215	returns the SHA1 keyid of the id cert
216	(C:abac_id_keyid)
217
218	char *cert_filename()
219	returns the default libabac filename for the cert.
220	value must be freed by caller.
221	(C:abac_id_cert_filename)
222
223	void write_cert(FILE *)
224	writes a PEM-encoded certificate to a file handle
225	(C:abac_id_write_cert)
226
227	void write_cert(string &)
228	writes a PEM-encoded certificate to a file named in string
229
230	void write_cert_file(const char *)
231	writes a PEM-encoded certificate to a file
232
233	void write_cert_name(const char *)
234	writes a PEM-encoded certificate to a file
235	(added to support original libcreddy users)
236
237	char *privkey_filename()
238	returns the default libabac filename for the private key.
239	value must be freed by caller.
240	(C:abac_id_privkey_filename)
241
242	void write_privkey(FILE *)
243	write the private key to a file handle
244	throws a std::logic_error if no private key is loaded
245	(C:abac_id_write_privkey)
246
247	void write_privkey(string &)
248	writes a private key to file named in string
249
250	void write_privkey_file(const char *)
251	writes a private key to a file
252
253	void write_privkey_name(const char *)
254	writes a private key to a file
255	(added to support original libcreddy users)
256
257	abac_chunk_t cert_chunk()
258	returns a DER-encoded binary representation of the X.509 ID cert
259	associated with this ID.
260	can be passed to libabac's Context::load_id_chunk()
261	(C:abac_id_cert_chunk)
262
263	abac_chunk_t privkey_chunk()
264	returns a PEM-encoded binary representation of the private key
265	associated with this ID.
266	(C:abac_id_privkey_chunk)
267
268	ABAC::Attribute
269	This is the attribute representation for the access policy rule
270	LHS <- RHS
271	The sequence of generation is to
272	first, instantiate the object, ie, LHS (head)
273	second, adding subject(s) to it, ie, RHS (tail)
274	and then baking it.
275	Only once it's baked can you access the X.509 cert.
276	Once it's been baked you can no longer add subjects to it
277
278	Attribute()
279	default constructor, do not use, for swig only
280
281	~Attribute()
282	default destructor
283	(C:abac_attribute_free)
284
285	Attribute(ID&, char*,int)
286	constructor that creates an attribute policy to be signed by the issuer
287	with the given role with a specified validity period
288	An exception will be thrown if:
289	- the issuer has no private key
290	- the Head role is invalid
291	- the validity period is invalid (must be >= 0 second)
292	- The issuer is invalid
293	(C:abac_attribute_create)
294
295	bool principal(char *keyid)
296	{keyid}
297	validate the principal and insert into the attribute
298	throw a std::logic_error if the cert's been baked and keyid bad
299	(C:abac_attribute_principal)
300
301	bool role(char keyid, char role)
302	{keyid.role}
303	validate the principal and role and insert into the attribute
304	throw a std::logic_error if the cert's been baked and keyid bad
305	(C:abac_attribute_role)
306
307	bool linking_role(char keyid, char role, char *linked)
308	{keyid.linked.role}
309	validate the role and linking role and insert into the attribute
310	throw a std::logic_error if the cert's been baked and keyid bad
311	(C:abac_attribute_linking_role)
312
313	bool bake()
314	Generate the cert. Call this after you've added subjects to your cert.
315	This returns false if there are no subjects
316	This will throw an exception if the cert's already been baked.
317	(C:abac_attribute_bake)
318
319	bool bake(Context c)
320	Generate the cert. Call this after you've added subjects to your cert.
321	This returns false if there are no subjects
322	This will throw an exception if the cert's already been baked.
323	This version annotated the baked credential with any mnemonic names in the
324	context.
325	(C:abac_attribute_bake)
326
327	bool baked()
328	returns true iff the certificate has been baked.
329	(C:abac_attribute_baked)
330
331	set_output_format(char *fmt)
332	{fmt}
333	Set the attribute's output format. Valid choices are GENIv1.0 and
334	GENIV1.1. Default is GENIv1.1.
335
336	get_output_format(char *fmt)
337	Get the attribute's output format. Do not delete the string/
338
339	void write(FILE *)
340	write an attribute certificate in XML to an open file handle
341	Throws an exception if the certificate isn't baked
342	(C:abac_attribute_write)
343
344	void write(const string&)
345	write an attribute certificate in XML to file named in string
346
347	void write_file(const char *)
348	write an attribute certificate in XML to file
349
350	void write_name(const char *)
351	write an attribute certificate in XML to file
352	(added to support original libcreddy users)
353
354	abac_chunk_t cert_chunk()
355	returns a XML structure of the attribute certificate in a abac_chunk_t
356	Throws an exception if the certificate isn't baked
357	the chunk can be passed to libabac's Context::load_attribute_chunk()
358	(C:abac_attribute_cert_chunk)
359	C API
360
361	The C API is nearly identical to the C++ API. Due to lack of namespaces,
362	all function names are preceeded by abac_. Furthermore, the parameter
363	representing the object must be passed explicitly. Each of the C++ calls
364	are appended with a matching C routine call. The C function declaration
365	can be found in abac.h
366
367	Examples:
368
369	C++: head.role_name()
370	C: abac_role_name(head)
371	or
372	C++: ctxt.load_attribute_file("test_attr.der")
373	C: abac_context_load_attribute_file(ctxt, "test_attr.der")
374
375	Instead of copy constructors, the C API uses _dup. Therefore,
376	to copy a role use abac_role_dup(m_role),
377	to copy a context use abac_context_dup(m_ctxt),
378	to copy a ID use abac_id_dup(m_id)
379	and to copy an attribute use abac_attribute_dup(m_attr)
380
381	abac_context_query() and abac_context_credentials() return
382	NULL-terminated arrays of Credential objects (abac_credential_t * in C).
383	When you are done with them, you must free the whole array at once using
384	abac_context_credentials_free().
385
386	PERL, PYTHON AND JAVA API
387
388	The Perl, Python and Java APIs are even more similar to the C++ API. The main
389	changes are the use of native types instead of C/C++ types.
390
391	- native strings instead of char *
392
393	Java:
394	- String instead of char *
395	- Context::query returns a vector of Credentials:
396	credentials = ctxt.query(role, principal)
397	success if credentials' size is > 0
398
399	Perl:
400	- arrayref instead of vector
401	- string instead of chunk_t
402	- Context::query returns a list of two elements:
403	my ($success, $credentials) = $ctxt->query($role, $principal)
404	$success is a boolean
405	$credentials is an arrayref of Credential objects
406
407	Python:
408	- tuple instead of vector
409	- bytearray instead of chunk_t (>= 2.6)
410	- string instead of chunk_t (< 2.6)
411	- Context::query returns a tuple with two elements:
412	(success, credentials) = ctxt.query(role, principal)
413	success is a boolean
414	credentials is a tuple of Credential objects
415

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format