source: doc/API @ 4feb5be

abac0-leakabac0-meitvf-new-xml
Last change on this file since 4feb5be was 34565bf, checked in by Ted Faber <faber@…>, 11 years ago

INterface additions

  • Property mode set to 100644
File size: 12.7 KB
Line 
1C++ API
2
3(see bottom for notes on C, Perl, Python and Java)
4
5ABAC::abac_chunk_t
6   Structure, represents a blob of memory
7   used to load/return Identity credentials and Attribute certificates
8     -unsigned char *data
9     -int len
10
11ABAC::Context
12    An ABAC Context
13
14   Context()
15     default constructor
16     (C:abac_context_new)
17
18   Context(const Context &)
19     copy constructor, used for cloning the context
20     (C:abac_context_dup)
21
22   ~Context()
23     default destructor
24     (C:abac_context_free)
25
26   int load_id_file(char *)
27     load identity certificate from an id file
28     (C:abac_context_load_id_file)
29
30   int load_id_chunk(abac_chunk_t)
31     load id certificate from an chunk
32     (C:abac_context_load_id_chunk)
33
34   int load_attribute_file(char *)
35     load attribute certificate from an id file.
36     (C:abac_context_load_attribute_file)
37
38   int load_attribute_chunk(abac_chunk_t)
39     load attribute certificate from an chunk
40     (C:abac_context_load_attribute_chunk)
41
42   returns :
43        ABAC_CERT_SUCCESS   successfully loaded
44        ABAC_CERT_INVALID   invalid certificate (or file not found)
45        ABAC_CERT_BAD_SIG   invalid signature
46
47   void load_directory(char *)
48     load a directory full of certificates:
49
50        first: ${path}/*_ID.{der,pem} as identity certificates
51               implicitly looking for ${path}/*_private.{der,pem} as
52               the private key file
53        last: ${path}/*_attr.xml as attribute certificates
54      (C:abac_context_load_directory)
55
56   std::vector<Credential> query(char *, char *, bool &)
57     run the query:
58        role <-?- principal
59     returns true/false in success
60     returns a proof upon success, partial proof on failure
61     (C:abac_context_query)
62     (C::abac_free_credentials_free)
63
64   std::vector<Credential> credentials(bool &)
65     returns a vector of all the credentials loaded in the context
66     (C:abac_context_credentials)
67     (C::abac_context_credentials_free)
68
69   void set_nickname(char *key, char *nick)
70     Set the nickname (value printed) for keyid.  The substitution is made
71     in Role::short_string(Context) and when bake(Context) is called on a new
72     attribute.
73
74ABAC::Role
75   A Role, most calls are rarely used outside the library
76
77   Role()
78     default constructor, do not use, for swig only
79
80   Role(abac_role_t*)
81     copy constructor, used for cloning an Role
82     (C:abac_role_dup)
83
84   Role(char *)
85     instantiate a role from a string
86     (C:abac_role_from_string)
87
88   Role(const Role &)
89     copy constructor, used for cloning an Role
90     (C:abac_role_dup)
91
92   ~Role()
93     default destructor
94     (C:abac_role_free)
95
96   bool is_principal()
97     (C:abac_role_is_principal)
98
99   bool is_role()
100     (C:abac_role_is_role)
101
102   bool is_linking()
103     (C:abac_role_is_linking)
104     indicates the type of role encoded
105
106   char* string()
107     string representation of the role
108     (C:abac_role_string)
109
110   char* short_string()
111     string representation of the role
112     (C:abac_role_string)
113
114   char* linked_role()
115     the linked role of a linking role
116     i.e., A.r1.r2, linked_role() returns A.r1
117     (C:abac_role_linked_role)
118
119   char* role_name()
120     the role name of any role (the part after the last dot)
121     (C:abac_role_role_name)
122
123   char* principal()
124     the principal part of any role
125     (C:abac_role_principal)
126
127ABAC::Credential
128   This is never instantiated directly. These will only ever be
129   returned as a result of calls to Context::query or
130   Context::credentials.
131
132   Credential()
133     default constructor, do not use, for swig only
134
135   Credential(abac_credential_t*)
136     copy constructor, used for cloning a credential
137     (C:abac_credential_head)
138     (C:abac_credential_tail)
139     (C:abac_credential_dup)
140
141   Credential(const Credential&)
142     copy constructor, used for cloning a credential
143     (C:abac_credential_head)
144     (C:abac_credential_tail)
145     (C:abac_credential_dup)
146
147   ~Credential()
148     default destructor
149     (C:abac_credential_free)
150
151   Role &head()
152     returns the head of the credential
153
154   Role &tail()
155     returns the tail of the credential
156
157   abac_chunk_t attribute_cert()
158     returns the attribute certificate in chunk, suitable for
159     transmission over the network or storage in a file
160     (C:abac_credential_attribute_cert)
161
162   abac_chunk_t issuer_cert()
163     returns the issuer certificate in chunk, again suitable for
164     network transmission or file storage
165     (C:abac_credential_issuer_cert)
166
167ABAC::ID
168   An ID holds a principal credential. It maybe imported from an existing
169   ID credential via external files, constructed from a streaming chunk,
170   or instantiated on the fly
171
172   ID()
173     default constructor, do not use, for swig only
174
175   ID(const ID &)
176     copy constructor, used for cloning an ID
177     (C:abac_id_dup)
178
179   ~ID()
180     default destructor
181     (C:abac_id_free)
182
183   ID(char *)
184     load an ID certificate from a file, will throw an exception
185     if the certificate cannot be loaded
186     (C:abac_id_from_file)
187
188   ID_chunk(abac_chunk_t chunk)
189     create an ID certificate from an certificate chunk, will
190     throw an exception if the certificate cannot be loaded
191     (C:abac_id_from_chunk)
192
193   ID(char *,int)
194     generates a new ID(cert&key) with the supplied CN and validity period
195     - CN must be alphanumeric and begin with a letter
196     - validity must be at least one second
197     will throw an exception if either of the above is violated
198     (C:abac_id_generate)
199
200   void load_privkey(char *)
201     loads the private key associated with the ID credential,
202     will throw an exception if the key cannot be loaded
203     (C:abac_id_privkey_from_file)
204
205   void load_privkey_chunk(abac_chunk_t)
206     loads the private key associated with the ID credential,
207     will throw an exception if the key cannot be loaded
208     (C:abac_id_privkey_from_chunk)
209
210   int has_privkey()
211     check to see if there is a privkey in this ID
212     (C:abac_id_has_privkey)
213
214   char *keyid()
215     returns the SHA1 keyid of the id cert
216     (C:abac_id_keyid)
217
218   char *cert_filename()
219     returns the default libabac filename for the cert.
220     value must be freed by caller.
221     (C:abac_id_cert_filename)
222
223   void write_cert(FILE *)
224     writes a PEM-encoded certificate to a file handle
225     (C:abac_id_write_cert)
226
227   void write_cert(string &)
228     writes a PEM-encoded certificate to a file named in string
229
230   void write_cert_file(const char *)
231     writes a PEM-encoded certificate to a file
232
233   void write_cert_name(const char *)
234     writes a PEM-encoded certificate to a file
235     (added to support original libcreddy users)
236
237   char *privkey_filename()
238     returns the default libabac filename for the private key.
239     value must be freed by caller.
240     (C:abac_id_privkey_filename)
241
242   void write_privkey(FILE *)
243     write the private key to a file handle
244     throws a std::logic_error if no private key is loaded
245     (C:abac_id_write_privkey)
246
247   void write_privkey(string &)
248     writes a private key to file named in string
249
250   void write_privkey_file(const char *)
251     writes a private key to a file
252
253   void write_privkey_name(const char *)
254     writes a private key to a file
255     (added to support original libcreddy users)
256
257   abac_chunk_t cert_chunk()
258     returns a DER-encoded binary representation of the X.509 ID cert
259     associated with this ID.
260     can be passed to libabac's Context::load_id_chunk()
261     (C:abac_id_cert_chunk)
262
263   abac_chunk_t privkey_chunk()
264     returns a PEM-encoded binary representation of the private key
265     associated with this ID.
266     (C:abac_id_privkey_chunk)
267
268ABAC::Attribute
269   This is the attribute representation for the access policy rule
270       LHS <- RHS
271   The sequence of generation is to
272       first, instantiate the object, ie, LHS (head)
273       second, adding subject(s) to it, ie, RHS (tail)
274       and then baking it.
275   Only once it's baked can you access the X.509 cert.
276   Once it's been baked you can no longer add subjects to it
277
278   Attribute()
279     default constructor, do not use, for swig only
280
281   ~Attribute()
282     default destructor
283     (C:abac_attribute_free)
284
285   Attribute(ID&, char*,int)
286     constructor that creates an attribute policy to be signed by the issuer
287     with the given role with a specified validity period
288     An exception will be thrown if:
289       - the issuer has no private key
290       - the Head role is invalid
291       - the validity period is invalid (must be >= 0 second)
292       - The issuer is invalid
293     (C:abac_attribute_create)
294
295   bool principal(char *keyid)
296     {keyid}
297     validate the principal and insert into the attribute
298     throw a std::logic_error if the cert's been baked and keyid bad
299     (C:abac_attribute_principal)
300
301  bool role(char *keyid, char *role)
302     {keyid.role}
303     validate the principal and role and insert into the attribute
304     throw a std::logic_error if the cert's been baked and keyid bad
305     (C:abac_attribute_role)
306
307  bool linking_role(char *keyid, char *role, char *linked)
308     {keyid.linked.role}
309     validate the role and linking role and insert into the attribute
310     throw a std::logic_error if the cert's been baked and keyid bad
311     (C:abac_attribute_linking_role)
312
313   bool bake()
314     Generate the cert. Call this after you've added subjects to your cert.
315     This returns false if there are no subjects
316     This will throw an exception if the cert's already been baked.
317     (C:abac_attribute_bake)
318
319   bool bake(Context c)
320     Generate the cert. Call this after you've added subjects to your cert.
321     This returns false if there are no subjects
322     This will throw an exception if the cert's already been baked.
323     This version annotated the baked credential with any mnemonic names in the
324     context.
325     (C:abac_attribute_bake)
326
327   bool baked()
328     returns true iff the certificate has been baked.
329     (C:abac_attribute_baked)
330
331   set_output_format(char *fmt)
332     {fmt}
333     Set the attribute's output format.  Valid choices are GENIv1.0 and
334     GENIV1.1.  Default is GENIv1.1.
335
336   get_output_format(char *fmt)
337     Get the attribute's output format.  Do not delete the string/
338
339   void write(FILE *)
340     write an attribute certificate in XML to an open file handle
341     Throws an exception if the certificate isn't baked
342     (C:abac_attribute_write)
343
344   void write(const string&)
345     write an attribute certificate in XML to file named in string
346
347   void write_file(const char *)
348     write an attribute certificate in XML to file
349
350   void write_name(const char *)
351     write an attribute certificate in XML to file
352     (added to support original libcreddy users)
353
354   abac_chunk_t cert_chunk()
355     returns a XML structure of the attribute certificate in a abac_chunk_t
356     Throws an exception if the certificate isn't baked
357     the chunk can be passed to libabac's Context::load_attribute_chunk()
358     (C:abac_attribute_cert_chunk)
359C API
360
361The C API is nearly identical to the C++ API. Due to lack of namespaces,
362all function names are preceeded by abac_. Furthermore, the parameter
363representing the object must be passed explicitly. Each of the C++ calls
364are appended with a matching C routine call. The C function declaration
365can be found in abac.h
366
367Examples:
368
369    C++:    head.role_name()
370    C:      abac_role_name(head)
371    or
372    C++:    ctxt.load_attribute_file("test_attr.der")
373    C:      abac_context_load_attribute_file(ctxt, "test_attr.der")
374
375Instead of copy constructors, the C API uses _dup.  Therefore,
376to copy a role use abac_role_dup(m_role),
377to copy a context use abac_context_dup(m_ctxt),
378to copy a ID use abac_id_dup(m_id)
379and to copy an attribute use abac_attribute_dup(m_attr)
380
381abac_context_query() and abac_context_credentials() return
382NULL-terminated arrays of Credential objects (abac_credential_t * in C).
383When you are done with them, you must free the whole array at once using
384abac_context_credentials_free().
385
386PERL, PYTHON AND JAVA API
387
388The Perl, Python and Java APIs are even more similar to the C++ API. The main
389changes are the use of native types instead of C/C++ types.
390
391    - native strings instead of char *
392
393    Java:
394        - String instead of char *
395        - Context::query returns a vector of Credentials:
396            credentials = ctxt.query(role, principal)
397            success if credentials' size is > 0
398
399    Perl:
400        - arrayref instead of vector
401        - string instead of chunk_t
402        - Context::query returns a list of two elements:
403            my ($success, $credentials) = $ctxt->query($role, $principal)
404            $success is a boolean
405            $credentials is an arrayref of Credential objects
406
407    Python:
408        - tuple instead of vector
409        - bytearray instead of chunk_t (>= 2.6)
410        - string instead of chunk_t (< 2.6)
411        - Context::query returns a tuple with two elements:
412            (success, credentials) = ctxt.query(role, principal)
413            success is a boolean
414            credentials is a tuple of Credential objects
415
Note: See TracBrowser for help on using the repository browser.