source: doc/API @ 5338995

mei_rt2mei_rt2_fix_1
Last change on this file since 5338995 was 9b43fc3, checked in by Mei <mei@…>, 12 years ago

1) add code to load id into context with both cert chunk and privkey
chunk
2) test out the sample scripts in swig/perl and swig/python

  • Property mode set to 100644
File size: 21.6 KB
Line 
1C++ API
2
3(see bottom for notes on C, Perl, and Python.)
4
5ABAC::abac_chunk_t
6   Structure, represents a blob of memory
7   used to load/return DER-encoded X509 certificates
8     -unsigned char *data
9     -int len
10
11ABAC::Constraint
12   Constraint on a data term.
13   There are 3 types:
14     - Role constraint on a principal
15     - Oset constraint on a principal, or a data object
16     - Range/List constraint on a data object
17   It holds a ptr to a abac_condition_t structure
18
19   Constraint()
20     default constructor, do not use, for swig only
21
22   Constraint(const Constraint &)
23     copy constructor, used for cloning a constraint
24
25   ~Constraint()
26     default destructor
27
28   Constraint(Role &)
29     constructor that takes a constraining role
30       [role:?R[{role-constraint}]
31     (C:abac_constraint_from_role)
32
33   Constraint(Oset &)
34     constructor that takes a constraining oset
35       [oset:?O[{oset-constraint}]
36       [urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
37     (C:abac_constraint_from_oset)
38
39   Constraint(char *)
40     constructor that takes one of following string
41     as its vartype to set up a range constraint:
42       "integer"
43       "urn"
44       "float"
45       "boolean"
46       "time"
47       "string"
48     it should be followed with one or many of following utility
49     calls.
50     (C:abac_constraint_create)
51
52   void constraint_add_integer_max(int)
53     (C:abac_constraint_add_integer_max)
54   void constraint_add_integer_min(int)
55     utility routines to setup a integer range constraint
56       [integer:?I[10 .. 20]]
57     (C:abac_constraint_add_integer_min)
58
59   void constraint_add_integer_target(int)
60     utility routine to setup a integer list constraint
61       [integer:?I[10,20]]
62     (C:abac_constraint_add_integer_target)
63
64   void constraint_add_float_max(float)
65     (C:abac_constraint_add_float_max)
66   void constraint_add_float_min(float)
67     utility routines to setup a float range constraint
68       [float:?F[1.0 .. 2.5]]
69     (C:abac_constraint_add_float_min)
70
71   void constraint_add_float_target(float)
72     utility routine to setup a float list constraint
73       [float:?F[0.5, 2.5]]
74     (C:abac_constraint_add_float_target)
75
76   void constraint_add_time_max(char*)
77     (C:abac_constraint_add_time_max)
78   void constraint_add_time_min(char*)
79     utility routines to setup a time range constraint,
80     takes quoted string values, beyond T is optional
81       [time:?F["20120228T" .. "20120228T090000"]]
82     (C:abac_constraint_add_time_min)
83
84   void constraint_add_time_target(char*)
85     utility routine to setup a time list constraint
86       [time:?M["20201101T182930","20201101T"]]
87     (C:abac_constraint_add_time_target)
88
89   void constraint_add_urn_target(char*)
90     utility routine to setup a an urn list constraint
91       [urn:?U["fileA","http://fileB"]]
92     (C:abac_constraint_add_urn_target)
93
94   void constraint_add_string_target(char*)
95     utility routine to setup a a string list constraint
96       [string:?S["abc",'efg',"hij"]]
97     (C:abac_constraint_add_string_target)
98
99   void constraint_add_boolean_target(char*)
100     utility routine to setup a a boolean list constraint
101       [boolean:?B['true']]
102     (C:abac_constraint_add_boolean_target)
103
104   char *string() const
105     returns literal string of the constraint
106     (C:abac_constraint_string)
107
108   char *typed_string() const
109     returns typed literal string of the constraint
110     (C:abac_constraint_typed_string)
111
112ABAC::DataTerm
113   A data term is associated with Role or Oset as a parameter that
114   maybe be instantiated, or uninstantiated but being constrained,
115   or as a principal oset term (standalone right handside of an oset
116   policy rule).  It holds a pointer to a abac_term_t structure.
117   Types of data terms are:
118     "integer"
119     "urn"
120     "float"
121     "boolean"
122     "string"
123     "time"
124     "principal"
125     "anonymous"
126
127   DataTerm()
128     default constructor, do not use, for swig only
129
130   DataTerm(const DataTerm &)
131     copy constructor, used for cloning a data term
132
133   ~DataTerm()
134     default destructor
135
136   DataTerm(char*)
137     constructor to make named principal data term for the oset RHS
138     (C: abac_term_named_create)
139
140   DataTerm(const ID&)
141     constructor to make named principal data term for parameter term
142     (C: abac_term_id_create)
143
144   DataTerm(char*, char*, Constraint*)
145     constructor for making a variable data term
146     (C: abac_term_create)
147
148   DataTerm(char*, char*)
149     constructor for making an instantiated data term
150     (C: abac_term_create)
151
152   char *string() const
153     returns literal string of the data term
154     (C:abac_term_string)
155
156   char *typed_string() const
157     returns typed literal string of the data term
158     (C:abac_term_typed_string)
159
160   bool term_is_time() const
161     (C:abac_term_is_time)
162   bool term_is_string() const
163     (C:abac_term_is_string)
164   bool term_is_urn() const
165     (C:abac_term_is_urn)
166   bool term_is_integer() const
167     (C:abac_term_is_integer)
168     returns true if data term is of certain type
169
170   int term_add_constraint(Contraint&)
171     utiltiy routine to add a constraint to this data term
172     (C:abac_term_add_constraint)
173
174   int term_type() const
175     returns subtype of the data term
176     (C:abac_term_type)
177
178   char *term_name() const
179     returns the name of the data term
180     (C:abac_term_name)
181
182ABAC::Role
183   A Role is role specification of a set of entitities for a principal
184
185   Role()
186     default constructor, do not use, for swig only
187
188   Role(const Role &)
189     copy constructor, used for cloning a role
190
191   ~Role()
192     default destructor
193
194   Role(char*)
195     constructor that builds a bare bone role with just principal's name
196     (C:abac_role_principal_create)
197
198   Role(char*, char*)
199     constructor that builds a bare bone role with just principal's name
200     and a role name
201     (C:abac_role_create)
202
203   Role(char*, char*, char*)
204     constructor that builds a bare bone role with just principal's name
205     and a linking role name and a role name
206     (C:abac_role_linked_create)
207
208   bool role_is_principal() const
209     return true if the role is a principal object(made from
210     a data term), the right hand side of,
211       [keyid:A].role:r <- [keyid:B]
212     (C:abac_role_is_principal)
213
214   bool role_is_linking() const
215     returns true if the role is a linking role like
216     the right hand side of,
217       [keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
218     (C:abac_role_is_linking)
219
220   char *string() const
221     returns literal string of the role
222     (C:abac_role_string)
223
224   char *typed_string() const
225     returns typed literal string of the role
226     (C:abac_role_typed_string)
227
228   char *role_linked_role() const
229     returns linked part of a linking role, for
230       [keyid:A].role:r1.role:r2, it returns r1
231     (C:abac_role_linked_role)
232
233   char *role_name() const
234     returns the role name of any role (the part after the last dot)
235       [keyid:A].role.r1.role:r2, it returns r2
236       [keyid:A].role.r1, it returns r1
237     (C:abac_role_name)
238
239   char *role_principal() const
240     returns the principal of role (the part before the first dot)
241       [keyid:A].role.r1, it returns A
242     (C:abac_role_principal)
243
244   void role_add_data_term(DataTerm&)
245     add a data term to the role
246     (C:abac_role_add_data_term)
247
248   std::vector<DataTerm> get_data_terms(bool &)
249     return the data terms bound to this role.
250     (C:abac_role_get_data_terms)
251
252   void role_add_linked_data_term(DataTerm&)
253     add a data term to the linking role
254     (C:abac_role_add_linked_data_term)
255
256   std::vector<DataTerm> get_linked_data_terms(bool &)
257     return the data terms bound to this role's linking role.
258     (C:abac_role_get_linked_data_terms)
259
260ABAC::Oset
261   An Oset is oset specification of a set of entitities for a principal
262
263   Oset()
264     default constructor, do not use, for swig only
265
266   Oset(const Oset &)
267     copy constructor, used for cloning an oset
268
269   ~Oset()
270     default destructor
271
272   Oset(char *)
273     constructor that makes a principal oset, ie [keyid:B]
274     (C:abac_role_principal_create)
275
276   Oset(char *, char *)
277     constructor that makes a regular oset, ie. [keyid:B].oset:o
278     (C:abac_role_create)
279
280   Oset(char *, char*, char *)
281     constructor that makes a linked oset, ie. [keyid:B].role:r.oset:o
282     (C:abac_oset_linked_create)
283
284   Oset(DataTerm&)
285     constructor that makes an object oset, ie. [urn:'file/fileA']
286     (C:abac_oset_object_create)
287
288   bool oset_is_object(), ie <- [integer:10]
289     return ture if this oset is an object oset
290     (C:abac_oset_is_object)
291
292   bool oset_is_principal() const
293     return true if the oset is a principal object(made from
294     a data term), the right hand side of,
295       [keyid:A].oset:o <- [keyid:B]
296     (C:abac_oset_is_principal)
297
298   bool oset_is_linking() const
299     returns true if the oset is a linking oset like
300     the right hand side of,
301       [keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
302     (C:abac_oset_is_linking)
303
304   char *string() const
305     returns literal string of the oset
306     (C:abac_oset_string)
307
308   char *typed_string() const
309     returns typed literal string of the oset
310     (C:abac_oset_typed_string)
311
312   char *oset_linked_role() const
313     returns linked part of a linking oset, for
314       [keyid:A].role:r1.oset:o1, it returns r1
315     (C:abac_oset_linked_role)
316
317   char *oset_name() const
318     returns oset name,
319       [keyid:A].role:r1.oset:o1, it returns o1
320       [keyid:A].oset:o1, it returns o1
321     (C:abac_oset_name)
322
323   char *oset_principal() const
324     returns principal name,
325       [keyid:A].role:r1.oset:o1, it returns A
326     (C:abac_oset_principal)
327
328   char *oset_object() const
329     returns object's name when the oset is a principal object
330       [keyid:A].oset:values <- [integer:10], it returns 10
331     (C:abac_oset_object)
332
333   void add_data_term(DataTerm&)
334     add a data term to this oset's parameter set
335     (C:abac_oset_add_data_term)
336
337   std::vector<DataTerm> get_data_terms(bool &)
338     returns the data terms bound to this oset. 
339     (C:abac_oset_get_data_terms)
340
341   void oset_add_linked_data_term(DataTerm&)
342     add a data term to this oset's linking role's parameter set.
343     (C:abac_oset_add_linked_data_term)
344
345   std::vector<DataTerm> get_linked_data_terms(bool &)
346     returns the data terms bound to this oset's linking role. 
347     (C:abac_oset_get_linked_data_terms)
348
349ABAC::ID
350   An ID holds a principal credential. It maybe imported from an existing
351   ID credential via external files, constructed from a streaming chunk,
352   or instantiated on the fly 
353
354   ID()
355     default constructor, do not use, for swig only
356
357   ID(const ID &)
358     copy constructor, used for cloning an ID
359
360   ~ID()
361     default destructor
362
363   ID(char *)
364     load an ID cert from a file, will throw an exception
365     if the cert cannot be loaded
366     (C:abac_id_from_file)
367
368   ID(char *,int)
369     generates a new ID with the supplied CN and validity period
370     - CN must be alphanumeric and begin with a letter
371     - validity must be at least one second
372     will throw an exception if either of the above is violated
373     (C:abac_id_generate)
374
375   void id_load_privkey_file(char *)
376     loads the private key associated with the ID credential
377     will throw an exception if the key cannot be loaded
378     (C:abac_id_load_privkey_file)
379
380   char *id_keyid()
381     returns the SHA1 keyid of the id cert
382     (C:abac_id_keyid)
383
384   char *id_name()
385     returns the CN (the parameter passed to the constructor or the
386     CN of the cert).
387     (C:abac_id_cn)
388
389   bool id_has_privkey()
390     returns true if the ID has an associated private key
391     (C:abac_id_has_privkey)
392
393   void id_write_cert(FILE *)
394     writes a PEM-encoded cert to the file handle
395     (C:abac_id_write_cert)
396
397   void id_write_cert(char *)
398     writes a PEM-encoded cert to a file named out
399     (C:abac_id_write_cert_fname)
400
401   void id_write_privkey(FILE *)
402     writes a PEM-encoded private key to the file handle
403     throws an exception if no private key is loaded
404     (C:abac_id_write_privkey)
405
406   void id_write_privkey(char *)
407      writes a PEM-encoded private key a file named out
408      throws an exception if no private key is loaded
409     (C:abac_id_write_privkey_fname)
410
411   abac_chunk_t id_cert_chunk()
412     returns a DER-encoded binary representation of the X.509 ID cert
413     associated with this ID.
414     can be passed to libabac's Context::load_id_chunk()
415     (C:abac_id_cert_chunk)
416
417   abac_chunk_t id_privkey_chunk()
418     returns a PEM-encoded binary representation of the private key
419     associated with this ID.
420     can be passed to libabac's Context::load_id_chunks()
421     (C:abac_id_privkey_chunk)
422
423   char *string()
424     returns literal string of the id credential
425     (C:abac_id_string)
426
427ABAC::Attribute
428   This is the attribute representation for the access policy rule
429       LHS <- RHS
430   The sequence of generation is to
431       first, instantiate the object, ie, LHS (head)
432       second, adding subject(s) to it, ie, RHS (tail)
433       and then baking it.
434   Only once it's baked can you access the X.509 cert.
435   Once it's been baked you can no longer add subjects to it
436
437   Attribute()
438     default constructor, do not use, for swig only
439
440   Attribute(const Attribute &)
441     copy constructor, used for cloning an attribute
442
443   ~Attribute()
444     default destructor
445
446   Attribute(Role&, int)
447     constructor that creates an attribute policy to be signed by the issuer
448     with the given role with a specified validity period
449     An exception will be thrown if:
450       - the issuer has no private key
451       - the Head role is invalid
452       - the validity period is invalid (must be >= 1 second)
453     (C:abac_attribute_create)
454
455   Attribute(Oset&, int)
456     constructor that creates an attribute policy to be signed by the issuer
457     with the given oset with a specified validity period
458     An exception will be thrown if:
459       - the issuer has no private key
460       - the Head oset is invalid
461       - the validity period is invalid (must be >= 1 second)
462     (C:abac_attribute_create)
463
464   bool attribute_add_tail(Role&)
465      Add a role tail.  Call multiple times for intersection
466     (C:abac_attribute_add_tail)
467
468   bool attribute_add_tail(Oset&)
469      Add an oset tail.  Call multiple times for intersection
470     (C:abac_attribute_add_tail)
471
472   char *head_string()
473     returns literal string of head of the attribute
474     (C:abac_head_string)
475
476   char *tail_string()
477     returns literal string of tail of the attribute
478     (C:abac_tail_string)
479
480   char *head_typed_string()
481     returns typed literal string of head of the attribute
482     (C:abac_head_typed_string)
483
484   char *tail_typed_string()
485     returns typed literal string of tail of the attribute
486     (C:abac_tail_typed_string)
487
488   char *string()
489     returns literal string of the attribute
490     (C:abac_attribute_string)
491
492   char *typed_string()
493     returns typed literal string of the attribute
494     (C:abac_attribute_typed_string)
495
496   const Role &role_head()
497     returns the head role
498
499   const Oset &oset_head()
500     returns the oset head
501
502   std::vector<Role> role_tails(bool &)
503     retrieve tail role which maybe more than 1 if intersecting
504     (C:abac_attribute_role_tails)
505
506   std::vector<Oset> oset_tails(bool &)
507     retrieve tail oset which maybe more than 1 if intersecting
508     (C:abac_attribute_oset_tails)
509
510   bool attribute_bake()
511     Generate the cert. Call this after you've added subjects to your cert.
512     This returns false if there are no subjects
513     This will throw an exception if the cert's already been baked.
514     (C:abac_attribute_bake)
515
516   bool attribute_baked()
517     returns true iff the cert has been baked.
518     (C:abac_attribute_baked)
519
520   void attribute_write_cert(FILE *)
521     write the DER-encoded X.509 attribute cert to the open file handle
522     Throws an exception if the cert isn't baked
523     (C:abac_attribute_write_cert)
524
525   void attribute_write_cert(char *)
526     write the DER-encoded X.509 attribute cert to a file named out
527     Throws an exception if the cert isn't baked
528     (C:abac_attribute_write_cert_fname)
529
530   abac_chunk_t cert_chunk()
531     returns a DER-encoded binary representation of the X.509 attribute
532     cert associated with this cert
533     Throws an exception if the cert isn't baked
534     the chunk can be passed to libabac's Context::load_attribute_chunk()
535     (C:abac_attribute_cert_chunk)
536
537ABAC::Context
538    An ABAC Context
539
540   Context()
541     default constructor
542
543   Context(const Context &)
544     copy constructor, used for cloning the context
545
546   ~Context()
547     default destructor
548
549   void dump_yap_db()
550     dump the complete yap prolog database
551     (C:show_yap_db)
552
553   int load_id(ABAC::ID&)
554     load id cert from ID
555     (C:abac_context_load_id)
556
557   int load_id_file(char *)
558     load id cert from an idkey combo file. key retrieval will be attempt
559     but won't fail if not found
560     (C:abac_context_load_id_file)
561
562   int load_id_files(char *, char *)
563     load id cert from an id file and a key file
564     (C:abac_context_load_id_files)
565
566   int load_id_chunk(abac_chunk_t)
567     load id cert from a chunk structure
568     (C:abac_context_load_id_chunk)
569
570   int load_id_chunks(abac_chunk_t, abac_chunk_t)
571     load id privkey from a chunk structure
572     (C:abac_context_load_id_privkey_chunk)
573     returns:
574       ABAC_CERT_SUCCESS   successfully loaded
575       ABAC_CERT_INVALID   invalid certificate (or file not found)
576       ABAC_CERT_BAD_SIG   invalid signature
577
578   int load_attribute(ABAC::Attribute&)
579     load attribute credential from attribute structure
580     (C:abac_context_load_attribute)
581
582   int load_attribute_file(char *)
583     load attribute credential from a file
584     (C:abac_context_load_attribute_file)
585
586   int load_attribute_chunk(abac_chunk_t)
587     load attribute credential from a chunk
588     (C:abac_context_load_attribute_chunk)
589
590     returns the same values as above, additionally
591     returns ABAC_CERT_MISSING_ISSUER if the issuer
592     certificate has not been loaded
593
594   void load_principals(char *)
595     load a directory full of principals only:
596
597        first: ${path}/*_ID.{der,pem} as identity certificates
598               implicitly looking for ${path}/*_private.{der,pem} as
599               the private key file
600        then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
601      (C:abac_context_load_principals)
602
603   void load_directory(char *)
604     load a directory full of certificates:
605
606        first: ${path}/*_ID.{der,pem} as identity certificates
607               implicitly looking for ${path}/*_private.{der,pem} as
608               the private key file
609        then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
610        last: ${path}/*_attr.der as attribute certificates
611      (C:abac_context_load_directory)
612
613   std::vector<Attribute> query(char *, char *, bool &)
614     the string version is for query that is composed by hand with SHA or
615     in non ABAC_CN mode 
616     (C:abac_context_query)
617
618   std::vector<Attribute> query(Role &, Role &, bool &)
619     (C:abac_context_query_with_structure)
620   std::vector<Attribute> query(Oset &, Oset &, bool &)
621     (C:abac_context_query_with_structure)
622     runs the query:
623       role <-?- principal
624       oset <-?- principal/obj
625     returns true/false in success
626     returns a proof upon success,
627     partial proof on failure (not implemented yet)
628
629   std::vector<Attribute> context_credentials(bool &)
630     returns a vector of all the credentials loaded in the context
631     extracted from the internal data structure
632     (C:abac_context_credentials)
633
634   std::vector<Attribute> context_principals(bool &)
635     returns a vector of all the principals loaded in the context
636     extracted from the internal data structure
637     (C:abac_context_principals)
638
639   char *version()
640     return the version of this interface
641C API
642
643The C API is nearly identical to the C++ API. Due to lack of namespaces,
644all function names are preceeded by abac_. Furthermore, the parameter
645representing the object must be passed explicitly. Each of the C++ calls
646are appended with a matching C routine call. The C function declaration
647can be found in abac.h
648
649Examples:
650
651    C++:    head.role_name()
652    C:      abac_role_name(head)
653    or
654    C++:    ctxt.load_attribute_file("test_attr.der")
655    C:      abac_context_load_attribute_file(ctx, "test_attr.der")
656
657Instead of copy constructors, the C API uses _dup.  Therefore,
658to copy a role use abac_aspect_dup(m_role),
659to copy a oset use abac_aspect_dup(m_oset),
660to copy a context use abac_context_dup(m_ctx),
661to copy a constraint use abac_condition_dup(m_constraint),
662to copy a data term use abac_term_dup(m_term),
663to copy a ID use abac_id_dup(m_id)
664and to copy an attribute use abac_attribute_dup(m_attr)
665
666Various flavors of abac_context_query() and abac_context_credentials()
667return NULL-terminated arrays of Attribute objects (abac_credential_t * in C).
668abac_context_principals() returns NULL-terminated array of ID objects
669(abac_id_credential_t * in C)
670
671When you are done with them, you must free the whole array at once using
672abac_context_credentials_free() and abac_context_principals_free() respectively.
673
674PERL AND PYTHON API
675
676The Perl and Python APIs are even more similar to the C++ API. The main
677changes are the use of native types instead of C/C++ types.
678
679    - native strings instead of char *
680
681    Perl:
682        - arrayref instead of vector
683        - string instead of chunk_t
684        - Context::query returns a list of two elements:
685            my ($success, $credentials) = $ctx->query($role, $principal);
686            $success is a boolean
687            $credentials is an arrayref of Credential objects
688
689    Python:
690        - tuple instead of vector
691        - bytearray instead of chunk_t (>= 2.6)
692        - string instead of chunk_t (< 2.6)
693        - Context::query returns a tuple with two elements:
694            (success, credentials) = ctx.query(role, principal)
695            success is a boolean
696            credentials is a tuple of Credential objects
Note: See TracBrowser for help on using the repository browser.