source: java/net/deterlab/abac/CredentialGraph.java @ 5bf874d

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml
Last change on this file since 5bf874d was 5bf874d, checked in by Mike Ryan <mikeryan@…>, 14 years ago

dirty flag to rederive edges only when the graph is changed

  • Property mode set to 100644
File size: 6.0 KB
Line 
1package net.deterlab.abac;
2
3import org.apache.commons.collections15.*;
4import org.apache.commons.collections15.functors.*;
5
6import edu.uci.ics.jung.graph.*;
7import edu.uci.ics.jung.graph.event.*;
8import edu.uci.ics.jung.graph.util.*;
9
10import java.awt.geom.Point2D;
11import java.io.*;
12import java.util.*;
13
14/**
15 * Represents a global graph of credentials in the form of principals and
16 * attributes.
17 */
18public class CredentialGraph {
19    private Graph<Role,Credential> g = null;
20    private java.util.Set<Credential> derived_edges = new HashSet<Credential>();
21    private Query pq;
22    private boolean m_dirty;
23
24    public CredentialGraph() {
25        /* create the graph */
26        g = Graphs.<Role,Credential>synchronizedDirectedGraph(new DirectedSparseGraph<Role,Credential>());
27        pq = new Query(g);
28    }
29
30    /**
31     * Returns a Query object which can be used to query the graph. This object
32     * becomes invalid if the graph is modified.
33     */
34    public Query querier() {
35        derive_implied_edges();
36        return new Query(g);
37    }
38
39    /**
40     * Add a credential to the graph.
41     */
42    public void add_credential(Credential cred) {
43        Role tail = cred.tail();
44        Role head = cred.head();
45
46        /* explicitly add the vertices, otherwise get a null pointer exception */
47        g.addVertex(tail);
48        g.addVertex(head);
49
50        g.addEdge(cred, tail, head);
51
52        // add the prereqs of an intersection to the graph
53        if (tail.is_intersection())
54            for (Role prereq : tail.prereqs())
55                g.addVertex(prereq);
56
57        m_dirty = true;
58    }
59
60    /**
61     * Remove a credential from the graph.
62     */
63    public void remove_credential(Credential cred) {
64        g.removeEdge(cred);
65        m_dirty = true;
66    }
67
68    /**
69     * Returns a collection of the credentials in the graph.
70     */
71    public Collection<Credential> credentials() {
72        Collection<Credential> creds = new HashSet<Credential>();
73        for (Credential cred : g.getEdges()) {
74            // FIXME: this should check if there's a cert on the cred
75            // this supports all types of derived edges, including intersection
76
77            Role head = g.getDest(cred);
78
79            /* any edge to a linking node is derived, so skip it */
80            if (!head.is_linking())
81                creds.add(cred);
82        }
83        return creds;
84    }
85
86    /**
87     * Derive the implied edges in the graph, according to RT0 derivation rules.
88     * They are added to this graph. See "Distributed Credential Chain Discovery
89     * in Trust Management" by Ninghui Li et al. for details. Note that a
90     * derived linking edge can imply a new intersection edge and vice versa.
91     * Therefore we iteratively derive edges, giving up when an iteration
92     * produces 0 new edges.
93     */
94    private synchronized void derive_implied_edges() {
95        // nothing to do on a clean graph
96        if (!m_dirty)
97            return;
98
99        clear_old_edges();
100
101        // iteratively derive links. continue as long as new links are added
102        while (derive_links_iter() > 0)
103            ;
104
105        m_dirty = false;
106    }
107
108    /**
109     * Single iteration of deriving implied edges. Returns the number of new
110     * links added.
111     */
112    private int derive_links_iter() {
113        int count = 0;
114
115        /* for every node in the graph.. */
116        for (Role vertex : g.getVertices()) {
117            if (vertex.is_intersection()) {
118                // for each prereq edge:
119                //     find set of principals that have the prereq
120                // find the intersection of all sets (i.e., principals that satisfy all prereqs)
121                // for each principal in intersection:
122                //     add derived edge
123
124                Set<Role> principals = null;
125
126                for (Role prereq : vertex.prereqs()) {
127                    Set<Role> cur_principals = pq.find_principals(prereq);
128
129                    if (principals == null)
130                        principals = cur_principals;
131                    else
132                        // no, they couldn't just call it "intersection"
133                        principals.retainAll(cur_principals);
134
135                    if (principals.size() == 0)
136                        break;
137                }
138
139                // add em
140                for (Role principal : principals)
141                    if (add_derived_edge(vertex, principal))
142                        ++count;
143            }
144
145            else if (vertex.is_linking()) {
146                // make the rest of the code a bit clearer
147                Role A_r1_r2 = vertex;
148
149                Role A_r1 = new Role(A_r1_r2.A_r1());
150                String r2 = A_r1_r2.r2();
151
152                /* locate the node A.r1 */
153                if (!g.containsVertex(A_r1)) continue; /* boring: nothing of the form A.r1 */
154
155                /* for each B that satisfies A_r1 */
156                for (Role principal : pq.find_principals(A_r1)) {
157                    Role B_r2 = new Role(principal + "." + r2);
158                    if (!g.containsVertex(B_r2)) continue;
159
160                    if (add_derived_edge(A_r1_r2, B_r2))
161                        ++count;
162                }
163            }
164        }
165
166        return count;
167    }
168
169    /**
170     * Add a derived edge in the graph. Returns true only if the edge does not
171     * exist.
172     */
173    private boolean add_derived_edge(Role head, Role tail) {
174        // edge exists: return false
175        if (g.findEdge(tail, head) != null)
176            return false;
177
178        // add the new edge
179        Credential derived_edge = new Credential(head, tail);
180        derived_edges.add(derived_edge);
181        g.addEdge(derived_edge, tail, head);
182
183        return true;
184    }
185
186    /**
187     * Clear the derived edges that currently exist in the graph. This is done
188     * before the edges are rederived. The derived edges in filtered graphs are
189     * also cleared.
190     */
191    private void clear_old_edges() {
192        for (Credential i: derived_edges)
193            g.removeEdge(i);
194        derived_edges = new HashSet<Credential>();
195    }
196}
Note: See TracBrowser for help on using the repository browser.