Context Navigation

source: java/net/deterlab/abac/CredentialGraph.java @ 5bf874d

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml

Last change on this file since 5bf874d was 5bf874d, checked in by Mike Ryan <mikeryan@…>, 13 years ago
dirty flag to rederive edges only when the graph is changed
Property mode set to `100644`
File size: 6.0 KB

Line
1	package net.deterlab.abac;
2
3	import org.apache.commons.collections15.*;
4	import org.apache.commons.collections15.functors.*;
5
6	import edu.uci.ics.jung.graph.*;
7	import edu.uci.ics.jung.graph.event.*;
8	import edu.uci.ics.jung.graph.util.*;
9
10	import java.awt.geom.Point2D;
11	import java.io.*;
12	import java.util.*;
13
14	/**
15	* Represents a global graph of credentials in the form of principals and
16	* attributes.
17	*/
18	public class CredentialGraph {
19	private Graph<Role,Credential> g = null;
20	private java.util.Set<Credential> derived_edges = new HashSet<Credential>();
21	private Query pq;
22	private boolean m_dirty;
23
24	public CredentialGraph() {
25	/* create the graph */
26	g = Graphs.<Role,Credential>synchronizedDirectedGraph(new DirectedSparseGraph<Role,Credential>());
27	pq = new Query(g);
28	}
29
30	/**
31	* Returns a Query object which can be used to query the graph. This object
32	* becomes invalid if the graph is modified.
33	*/
34	public Query querier() {
35	derive_implied_edges();
36	return new Query(g);
37	}
38
39	/**
40	* Add a credential to the graph.
41	*/
42	public void add_credential(Credential cred) {
43	Role tail = cred.tail();
44	Role head = cred.head();
45
46	/* explicitly add the vertices, otherwise get a null pointer exception */
47	g.addVertex(tail);
48	g.addVertex(head);
49
50	g.addEdge(cred, tail, head);
51
52	// add the prereqs of an intersection to the graph
53	if (tail.is_intersection())
54	for (Role prereq : tail.prereqs())
55	g.addVertex(prereq);
56
57	m_dirty = true;
58	}
59
60	/**
61	* Remove a credential from the graph.
62	*/
63	public void remove_credential(Credential cred) {
64	g.removeEdge(cred);
65	m_dirty = true;
66	}
67
68	/**
69	* Returns a collection of the credentials in the graph.
70	*/
71	public Collection<Credential> credentials() {
72	Collection<Credential> creds = new HashSet<Credential>();
73	for (Credential cred : g.getEdges()) {
74	// FIXME: this should check if there's a cert on the cred
75	// this supports all types of derived edges, including intersection
76
77	Role head = g.getDest(cred);
78
79	/* any edge to a linking node is derived, so skip it */
80	if (!head.is_linking())
81	creds.add(cred);
82	}
83	return creds;
84	}
85
86	/**
87	* Derive the implied edges in the graph, according to RT0 derivation rules.
88	* They are added to this graph. See "Distributed Credential Chain Discovery
89	* in Trust Management" by Ninghui Li et al. for details. Note that a
90	* derived linking edge can imply a new intersection edge and vice versa.
91	* Therefore we iteratively derive edges, giving up when an iteration
92	* produces 0 new edges.
93	*/
94	private synchronized void derive_implied_edges() {
95	// nothing to do on a clean graph
96	if (!m_dirty)
97	return;
98
99	clear_old_edges();
100
101	// iteratively derive links. continue as long as new links are added
102	while (derive_links_iter() > 0)
103	;
104
105	m_dirty = false;
106	}
107
108	/**
109	* Single iteration of deriving implied edges. Returns the number of new
110	* links added.
111	*/
112	private int derive_links_iter() {
113	int count = 0;
114
115	/* for every node in the graph.. */
116	for (Role vertex : g.getVertices()) {
117	if (vertex.is_intersection()) {
118	// for each prereq edge:
119	// find set of principals that have the prereq
120	// find the intersection of all sets (i.e., principals that satisfy all prereqs)
121	// for each principal in intersection:
122	// add derived edge
123
124	Set<Role> principals = null;
125
126	for (Role prereq : vertex.prereqs()) {
127	Set<Role> cur_principals = pq.find_principals(prereq);
128
129	if (principals == null)
130	principals = cur_principals;
131	else
132	// no, they couldn't just call it "intersection"
133	principals.retainAll(cur_principals);
134
135	if (principals.size() == 0)
136	break;
137	}
138
139	// add em
140	for (Role principal : principals)
141	if (add_derived_edge(vertex, principal))
142	++count;
143	}
144
145	else if (vertex.is_linking()) {
146	// make the rest of the code a bit clearer
147	Role A_r1_r2 = vertex;
148
149	Role A_r1 = new Role(A_r1_r2.A_r1());
150	String r2 = A_r1_r2.r2();
151
152	/* locate the node A.r1 */
153	if (!g.containsVertex(A_r1)) continue; /* boring: nothing of the form A.r1 */
154
155	/* for each B that satisfies A_r1 */
156	for (Role principal : pq.find_principals(A_r1)) {
157	Role B_r2 = new Role(principal + "." + r2);
158	if (!g.containsVertex(B_r2)) continue;
159
160	if (add_derived_edge(A_r1_r2, B_r2))
161	++count;
162	}
163	}
164	}
165
166	return count;
167	}
168
169	/**
170	* Add a derived edge in the graph. Returns true only if the edge does not
171	* exist.
172	*/
173	private boolean add_derived_edge(Role head, Role tail) {
174	// edge exists: return false
175	if (g.findEdge(tail, head) != null)
176	return false;
177
178	// add the new edge
179	Credential derived_edge = new Credential(head, tail);
180	derived_edges.add(derived_edge);
181	g.addEdge(derived_edge, tail, head);
182
183	return true;
184	}
185
186	/**
187	* Clear the derived edges that currently exist in the graph. This is done
188	* before the edges are rederived. The derived edges in filtered graphs are
189	* also cleared.
190	*/
191	private void clear_old_edges() {
192	for (Credential i: derived_edges)
193	g.removeEdge(i);
194	derived_edges = new HashSet<Credential>();
195	}
196	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: