source: java/net/deterlab/abac/Query.java @ edf7920

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0tvf-new-xml
Last change on this file since edf7920 was b67a7ac, checked in by Ted Faber <faber@…>, 14 years ago

Add docs

  • Property mode set to 100644
File size: 12.6 KB
RevLine 
[31b67d5]1package net.deterlab.abac;
2
3import org.apache.commons.collections15.*;
4
5import edu.uci.ics.jung.graph.*;
6import edu.uci.ics.jung.graph.util.*;
7
8import java.util.*;
9
10/**
11 * A class for making queries against the graph. It supports direct queries as
12 * well as reachability in either direction. See the run method for details.
[b67a7ac]13 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
14 * @version 1.3
[31b67d5]15 */
[0595372]16class Query {
[b67a7ac]17    /** Internal graph representation */
[31b67d5]18    private Graph<Role,Credential> g;
[b67a7ac]19    /** Count of vertices in g */
[31b67d5]20    private int vertex_count;
21
[b67a7ac]22    /**
23     * Create a query to be run against the credential graph.
24     * @param g a Graph represneting the credentials and implicit connections.
25     */
[31b67d5]26    public Query(Graph<Role,Credential> g) {
27        this.g = g;
28    }
29
30    /**
31     * Run a query against the graph, returning a graph of the results. If the
32     * results are empty or the query fails, an empty graph is returned. When
33     * derived edges are involved, the subgraphs that imply those edges are
34     * included.
[b67a7ac]35     * @param attr a String containing the role to look for
36     * @param prin a String containing the principal
37     * @return a Graph with the proof or partial proof.
[31b67d5]38     */
39    public Graph<Role,Credential> run(String attr, String prin) {
[f8bac55]40        Role attribute = null, principal = null;;
41
42        if (!attr.isEmpty()) attribute = new Role(attr);
43        if (!prin.isEmpty()) principal = new Role(prin);
44
[31b67d5]45        Graph<Role,Credential> ret =
46            Graphs.<Role,Credential>synchronizedDirectedGraph(
47                    new DirectedSparseGraph<Role,Credential>());
48
[84f0e7a]49        /* empty attribute, non-empty principal: find everywhere the principal
50         * can go */
[31b67d5]51        if (attr.isEmpty() && !prin.isEmpty()) {
52            if (g.containsVertex(principal)) {
53                CollectReversePath collect = new CollectReversePath(ret);
54                forward_dfs(principal, collect);
55            }
56        }
57
58        /* otherwise we're going to do some kind of a reverse dfs */
59        else if (g.containsVertex(attribute)) { 
60            if ( prin == null || prin.isEmpty()) {
61                CollectQueryGraph  collect = new CollectQueryGraph(ret);
[ac39e39]62                reverse_dfs(attribute, collect);
[31b67d5]63            }
64            else {
65                if ( g.containsVertex(principal)) {
[84f0e7a]66                    CollectQueryPath  collect = new CollectQueryPath(ret,
67                            principal);
[ac39e39]68                    reverse_dfs(attribute, collect);
[31b67d5]69                }
70            }
71        }
72
73        vertex_count = ret.getVertexCount();
74
75        return ret;
76    }
77
78    /**
79     * Returns true after running a query that returns a non-empty set of
80     * vertices.
[b67a7ac]81     * @return a boolean, true after running a query that returns a non-empty
82     * set of vertices.
[31b67d5]83     */
84    public boolean successful() {
85        return vertex_count > 0;
86    }
87
88    /**
89     * Returns a collection of principals reachable from a Role when
90     * traversing edges in the reverse direction.
[b67a7ac]91     * @param n the Role to start from
92     * @return a Set containinf the principals
[31b67d5]93     */
[cac4c76]94    public Set<Role> find_principals(Role n) {
95        Set<Role> principals = new HashSet<Role>();
[31b67d5]96   
97        GetPrincipals f = new GetPrincipals(principals);
98        reverse_dfs(n, f);
99        return principals;
100    }
101
102
103    /**
[b67a7ac]104     * Interface to pass to the reverse_dfs class that operates on nodes in the
105     * graph as part of the depth first search (DFS).
[31b67d5]106     */
107    interface DfsFcn {
[b67a7ac]108        /**
109         * Called when the node is first encountered on the DFS.
110         * @param x the Role being visited
111         */
[31b67d5]112        public void node(Role x);
[b67a7ac]113        /**
114         * Called when all the node's children have been visited on the DFS.
115         * @param x the Role being visited
116         */
[31b67d5]117        public void node_after(Role x);
118    }
119
120    /**
121     * Class used to pull all the principals out of a reverse_dfs searched
122     * graph.  It takes a collection to the constructor and adds all principals
123     * it sees to that collection.  In no collection is passed in, it creates a
124     * local HashSet of vertices.  The collection is accessible via the p
125     * (i.e., principals) member.
126     */
127    private class GetPrincipals implements DfsFcn {
[b67a7ac]128        /** The principals collected */
[31b67d5]129        public Collection<Role> p;
130
[b67a7ac]131        /**
132         * Initialize the principals collection.
133         * @param vc the initial collection.  May be null.
134         */
[31b67d5]135        public GetPrincipals(Collection<Role> vc) {
136            if ( vc != null) { p =vc;}
137            else { p = new HashSet<Role>(); }
138        }
139
[b67a7ac]140        /**
141         * Adds principals to the collection, called by the DFS.
142         * @param r the Role visited.
143         */
[31b67d5]144        public void node(Role r) {
145            if ( r.is_principal() ) p.add(r);
146        }
[b67a7ac]147        /**
148         * Does nothing.
149         * @param r a Role, a dummy
150         */
[31b67d5]151        public void node_after(Role r) { }
152    }
153
154    /**
[8fac851]155     * Collect a subgraph. Add every node and outgoing arc we encounter, and
156     * pull in the linking node and intersection subtrees as well. Because it's
157     * possible that these subtrees have been encountered more than once, we're
158     * careful not to pull them in twice. The created graph is found in the
[31b67d5]159     * public ng member.
160     */
161    private class CollectQueryGraph implements DfsFcn {
[b67a7ac]162        /** The subgraph being collected */
[31b67d5]163        public Graph<Role, Credential> ng;
[b67a7ac]164        /** The linking roles already added to the sub-graph */
[31b67d5]165        protected HashSet<Role> linking_roles_seen;
[b67a7ac]166        /** The intersection roles already added to the sub-graph */
[8fac851]167        protected HashSet<Role> intersection_roles_seen;
[31b67d5]168
[b67a7ac]169        /**
170         * Initialize the graph into which to gather nodes/edges.
171         * @param g A graph to collect
172         */
[31b67d5]173        public CollectQueryGraph(Graph<Role,Credential> g) {
174            ng = g;
175            linking_roles_seen = new HashSet<Role>();
[8fac851]176            intersection_roles_seen = new HashSet<Role>();
[31b67d5]177        }
178
[b67a7ac]179
180        /**
181         * Do the collection on each node we visit.
182         * @param r a Role, the current node in the DFS.
183         */
[31b67d5]184        public void node(Role r) {
185            if (r.is_linking() && !linking_roles_seen.contains(r)) {
186                // Collect this linking role subgraph
187                reverse_dfs(new Role(r.principal_part()), this);
188                linking_roles_seen.add(r);
189            }
[8fac851]190
191            // collect subgraph for each intersection prereq
192            if (r.is_intersection() && !intersection_roles_seen.contains(r)) {
193                for (Role prereq : r.prereqs())
194                    reverse_dfs(prereq, this);
195                intersection_roles_seen.add(r);
196            }
197
[31b67d5]198            // Add this node's children
199            for (Credential c : g.getInEdges(r) ) {
200                Role tail = g.getSource(c);
201                ng.addEdge(c, tail, r); // FIXME tail and r can come from c [?]
202            }
203        }
[b67a7ac]204        /**
205         * Does nothing.
206         * @param r a Role, a dummy
207         */
[31b67d5]208        public void node_after(Role r) { }
209
210    }
211
212    /**
[b67a7ac]213     * Collect the path from one node to another. It includes vertices that
[31b67d5]214     * are traversed to reach the node. It also includes subgraphs that imply
[8fac851]215     * the linking/intersection edges traversed.
[31b67d5]216     */
217    private class CollectQueryPath extends CollectQueryGraph {
[b67a7ac]218        /** Vertices on the path to the principal */
219        HashSet<Role> onPath;
220        /**
221         * Establish the collection graph and the destination.
222         * @param g the graph that collects the result
223         * @param dest the Role to find
224         */
[31b67d5]225        public CollectQueryPath(Graph<Role,Credential> g, Role dest) {
226            super(g);
227            onPath = new HashSet<Role>();
228            onPath.add(dest);
229        }
230
[b67a7ac]231        /**
232         * Does nothing.
233         * @param r a Role, a dummy
234         */
[31b67d5]235        public void node(Role r) { }
236
[b67a7ac]237        /**
238         * Do the collection on each node we visit.
239         * @param r a Role, the current node in the DFS.
240         */
[31b67d5]241        public void node_after(Role r) {
242            for (Credential c : g.getInEdges(r)) {
243                Role child = c.tail();
244
245                if (onPath.contains(child)) {
246                    Credential edge = g.findEdge(child, r);
247                    if (edge == null)
[b67a7ac]248                        throw new RuntimeException("Credential missing from " +
249                                "parent graph, state is messed up");
[31b67d5]250
251                    ng.addEdge(edge, child, r);
252                    onPath.add(r);
253
254                    // For linking roles, collect the whole subgraph of the
255                    // authorizer
256                    if (r.is_linking()) {
[b67a7ac]257                        CollectQueryPath link = new CollectQueryPath(ng, 
258                                new Role(child.principal_part()));
[31b67d5]259                        reverse_dfs(new Role(r.principal_part()), link);
260                    }
[8fac851]261
262                    // intersection: collect the subgraph of each prereq
263                    else if (r.is_intersection()) {
[b67a7ac]264                        CollectQueryPath prereq_finder = 
265                            new CollectQueryPath(ng, child);
[8fac851]266                        for (Role prereq : r.prereqs())
267                            reverse_dfs(prereq, prereq_finder);
268                    }
[31b67d5]269                }
270            }
271        }
272    }
273
274    /**
275     * Collect the path that a node can reach. It includes subgraphs that imply
[8fac851]276     * the linked/intersection edges traversed.
[31b67d5]277     */
278    private class CollectReversePath extends CollectQueryGraph {
[b67a7ac]279        /**
280         * Initialize the collection graph.
281         * @param g a Graph that collects the results.
282         */
[31b67d5]283        public CollectReversePath(Graph<Role,Credential> g) {
284            super(g);
285        }
286
[b67a7ac]287        /**
288         * add all of the node's parents
289         * @param r a Role, the current node being visited
290         */
[31b67d5]291        public void node(Role r) {
292            for (Credential c : g.getOutEdges(r)) {
293                Role head = g.getDest(c);
294                Credential cred = g.findEdge(r, head);
295                if (cred == null)
[b67a7ac]296                    throw new RuntimeException("Credential missing from " + 
297                            "parent graph, state is messed up");
[31b67d5]298
299                ng.addEdge(cred, r, head);
300            }
301        }
302
[b67a7ac]303        /**
304         * Do the collection on each node we visit.
305         * @param r a Role, the current node in the DFS.
306         */
[31b67d5]307        public void node_after(Role r) {
308            for (Credential c : g.getOutEdges(r)) {
309                Role parent = g.getDest(c);
310
[8fac851]311                // if any of the links we follow is from a linking node, copy
312                // the subgraph that implies said link
[31b67d5]313                if (parent.is_linking()) {
[b67a7ac]314                    CollectQueryPath link = new CollectQueryPath(ng, 
315                            new Role(r.principal_part()));
[31b67d5]316                    reverse_dfs(new Role(parent.principal_part()), link);
317                }
[8fac851]318
319                // intersection roles do not need to be treated specially
320                // because the forward path from the principal will traverse all
321                // edges that imply the edge to the intersection node
[31b67d5]322            }
323        }
324    }
325
326    /**
327     * Interface to the reverse_dfs member that does allocates the visited map
328     * so the user doesn't have to.
[b67a7ac]329     * @param r a Role from which to start the search
330     * @param f a DfsFcn that customizes the search operation
331     */
[31b67d5]332    private void reverse_dfs(Role r, DfsFcn f) {
333        reverse_dfs(r, new HashSet<Role>(), f);
334    }
335
336    /**
337     * Member function to walk the edges in reverse from a given Role.  Each
338     * Role is visited once and has the node() function of the dfs_fcn called
339     * on it.  Order is not guaranteed.
[b67a7ac]340     * @param r a Role from which to start the search
341     * @param visited a HashSet of Roles that tells which nodes have been
342     * visited.
343     * @param f a DfsFcn that customizes the search operation
[31b67d5]344     */
345    private void reverse_dfs(Role r, HashSet<Role> visited,
346            DfsFcn f) {
347        if (visited.contains(r)) return;
348
349        f.node(r);
350        visited.add(r);
351
352        for (Credential c : g.getInEdges(r)) 
353            reverse_dfs(g.getSource(c), visited, f);
354        f.node_after(r);
355    }
356
357    /**
358     * Interface to the forward_dfs member that allocates the visited map so
359     * the user doesn't have to.
[b67a7ac]360     * @param r a Role from which to start the search
361     * @param f a DfsFcn that customizes the search operation
[31b67d5]362     */
363    private void forward_dfs(Role r, DfsFcn f) {
364        forward_dfs(r, new HashSet<Role>(), f);
365    }
366
367    /**
368     * Member function to walk the edges from a given Role. Each Role is
369     * visited once and has the node() function of the dfs_fcn called on it.
370     * Order is not guaranteed
[b67a7ac]371     * @param r a Role from which to start the search
372     * @param visited a HashSet of Roles that tells which nodes have been
373     * visited.
374     * @param f a DfsFcn that customizes the search operation
[31b67d5]375     */
376    private void forward_dfs(Role r, Set<Role> visited, DfsFcn f) {
377        if (visited.contains(r)) return;
378
379        f.node(r);
380        visited.add(r);
381
382        for (Credential c : g.getOutEdges(r))
383            forward_dfs(g.getDest(c), visited, f);
384        f.node_after(r);
385    }
386}
Note: See TracBrowser for help on using the repository browser.