[461541a] | 1 | /* abac.c */ |
---|
| 2 | |
---|
[90d20f0] | 3 | #include <assert.h> |
---|
[0bf0e67] | 4 | #include <err.h> |
---|
[bec30b5] | 5 | #include <sys/types.h> |
---|
| 6 | #include <sys/stat.h> |
---|
[7cefdb4] | 7 | #include <sys/param.h> |
---|
[bec30b5] | 8 | #include <unistd.h> |
---|
| 9 | #include <dirent.h> |
---|
[90d20f0] | 10 | |
---|
[9efbfbf] | 11 | #include "abac.h" |
---|
[4721618] | 12 | #include "abac_list.h" |
---|
[06293d1] | 13 | #include "abac_graph.h" |
---|
[3c251d0] | 14 | #include "abac_util.h" |
---|
[43e3b71] | 15 | #include "abac_verifier.h" |
---|
[90d20f0] | 16 | |
---|
[bec30b5] | 17 | abac_id_cert_t **abac_context_principals(abac_context_t *ctx); |
---|
| 18 | void abac_context_id_credentials_free(abac_id_cert_t **id_credentials); |
---|
| 19 | |
---|
[390f749] | 20 | struct _abac_context_t { |
---|
[bec30b5] | 21 | /* list of principal id credentials, abac_id_cert_t */ |
---|
| 22 | abac_list_t *id_certs; |
---|
[06293d1] | 23 | abac_graph_t *graph; |
---|
[94605f2] | 24 | abac_keyid_map_t *keymap; |
---|
[90d20f0] | 25 | }; |
---|
| 26 | |
---|
| 27 | /** |
---|
| 28 | * Init the library. |
---|
| 29 | */ |
---|
| 30 | void libabac_init(void) { |
---|
[55c272b] | 31 | void libabac_deinit(void); |
---|
| 32 | static int has_been_init = 0; |
---|
| 33 | |
---|
| 34 | // called every time a context is created, so only do it once |
---|
| 35 | if (!has_been_init) { |
---|
| 36 | abac_verifier_init(); |
---|
| 37 | atexit(libabac_deinit); |
---|
| 38 | has_been_init = 1; |
---|
| 39 | } |
---|
[90d20f0] | 40 | } |
---|
| 41 | |
---|
| 42 | /** |
---|
| 43 | * Deinit the library. |
---|
| 44 | */ |
---|
| 45 | void libabac_deinit(void) { |
---|
[43e3b71] | 46 | abac_verifier_deinit(); |
---|
[90d20f0] | 47 | } |
---|
| 48 | |
---|
| 49 | /** |
---|
| 50 | * Create a new abac context. |
---|
| 51 | */ |
---|
[390f749] | 52 | abac_context_t *abac_context_new(void) { |
---|
[55c272b] | 53 | libabac_init(); |
---|
| 54 | |
---|
[390f749] | 55 | abac_context_t *ctx = abac_xmalloc(sizeof(abac_context_t)); |
---|
| 56 | ctx->graph = abac_graph_new(); |
---|
[bec30b5] | 57 | ctx->id_certs=abac_list_new(); |
---|
[94605f2] | 58 | ctx->keymap = abac_keyid_map_new(); |
---|
[390f749] | 59 | return ctx; |
---|
[90d20f0] | 60 | } |
---|
| 61 | |
---|
| 62 | /** |
---|
| 63 | * Deep copy an abac context. |
---|
| 64 | */ |
---|
[390f749] | 65 | abac_context_t *abac_context_dup(abac_context_t *ctx) { |
---|
| 66 | assert(ctx != NULL); |
---|
[bec30b5] | 67 | |
---|
[390f749] | 68 | abac_context_t *dup = abac_xmalloc(sizeof(abac_context_t)); |
---|
| 69 | dup->graph = abac_graph_dup(ctx->graph); |
---|
[bec30b5] | 70 | dup->id_certs=abac_list_new(); |
---|
| 71 | |
---|
| 72 | abac_id_cert_t *id_cert; |
---|
| 73 | abac_list_foreach(ctx->id_certs, id_cert, |
---|
| 74 | abac_list_add(dup->id_certs, abac_id_cert_dup(id_cert)); |
---|
| 75 | ); |
---|
[90d20f0] | 76 | |
---|
[d2b198c] | 77 | dup->keymap = abac_keyid_map_clone(ctx->keymap); |
---|
[90d20f0] | 78 | return dup; |
---|
| 79 | } |
---|
| 80 | |
---|
| 81 | /** |
---|
| 82 | * Free an abac context. |
---|
| 83 | */ |
---|
[390f749] | 84 | void abac_context_free(abac_context_t *ctx) { |
---|
| 85 | assert(ctx != NULL); |
---|
[90d20f0] | 86 | |
---|
[390f749] | 87 | abac_graph_free(ctx->graph); |
---|
[bec30b5] | 88 | |
---|
| 89 | abac_id_cert_t *id_cert; |
---|
| 90 | abac_list_foreach(ctx->id_certs, id_cert, |
---|
| 91 | abac_id_cert_free(id_cert); |
---|
| 92 | ); |
---|
| 93 | abac_list_free(ctx->id_certs); |
---|
[94605f2] | 94 | abac_keyid_map_free(ctx->keymap); |
---|
[390f749] | 95 | free(ctx); |
---|
[90d20f0] | 96 | } |
---|
| 97 | |
---|
| 98 | /** |
---|
| 99 | * Load an ID cert from a file. |
---|
| 100 | */ |
---|
[390f749] | 101 | int abac_context_load_id_file(abac_context_t *ctx, char *filename) { |
---|
| 102 | assert(ctx != NULL); assert(filename != NULL); |
---|
[94605f2] | 103 | return abac_verifier_load_id_file(ctx->id_certs,filename, ctx->keymap); |
---|
[90d20f0] | 104 | } |
---|
| 105 | |
---|
| 106 | /** |
---|
| 107 | * Load an ID cert from a chunk. |
---|
| 108 | */ |
---|
[461541a] | 109 | int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert_chunk) { |
---|
[390f749] | 110 | assert(ctx != NULL); |
---|
[94605f2] | 111 | return abac_verifier_load_id_chunk(ctx->id_certs,cert_chunk, ctx->keymap); |
---|
[90d20f0] | 112 | } |
---|
| 113 | |
---|
[f2622ee] | 114 | /** |
---|
| 115 | * Load an ID cert from a id. |
---|
| 116 | */ |
---|
[7764378] | 117 | int abac_context_load_id_id(abac_context_t *ctx, abac_id_t *id) { |
---|
[f2622ee] | 118 | assert(ctx != NULL); |
---|
| 119 | return abac_verifier_load_id_id(ctx->id_certs,id, ctx->keymap); |
---|
| 120 | } |
---|
| 121 | |
---|
| 122 | |
---|
[90d20f0] | 123 | /** |
---|
| 124 | * Load an attribute cert from a file. |
---|
| 125 | */ |
---|
[390f749] | 126 | int abac_context_load_attribute_file(abac_context_t *ctx, char *filename) { |
---|
[0779c99] | 127 | int ret, add_ret; |
---|
[461541a] | 128 | abac_list_t *cred_list=abac_list_new(); // could be more than 1 |
---|
[0779c99] | 129 | abac_credential_t *cred; |
---|
[6dd2d1a] | 130 | |
---|
[390f749] | 131 | assert(ctx != NULL); assert(filename != NULL); |
---|
[90d20f0] | 132 | |
---|
[d2b198c] | 133 | ret = abac_verifier_load_attribute_cert_file(ctx->id_certs, filename, cred_list, ctx->keymap); |
---|
[461541a] | 134 | |
---|
[0779c99] | 135 | if (ret == ABAC_CERT_SUCCESS) { |
---|
[461541a] | 136 | int size = abac_list_size(cred_list); |
---|
| 137 | if(size) { |
---|
| 138 | abac_list_foreach(cred_list, cred, |
---|
| 139 | add_ret = abac_graph_add_credential(ctx->graph, cred); |
---|
| 140 | assert(add_ret != ABAC_GRAPH_CRED_INVALID); |
---|
| 141 | abac_credential_free(cred); |
---|
| 142 | ); |
---|
| 143 | } |
---|
[6dd2d1a] | 144 | } |
---|
[7764378] | 145 | abac_list_free(cred_list); |
---|
[6dd2d1a] | 146 | return ret; |
---|
[90d20f0] | 147 | } |
---|
| 148 | |
---|
| 149 | /** |
---|
| 150 | * Load an attribute cert from a chunk. |
---|
| 151 | */ |
---|
[461541a] | 152 | int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert_chunk) { |
---|
[0779c99] | 153 | int ret, add_ret; |
---|
[4721618] | 154 | abac_list_t *cred_list=abac_list_new(); // could be more than 1 |
---|
[0779c99] | 155 | abac_credential_t *cred; |
---|
| 156 | |
---|
[390f749] | 157 | assert(ctx != NULL); |
---|
[90d20f0] | 158 | |
---|
[d2b198c] | 159 | ret = abac_verifier_load_attribute_cert_chunk(ctx->id_certs, cert_chunk, cred_list, ctx->keymap); |
---|
[0779c99] | 160 | if (ret == ABAC_CERT_SUCCESS) { |
---|
[461541a] | 161 | int size = abac_list_size(cred_list); |
---|
| 162 | if(size) { |
---|
| 163 | abac_list_foreach(cred_list, cred, |
---|
| 164 | add_ret = abac_graph_add_credential(ctx->graph, cred); |
---|
| 165 | assert(add_ret != ABAC_GRAPH_CRED_INVALID); |
---|
| 166 | abac_credential_free(cred); |
---|
| 167 | ); |
---|
| 168 | abac_list_free(cred_list); |
---|
| 169 | } |
---|
[0779c99] | 170 | } |
---|
| 171 | |
---|
| 172 | return ret; |
---|
[90d20f0] | 173 | } |
---|
| 174 | |
---|
[50b9dc9] | 175 | #define ID_PAT "/*_ID.{der,pem}" |
---|
[461541a] | 176 | #define ATTR_PAT "/*_attr.xml" |
---|
[03b3293] | 177 | |
---|
[bec30b5] | 178 | static int is_regular_file(char *filename) |
---|
| 179 | { |
---|
| 180 | struct stat sb; |
---|
| 181 | if(stat(filename,&sb) == -1) |
---|
| 182 | return 0; |
---|
| 183 | if((sb.st_mode & S_IFMT) == S_IFREG) |
---|
| 184 | return 1; |
---|
| 185 | return 0; |
---|
| 186 | } |
---|
| 187 | |
---|
[03b3293] | 188 | /** |
---|
| 189 | * Load a directory full of certs. |
---|
| 190 | */ |
---|
[390f749] | 191 | void abac_context_load_directory(abac_context_t *ctx, char *path) { |
---|
[bec30b5] | 192 | DIR *dp; |
---|
| 193 | struct dirent *ep; |
---|
[7cefdb4] | 194 | static char pathname[MAXPATHLEN]; |
---|
[bec30b5] | 195 | |
---|
| 196 | dp = opendir (path); |
---|
| 197 | if (dp != NULL) { |
---|
[756011e] | 198 | while ((ep = readdir (dp))) { |
---|
[7cefdb4] | 199 | snprintf(pathname,MAXPATHLEN, "%s/%s", path, ep->d_name); |
---|
| 200 | if(is_regular_file(pathname)) { |
---|
| 201 | int ret = abac_context_load_id_file(ctx, pathname); |
---|
[bec30b5] | 202 | if (ret == ABAC_CERT_SUCCESS) { |
---|
| 203 | continue; |
---|
| 204 | } |
---|
[7cefdb4] | 205 | ret = abac_context_load_attribute_file(ctx, pathname); |
---|
[bec30b5] | 206 | } |
---|
| 207 | } |
---|
| 208 | (void) closedir (dp); |
---|
| 209 | } else fprintf(stderr, "abac_load_directory, Couldn't open the directory\n"); |
---|
[03b3293] | 210 | } |
---|
| 211 | |
---|
[90d20f0] | 212 | /** |
---|
[dc62c68] | 213 | * Run a query on the data in an abac context. Returns a NULL-terminated array |
---|
[38782df] | 214 | * of abac_credential_t. Success/failure in *success. |
---|
[90d20f0] | 215 | */ |
---|
[4e426c9] | 216 | abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success) { |
---|
[401a054] | 217 | abac_credential_t **credentials = NULL, *cur; |
---|
[dc62c68] | 218 | int i = 0; |
---|
| 219 | |
---|
[3613ab8] | 220 | assert(ctx != NULL); assert(role != NULL); assert(principal != NULL); assert(success != NULL); |
---|
[90d20f0] | 221 | |
---|
[390f749] | 222 | abac_graph_t *result_graph = abac_graph_query(ctx->graph, role, principal); |
---|
[401a054] | 223 | abac_list_t *result = abac_graph_credentials(result_graph); |
---|
[90d20f0] | 224 | |
---|
[06293d1] | 225 | abac_graph_free(result_graph); |
---|
[90d20f0] | 226 | |
---|
[6d5623e] | 227 | int size = abac_list_size(result); |
---|
[4e426c9] | 228 | if (size > 0) |
---|
| 229 | *success = 1; |
---|
| 230 | |
---|
| 231 | // if there is no actual path, return everything that can reach the role |
---|
| 232 | else { |
---|
| 233 | *success = 0; |
---|
| 234 | abac_list_free(result); |
---|
[d4b3b52] | 235 | |
---|
| 236 | // TODO: This can probably be better, but it now returns an |
---|
| 237 | // approximation of a partial proof. It returns all the attributes the |
---|
| 238 | // principal can reach and all the attributes that will lead to a |
---|
| 239 | // success. |
---|
| 240 | |
---|
| 241 | /* Get all the attributes of the principal. This calls sub-queries to |
---|
| 242 | * flesh out the indirect proofs. */ |
---|
| 243 | result_graph = abac_graph_principal_creds(ctx->graph, principal); |
---|
| 244 | |
---|
| 245 | /* This gets all the attributes linked to the target en route to the |
---|
| 246 | * principal. */ |
---|
| 247 | result = abac_graph_postorder_credentials(ctx->graph, role); |
---|
| 248 | |
---|
| 249 | /* Merge responses */ |
---|
[f6576c4] | 250 | int add_ret; |
---|
[d4b3b52] | 251 | abac_list_foreach(result, cur, |
---|
[f6576c4] | 252 | add_ret=abac_graph_add_credential(result_graph, cur); |
---|
| 253 | assert(add_ret != ABAC_GRAPH_CRED_INVALID); |
---|
| 254 | abac_credential_free(cur); |
---|
[d4b3b52] | 255 | ); |
---|
| 256 | abac_list_free(result); |
---|
| 257 | abac_graph_derive_links(result_graph); |
---|
| 258 | |
---|
| 259 | result = abac_graph_credentials(result_graph); |
---|
| 260 | abac_graph_free(result_graph); |
---|
[4e426c9] | 261 | |
---|
| 262 | size = abac_list_size(result); |
---|
| 263 | } |
---|
| 264 | |
---|
[38782df] | 265 | // make the array (leave space to NULL terminate it) |
---|
| 266 | // n.b., even if the list is empty, we still return an array that |
---|
| 267 | // only contains the NULL terminator |
---|
| 268 | credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1)); |
---|
| 269 | abac_list_foreach(result, cur, |
---|
| 270 | credentials[i++] = cur; |
---|
| 271 | ); |
---|
| 272 | credentials[i] = NULL; |
---|
[dc62c68] | 273 | |
---|
[6d5623e] | 274 | abac_list_free(result); |
---|
[dc62c68] | 275 | |
---|
[401a054] | 276 | return credentials; |
---|
[90d20f0] | 277 | } |
---|
| 278 | |
---|
[bec30b5] | 279 | |
---|
[90d20f0] | 280 | /** |
---|
[3c4fd68] | 281 | * A NULL-terminated array of all the credentials in the context. |
---|
[90d20f0] | 282 | */ |
---|
[3c4fd68] | 283 | abac_credential_t **abac_context_credentials(abac_context_t *ctx) { |
---|
| 284 | abac_credential_t *cred; |
---|
| 285 | int i = 0; |
---|
| 286 | |
---|
| 287 | assert(ctx != NULL); |
---|
| 288 | |
---|
| 289 | abac_list_t *cred_list = abac_graph_credentials(ctx->graph); |
---|
| 290 | int size = abac_list_size(cred_list); |
---|
| 291 | |
---|
| 292 | abac_credential_t **credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1)); |
---|
| 293 | abac_list_foreach(cred_list, cred, |
---|
| 294 | credentials[i++] = cred; |
---|
| 295 | ); |
---|
| 296 | credentials[i] = NULL; |
---|
| 297 | |
---|
| 298 | abac_list_free(cred_list); |
---|
| 299 | |
---|
[0a1ee31] | 300 | /* EXTRA: print out a list of principal stored within the context.. */ |
---|
| 301 | if(0) { |
---|
[bec30b5] | 302 | abac_id_cert_t **ilist=abac_context_principals(ctx); |
---|
| 303 | abac_id_cert_t *cert; |
---|
| 304 | if (ilist != NULL) |
---|
| 305 | for (i = 0; ilist[i] != NULL; ++i) { |
---|
| 306 | cert = ilist[i]; |
---|
| 307 | printf("id[%d] %s\n",i, abac_id_cert_keyid(cert)); |
---|
| 308 | } |
---|
| 309 | abac_context_id_credentials_free(ilist); |
---|
| 310 | } |
---|
| 311 | |
---|
[3c4fd68] | 312 | return credentials; |
---|
| 313 | } |
---|
| 314 | |
---|
[94605f2] | 315 | /* |
---|
| 316 | * Replace known keyids with their nicknames (mnemonic names). If a non-NULL |
---|
| 317 | * string is returned it needs to be freed by the caller. |
---|
| 318 | */ |
---|
| 319 | char *abac_context_expand_key(abac_context_t *ctxt, char *s ) { |
---|
| 320 | if ( ctxt->keymap ) |
---|
| 321 | return abac_keyid_map_expand_key(ctxt->keymap, s); |
---|
| 322 | else |
---|
| 323 | return NULL; |
---|
| 324 | } |
---|
| 325 | |
---|
| 326 | /* |
---|
| 327 | * Replace known nicknames(mnemonic names) with their keyids. If a non-NULL |
---|
| 328 | * string is returned it needs to be freed by the caller. |
---|
| 329 | */ |
---|
| 330 | char *abac_context_expand_nickname(abac_context_t *ctxt, char *s ) { |
---|
| 331 | if ( ctxt->keymap ) |
---|
| 332 | return abac_keyid_map_expand_nickname(ctxt->keymap, s); |
---|
| 333 | else |
---|
| 334 | return NULL; |
---|
| 335 | } |
---|
| 336 | |
---|
[d2b198c] | 337 | /* |
---|
| 338 | * Add a nickname to the context. The keyid must be known to the context. If |
---|
| 339 | * the nickname is in use, it is disambiguated. Call abac_context_expand_key |
---|
| 340 | * to see the assigned name if that is required. Existing nickname for keyid |
---|
| 341 | * is overwritten. Returns true if the change was successful. |
---|
| 342 | */ |
---|
| 343 | int abac_context_set_nickname(abac_context_t *ctxt, char *key, char*nick) { |
---|
| 344 | char *p = NULL; |
---|
| 345 | |
---|
| 346 | if ( !ctxt->keymap) return 0; |
---|
| 347 | /* Make sure we know the key. Free the returned nickname */ |
---|
| 348 | if ( !(p = abac_keyid_map_key_to_nickname(ctxt->keymap, key))) return 0; |
---|
| 349 | else free(p); |
---|
| 350 | |
---|
| 351 | abac_keyid_map_remove_keyid(ctxt->keymap, key); |
---|
| 352 | return abac_keyid_map_add_nickname(ctxt->keymap, key, nick); |
---|
| 353 | } |
---|
| 354 | |
---|
[afcafea] | 355 | /* |
---|
| 356 | * Get direct access to the context's keyid mapping. Used internally. This |
---|
| 357 | * does not make a reference to the map, use abac_keyid_map_dup if that is |
---|
| 358 | * required. |
---|
| 359 | */ |
---|
| 360 | abac_keyid_map_t *abac_context_get_keyid_map(abac_context_t *ctxt) { |
---|
| 361 | return ctxt->keymap; |
---|
| 362 | } |
---|
[d2b198c] | 363 | |
---|
| 364 | |
---|
[bec30b5] | 365 | /** |
---|
| 366 | * A NULL-terminated array of all the principals in the context. |
---|
| 367 | */ |
---|
| 368 | abac_id_cert_t **abac_context_principals(abac_context_t *ctx) |
---|
| 369 | { |
---|
[756011e] | 370 | abac_id_cert_t **principals = NULL; |
---|
[bec30b5] | 371 | assert(ctx != NULL); |
---|
| 372 | |
---|
| 373 | int size = abac_list_size(ctx->id_certs); |
---|
| 374 | |
---|
| 375 | // make the array (leave space to NULL terminate it) |
---|
| 376 | // n.b., even if the list is empty, we still return an array that |
---|
| 377 | // only contains the NULL terminator |
---|
| 378 | principals = abac_xmalloc(sizeof(abac_id_cert_t *) * (size + 1)); |
---|
| 379 | int i = 0; |
---|
| 380 | abac_id_cert_t *id_cert; |
---|
| 381 | abac_list_foreach(ctx->id_certs, id_cert, |
---|
| 382 | principals[i]=abac_id_cert_dup(id_cert); |
---|
| 383 | i++; |
---|
| 384 | ); |
---|
| 385 | principals[i] = NULL; |
---|
| 386 | |
---|
| 387 | return principals; |
---|
| 388 | } |
---|
| 389 | |
---|
| 390 | |
---|
[3c4fd68] | 391 | /** |
---|
| 392 | * Frees a NULL-terminated list of credentials. |
---|
| 393 | */ |
---|
| 394 | void abac_context_credentials_free(abac_credential_t **credentials) { |
---|
[dc62c68] | 395 | int i; |
---|
[90d20f0] | 396 | |
---|
[401a054] | 397 | if (credentials == NULL) |
---|
[90d20f0] | 398 | return; |
---|
| 399 | |
---|
[401a054] | 400 | for (i = 0; credentials[i] != NULL; ++i) |
---|
| 401 | abac_credential_free(credentials[i]); |
---|
| 402 | free(credentials); |
---|
[90d20f0] | 403 | } |
---|
[bec30b5] | 404 | |
---|
| 405 | /** |
---|
| 406 | * Frees a NULL-terminated list of id credentials |
---|
| 407 | */ |
---|
| 408 | void abac_context_id_credentials_free(abac_id_cert_t **id_credentials) { |
---|
| 409 | int i; |
---|
| 410 | |
---|
| 411 | if (id_credentials == NULL) |
---|
| 412 | return; |
---|
| 413 | |
---|
| 414 | for (i = 0; id_credentials[i] != NULL; ++i) { |
---|
| 415 | abac_id_cert_free(id_credentials[i]); |
---|
| 416 | } |
---|
| 417 | free(id_credentials); |
---|
| 418 | } |
---|
| 419 | |
---|
| 420 | |
---|