[90d20f0] | 1 | #include <assert.h> |
---|
[0bf0e67] | 2 | #include <err.h> |
---|
[03b3293] | 3 | #include <glob.h> |
---|
[90d20f0] | 4 | |
---|
[9efbfbf] | 5 | #include <chunk.h> |
---|
[90d20f0] | 6 | |
---|
[9efbfbf] | 7 | #include "abac.h" |
---|
[06293d1] | 8 | #include "abac_graph.h" |
---|
[3c251d0] | 9 | #include "abac_util.h" |
---|
[43e3b71] | 10 | #include "abac_verifier.h" |
---|
[90d20f0] | 11 | |
---|
[390f749] | 12 | struct _abac_context_t { |
---|
[06293d1] | 13 | abac_graph_t *graph; |
---|
[90d20f0] | 14 | }; |
---|
| 15 | |
---|
| 16 | /** |
---|
| 17 | * Init the library. |
---|
| 18 | */ |
---|
| 19 | void libabac_init(void) { |
---|
[43e3b71] | 20 | abac_verifier_init(); |
---|
[90d20f0] | 21 | } |
---|
| 22 | |
---|
| 23 | /** |
---|
| 24 | * Deinit the library. |
---|
| 25 | */ |
---|
| 26 | void libabac_deinit(void) { |
---|
[43e3b71] | 27 | abac_verifier_deinit(); |
---|
[90d20f0] | 28 | } |
---|
| 29 | |
---|
| 30 | /** |
---|
| 31 | * Create a new abac context. |
---|
| 32 | */ |
---|
[390f749] | 33 | abac_context_t *abac_context_new(void) { |
---|
| 34 | abac_context_t *ctx = abac_xmalloc(sizeof(abac_context_t)); |
---|
| 35 | ctx->graph = abac_graph_new(); |
---|
| 36 | return ctx; |
---|
[90d20f0] | 37 | } |
---|
| 38 | |
---|
| 39 | /** |
---|
| 40 | * Deep copy an abac context. |
---|
| 41 | */ |
---|
[390f749] | 42 | abac_context_t *abac_context_dup(abac_context_t *ctx) { |
---|
| 43 | assert(ctx != NULL); |
---|
[90d20f0] | 44 | |
---|
[390f749] | 45 | abac_context_t *dup = abac_xmalloc(sizeof(abac_context_t)); |
---|
| 46 | dup->graph = abac_graph_dup(ctx->graph); |
---|
[90d20f0] | 47 | |
---|
| 48 | return dup; |
---|
| 49 | } |
---|
| 50 | |
---|
| 51 | /** |
---|
| 52 | * Free an abac context. |
---|
| 53 | */ |
---|
[390f749] | 54 | void abac_context_free(abac_context_t *ctx) { |
---|
| 55 | assert(ctx != NULL); |
---|
[90d20f0] | 56 | |
---|
[390f749] | 57 | abac_graph_free(ctx->graph); |
---|
| 58 | free(ctx); |
---|
[90d20f0] | 59 | } |
---|
| 60 | |
---|
| 61 | /** |
---|
| 62 | * Load an ID cert from a file. |
---|
| 63 | */ |
---|
[390f749] | 64 | int abac_context_load_id_file(abac_context_t *ctx, char *filename) { |
---|
| 65 | assert(ctx != NULL); assert(filename != NULL); |
---|
[43e3b71] | 66 | return abac_verifier_load_id_file(filename); |
---|
[90d20f0] | 67 | } |
---|
| 68 | |
---|
| 69 | /** |
---|
| 70 | * Load an ID cert from a chunk. |
---|
| 71 | */ |
---|
[390f749] | 72 | int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert) { |
---|
| 73 | assert(ctx != NULL); |
---|
[9efbfbf] | 74 | chunk_t cert_chunk = { cert.ptr, cert.len }; |
---|
[43e3b71] | 75 | return abac_verifier_load_id_chunk(cert_chunk); |
---|
[90d20f0] | 76 | } |
---|
| 77 | |
---|
| 78 | /** |
---|
| 79 | * Load an attribute cert from a file. |
---|
| 80 | */ |
---|
[390f749] | 81 | int abac_context_load_attribute_file(abac_context_t *ctx, char *filename) { |
---|
[6dd2d1a] | 82 | int ret = 0; |
---|
| 83 | |
---|
[390f749] | 84 | assert(ctx != NULL); assert(filename != NULL); |
---|
[90d20f0] | 85 | |
---|
[401a054] | 86 | abac_credential_t *cred = abac_verifier_load_attribute_cert_file(filename); |
---|
| 87 | if (cred != NULL) { |
---|
| 88 | ret = abac_graph_add_credential(ctx->graph, cred); |
---|
| 89 | abac_credential_free(cred); |
---|
[6dd2d1a] | 90 | } |
---|
| 91 | |
---|
| 92 | return ret; |
---|
[90d20f0] | 93 | } |
---|
| 94 | |
---|
| 95 | /** |
---|
| 96 | * Load an attribute cert from a chunk. |
---|
| 97 | */ |
---|
[390f749] | 98 | int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert) { |
---|
| 99 | assert(ctx != NULL); |
---|
[90d20f0] | 100 | |
---|
[9efbfbf] | 101 | chunk_t cert_chunk = { cert.ptr, cert.len }; |
---|
[401a054] | 102 | abac_credential_t *cred = abac_verifier_load_attribute_cert_chunk(cert_chunk); |
---|
| 103 | if (cred != NULL) |
---|
| 104 | return abac_graph_add_credential(ctx->graph, cred); |
---|
[90d20f0] | 105 | else |
---|
| 106 | return 0; |
---|
| 107 | } |
---|
| 108 | |
---|
[03b3293] | 109 | #define ID_PAT "/*_ID.der" |
---|
| 110 | #define ATTR_PAT "/*_attr.der" |
---|
| 111 | |
---|
| 112 | /** |
---|
| 113 | * Load a directory full of certs. |
---|
| 114 | */ |
---|
[390f749] | 115 | void abac_context_load_directory(abac_context_t *ctx, char *path) { |
---|
[03b3293] | 116 | char *glob_pat; |
---|
| 117 | glob_t glob_buf; |
---|
| 118 | int i, ret; |
---|
| 119 | |
---|
[390f749] | 120 | assert(ctx != NULL); assert(path != NULL); |
---|
[03b3293] | 121 | |
---|
| 122 | int dirlen = strlen(path); |
---|
[3c251d0] | 123 | glob_pat = abac_xmalloc(dirlen + sizeof(ATTR_PAT)); |
---|
[03b3293] | 124 | memcpy(glob_pat, path, dirlen); |
---|
| 125 | |
---|
| 126 | // first load ID certs |
---|
| 127 | memcpy(glob_pat + dirlen, ID_PAT, sizeof(ID_PAT)); |
---|
| 128 | glob(glob_pat, 0, NULL, &glob_buf); // TODO check for error |
---|
| 129 | for (i = 0; i < glob_buf.gl_pathc; ++i) { |
---|
| 130 | char *cert_file = glob_buf.gl_pathv[i]; |
---|
| 131 | |
---|
[390f749] | 132 | ret = abac_context_load_id_file(ctx, cert_file); |
---|
[03b3293] | 133 | if (!ret) |
---|
| 134 | warnx("Couldn't load ID cert %s\n", cert_file); |
---|
| 135 | } |
---|
| 136 | globfree(&glob_buf); |
---|
| 137 | |
---|
| 138 | // then load attr certs |
---|
| 139 | memcpy(glob_pat + dirlen, ATTR_PAT, sizeof(ATTR_PAT)); |
---|
| 140 | glob(glob_pat, 0, NULL, &glob_buf); // TODO check for error |
---|
| 141 | for (i = 0; i < glob_buf.gl_pathc; ++i) { |
---|
| 142 | char *cert_file = glob_buf.gl_pathv[i]; |
---|
| 143 | |
---|
[390f749] | 144 | ret = abac_context_load_attribute_file(ctx, cert_file); |
---|
[03b3293] | 145 | if (!ret) |
---|
| 146 | warnx("Couldn't load attribute cert %s\n", cert_file); |
---|
| 147 | } |
---|
| 148 | globfree(&glob_buf); |
---|
| 149 | |
---|
| 150 | free(glob_pat); |
---|
| 151 | } |
---|
| 152 | |
---|
[90d20f0] | 153 | /** |
---|
[dc62c68] | 154 | * Run a query on the data in an abac context. Returns a NULL-terminated array |
---|
[401a054] | 155 | * of abac_credential_t. |
---|
[90d20f0] | 156 | */ |
---|
[4e426c9] | 157 | abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success) { |
---|
[401a054] | 158 | abac_credential_t **credentials = NULL, *cur; |
---|
[dc62c68] | 159 | int i = 0; |
---|
| 160 | |
---|
[4e426c9] | 161 | assert(ctx != NULL); assert(role != NULL); assert(principal != NULL); assert(success != NULL); |
---|
[90d20f0] | 162 | |
---|
[390f749] | 163 | abac_graph_t *result_graph = abac_graph_query(ctx->graph, role, principal); |
---|
[401a054] | 164 | abac_list_t *result = abac_graph_credentials(result_graph); |
---|
[90d20f0] | 165 | |
---|
[06293d1] | 166 | abac_graph_free(result_graph); |
---|
[90d20f0] | 167 | |
---|
[6d5623e] | 168 | int size = abac_list_size(result); |
---|
[4e426c9] | 169 | if (size > 0) |
---|
| 170 | *success = 1; |
---|
| 171 | |
---|
| 172 | // if there is no actual path, return everything that can reach the role |
---|
| 173 | else { |
---|
| 174 | *success = 0; |
---|
| 175 | abac_list_free(result); |
---|
| 176 | |
---|
| 177 | result = abac_graph_postorder_credentials(ctx->graph, role); |
---|
| 178 | size = abac_list_size(result); |
---|
| 179 | } |
---|
| 180 | |
---|
[dc62c68] | 181 | if (size > 0) { |
---|
| 182 | // make the array (leave space to NULL terminate it) |
---|
[401a054] | 183 | credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1)); |
---|
[6d5623e] | 184 | abac_list_foreach(result, cur, |
---|
[401a054] | 185 | credentials[i++] = cur; |
---|
[dc62c68] | 186 | ); |
---|
[401a054] | 187 | credentials[i] = NULL; |
---|
[90d20f0] | 188 | } |
---|
[dc62c68] | 189 | |
---|
[6d5623e] | 190 | abac_list_free(result); |
---|
[dc62c68] | 191 | |
---|
[401a054] | 192 | return credentials; |
---|
[90d20f0] | 193 | } |
---|
| 194 | |
---|
| 195 | /** |
---|
| 196 | * Frees the result of an abac query. |
---|
| 197 | */ |
---|
[401a054] | 198 | void abac_context_query_free(abac_credential_t **credentials) { |
---|
[dc62c68] | 199 | int i; |
---|
[90d20f0] | 200 | |
---|
[401a054] | 201 | if (credentials == NULL) |
---|
[90d20f0] | 202 | return; |
---|
| 203 | |
---|
[401a054] | 204 | for (i = 0; credentials[i] != NULL; ++i) |
---|
| 205 | abac_credential_free(credentials[i]); |
---|
| 206 | free(credentials); |
---|
[90d20f0] | 207 | } |
---|