source: libabac/abac.c @ 53e540d

#include <assert.h>
#include <err.h>
#include <glob.h>

#include <chunk.h>

#include "abac.h"
#include "abac_graph.h"
#include "abac_util.h"
#include "abac_verifier.h"

struct _abac_context_t {
    abac_graph_t *graph;
};

/**
 * Init the library.
 */
void libabac_init(void) {
    void libabac_deinit(void);
    static int has_been_init = 0;

    // called every time a context is created, so only do it once
    if (!has_been_init) {
        abac_verifier_init();
        atexit(libabac_deinit);
        has_been_init = 1;
    }
}

/**
 * Deinit the library.
 */
void libabac_deinit(void) {
    abac_verifier_deinit();
}

/**
 * Create a new abac context.
 */
abac_context_t *abac_context_new(void) {
    libabac_init();

    abac_context_t *ctx = abac_xmalloc(sizeof(abac_context_t));
    ctx->graph = abac_graph_new();
    return ctx;
}

/**
 * Deep copy an abac context.
 */
abac_context_t *abac_context_dup(abac_context_t *ctx) {
    assert(ctx != NULL);

    abac_context_t *dup = abac_xmalloc(sizeof(abac_context_t));
    dup->graph = abac_graph_dup(ctx->graph);

    return dup;
}

/**
 * Free an abac context.
 */
void abac_context_free(abac_context_t *ctx) {
    assert(ctx != NULL);

    abac_graph_free(ctx->graph);
    free(ctx);
}

/**
 * Load an ID cert from a file.
 */
int abac_context_load_id_file(abac_context_t *ctx, char *filename) {
    assert(ctx != NULL); assert(filename != NULL);
    return abac_verifier_load_id_file(filename);
}

/**
 * Load an ID cert from a chunk.
 */
int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert) {
    assert(ctx != NULL);
    chunk_t cert_chunk = { cert.ptr, cert.len };
    return abac_verifier_load_id_chunk(cert_chunk);
}

/**
 * Load an attribute cert from a file.
 */
int abac_context_load_attribute_file(abac_context_t *ctx, char *filename) {
    int ret, add_ret;
    abac_credential_t *cred;

    assert(ctx != NULL); assert(filename != NULL);

    ret = abac_verifier_load_attribute_cert_file(filename, &cred);
    if (ret == ABAC_CERT_SUCCESS) {
        add_ret = abac_graph_add_credential(ctx->graph, cred);
        assert(add_ret != ABAC_GRAPH_CRED_INVALID);
        abac_credential_free(cred);
    }

    return ret;
}

/**
 * Load an attribute cert from a chunk.
 */
int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert) {
    int ret, add_ret;
    abac_credential_t *cred;

    assert(ctx != NULL);

    chunk_t cert_chunk = { cert.ptr, cert.len };

    ret = abac_verifier_load_attribute_cert_chunk(cert_chunk, &cred);
    if (ret == ABAC_CERT_SUCCESS) {
        add_ret = abac_graph_add_credential(ctx->graph, cred);
        assert(add_ret != ABAC_GRAPH_CRED_INVALID);
        abac_credential_free(cred);
    }

    return ret;
}

#define ID_PAT "/*_ID.{der,pem}"
#define ATTR_PAT "/*_attr.der"

/**
 * Load a directory full of certs.
 */
void abac_context_load_directory(abac_context_t *ctx, char *path) {
    char *glob_pat;
    glob_t glob_buf;
    int i, ret;

    assert(ctx != NULL); assert(path != NULL);

    int dirlen = strlen(path);
    glob_pat = abac_xmalloc(dirlen + sizeof(ID_PAT));
    memcpy(glob_pat, path, dirlen);

    // first load ID certs
    memcpy(glob_pat + dirlen, ID_PAT, sizeof(ID_PAT));
    glob(glob_pat, GLOB_BRACE, NULL, &glob_buf); // TODO check for error
    for (i = 0; i < glob_buf.gl_pathc; ++i) {
        char *cert_file = glob_buf.gl_pathv[i];

        printf("--> ID cert... %s\n", cert_file);
        ret = abac_context_load_id_file(ctx, cert_file);
        if (ret != ABAC_CERT_SUCCESS)
            warnx("Couldn't load ID cert %s", cert_file);
    }
    globfree(&glob_buf);

    // then load attr certs
    memcpy(glob_pat + dirlen, ATTR_PAT, sizeof(ATTR_PAT));
    glob(glob_pat, 0, NULL, &glob_buf); // TODO check for error
    for (i = 0; i < glob_buf.gl_pathc; ++i) {
        char *cert_file = glob_buf.gl_pathv[i];

        printf("--> attr cert... %s\n", cert_file);
        ret = abac_context_load_attribute_file(ctx, cert_file);
        if (ret != ABAC_CERT_SUCCESS)
            warnx("Couldn't load attribute cert %s", cert_file);
    }
    globfree(&glob_buf);

    free(glob_pat);
}

/**
 * Run a query on the data in an abac context. Returns a NULL-terminated array
 * of abac_credential_t. Success/failure in *success.
 */
abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success) {
    abac_credential_t **credentials = NULL, *cur;
    int i = 0;

    assert(ctx != NULL); assert(role != NULL); assert(principal != NULL); assert(success != NULL);

    abac_graph_t *result_graph = abac_graph_query(ctx->graph, role, principal);
    abac_list_t *result = abac_graph_credentials(result_graph);

    abac_graph_free(result_graph);

    int size = abac_list_size(result);
    if (size > 0)
        *success = 1;

    // if there is no actual path, return everything that can reach the role
    else {
        *success = 0;
        abac_list_free(result);

        // TODO: fix this when we can return a sane value for partial proofs
        // result = abac_graph_postorder_credentials(ctx->graph, role);
        result = abac_graph_credentials(ctx->graph);
        size = abac_list_size(result);
    }

    // make the array (leave space to NULL terminate it)
    //      n.b., even if the list is empty, we still return an array that
    //            only contains the NULL terminator
    credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1));
    abac_list_foreach(result, cur,
        credentials[i++] = cur;
    );
    credentials[i] = NULL;

    abac_list_free(result);

    return credentials;
}

/**
 * A NULL-terminated array of all the credentials in the context.
 */
abac_credential_t **abac_context_credentials(abac_context_t *ctx) {
    abac_credential_t *cred;
    int i = 0;

    assert(ctx != NULL);

    abac_list_t *cred_list = abac_graph_credentials(ctx->graph);
    int size = abac_list_size(cred_list);

    abac_credential_t **credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1));
    abac_list_foreach(cred_list, cred,
        credentials[i++] = cred;
    );
    credentials[i] = NULL;

    abac_list_free(cred_list);

    return credentials;
}

/**
 * Frees a NULL-terminated list of credentials.
 */
void abac_context_credentials_free(abac_credential_t **credentials) {
    int i;

    if (credentials == NULL)
        return;

    for (i = 0; credentials[i] != NULL; ++i)
        abac_credential_free(credentials[i]);
    free(credentials);
}