[461541a] | 1 | /* abac.c */ |
---|
| 2 | |
---|
[90d20f0] | 3 | #include <assert.h> |
---|
[0bf0e67] | 4 | #include <err.h> |
---|
[03b3293] | 5 | #include <glob.h> |
---|
[90d20f0] | 6 | |
---|
[9efbfbf] | 7 | #include "abac.h" |
---|
[4721618] | 8 | #include "abac_list.h" |
---|
[06293d1] | 9 | #include "abac_graph.h" |
---|
[3c251d0] | 10 | #include "abac_util.h" |
---|
[43e3b71] | 11 | #include "abac_verifier.h" |
---|
[90d20f0] | 12 | |
---|
[390f749] | 13 | struct _abac_context_t { |
---|
[06293d1] | 14 | abac_graph_t *graph; |
---|
[90d20f0] | 15 | }; |
---|
| 16 | |
---|
| 17 | /** |
---|
| 18 | * Init the library. |
---|
| 19 | */ |
---|
| 20 | void libabac_init(void) { |
---|
[55c272b] | 21 | void libabac_deinit(void); |
---|
| 22 | static int has_been_init = 0; |
---|
| 23 | |
---|
| 24 | // called every time a context is created, so only do it once |
---|
| 25 | if (!has_been_init) { |
---|
| 26 | abac_verifier_init(); |
---|
| 27 | atexit(libabac_deinit); |
---|
| 28 | has_been_init = 1; |
---|
| 29 | } |
---|
[90d20f0] | 30 | } |
---|
| 31 | |
---|
| 32 | /** |
---|
| 33 | * Deinit the library. |
---|
| 34 | */ |
---|
| 35 | void libabac_deinit(void) { |
---|
[43e3b71] | 36 | abac_verifier_deinit(); |
---|
[90d20f0] | 37 | } |
---|
| 38 | |
---|
| 39 | /** |
---|
| 40 | * Create a new abac context. |
---|
| 41 | */ |
---|
[390f749] | 42 | abac_context_t *abac_context_new(void) { |
---|
[55c272b] | 43 | libabac_init(); |
---|
| 44 | |
---|
[390f749] | 45 | abac_context_t *ctx = abac_xmalloc(sizeof(abac_context_t)); |
---|
| 46 | ctx->graph = abac_graph_new(); |
---|
| 47 | return ctx; |
---|
[90d20f0] | 48 | } |
---|
| 49 | |
---|
| 50 | /** |
---|
| 51 | * Deep copy an abac context. |
---|
| 52 | */ |
---|
[390f749] | 53 | abac_context_t *abac_context_dup(abac_context_t *ctx) { |
---|
| 54 | assert(ctx != NULL); |
---|
[90d20f0] | 55 | |
---|
[390f749] | 56 | abac_context_t *dup = abac_xmalloc(sizeof(abac_context_t)); |
---|
| 57 | dup->graph = abac_graph_dup(ctx->graph); |
---|
[90d20f0] | 58 | |
---|
| 59 | return dup; |
---|
| 60 | } |
---|
| 61 | |
---|
| 62 | /** |
---|
| 63 | * Free an abac context. |
---|
| 64 | */ |
---|
[390f749] | 65 | void abac_context_free(abac_context_t *ctx) { |
---|
| 66 | assert(ctx != NULL); |
---|
[90d20f0] | 67 | |
---|
[390f749] | 68 | abac_graph_free(ctx->graph); |
---|
| 69 | free(ctx); |
---|
[90d20f0] | 70 | } |
---|
| 71 | |
---|
| 72 | /** |
---|
| 73 | * Load an ID cert from a file. |
---|
| 74 | */ |
---|
[390f749] | 75 | int abac_context_load_id_file(abac_context_t *ctx, char *filename) { |
---|
| 76 | assert(ctx != NULL); assert(filename != NULL); |
---|
[43e3b71] | 77 | return abac_verifier_load_id_file(filename); |
---|
[90d20f0] | 78 | } |
---|
| 79 | |
---|
| 80 | /** |
---|
| 81 | * Load an ID cert from a chunk. |
---|
| 82 | */ |
---|
[461541a] | 83 | int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert_chunk) { |
---|
[390f749] | 84 | assert(ctx != NULL); |
---|
[43e3b71] | 85 | return abac_verifier_load_id_chunk(cert_chunk); |
---|
[90d20f0] | 86 | } |
---|
| 87 | |
---|
| 88 | /** |
---|
| 89 | * Load an attribute cert from a file. |
---|
| 90 | */ |
---|
[390f749] | 91 | int abac_context_load_attribute_file(abac_context_t *ctx, char *filename) { |
---|
[0779c99] | 92 | int ret, add_ret; |
---|
[461541a] | 93 | abac_list_t *cred_list=abac_list_new(); // could be more than 1 |
---|
[0779c99] | 94 | abac_credential_t *cred; |
---|
[6dd2d1a] | 95 | |
---|
[390f749] | 96 | assert(ctx != NULL); assert(filename != NULL); |
---|
[90d20f0] | 97 | |
---|
[461541a] | 98 | ret = abac_verifier_load_attribute_cert_file(filename, cred_list); |
---|
| 99 | |
---|
[0779c99] | 100 | if (ret == ABAC_CERT_SUCCESS) { |
---|
[461541a] | 101 | int size = abac_list_size(cred_list); |
---|
| 102 | if(size) { |
---|
| 103 | abac_list_foreach(cred_list, cred, |
---|
| 104 | add_ret = abac_graph_add_credential(ctx->graph, cred); |
---|
| 105 | assert(add_ret != ABAC_GRAPH_CRED_INVALID); |
---|
| 106 | abac_credential_free(cred); |
---|
| 107 | ); |
---|
| 108 | abac_list_free(cred_list); |
---|
| 109 | } |
---|
[6dd2d1a] | 110 | } |
---|
| 111 | return ret; |
---|
[90d20f0] | 112 | } |
---|
| 113 | |
---|
| 114 | /** |
---|
| 115 | * Load an attribute cert from a chunk. |
---|
| 116 | */ |
---|
[461541a] | 117 | int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert_chunk) { |
---|
[0779c99] | 118 | int ret, add_ret; |
---|
[4721618] | 119 | abac_list_t *cred_list=abac_list_new(); // could be more than 1 |
---|
[0779c99] | 120 | abac_credential_t *cred; |
---|
| 121 | |
---|
[390f749] | 122 | assert(ctx != NULL); |
---|
[90d20f0] | 123 | |
---|
[461541a] | 124 | ret = abac_verifier_load_attribute_cert_chunk(cert_chunk, cred_list); |
---|
[0779c99] | 125 | if (ret == ABAC_CERT_SUCCESS) { |
---|
[461541a] | 126 | int size = abac_list_size(cred_list); |
---|
| 127 | if(size) { |
---|
| 128 | abac_list_foreach(cred_list, cred, |
---|
| 129 | add_ret = abac_graph_add_credential(ctx->graph, cred); |
---|
| 130 | assert(add_ret != ABAC_GRAPH_CRED_INVALID); |
---|
| 131 | abac_credential_free(cred); |
---|
| 132 | ); |
---|
| 133 | abac_list_free(cred_list); |
---|
| 134 | } |
---|
[0779c99] | 135 | } |
---|
| 136 | |
---|
| 137 | return ret; |
---|
[90d20f0] | 138 | } |
---|
| 139 | |
---|
[50b9dc9] | 140 | #define ID_PAT "/*_ID.{der,pem}" |
---|
[461541a] | 141 | #define ATTR_PAT "/*_attr.xml" |
---|
[03b3293] | 142 | |
---|
| 143 | /** |
---|
| 144 | * Load a directory full of certs. |
---|
| 145 | */ |
---|
[390f749] | 146 | void abac_context_load_directory(abac_context_t *ctx, char *path) { |
---|
[03b3293] | 147 | char *glob_pat; |
---|
| 148 | glob_t glob_buf; |
---|
| 149 | int i, ret; |
---|
| 150 | |
---|
[390f749] | 151 | assert(ctx != NULL); assert(path != NULL); |
---|
[03b3293] | 152 | |
---|
| 153 | int dirlen = strlen(path); |
---|
[50b9dc9] | 154 | glob_pat = abac_xmalloc(dirlen + sizeof(ID_PAT)); |
---|
[03b3293] | 155 | memcpy(glob_pat, path, dirlen); |
---|
| 156 | |
---|
| 157 | // first load ID certs |
---|
| 158 | memcpy(glob_pat + dirlen, ID_PAT, sizeof(ID_PAT)); |
---|
[50b9dc9] | 159 | glob(glob_pat, GLOB_BRACE, NULL, &glob_buf); // TODO check for error |
---|
[03b3293] | 160 | for (i = 0; i < glob_buf.gl_pathc; ++i) { |
---|
| 161 | char *cert_file = glob_buf.gl_pathv[i]; |
---|
| 162 | |
---|
[390f749] | 163 | ret = abac_context_load_id_file(ctx, cert_file); |
---|
[0779c99] | 164 | if (ret != ABAC_CERT_SUCCESS) |
---|
[50b9dc9] | 165 | warnx("Couldn't load ID cert %s", cert_file); |
---|
[03b3293] | 166 | } |
---|
| 167 | globfree(&glob_buf); |
---|
| 168 | |
---|
| 169 | // then load attr certs |
---|
| 170 | memcpy(glob_pat + dirlen, ATTR_PAT, sizeof(ATTR_PAT)); |
---|
| 171 | glob(glob_pat, 0, NULL, &glob_buf); // TODO check for error |
---|
| 172 | for (i = 0; i < glob_buf.gl_pathc; ++i) { |
---|
| 173 | char *cert_file = glob_buf.gl_pathv[i]; |
---|
| 174 | |
---|
[390f749] | 175 | ret = abac_context_load_attribute_file(ctx, cert_file); |
---|
[0779c99] | 176 | if (ret != ABAC_CERT_SUCCESS) |
---|
[50b9dc9] | 177 | warnx("Couldn't load attribute cert %s", cert_file); |
---|
[03b3293] | 178 | } |
---|
| 179 | globfree(&glob_buf); |
---|
| 180 | |
---|
| 181 | free(glob_pat); |
---|
| 182 | } |
---|
| 183 | |
---|
[90d20f0] | 184 | /** |
---|
[dc62c68] | 185 | * Run a query on the data in an abac context. Returns a NULL-terminated array |
---|
[38782df] | 186 | * of abac_credential_t. Success/failure in *success. |
---|
[90d20f0] | 187 | */ |
---|
[4e426c9] | 188 | abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success) { |
---|
[401a054] | 189 | abac_credential_t **credentials = NULL, *cur; |
---|
[dc62c68] | 190 | int i = 0; |
---|
| 191 | |
---|
[4e426c9] | 192 | assert(ctx != NULL); assert(role != NULL); assert(principal != NULL); assert(success != NULL); |
---|
[90d20f0] | 193 | |
---|
[390f749] | 194 | abac_graph_t *result_graph = abac_graph_query(ctx->graph, role, principal); |
---|
[401a054] | 195 | abac_list_t *result = abac_graph_credentials(result_graph); |
---|
[90d20f0] | 196 | |
---|
[06293d1] | 197 | abac_graph_free(result_graph); |
---|
[90d20f0] | 198 | |
---|
[6d5623e] | 199 | int size = abac_list_size(result); |
---|
[4e426c9] | 200 | if (size > 0) |
---|
| 201 | *success = 1; |
---|
| 202 | |
---|
| 203 | // if there is no actual path, return everything that can reach the role |
---|
| 204 | else { |
---|
| 205 | *success = 0; |
---|
| 206 | abac_list_free(result); |
---|
[d4b3b52] | 207 | result_graph = abac_graph_new(); |
---|
| 208 | |
---|
| 209 | // TODO: This can probably be better, but it now returns an |
---|
| 210 | // approximation of a partial proof. It returns all the attributes the |
---|
| 211 | // principal can reach and all the attributes that will lead to a |
---|
| 212 | // success. |
---|
| 213 | |
---|
| 214 | /* Get all the attributes of the principal. This calls sub-queries to |
---|
| 215 | * flesh out the indirect proofs. */ |
---|
| 216 | result_graph = abac_graph_principal_creds(ctx->graph, principal); |
---|
| 217 | |
---|
| 218 | /* This gets all the attributes linked to the target en route to the |
---|
| 219 | * principal. */ |
---|
| 220 | result = abac_graph_postorder_credentials(ctx->graph, role); |
---|
| 221 | |
---|
| 222 | /* Merge responses */ |
---|
| 223 | abac_list_foreach(result, cur, |
---|
| 224 | abac_graph_add_credential(result_graph, cur); |
---|
| 225 | ); |
---|
| 226 | abac_list_free(result); |
---|
| 227 | abac_graph_derive_links(result_graph); |
---|
| 228 | |
---|
| 229 | result = abac_graph_credentials(result_graph); |
---|
| 230 | abac_graph_free(result_graph); |
---|
[4e426c9] | 231 | |
---|
| 232 | size = abac_list_size(result); |
---|
| 233 | } |
---|
| 234 | |
---|
[38782df] | 235 | // make the array (leave space to NULL terminate it) |
---|
| 236 | // n.b., even if the list is empty, we still return an array that |
---|
| 237 | // only contains the NULL terminator |
---|
| 238 | credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1)); |
---|
| 239 | abac_list_foreach(result, cur, |
---|
| 240 | credentials[i++] = cur; |
---|
| 241 | ); |
---|
| 242 | credentials[i] = NULL; |
---|
[dc62c68] | 243 | |
---|
[6d5623e] | 244 | abac_list_free(result); |
---|
[dc62c68] | 245 | |
---|
[401a054] | 246 | return credentials; |
---|
[90d20f0] | 247 | } |
---|
| 248 | |
---|
| 249 | /** |
---|
[3c4fd68] | 250 | * A NULL-terminated array of all the credentials in the context. |
---|
[90d20f0] | 251 | */ |
---|
[3c4fd68] | 252 | abac_credential_t **abac_context_credentials(abac_context_t *ctx) { |
---|
| 253 | abac_credential_t *cred; |
---|
| 254 | int i = 0; |
---|
| 255 | |
---|
| 256 | assert(ctx != NULL); |
---|
| 257 | |
---|
| 258 | abac_list_t *cred_list = abac_graph_credentials(ctx->graph); |
---|
| 259 | int size = abac_list_size(cred_list); |
---|
| 260 | |
---|
| 261 | abac_credential_t **credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1)); |
---|
| 262 | abac_list_foreach(cred_list, cred, |
---|
| 263 | credentials[i++] = cred; |
---|
| 264 | ); |
---|
| 265 | credentials[i] = NULL; |
---|
| 266 | |
---|
| 267 | abac_list_free(cred_list); |
---|
| 268 | |
---|
| 269 | return credentials; |
---|
| 270 | } |
---|
| 271 | |
---|
| 272 | /** |
---|
| 273 | * Frees a NULL-terminated list of credentials. |
---|
| 274 | */ |
---|
| 275 | void abac_context_credentials_free(abac_credential_t **credentials) { |
---|
[dc62c68] | 276 | int i; |
---|
[90d20f0] | 277 | |
---|
[401a054] | 278 | if (credentials == NULL) |
---|
[90d20f0] | 279 | return; |
---|
| 280 | |
---|
[401a054] | 281 | for (i = 0; credentials[i] != NULL; ++i) |
---|
| 282 | abac_credential_free(credentials[i]); |
---|
| 283 | free(credentials); |
---|
[90d20f0] | 284 | } |
---|