source: libabac/abac.c @ 549656e

mei_rt2mei_rt2_fix_1
Last change on this file since 549656e was 2efdff5, checked in by Mei <mei@…>, 12 years ago

1) fix the missing check for 'This' rt2.y when called from creddy/prover

combo

2) patch up the stringify of abac_term that is of time type.
3) update the testing to reflect the changes to baseline output
  • Property mode set to 100644
File size: 12.0 KB
Line 
1
2/* abac.c using prolog */
3
4#include <assert.h>
5#include <err.h>
6#include <glob.h>
7
8#include <chunk.h>
9
10#include "abac_internal.h"
11
12#include "abac_pl_yap.h"
13#include "abac_util.h"
14#include "abac_verifier.h"
15
16static int debug=0;
17
18struct _abac_context_t {
19    abac_pl_t *pl;
20};
21
22/**
23 * Init the library.
24 */
25void libabac_init(void) {
26    void libabac_deinit(void);
27    static int has_been_init = 0;
28
29    // called every time a context is created, so only do it once
30    if (!has_been_init) {
31        abac_verifier_init();
32        atexit(libabac_deinit);
33        has_been_init = 1;
34    }
35}
36
37/**
38 * Deinit the library.
39 */
40void libabac_deinit(void) {
41    abac_verifier_deinit();
42}
43
44/**
45 * Create a new abac context.
46 */
47abac_context_t *abac_context_new(void) {
48    libabac_init();
49
50    abac_context_t *ctx = abac_xmalloc(sizeof(abac_context_t));
51    ctx->pl = abac_pl_new();
52    return ctx;
53}
54
55/**
56 * Deep copy an abac context. -- XXX dummy stub
57 */
58abac_context_t *abac_context_dup(abac_context_t *ctx) {
59    assert(ctx != NULL);
60    abac_context_t *dup = abac_xmalloc(sizeof(abac_context_t));
61    return dup;
62}
63
64
65/**
66 * Free an abac context.
67 */
68void abac_context_free(abac_context_t *ctx) {
69    assert(ctx != NULL);
70
71    abac_pl_free(ctx->pl);
72    free(ctx);
73}
74
75/**
76 * Load an ID cert from an abac_id_t.
77 */
78int abac_context_load_id_id(abac_context_t *ctx, abac_id_t *id) {
79    assert(ctx != NULL); assert(id);
80    abac_id_credential_t *id_cert=NULL;
81    int ret = abac_verifier_load_id_id(id,&id_cert);
82    if(id_cert) {
83        int add_ret = abac_pl_add_type_credential(ctx->pl, id_cert);
84    }
85    return ret;
86}
87
88/**
89 * Load an ID cert from a file.
90 */
91int abac_context_load_id_id_file_key_file(abac_context_t *ctx, char *filename, char *keyfilename) {
92    assert(ctx != NULL); assert(filename != NULL); assert(keyfilename!=NULL);
93    abac_id_credential_t *id_cert=NULL;
94    int ret = abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cert);
95    if(id_cert) {
96        int add_ret = abac_pl_add_type_credential(ctx->pl, id_cert);
97    }
98    return ret;
99}
100/**
101 * Load an ID cert from a file, it may contain key part but not necessary.
102 */
103int abac_context_load_id_idkey_file(abac_context_t *ctx, char *filename) {
104    assert(ctx != NULL); assert(filename != NULL); 
105    abac_id_credential_t *id_cert=NULL;
106    int ret = abac_verifier_load_idkey_file(filename,&id_cert);
107    if(id_cert) {
108        int add_ret = abac_pl_add_type_credential(ctx->pl, id_cert);
109    }
110    return ret;
111}
112
113/**
114 * Load an ID cert from a chunk.
115 */
116int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert) {
117    assert(ctx != NULL);
118    abac_id_credential_t *id_cert=NULL;
119    chunk_t cert_chunk = { cert.ptr, cert.len };
120    int ret=abac_verifier_load_id_chunk(cert_chunk,&id_cert);
121    if(id_cert) {
122        int add_ret = abac_pl_add_type_credential(ctx->pl, id_cert);
123    }
124    return ret;
125}
126
127/**
128 * Load an attribute cert from an abac_attribute_t.
129 */
130int abac_context_load_attribute_attribute(abac_context_t *ctx, abac_attribute_t *ptr)
131{
132    int ret, add_ret;
133    abac_credential_t *cred=NULL;
134
135    assert(ctx != NULL);
136
137    ret = abac_verifier_load_attribute_cert_attribute(ptr, &cred);
138    if (ret == ABAC_CERT_SUCCESS) {
139        add_ret = abac_pl_add_credential(ctx->pl, cred);
140        assert(add_ret != ABAC_PL_CRED_INVALID);
141    }
142
143    return ret;
144
145}
146
147/**
148 * Load an attribute cert from a file.
149 */
150int abac_context_load_attribute_file(abac_context_t *ctx, char *filename) {
151    int ret, add_ret;
152    abac_credential_t *cred=NULL;
153
154    assert(ctx != NULL); assert(filename != NULL);
155
156    ret = abac_verifier_load_attribute_cert_file(filename, &cred);
157    if (ret == ABAC_CERT_SUCCESS) {
158        add_ret = abac_pl_add_credential(ctx->pl, cred);
159        assert(add_ret != ABAC_PL_CRED_INVALID);
160    }
161
162    return ret;
163}
164
165/**
166 * Load an attribute cert from a chunk.
167 */
168int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert) {
169    int ret, add_ret;
170    abac_credential_t *cred=NULL;
171
172    assert(ctx != NULL);
173
174    chunk_t cert_chunk = { cert.ptr, cert.len };
175
176    ret = abac_verifier_load_attribute_cert_chunk(cert_chunk, &cred);
177    if (ret == ABAC_CERT_SUCCESS) {
178        add_ret = abac_pl_add_credential(ctx->pl, cred);
179        assert(add_ret != ABAC_PL_CRED_INVALID);
180        abac_credential_free(cred);
181    }
182
183    return ret;
184}
185
186#define KEY_PAT "/*_private.{der,pem}"
187#define ID_PAT "/*_ID.{der,pem}"
188#define ATTR_PAT "/*_attr.der"
189#define IDKEY_PAT "/*_IDKEY.{der,pem}"
190
191char *_make_key_filename(char *cert_file)
192{
193    char *p=strstr(cert_file,"_ID.");
194    char *head=strndup(cert_file,p-cert_file);
195    char *tail=p+4;
196    char *keyfile=NULL;
197    asprintf(&keyfile,"%s_private.%s",head,tail);
198    free(head);
199    return keyfile;
200}
201
202
203/**
204 * Load a directory full of principal certs.
205 */
206void abac_context_load_principals(abac_context_t *ctx, char *path) {
207    char *glob_pat, *key_pat;
208    glob_t glob_buf;
209    int i, ret;
210
211    assert(ctx != NULL); assert(path != NULL);
212
213    int dirlen = strlen(path);
214
215    /* make sure pick the larger one */
216    glob_pat = abac_xmalloc(dirlen + sizeof(IDKEY_PAT));
217    memcpy(glob_pat, path, dirlen);
218
219    // load ID certs
220    memcpy(glob_pat + dirlen, ID_PAT, sizeof(ID_PAT));
221    glob(glob_pat, GLOB_BRACE, NULL, &glob_buf); // TODO check for error
222    for (i = 0; i < glob_buf.gl_pathc; ++i) {
223        /* blah_ID.pem */
224        char *cert_file = glob_buf.gl_pathv[i];
225        /* blah_private.pem */
226        char *key_file=_make_key_filename(cert_file);
227        if(debug) {
228            printf("--> ID cert... %s\n", cert_file);
229            printf("--> KEY cert... %s\n", key_file);
230        }
231        ret = abac_context_load_id_id_file_key_file(ctx, cert_file, key_file);
232        if (ret != ABAC_CERT_SUCCESS)
233            warnx("Couldn't load ID cert %s", cert_file);
234    }
235    globfree(&glob_buf);
236
237    // next load IDKEY certs
238    memcpy(glob_pat + dirlen, IDKEY_PAT, sizeof(IDKEY_PAT));
239    glob(glob_pat, GLOB_BRACE, NULL, &glob_buf); // TODO check for error
240    for (i = 0; i < glob_buf.gl_pathc; ++i) {
241        /* blah_IDKEY.pem */
242        char *certkey_file = glob_buf.gl_pathv[i];
243        if(debug) printf("--> IDKEY certkey... %s\n", certkey_file);
244        ret = abac_context_load_id_idkey_file(ctx, certkey_file);
245        if (ret != ABAC_CERT_SUCCESS)
246            warnx("Couldn't load ID/KEY IDKEY cert %s", certkey_file);
247    }
248    globfree(&glob_buf);
249
250    free(glob_pat);
251}
252
253/**
254 * Load a directory full of certs.
255 */
256void abac_context_load_directory(abac_context_t *ctx, char *path) {
257    char *glob_pat, *key_pat;
258    glob_t glob_buf;
259    int i, ret;
260
261    abac_context_load_principals(ctx,path);
262    int dirlen = strlen(path);
263
264    /* make sure pick the larger one */
265    glob_pat = abac_xmalloc(dirlen + sizeof(IDKEY_PAT));
266    memcpy(glob_pat, path, dirlen);
267
268    memcpy(glob_pat + dirlen, ATTR_PAT, sizeof(ATTR_PAT));
269    glob(glob_pat, 0, NULL, &glob_buf); // TODO check for error
270    for (i = 0; i < glob_buf.gl_pathc; ++i) {
271        char *cert_file = glob_buf.gl_pathv[i];
272
273        if(debug) printf("--> attr file... (%s)\n", cert_file);
274        ret = abac_context_load_attribute_file(ctx, cert_file);
275        if (ret != ABAC_CERT_SUCCESS)
276            warnx("Couldn't load attribute cert %s", cert_file);
277        if(debug) printf("Loaded.. (%s)\n", cert_file);
278    }
279    globfree(&glob_buf);
280
281    free(glob_pat);
282}
283
284/**
285 * Run a query on the data in an abac context. Returns a NULL-terminated array
286 * of abac_credential_t. Success/failure in *success.
287 * queryfor(either role or oset), with(either keyid or object type)
288 */
289abac_credential_t **abac_context_query(abac_context_t *ctx, char *queryfor, char *with, int *success) {
290    if(debug) printf("abac_context_query about(%s) with(%s)\n", queryfor, with);
291    abac_credential_t **credentials = NULL, *cur;
292    assert(ctx != NULL); assert(queryfor != NULL);
293    assert(with != NULL); assert(success != NULL);
294
295    abac_stack_t *result = abac_pl_query(ctx->pl, queryfor, with);
296
297    int size = abac_stack_size(result);
298    if (size > 0) {
299        *success = 1;
300    } else {
301    // XXX NOT SURE YET..
302    // return partial proof
303        *success = 0;
304    }
305
306    // make the array (leave space to NULL terminate it)
307    //      n.b., even if the list is empty, we still return an array that
308    //            only contains the NULL terminator
309    credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1));
310    int i = 0;
311    if(size) {
312        while(i<size) { 
313            cur=(abac_credential_t *) abac_stack_pop(result);
314            credentials[i++] = cur;
315        } 
316    }
317    credentials[i] = NULL;
318
319    if(result)
320        abac_stack_free(result);
321
322    return credentials;
323}
324
325abac_credential_t **abac_context_query_with_structure(abac_context_t *ctx,
326abac_aspect_t *queryfor, abac_aspect_t *with, int *success)
327{
328    if(debug) printf("abac_context_query_with_structure\n");
329    abac_credential_t **credentials = NULL, *cur;
330    assert(ctx != NULL); assert(queryfor != NULL);
331    assert(with != NULL); assert(success != NULL);
332
333    abac_stack_t *result = abac_pl_query_with_structure(ctx->pl, queryfor, with);
334
335    int size = abac_stack_size(result);
336    if (size > 0) {
337        *success = 1;
338    } else {
339    // XXX NOT SURE YET..
340    // return partial proof
341        *success = 0;
342    }
343
344    // make the array (leave space to NULL terminate it)
345    //      n.b., even if the list is empty, we still return an array that
346    //            only contains the NULL terminator
347    credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1));
348    int i = 0;
349    if(size) {
350        while(i<size) { 
351            cur=(abac_credential_t *) abac_stack_pop(result);
352            credentials[i++] = cur;
353        } 
354    }
355    credentials[i] = NULL;
356
357    if(result)
358        abac_stack_free(result);
359
360    return credentials;
361}
362
363/**
364 * A NULL-terminated array of all the credentials in the context.
365 */
366abac_credential_t **abac_context_credentials(abac_context_t *ctx) {
367    abac_credential_t **credentials = NULL, *cur;
368    assert(ctx != NULL);
369
370    abac_stack_t *result = abac_pl_credentials(ctx->pl);
371    int size = abac_stack_size(result);
372
373    // make the array (leave space to NULL terminate it)
374    //      n.b., even if the list is empty, we still return an array that
375    //            only contains the NULL terminator
376    credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1));
377    int i = 0;
378    if(size) {
379        while(i<size) { 
380            cur=(abac_credential_t *) abac_stack_pop(result);
381            /* if not in there yet, add into it */
382            credentials[i++] = cur;
383        } 
384    }
385    credentials[i] = NULL;
386
387    if(result)
388        abac_stack_free(result);
389    return credentials;
390}
391
392/**
393 * Frees a NULL-terminated list of credentials.
394 */
395void abac_context_credentials_free(abac_credential_t **credentials) {
396    int i;
397
398    if (credentials == NULL)
399        return;
400
401    for (i = 0; credentials[i] != NULL; ++i)
402        abac_credential_free(credentials[i]);
403    free(credentials);
404}
405
406/**
407 * A NULL-terminated array of all the principals in the context.
408 */
409abac_id_credential_t **abac_context_principals(abac_context_t *ctx) {
410    abac_id_credential_t **principals = NULL, *cur;
411    assert(ctx != NULL);
412
413    abac_stack_t *result = abac_pl_principals(ctx->pl);
414
415    int size = abac_stack_size(result);
416
417    // make the array (leave space to NULL terminate it)
418    //      n.b., even if the list is empty, we still return an array that
419    //            only contains the NULL terminator
420    principals = abac_xmalloc(sizeof(abac_id_credential_t *) * (size + 1));
421    int i = 0;
422    if(size) {
423        while(i<size) { 
424            cur=(abac_id_credential_t *) abac_stack_pop(result);
425            /* if not in there yet, add into it */
426            principals[i++] = cur;
427        } 
428    }
429    principals[i] = NULL;
430
431    if(result)
432        abac_stack_free(result);
433    return principals;
434}
435
436/**
437 * Frees a NULL-terminated list of principals.
438 */
439void abac_context_principals_free(abac_id_credential_t **principals) {
440    int i;
441
442    if (principals == NULL)
443        return;
444
445    for (i = 0; principals[i] != NULL; ++i)
446        abac_id_credential_free(principals[i]);
447    free(principals);
448}
449
Note: See TracBrowser for help on using the repository browser.