source: libabac/abac.c @ 461541a

/* abac.c */

#include <assert.h>
#include <err.h>
#include <glob.h>

#include "abac.h"
#include "abac_graph.h"
#include "abac_util.h"
#include "abac_verifier.h"

struct _abac_context_t {
    abac_graph_t *graph;
};

/**
 * Init the library.
 */
void libabac_init(void) {
    void libabac_deinit(void);
    static int has_been_init = 0;

    // called every time a context is created, so only do it once
    if (!has_been_init) {
        abac_verifier_init();
        atexit(libabac_deinit);
        has_been_init = 1;
    }
}

/**
 * Deinit the library.
 */
void libabac_deinit(void) {
    abac_verifier_deinit();
}

/**
 * Create a new abac context.
 */
abac_context_t *abac_context_new(void) {
    libabac_init();

    abac_context_t *ctx = abac_xmalloc(sizeof(abac_context_t));
    ctx->graph = abac_graph_new();
    return ctx;
}

/**
 * Deep copy an abac context.
 */
abac_context_t *abac_context_dup(abac_context_t *ctx) {
    assert(ctx != NULL);

    abac_context_t *dup = abac_xmalloc(sizeof(abac_context_t));
    dup->graph = abac_graph_dup(ctx->graph);

    return dup;
}

/**
 * Free an abac context.
 */
void abac_context_free(abac_context_t *ctx) {
    assert(ctx != NULL);

    abac_graph_free(ctx->graph);
    free(ctx);
}

/**
 * Load an ID cert from a file.
 */
int abac_context_load_id_file(abac_context_t *ctx, char *filename) {
    assert(ctx != NULL); assert(filename != NULL);
    return abac_verifier_load_id_file(filename);
}

/**
 * Load an ID cert from a chunk.
 */
int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert_chunk) {
    assert(ctx != NULL);
    return abac_verifier_load_id_chunk(cert_chunk);
}

/**
 * Load an attribute cert from a file.
 */
int abac_context_load_attribute_file(abac_context_t *ctx, char *filename) {
    int ret, add_ret;
    abac_list_t *cred_list=abac_list_new(); // could be more than 1
    abac_credential_t *cred;

    assert(ctx != NULL); assert(filename != NULL);

    ret = abac_verifier_load_attribute_cert_file(filename, cred_list);

    if (ret == ABAC_CERT_SUCCESS) {
        int size = abac_list_size(cred_list);
        if(size) {
            abac_list_foreach(cred_list, cred,
                add_ret = abac_graph_add_credential(ctx->graph, cred);
                assert(add_ret != ABAC_GRAPH_CRED_INVALID);
                abac_credential_free(cred);
            );
            abac_list_free(cred_list);
        }
    }
    return ret;
}

/**
 * Load an attribute cert from a chunk.
 */
int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert_chunk) {
    int ret, add_ret;
    abac_list_t  *cred_list=NULL;
    abac_credential_t *cred;

    assert(ctx != NULL);

    ret = abac_verifier_load_attribute_cert_chunk(cert_chunk, cred_list);
    if (ret == ABAC_CERT_SUCCESS) {
        int size = abac_list_size(cred_list);
        if(size) {
            abac_list_foreach(cred_list, cred,
                add_ret = abac_graph_add_credential(ctx->graph, cred);
                assert(add_ret != ABAC_GRAPH_CRED_INVALID);
                abac_credential_free(cred);
            );
            abac_list_free(cred_list);
        }
    }

    return ret;
}

#define ID_PAT "/*_ID.{der,pem}"
#define ATTR_PAT "/*_attr.xml"

/**
 * Load a directory full of certs.
 */
void abac_context_load_directory(abac_context_t *ctx, char *path) {
    char *glob_pat;
    glob_t glob_buf;
    int i, ret;

    assert(ctx != NULL); assert(path != NULL);

    int dirlen = strlen(path);
    glob_pat = abac_xmalloc(dirlen + sizeof(ID_PAT));
    memcpy(glob_pat, path, dirlen);

    // first load ID certs
    memcpy(glob_pat + dirlen, ID_PAT, sizeof(ID_PAT));
    glob(glob_pat, GLOB_BRACE, NULL, &glob_buf); // TODO check for error
    for (i = 0; i < glob_buf.gl_pathc; ++i) {
        char *cert_file = glob_buf.gl_pathv[i];

        ret = abac_context_load_id_file(ctx, cert_file);
        if (ret != ABAC_CERT_SUCCESS)
            warnx("Couldn't load ID cert %s", cert_file);
    }
    globfree(&glob_buf);

    // then load attr certs
    memcpy(glob_pat + dirlen, ATTR_PAT, sizeof(ATTR_PAT));
    glob(glob_pat, 0, NULL, &glob_buf); // TODO check for error
    for (i = 0; i < glob_buf.gl_pathc; ++i) {
        char *cert_file = glob_buf.gl_pathv[i];

        ret = abac_context_load_attribute_file(ctx, cert_file);
        if (ret != ABAC_CERT_SUCCESS)
            warnx("Couldn't load attribute cert %s", cert_file);
    }
    globfree(&glob_buf);

    free(glob_pat);
}

/**
 * Run a query on the data in an abac context. Returns a NULL-terminated array
 * of abac_credential_t. Success/failure in *success.
 */
abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success) {
    abac_credential_t **credentials = NULL, *cur;
    int i = 0;

    assert(ctx != NULL); assert(role != NULL); assert(principal != NULL); assert(success != NULL);

    abac_graph_t *result_graph = abac_graph_query(ctx->graph, role, principal);
    abac_list_t *result = abac_graph_credentials(result_graph);

    abac_graph_free(result_graph);

    int size = abac_list_size(result);
    if (size > 0)
        *success = 1;

    // if there is no actual path, return everything that can reach the role
    else {
        *success = 0;
        abac_list_free(result);
        result_graph = abac_graph_new();

        // TODO: This can probably be better, but it now returns an
        // approximation of a partial proof.  It returns all the attributes the
        // principal can reach and all the attributes that will lead to a
        // success.

        /* Get all the attributes of the principal.  This calls sub-queries to
         * flesh out the indirect proofs. */
        result_graph = abac_graph_principal_creds(ctx->graph, principal);

        /* This gets all the attributes linked to the target en route to the
         * principal. */
        result = abac_graph_postorder_credentials(ctx->graph, role);

        /* Merge responses */
        abac_list_foreach(result, cur,
            abac_graph_add_credential(result_graph, cur);
        );
        abac_list_free(result);
        abac_graph_derive_links(result_graph);

        result = abac_graph_credentials(result_graph);
        abac_graph_free(result_graph);

        size = abac_list_size(result);
    }

    // make the array (leave space to NULL terminate it)
    //      n.b., even if the list is empty, we still return an array that
    //            only contains the NULL terminator
    credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1));
    abac_list_foreach(result, cur,
        credentials[i++] = cur;
    );
    credentials[i] = NULL;

    abac_list_free(result);

    return credentials;
}

/**
 * A NULL-terminated array of all the credentials in the context.
 */
abac_credential_t **abac_context_credentials(abac_context_t *ctx) {
    abac_credential_t *cred;
    int i = 0;

    assert(ctx != NULL);

    abac_list_t *cred_list = abac_graph_credentials(ctx->graph);
    int size = abac_list_size(cred_list);

    abac_credential_t **credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1));
    abac_list_foreach(cred_list, cred,
        credentials[i++] = cred;
    );
    credentials[i] = NULL;

    abac_list_free(cred_list);

    return credentials;
}

/**
 * Frees a NULL-terminated list of credentials.
 */
void abac_context_credentials_free(abac_credential_t **credentials) {
    int i;

    if (credentials == NULL)
        return;

    for (i = 0; credentials[i] != NULL; ++i)
        abac_credential_free(credentials[i]);
    free(credentials);
}