Context Navigation

source: libabac/abac.c @ 63dcd99

abac0-leak

Last change on this file since 63dcd99 was f43e42c, checked in by Mei <mei@…>, 11 years ago
Merge branch 'abac0-mei' of git://abac.deterlab.net/abac
Property mode set to `100644`
File size: 11.1 KB

Line
1	/* abac.c */
2
3	#include <assert.h>
4	#include <err.h>
5	#include <sys/types.h>
6	#include <sys/stat.h>
7	#include <unistd.h>
8	#include <dirent.h>
9
10	#include "abac.h"
11	#include "abac_list.h"
12	#include "abac_graph.h"
13	#include "abac_util.h"
14	#include "abac_verifier.h"
15
16	int debug=0;
17	abac_id_cert_t *abac_context_principals(abac_context_t ctx);
18	void abac_context_id_credentials_free(abac_id_cert_t **id_credentials);
19
20	struct _abac_context_t {
21	/* list of principal id credentials, abac_id_cert_t */
22	abac_list_t *id_certs;
23	abac_graph_t *graph;
24	abac_keyid_map_t *keymap;
25	};
26
27	/**
28	* Init the library.
29	*/
30	void libabac_init(void) {
31	void libabac_deinit(void);
32	static int has_been_init = 0;
33
34	// called every time a context is created, so only do it once
35	if (!has_been_init) {
36	abac_verifier_init();
37	atexit(libabac_deinit);
38	has_been_init = 1;
39	}
40	}
41
42	/**
43	* Deinit the library.
44	*/
45	void libabac_deinit(void) {
46	abac_verifier_deinit();
47	}
48
49	/**
50	* Create a new abac context.
51	*/
52	abac_context_t *abac_context_new(void) {
53	libabac_init();
54
55	abac_context_t *ctx = abac_xmalloc(sizeof(abac_context_t));
56	ctx->graph = abac_graph_new();
57	ctx->id_certs=abac_list_new();
58	ctx->keymap = abac_keyid_map_new();
59	return ctx;
60	}
61
62	/**
63	* Deep copy an abac context.
64	*/
65	abac_context_t abac_context_dup(abac_context_t ctx) {
66	assert(ctx != NULL);
67
68	abac_context_t *dup = abac_xmalloc(sizeof(abac_context_t));
69	dup->graph = abac_graph_dup(ctx->graph);
70	dup->id_certs=abac_list_new();
71
72	abac_id_cert_t *id_cert;
73	abac_list_foreach(ctx->id_certs, id_cert,
74	abac_list_add(dup->id_certs, abac_id_cert_dup(id_cert));
75	);
76
77	dup->keymap = abac_keyid_map_clone(ctx->keymap);
78	return dup;
79	}
80
81	/**
82	* Free an abac context.
83	*/
84	void abac_context_free(abac_context_t *ctx) {
85	assert(ctx != NULL);
86
87	abac_graph_free(ctx->graph);
88
89	abac_id_cert_t *id_cert;
90	abac_list_foreach(ctx->id_certs, id_cert,
91	abac_id_cert_free(id_cert);
92	);
93	abac_list_free(ctx->id_certs);
94	abac_keyid_map_free(ctx->keymap);
95	free(ctx);
96	}
97
98	/**
99	* Load an ID cert from a file.
100	*/
101	int abac_context_load_id_file(abac_context_t ctx, char filename) {
102	assert(ctx != NULL); assert(filename != NULL);
103	return abac_verifier_load_id_file(ctx->id_certs,filename, ctx->keymap);
104	}
105
106	/**
107	* Load an ID cert from a chunk.
108	*/
109	int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert_chunk) {
110	assert(ctx != NULL);
111	return abac_verifier_load_id_chunk(ctx->id_certs,cert_chunk, ctx->keymap);
112	}
113
114	/**
115	* Load an attribute cert from a file.
116	*/
117	int abac_context_load_attribute_file(abac_context_t ctx, char filename) {
118	int ret, add_ret;
119	abac_list_t *cred_list=abac_list_new(); // could be more than 1
120	abac_credential_t *cred;
121
122	assert(ctx != NULL); assert(filename != NULL);
123
124	ret = abac_verifier_load_attribute_cert_file(ctx->id_certs, filename, cred_list, ctx->keymap);
125
126	if (ret == ABAC_CERT_SUCCESS) {
127	int size = abac_list_size(cred_list);
128	if(size) {
129	abac_list_foreach(cred_list, cred,
130	add_ret = abac_graph_add_credential(ctx->graph, cred);
131	assert(add_ret != ABAC_GRAPH_CRED_INVALID);
132	abac_credential_free(cred);
133	);
134	}
135	}
136	abac_list_free(cred_list);
137	return ret;
138	}
139
140	/**
141	* Load an attribute cert from a chunk.
142	*/
143	int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert_chunk) {
144	int ret, add_ret;
145	abac_list_t *cred_list=abac_list_new(); // could be more than 1
146	abac_credential_t *cred;
147
148	assert(ctx != NULL);
149
150	ret = abac_verifier_load_attribute_cert_chunk(ctx->id_certs, cert_chunk, cred_list, ctx->keymap);
151	if (ret == ABAC_CERT_SUCCESS) {
152	int size = abac_list_size(cred_list);
153	if(size) {
154	abac_list_foreach(cred_list, cred,
155	add_ret = abac_graph_add_credential(ctx->graph, cred);
156	assert(add_ret != ABAC_GRAPH_CRED_INVALID);
157	abac_credential_free(cred);
158	);
159	abac_list_free(cred_list);
160	}
161	}
162
163	return ret;
164	}
165
166	#define ID_PAT "/*_ID.{der,pem}"
167	#define ATTR_PAT "/*_attr.xml"
168
169	static int is_regular_file(char *filename)
170	{
171	struct stat sb;
172	if(stat(filename,&sb) == -1)
173	return 0;
174	if((sb.st_mode & S_IFMT) == S_IFREG)
175	return 1;
176	return 0;
177	}
178
179	/**
180	* Load a directory full of certs.
181	*/
182	void abac_context_load_directory(abac_context_t ctx, char path) {
183	DIR *dp;
184	struct dirent *ep;
185
186	dp = opendir (path);
187	if (dp != NULL) {
188	while (ep = readdir (dp)) {
189	if(is_regular_file(ep->d_name)) {
190	int ret = abac_context_load_id_file(ctx, ep->d_name);
191	if (ret == ABAC_CERT_SUCCESS) {
192	if(debug) fprintf(stderr,"abac_context_load_directory, found an id %s\n",ep->d_name);
193	continue;
194	}
195	ret = abac_context_load_attribute_file(ctx, ep->d_name);
196	if (ret == ABAC_CERT_SUCCESS) {
197	if(debug) fprintf(stderr,"abac_context_load_directory, found an attr %s\n",ep->d_name);
198	}
199	}
200	}
201	(void) closedir (dp);
202	} else fprintf(stderr, "abac_load_directory, Couldn't open the directory\n");
203	}
204
205	/**
206	* Run a query on the data in an abac context. Returns a NULL-terminated array
207	* of abac_credential_t. Success/failure in *success.
208	*/
209	abac_credential_t *abac_context_query(abac_context_t ctx, char role, char principal, int *success) {
210	abac_credential_t *credentials = NULL, cur;
211	int i = 0;
212
213	assert(ctx != NULL);
214	assert(role != NULL);
215	assert(principal != NULL);
216	assert(success != NULL);
217
218	abac_graph_t *result_graph = abac_graph_query(ctx->graph, role, principal);
219	abac_list_t *result = abac_graph_credentials(result_graph);
220
221	abac_graph_free(result_graph);
222
223	int size = abac_list_size(result);
224	if (size > 0)
225	*success = 1;
226
227	// if there is no actual path, return everything that can reach the role
228	else {
229	*success = 0;
230	abac_list_free(result);
231	result_graph = abac_graph_new();
232
233	// TODO: This can probably be better, but it now returns an
234	// approximation of a partial proof. It returns all the attributes the
235	// principal can reach and all the attributes that will lead to a
236	// success.
237
238	/* Get all the attributes of the principal. This calls sub-queries to
239	* flesh out the indirect proofs. */
240	result_graph = abac_graph_principal_creds(ctx->graph, principal);
241
242	/* This gets all the attributes linked to the target en route to the
243	* principal. */
244	result = abac_graph_postorder_credentials(ctx->graph, role);
245
246	/* Merge responses */
247	abac_list_foreach(result, cur,
248	abac_graph_add_credential(result_graph, cur);
249	);
250	abac_list_free(result);
251	abac_graph_derive_links(result_graph);
252
253	result = abac_graph_credentials(result_graph);
254	abac_graph_free(result_graph);
255
256	size = abac_list_size(result);
257	}
258
259	// make the array (leave space to NULL terminate it)
260	// n.b., even if the list is empty, we still return an array that
261	// only contains the NULL terminator
262	credentials = abac_xmalloc(sizeof(abac_credential_t ) (size + 1));
263	abac_list_foreach(result, cur,
264	credentials[i++] = cur;
265	);
266	credentials[i] = NULL;
267
268	abac_list_free(result);
269
270	return credentials;
271	}
272
273
274	/**
275	* A NULL-terminated array of all the credentials in the context.
276	*/
277	abac_credential_t *abac_context_credentials(abac_context_t ctx) {
278	abac_credential_t *cred;
279	int i = 0;
280
281	assert(ctx != NULL);
282
283	abac_list_t *cred_list = abac_graph_credentials(ctx->graph);
284	int size = abac_list_size(cred_list);
285
286	abac_credential_t *credentials = abac_xmalloc(sizeof(abac_credential_t ) * (size + 1));
287	abac_list_foreach(cred_list, cred,
288	credentials[i++] = cred;
289	);
290	credentials[i] = NULL;
291
292	abac_list_free(cred_list);
293
294	if(debug) {
295	abac_id_cert_t **ilist=abac_context_principals(ctx);
296	abac_id_cert_t *cert;
297	if (ilist != NULL)
298	for (i = 0; ilist[i] != NULL; ++i) {
299	cert = ilist[i];
300	printf("id[%d] %s\n",i, abac_id_cert_keyid(cert));
301	}
302	abac_context_id_credentials_free(ilist);
303	}
304
305	return credentials;
306	}
307
308	/*
309	* Replace known keyids with their nicknames (mnemonic names). If a non-NULL
310	* string is returned it needs to be freed by the caller.
311	*/
312	char abac_context_expand_key(abac_context_t ctxt, char *s ) {
313	if ( ctxt->keymap )
314	return abac_keyid_map_expand_key(ctxt->keymap, s);
315	else
316	return NULL;
317	}
318
319	/*
320	* Replace known nicknames(mnemonic names) with their keyids. If a non-NULL
321	* string is returned it needs to be freed by the caller.
322	*/
323	char abac_context_expand_nickname(abac_context_t ctxt, char *s ) {
324	if ( ctxt->keymap )
325	return abac_keyid_map_expand_nickname(ctxt->keymap, s);
326	else
327	return NULL;
328	}
329
330	/*
331	* Add a nickname to the context. The keyid must be known to the context. If
332	* the nickname is in use, it is disambiguated. Call abac_context_expand_key
333	* to see the assigned name if that is required. Existing nickname for keyid
334	* is overwritten. Returns true if the change was successful.
335	*/
336	int abac_context_set_nickname(abac_context_t ctxt, char key, char*nick) {
337	char *p = NULL;
338
339	if ( !ctxt->keymap) return 0;
340	/* Make sure we know the key. Free the returned nickname */
341	if ( !(p = abac_keyid_map_key_to_nickname(ctxt->keymap, key))) return 0;
342	else free(p);
343
344	abac_keyid_map_remove_keyid(ctxt->keymap, key);
345	return abac_keyid_map_add_nickname(ctxt->keymap, key, nick);
346	}
347
348	/*
349	* Get direct access to the context's keyid mapping. Used internally. This
350	* does not make a reference to the map, use abac_keyid_map_dup if that is
351	* required.
352	*/
353	abac_keyid_map_t abac_context_get_keyid_map(abac_context_t ctxt) {
354	return ctxt->keymap;
355	}
356
357
358	/**
359	* A NULL-terminated array of all the principals in the context.
360	*/
361	abac_id_cert_t *abac_context_principals(abac_context_t ctx)
362	{
363	abac_id_cert_t *principals = NULL, cur;
364	assert(ctx != NULL);
365
366	int size = abac_list_size(ctx->id_certs);
367
368	// make the array (leave space to NULL terminate it)
369	// n.b., even if the list is empty, we still return an array that
370	// only contains the NULL terminator
371	principals = abac_xmalloc(sizeof(abac_id_cert_t ) (size + 1));
372	int i = 0;
373	abac_id_cert_t *id_cert;
374	abac_list_foreach(ctx->id_certs, id_cert,
375	principals[i]=abac_id_cert_dup(id_cert);
376	i++;
377	);
378	principals[i] = NULL;
379
380	return principals;
381	}
382
383
384	/**
385	* Frees a NULL-terminated list of credentials.
386	*/
387	void abac_context_credentials_free(abac_credential_t **credentials) {
388	int i;
389
390	if (credentials == NULL)
391	return;
392
393	for (i = 0; credentials[i] != NULL; ++i)
394	abac_credential_free(credentials[i]);
395	free(credentials);
396	}
397
398	/**
399	* Frees a NULL-terminated list of id credentials
400	*/
401	void abac_context_id_credentials_free(abac_id_cert_t **id_credentials) {
402	int i;
403
404	if (id_credentials == NULL)
405	return;
406
407	for (i = 0; id_credentials[i] != NULL; ++i) {
408	abac_id_cert_free(id_credentials[i]);
409	}
410	free(id_credentials);
411	}
412
413

Note: See TracBrowser for help on using the repository browser.

Download in other formats: