[90d20f0] | 1 | #ifndef __ABAC_H__ |
---|
| 2 | #define __ABAC_H__ |
---|
| 3 | |
---|
[461541a] | 4 | #include <time.h> // for struct tm |
---|
| 5 | #include <stdio.h> // for FILE |
---|
| 6 | #include "abac_list.h" |
---|
[11e3eb7] | 7 | |
---|
[390f749] | 8 | typedef struct _abac_context_t abac_context_t; |
---|
[401a054] | 9 | typedef struct _abac_credential_t abac_credential_t; |
---|
[1743825] | 10 | typedef struct _abac_role_t abac_role_t; |
---|
[90d20f0] | 11 | |
---|
[461541a] | 12 | typedef struct _abac_id_t abac_id_t; |
---|
| 13 | typedef struct _abac_attribute_t abac_attribute_t; |
---|
| 14 | |
---|
| 15 | typedef struct _abac_chunk_t { |
---|
| 16 | unsigned char *ptr; |
---|
| 17 | int len; |
---|
| 18 | } abac_chunk_t; |
---|
| 19 | |
---|
[0bf0e67] | 20 | /* |
---|
| 21 | * ABAC functions, operating on an ABAC context. |
---|
| 22 | */ |
---|
[390f749] | 23 | abac_context_t *abac_context_new(void); |
---|
| 24 | abac_context_t *abac_context_dup(abac_context_t *ctx); |
---|
| 25 | void abac_context_free(abac_context_t *ctx); |
---|
[90d20f0] | 26 | |
---|
[0779c99] | 27 | /* see the bottom of the file for possible return codes */ |
---|
[390f749] | 28 | int abac_context_load_id_file(abac_context_t *ctx, char *filename); |
---|
| 29 | int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert); |
---|
| 30 | int abac_context_load_attribute_file(abac_context_t *ctx, char *filename); |
---|
| 31 | int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert); |
---|
[90d20f0] | 32 | |
---|
[03b3293] | 33 | /* load an entire directory full of certs */ |
---|
[390f749] | 34 | void abac_context_load_directory(abac_context_t *ctx, char *path); |
---|
[03b3293] | 35 | |
---|
[401a054] | 36 | /* abac query, returns a NULL-terminated array of credentials on success, NULL on fail */ |
---|
[4e426c9] | 37 | abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success); |
---|
[3c4fd68] | 38 | |
---|
| 39 | /* get all the credentials from the context, returns a NULL-terminated array of credentials */ |
---|
| 40 | abac_credential_t **abac_context_credentials(abac_context_t *ctx); |
---|
| 41 | |
---|
| 42 | /* use this to free the results of either of the previous two functions */ |
---|
| 43 | void abac_context_credentials_free(abac_credential_t **credentials); |
---|
[90d20f0] | 44 | |
---|
[0bf0e67] | 45 | /* |
---|
[401a054] | 46 | * Operations on credentials |
---|
[0bf0e67] | 47 | */ |
---|
[401a054] | 48 | abac_role_t *abac_credential_head(abac_credential_t *cred); |
---|
| 49 | abac_role_t *abac_credential_tail(abac_credential_t *cred); |
---|
| 50 | abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred); |
---|
| 51 | abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred); |
---|
[0bf0e67] | 52 | |
---|
[401a054] | 53 | abac_credential_t *abac_credential_dup(abac_credential_t *cred); |
---|
| 54 | void abac_credential_free(abac_credential_t *cred); |
---|
[0bf0e67] | 55 | |
---|
| 56 | /* |
---|
| 57 | * Operations on roles. |
---|
| 58 | */ |
---|
[dcc1a8e] | 59 | abac_role_t *abac_role_principal_new(char *principal); |
---|
| 60 | abac_role_t *abac_role_role_new(char *principal, char *abac_role_name); |
---|
| 61 | abac_role_t *abac_role_linking_new(char *principal, char *linked_role, char *abac_role_name); |
---|
[0bf0e67] | 62 | |
---|
[dcc1a8e] | 63 | void abac_role_free(abac_role_t *role); |
---|
[0bf0e67] | 64 | |
---|
[dcc1a8e] | 65 | abac_role_t *abac_role_from_string(char *string); |
---|
| 66 | abac_role_t *abac_role_dup(abac_role_t *role); |
---|
[0bf0e67] | 67 | |
---|
[dcc1a8e] | 68 | int abac_role_is_principal(abac_role_t *role); |
---|
| 69 | int abac_role_is_role(abac_role_t *role); |
---|
| 70 | int abac_role_is_linking(abac_role_t *role); |
---|
[9a411d7] | 71 | int abac_role_is_intersection(abac_role_t *role); |
---|
[0bf0e67] | 72 | |
---|
[dcc1a8e] | 73 | char *abac_role_string(abac_role_t *role); |
---|
| 74 | char *abac_role_linked_role(abac_role_t *role); |
---|
| 75 | char *abac_role_role_name(abac_role_t *role); |
---|
| 76 | char *abac_role_principal(abac_role_t *role); |
---|
[0bf0e67] | 77 | |
---|
[dcc1a8e] | 78 | char *abac_role_attr_key(abac_role_t *head_role, abac_role_t *tail_role); |
---|
[0bf0e67] | 79 | |
---|
[461541a] | 80 | /* |
---|
| 81 | * Operations on ID |
---|
| 82 | */ |
---|
| 83 | // create an ID from an X.509 certificate |
---|
| 84 | abac_id_t *abac_id_from_file(char *); |
---|
| 85 | |
---|
| 86 | // create an ID from a X.509 certificate PEM chunk |
---|
| 87 | abac_id_t *abac_id_from_chunk(abac_chunk_t chunk); |
---|
| 88 | |
---|
| 89 | // load an X.509 private key from a file |
---|
| 90 | int abac_id_privkey_from_file(abac_id_t *id, char *filename); |
---|
| 91 | |
---|
| 92 | // generate an ID |
---|
| 93 | // returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top) |
---|
| 94 | int abac_id_generate(abac_id_t **ret, char *cn, long validity); |
---|
| 95 | |
---|
| 96 | // get the SHA1 keyid, pointer is valid for the lifetime of the object |
---|
| 97 | char *abac_id_keyid(abac_id_t *id); |
---|
| 98 | |
---|
| 99 | // get the name of the issuer |
---|
| 100 | // caller must free the returned string |
---|
| 101 | char *abac_id_issuer(abac_id_t *id); |
---|
| 102 | |
---|
| 103 | // get the DN of the subject |
---|
| 104 | // caller must free the returned string |
---|
| 105 | char *abac_id_subject(abac_id_t *id); |
---|
| 106 | |
---|
| 107 | // check if the cert is still valid |
---|
| 108 | int abac_id_still_valid(abac_id_t *id); |
---|
| 109 | |
---|
| 110 | // check if the principal cert's keyid is specified |
---|
| 111 | int abac_id_has_keyid(abac_id_t *id, char *); |
---|
| 112 | |
---|
| 113 | // check if the cert is has a private key |
---|
| 114 | int abac_id_has_privkey(abac_id_t *id); |
---|
| 115 | |
---|
| 116 | // get the validity period of the cert |
---|
| 117 | int abac_id_validity(abac_id_t *id, struct tm *not_before, struct tm *not_after); |
---|
| 118 | |
---|
| 119 | // default filename for the cert: ${CN}_ID.pem |
---|
| 120 | // caller must free the returned string |
---|
| 121 | char *abac_id_cert_filename(abac_id_t *id); |
---|
| 122 | |
---|
| 123 | // write the cert fo an open file pointer |
---|
| 124 | int abac_id_write_cert(abac_id_t *id, FILE *out); |
---|
| 125 | |
---|
| 126 | // default filename for the private key: ${CN}_key.pem |
---|
| 127 | // caller must free the return value |
---|
| 128 | char *abac_id_privkey_filename(abac_id_t *id); |
---|
| 129 | |
---|
| 130 | // write the private key to a file |
---|
| 131 | // it is recommended that you open this file mode 0600 |
---|
| 132 | // returns false if there's no private key loaded |
---|
| 133 | int abac_id_write_privkey(abac_id_t *id, FILE *out); |
---|
| 134 | |
---|
| 135 | // get a chunk representing the cert |
---|
| 136 | // you must free the ptr of the chunk when done |
---|
| 137 | abac_chunk_t abac_id_cert_chunk(abac_id_t *id); |
---|
| 138 | |
---|
| 139 | // dup an ID (increases its refcount) |
---|
| 140 | abac_id_t *abac_id_dup(abac_id_t *id); |
---|
| 141 | |
---|
| 142 | // destroy the id |
---|
| 143 | // decreases refcount and destroys when it hits 0 |
---|
| 144 | void abac_id_free(abac_id_t *id); |
---|
| 145 | |
---|
| 146 | /* |
---|
| 147 | * Operations on Attribute |
---|
| 148 | */ |
---|
| 149 | // |
---|
| 150 | // Here's the skinny: |
---|
| 151 | // Attribute cert objects don't contain an actual cert until they're baked. |
---|
| 152 | // First you construct the object using abac_attribute_create, then you add |
---|
| 153 | // subjects to it using abac_attribute_{principal,role,linking_role}. |
---|
| 154 | // Finally you bake it. Once you've done that, you can keep it as XML chunk |
---|
| 155 | // or write it to a file. |
---|
| 156 | // |
---|
| 157 | |
---|
| 158 | // create an attribute cert |
---|
| 159 | // validity is in days |
---|
| 160 | // returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top) |
---|
| 161 | int abac_attribute_create(abac_attribute_t **attr, abac_id_t *issuer, char *role, long validity); |
---|
| 162 | |
---|
| 163 | // add a head string to the cert |
---|
| 164 | void abac_attribute_set_head(abac_attribute_t *attr, char *string); |
---|
| 165 | |
---|
| 166 | // return the head string of the attribute |
---|
| 167 | char *abac_attribute_get_head(abac_attribute_t *); |
---|
| 168 | |
---|
| 169 | // add a tail role string to the cert |
---|
| 170 | void abac_attribute_set_tail(abac_attribute_t *attr, char *string); |
---|
| 171 | |
---|
| 172 | // return the tail string of the attribute |
---|
| 173 | char *abac_attribute_get_tail(abac_attribute_t *); |
---|
| 174 | |
---|
| 175 | // add a principal subject to the cert |
---|
| 176 | int abac_attribute_principal(abac_attribute_t *attr, char *keyid); |
---|
| 177 | |
---|
| 178 | // add a role subject |
---|
| 179 | int abac_attribute_role(abac_attribute_t *attr, char *keyid, char *role); |
---|
| 180 | |
---|
| 181 | // add a linking role subject |
---|
| 182 | int abac_attribute_linking_role(abac_attribute_t *attr, char *keyid, char *role, char *linked); |
---|
| 183 | |
---|
| 184 | // create the attribute cert once all the subjects have been added |
---|
| 185 | // can return 0 if there are no subjects or there's a problem building the cert |
---|
| 186 | int abac_attribute_bake(abac_attribute_t *attr); |
---|
| 187 | |
---|
| 188 | // returns true iff the cert's been baked |
---|
| 189 | int abac_attribute_baked(abac_attribute_t *attr); |
---|
| 190 | |
---|
| 191 | // write the cert to a file. returns 0 if the cert hasn't been baked |
---|
| 192 | int abac_attribute_write(abac_attribute_t *attr, FILE *out); |
---|
| 193 | |
---|
| 194 | // get chunked cert |
---|
| 195 | // returns 0 if the cert isn't baked |
---|
| 196 | int abac_attribute_cert_chunk(abac_attribute_t *, abac_chunk_t *); |
---|
| 197 | |
---|
| 198 | // destroy the cert |
---|
| 199 | void abac_attribute_free(abac_attribute_t *); |
---|
| 200 | |
---|
| 201 | // load a list of attr cert from file (aborts on fail) |
---|
| 202 | abac_list_t *abac_attribute_certs_from_file(char *); |
---|
| 203 | |
---|
| 204 | // load a list of attr cert from chunk (aborts on fail) |
---|
| 205 | abac_list_t *abac_attribute_certs_from_chunk(abac_chunk_t); |
---|
| 206 | |
---|
| 207 | // get the attribute role string |
---|
| 208 | char *abac_attribute_role_string(abac_attribute_t *attr); |
---|
| 209 | |
---|
| 210 | // get the issuer id of an attribute |
---|
| 211 | abac_id_t *abac_attribute_issuer_id(abac_attribute_t *ptr); |
---|
| 212 | |
---|
| 213 | // get the validity period of the attribute cert |
---|
| 214 | int abac_attribute_validity(abac_attribute_t *attr, struct tm *not_before, struct tm *not_after); |
---|
| 215 | |
---|
| 216 | // return the principal from an attribute's role string |
---|
| 217 | // callee must free the space |
---|
| 218 | char *abac_attribute_get_principal(abac_attribute_t *attr); |
---|
| 219 | |
---|
| 220 | // check if the attribute cert is still valid |
---|
| 221 | int abac_attribute_still_valid(abac_attribute_t *attr); |
---|
| 222 | |
---|
| 223 | |
---|
[0779c99] | 224 | /* |
---|
| 225 | * Error codes for loading certificates. |
---|
| 226 | */ |
---|
| 227 | #define ABAC_CERT_SUCCESS 0 // certificate loaded, all is well |
---|
| 228 | #define ABAC_CERT_INVALID -1 // invalid format; also file not found |
---|
| 229 | #define ABAC_CERT_BAD_SIG -2 // invalid signature |
---|
| 230 | #define ABAC_CERT_MISSING_ISSUER -3 // missing ID cert that issued the attribute cert |
---|
[461541a] | 231 | #define ABAC_CERT_BAD_PRINCIPAL -4 // Principal of attribute cert issuer has mismatch keyid |
---|
| 232 | #define ABAC_CERT_INVALID_ISSUER -5 // Issuer of attribute cert is invalid |
---|
| 233 | #define ABAC_CERT_SIGNER_NOKEY -6 // Signer of attribute cert is missing private key |
---|
| 234 | |
---|
| 235 | /* |
---|
| 236 | * Error codes for IDs and Attributes |
---|
| 237 | */ |
---|
| 238 | #define ABAC_SUCCESS 0 |
---|
| 239 | #define ABAC_FAILURE 1 /* catch all */ |
---|
| 240 | #define ABAC_GENERATE_INVALID_CN -1 |
---|
| 241 | #define ABAC_GENERATE_INVALID_VALIDITY -2 |
---|
| 242 | #define ABAC_ATTRIBUTE_ISSUER_NOKEY -3 |
---|
| 243 | #define ABAC_ATTRIBUTE_INVALID_ROLE -4 |
---|
| 244 | #define ABAC_ATTRIBUTE_INVALID_VALIDITY -5 |
---|
| 245 | #define ABAC_ATTRIBUTE_INVALID_ISSUER -6 |
---|
| 246 | |
---|
| 247 | |
---|
[0779c99] | 248 | |
---|
[90d20f0] | 249 | #endif /* __ABAC_H__ */ |
---|