1 | #ifndef __ABAC_H__ |
---|
2 | #define __ABAC_H__ |
---|
3 | |
---|
4 | #include <time.h> // for struct tm |
---|
5 | #include <stdio.h> // for FILE |
---|
6 | |
---|
7 | typedef struct _abac_context_t abac_context_t; |
---|
8 | typedef struct _abac_credential_t abac_credential_t; |
---|
9 | typedef struct _abac_id_cert_t abac_id_cert_t; |
---|
10 | typedef struct _abac_role_t abac_role_t; |
---|
11 | |
---|
12 | typedef struct _abac_id_t abac_id_t; |
---|
13 | typedef struct _abac_attribute_t abac_attribute_t; |
---|
14 | |
---|
15 | typedef struct _abac_list_t ABAC_LIST_T; |
---|
16 | |
---|
17 | typedef struct _abac_chunk_t { |
---|
18 | unsigned char *ptr; |
---|
19 | int len; |
---|
20 | } abac_chunk_t; |
---|
21 | |
---|
22 | |
---|
23 | typedef struct abac_keyid_mapping_t abac_keyid_mapping_t; |
---|
24 | typedef struct abac_keyid_map_t abac_keyid_map_t; |
---|
25 | |
---|
26 | /* |
---|
27 | * ABAC functions, operating on an ABAC context. |
---|
28 | */ |
---|
29 | abac_context_t *abac_context_new(void); |
---|
30 | abac_context_t *abac_context_dup(abac_context_t *ctx); |
---|
31 | void abac_context_free(abac_context_t *ctx); |
---|
32 | |
---|
33 | /* see the bottom of the file for possible return codes */ |
---|
34 | int abac_context_load_id_file(abac_context_t *ctx, char *filename); |
---|
35 | int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert); |
---|
36 | int abac_context_load_attribute_file(abac_context_t *ctx, char *filename); |
---|
37 | int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert); |
---|
38 | |
---|
39 | /* load an entire directory full of certs */ |
---|
40 | void abac_context_load_directory(abac_context_t *ctx, char *path); |
---|
41 | |
---|
42 | /* abac query, returns a NULL-terminated array of credentials on success, NULL on fail */ |
---|
43 | abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success); |
---|
44 | |
---|
45 | /* get all the credentials from the context, returns a NULL-terminated array of credentials */ |
---|
46 | abac_credential_t **abac_context_credentials(abac_context_t *ctx); |
---|
47 | |
---|
48 | /* get all the principals from the context, returns a NULL-terminated array of credentials */ |
---|
49 | abac_id_cert_t **abac_context_principals(abac_context_t *ctx); |
---|
50 | |
---|
51 | /* use this to free the results of either of the previous two functions */ |
---|
52 | void abac_context_credentials_free(abac_credential_t **credentials); |
---|
53 | /* Used to pretty print */ |
---|
54 | int abac_context_set_nickname(abac_context_t *ctxt, char *key, char*nick); |
---|
55 | char *abac_context_expand_key(abac_context_t *ctxt, char *s ); |
---|
56 | char *abac_context_expand_nickname(abac_context_t *ctxt, char *s ); |
---|
57 | abac_keyid_map_t *abac_context_get_keyid_map(abac_context_t *ctxt); |
---|
58 | |
---|
59 | /* |
---|
60 | * Operations on credentials |
---|
61 | */ |
---|
62 | abac_role_t *abac_credential_head(abac_credential_t *cred); |
---|
63 | abac_role_t *abac_credential_tail(abac_credential_t *cred); |
---|
64 | abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred); |
---|
65 | abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred); |
---|
66 | |
---|
67 | abac_credential_t *abac_credential_dup(abac_credential_t *cred); |
---|
68 | void abac_credential_free(abac_credential_t *cred); |
---|
69 | char *abac_id_cert_keyid(abac_id_cert_t *); |
---|
70 | |
---|
71 | /* |
---|
72 | * Operations on roles. |
---|
73 | */ |
---|
74 | abac_role_t *abac_role_principal_new(char *principal); |
---|
75 | abac_role_t *abac_role_role_new(char *principal, char *abac_role_name); |
---|
76 | abac_role_t *abac_role_linking_new(char *principal, char *linked_role, char *abac_role_name); |
---|
77 | |
---|
78 | void abac_role_free(abac_role_t *role); |
---|
79 | |
---|
80 | abac_role_t *abac_role_from_string(char *string); |
---|
81 | abac_role_t *abac_role_dup(abac_role_t *role); |
---|
82 | |
---|
83 | int abac_role_is_principal(abac_role_t *role); |
---|
84 | int abac_role_is_role(abac_role_t *role); |
---|
85 | int abac_role_is_linking(abac_role_t *role); |
---|
86 | int abac_role_is_intersection(abac_role_t *role); |
---|
87 | |
---|
88 | char *abac_role_string(abac_role_t *role); |
---|
89 | char *abac_role_short_string(abac_role_t *role, abac_context_t *ctxt); |
---|
90 | char *abac_role_linked_role(abac_role_t *role); |
---|
91 | char *abac_role_linking_role(abac_role_t *role); |
---|
92 | char *abac_role_role_name(abac_role_t *role); |
---|
93 | char *abac_role_principal(abac_role_t *role); |
---|
94 | |
---|
95 | char *abac_role_attr_key(abac_role_t *head_role, abac_role_t *tail_role); |
---|
96 | |
---|
97 | /* |
---|
98 | * Operations on ID |
---|
99 | */ |
---|
100 | // create an ID from an X.509 certificate |
---|
101 | abac_id_t *abac_id_from_file(char *); |
---|
102 | |
---|
103 | // create an ID from a X.509 certificate PEM chunk |
---|
104 | abac_id_t *abac_id_from_chunk(abac_chunk_t chunk); |
---|
105 | |
---|
106 | // load an X.509 private key from a file |
---|
107 | int abac_id_privkey_from_file(abac_id_t *id, char *filename); |
---|
108 | |
---|
109 | // load an X.509 private key from a chunk |
---|
110 | int abac_id_privkey_from_chunk(abac_id_t *id, abac_chunk_t chunk); |
---|
111 | |
---|
112 | // generate an ID |
---|
113 | // returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top) |
---|
114 | int abac_id_generate(abac_id_t **ret, char *cn, long validity); |
---|
115 | |
---|
116 | // generate an ID using supplied private key |
---|
117 | // returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top) |
---|
118 | int abac_id_generate_with_key(abac_id_t **ret, char *cn, long validity, char *keyfile); |
---|
119 | |
---|
120 | // get the SHA1 keyid, pointer is valid for the lifetime of the object |
---|
121 | char *abac_id_keyid(abac_id_t *id); |
---|
122 | |
---|
123 | // get the name of the issuer |
---|
124 | // caller must free the returned string |
---|
125 | char *abac_id_issuer(abac_id_t *id); |
---|
126 | |
---|
127 | // get the DN of the subject |
---|
128 | // caller must free the returned string |
---|
129 | char *abac_id_subject(abac_id_t *id); |
---|
130 | |
---|
131 | // check if the cert is still valid |
---|
132 | int abac_id_still_valid(abac_id_t *id); |
---|
133 | |
---|
134 | // check if the principal cert's keyid is specified |
---|
135 | int abac_id_has_keyid(abac_id_t *id, char *); |
---|
136 | |
---|
137 | // check if the cert is has a private key |
---|
138 | int abac_id_has_privkey(abac_id_t *id); |
---|
139 | |
---|
140 | // get the validity period of the cert |
---|
141 | int abac_id_validity(abac_id_t *id, struct tm *not_before, struct tm *not_after); |
---|
142 | |
---|
143 | // default filename for the cert: ${CN}_ID.pem |
---|
144 | // caller must free the returned string |
---|
145 | char *abac_id_cert_filename(abac_id_t *id); |
---|
146 | |
---|
147 | // write the cert fo an open file pointer |
---|
148 | int abac_id_write_cert(abac_id_t *id, FILE *out); |
---|
149 | |
---|
150 | // default filename for the private key: ${CN}_key.pem |
---|
151 | // caller must free the return value |
---|
152 | char *abac_id_privkey_filename(abac_id_t *id); |
---|
153 | |
---|
154 | // write the private key to a file |
---|
155 | // it is recommended that you open this file mode 0600 |
---|
156 | // returns false if there's no private key loaded |
---|
157 | int abac_id_write_privkey(abac_id_t *id, FILE *out); |
---|
158 | |
---|
159 | // get a chunk representing the cert |
---|
160 | // you must free the ptr of the chunk when done |
---|
161 | abac_chunk_t abac_id_cert_chunk(abac_id_t *id); |
---|
162 | |
---|
163 | // get a chunk representing the private key of the id |
---|
164 | abac_chunk_t abac_id_privkey_chunk(abac_id_t *id); |
---|
165 | |
---|
166 | // dup an ID (increases its refcount) |
---|
167 | abac_id_t *abac_id_dup(abac_id_t *id); |
---|
168 | |
---|
169 | // destroy the id |
---|
170 | // decreases refcount and destroys when it hits 0 |
---|
171 | void abac_id_free(abac_id_t *id); |
---|
172 | |
---|
173 | /* |
---|
174 | * Operations on Attribute |
---|
175 | */ |
---|
176 | // |
---|
177 | // Here's the skinny: |
---|
178 | // Attribute cert objects don't contain an actual cert until they're baked. |
---|
179 | // First you construct the object using abac_attribute_create, then you add |
---|
180 | // subjects to it using abac_attribute_{principal,role,linking_role}. |
---|
181 | // Finally you bake it. Once you've done that, you can keep it as XML chunk |
---|
182 | // or write it to a file. |
---|
183 | // |
---|
184 | |
---|
185 | // create an attribute cert |
---|
186 | // validity is in days |
---|
187 | // returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top) |
---|
188 | int abac_attribute_create(abac_attribute_t **attr, abac_id_t *issuer, char *role, long validity); |
---|
189 | |
---|
190 | // add a head string to the cert |
---|
191 | void abac_attribute_set_head(abac_attribute_t *attr, char *string); |
---|
192 | |
---|
193 | // return the head string of the attribute |
---|
194 | char *abac_attribute_get_head(abac_attribute_t *); |
---|
195 | |
---|
196 | // add a principal subject to the cert |
---|
197 | int abac_attribute_principal(abac_attribute_t *attr, char *keyid); |
---|
198 | |
---|
199 | // add a role subject |
---|
200 | int abac_attribute_role(abac_attribute_t *attr, char *keyid, char *role); |
---|
201 | |
---|
202 | // add a linking role subject |
---|
203 | int abac_attribute_linking_role(abac_attribute_t *attr, char *keyid, char *role, char *linked); |
---|
204 | |
---|
205 | // create the attribute cert once all the subjects have been added |
---|
206 | // can return 0 if there are no subjects or there's a problem building the cert |
---|
207 | int abac_attribute_bake(abac_attribute_t *attr); |
---|
208 | int abac_attribute_bake_context(abac_attribute_t *attr, abac_context_t *ctxt); |
---|
209 | |
---|
210 | // returns true iff the cert's been baked |
---|
211 | int abac_attribute_baked(abac_attribute_t *attr); |
---|
212 | |
---|
213 | // write the cert to a file. returns 0 if the cert hasn't been baked |
---|
214 | int abac_attribute_write(abac_attribute_t *attr, FILE *out); |
---|
215 | int abac_attribute_write_file(abac_attribute_t *attr, const char *fname); |
---|
216 | |
---|
217 | /* |
---|
218 | * Return the number of tail strings |
---|
219 | */ |
---|
220 | int abac_attribute_get_ntails(abac_attribute_t *a); |
---|
221 | |
---|
222 | /* |
---|
223 | * Return the nth tail string or NULL if it is undefined |
---|
224 | */ |
---|
225 | char *abac_attribute_get_tail_n(abac_attribute_t *a, int n); |
---|
226 | |
---|
227 | // get chunked cert |
---|
228 | // returns 0 if the cert isn't baked |
---|
229 | abac_chunk_t abac_attribute_cert_chunk(abac_attribute_t *); |
---|
230 | |
---|
231 | // destroy the cert |
---|
232 | void abac_attribute_free(abac_attribute_t *); |
---|
233 | |
---|
234 | // load a list of attr cert from file (aborts on fail) |
---|
235 | ABAC_LIST_T *abac_attribute_certs_from_file(ABAC_LIST_T *,char *); |
---|
236 | |
---|
237 | // load a list of attr cert from chunk (aborts on fail) |
---|
238 | ABAC_LIST_T *abac_attribute_certs_from_chunk(ABAC_LIST_T *,abac_chunk_t); |
---|
239 | |
---|
240 | // get the attribute role string |
---|
241 | char *abac_attribute_role_string(abac_attribute_t *attr); |
---|
242 | |
---|
243 | // get the issuer id of an attribute |
---|
244 | abac_id_t *abac_attribute_issuer_id(abac_attribute_t *ptr); |
---|
245 | |
---|
246 | // get the attribute output format |
---|
247 | char *abac_attribute_get_output_format(abac_attribute_t *); |
---|
248 | |
---|
249 | // set the attribute output format |
---|
250 | // Valid formats GENIv1.0, GENIv1.1 |
---|
251 | void abac_attribute_set_output_format(abac_attribute_t *, char *); |
---|
252 | |
---|
253 | // get the validity period of the attribute cert |
---|
254 | int abac_attribute_validity(abac_attribute_t *attr, struct tm *not_before, struct tm *not_after); |
---|
255 | abac_keyid_map_t *abac_attribute_get_keyid_map(abac_attribute_t *); |
---|
256 | |
---|
257 | // return the principal from an attribute's role string |
---|
258 | // callee must free the space |
---|
259 | char *abac_attribute_get_principal(abac_attribute_t *attr); |
---|
260 | |
---|
261 | // check if the attribute cert is still valid |
---|
262 | int abac_attribute_still_valid(abac_attribute_t *attr); |
---|
263 | |
---|
264 | /* abac name mappings. These are used internally, mostly */ |
---|
265 | abac_keyid_mapping_t *abac_keyid_mapping_new(char *k, char *v); |
---|
266 | void abac_keyid_mapping_free(abac_keyid_mapping_t *m); |
---|
267 | abac_keyid_map_t *abac_keyid_map_new(); |
---|
268 | abac_keyid_map_t *abac_keyid_map_dup(abac_keyid_map_t *); |
---|
269 | abac_keyid_map_t *abac_keyid_map_clone(abac_keyid_map_t *); |
---|
270 | void abac_keyid_map_free(abac_keyid_map_t *m); |
---|
271 | char *abac_keyid_map_key_to_nickname(abac_keyid_map_t *m, char *key); |
---|
272 | char *abac_keyid_map_nickname_to_key(abac_keyid_map_t *m, char *nick); |
---|
273 | int abac_keyid_map_remove_keyid(abac_keyid_map_t *m, char *key); |
---|
274 | int abac_keyid_map_add_nickname(abac_keyid_map_t *m, char *key, char *nick); |
---|
275 | void abac_keyid_map_merge(abac_keyid_map_t *d, abac_keyid_map_t *s, |
---|
276 | int overwrite); |
---|
277 | char *abac_keyid_map_expand_key(abac_keyid_map_t *m, char *s); |
---|
278 | char *abac_keyid_map_expand_nickname(abac_keyid_map_t *m, char *s); |
---|
279 | /* |
---|
280 | * Return code for libabac |
---|
281 | */ |
---|
282 | #define ABAC_RC_SUCCESS 0 |
---|
283 | #define ABAC_RC_FAILURE 1 |
---|
284 | |
---|
285 | /* |
---|
286 | * Error codes for loading certificates. |
---|
287 | */ |
---|
288 | #define ABAC_CERT_SUCCESS 0 // certificate loaded, all is well |
---|
289 | #define ABAC_CERT_INVALID -1 // invalid format; also file not found |
---|
290 | #define ABAC_CERT_BAD_SIG -2 // invalid signature |
---|
291 | #define ABAC_CERT_MISSING_ISSUER -3 // missing ID cert that issued the attribute cert |
---|
292 | #define ABAC_CERT_BAD_PRINCIPAL -4 // Principal of attribute cert issuer has mismatch keyid |
---|
293 | #define ABAC_CERT_INVALID_ISSUER -5 // Issuer of attribute cert is invalid |
---|
294 | #define ABAC_CERT_SIGNER_NOKEY -6 // Signer of attribute cert is missing private key |
---|
295 | |
---|
296 | /* |
---|
297 | * Error codes for IDs and Attributes |
---|
298 | */ |
---|
299 | #define ABAC_SUCCESS 0 |
---|
300 | #define ABAC_FAILURE 1 /* catch all */ |
---|
301 | #define ABAC_GENERATE_INVALID_CN -1 |
---|
302 | #define ABAC_GENERATE_INVALID_VALIDITY -2 |
---|
303 | #define ABAC_ATTRIBUTE_ISSUER_NOKEY -3 |
---|
304 | #define ABAC_ATTRIBUTE_INVALID_ROLE -4 |
---|
305 | #define ABAC_ATTRIBUTE_INVALID_VALIDITY -5 |
---|
306 | #define ABAC_ATTRIBUTE_INVALID_ISSUER -6 |
---|
307 | |
---|
308 | |
---|
309 | |
---|
310 | #endif /* __ABAC_H__ */ |
---|