Context Navigation

source: libabac/abac.h @ 94605f2

abac0-leakabac0-meitvf-new-xml

Last change on this file since 94605f2 was 94605f2, checked in by Ted Faber <faber@…>, 11 years ago
checkpoint Lots of the way toward mnemonic names, some parsing fixes
Property mode set to `100644`
File size: 10.8 KB

Line
1	#ifndef __ABAC_H__
2	#define __ABAC_H__
3
4	#include <time.h> // for struct tm
5	#include <stdio.h> // for FILE
6
7	typedef struct _abac_context_t abac_context_t;
8	typedef struct _abac_credential_t abac_credential_t;
9	typedef struct _abac_id_cert_t abac_id_cert_t;
10	typedef struct _abac_role_t abac_role_t;
11
12	typedef struct _abac_id_t abac_id_t;
13	typedef struct _abac_attribute_t abac_attribute_t;
14
15	typedef struct _abac_list_t ABAC_LIST_T;
16
17	typedef struct _abac_chunk_t {
18	unsigned char *ptr;
19	int len;
20	} abac_chunk_t;
21
22
23	typedef struct abac_keyid_mapping_t abac_keyid_mapping_t;
24	typedef struct abac_keyid_map_t abac_keyid_map_t;
25
26	/*
27	* ABAC functions, operating on an ABAC context.
28	*/
29	abac_context_t *abac_context_new(void);
30	abac_context_t abac_context_dup(abac_context_t ctx);
31	void abac_context_free(abac_context_t *ctx);
32
33	/* see the bottom of the file for possible return codes */
34	int abac_context_load_id_file(abac_context_t ctx, char filename);
35	int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert);
36	int abac_context_load_attribute_file(abac_context_t ctx, char filename);
37	int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert);
38
39	/* load an entire directory full of certs */
40	void abac_context_load_directory(abac_context_t ctx, char path);
41
42	/* abac query, returns a NULL-terminated array of credentials on success, NULL on fail */
43	abac_credential_t *abac_context_query(abac_context_t ctx, char role, char principal, int *success);
44
45	/* get all the credentials from the context, returns a NULL-terminated array of credentials */
46	abac_credential_t *abac_context_credentials(abac_context_t ctx);
47
48	/* get all the principals from the context, returns a NULL-terminated array of credentials */
49	abac_id_cert_t *abac_context_principals(abac_context_t ctx);
50
51	/* use this to free the results of either of the previous two functions */
52	void abac_context_credentials_free(abac_credential_t **credentials);
53	/* Used to pretty print */
54	char abac_context_expand_key(abac_context_t ctxt, char *s );
55	char abac_context_expand_nickname(abac_context_t ctxt, char *s );
56
57	/*
58	* Operations on credentials
59	*/
60	abac_role_t abac_credential_head(abac_credential_t cred);
61	abac_role_t abac_credential_tail(abac_credential_t cred);
62	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred);
63	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred);
64
65	abac_credential_t abac_credential_dup(abac_credential_t cred);
66	void abac_credential_free(abac_credential_t *cred);
67	char abac_id_cert_keyid(abac_id_cert_t );
68
69	/*
70	* Operations on roles.
71	*/
72	abac_role_t abac_role_principal_new(char principal);
73	abac_role_t abac_role_role_new(char principal, char *abac_role_name);
74	abac_role_t abac_role_linking_new(char principal, char linked_role, char abac_role_name);
75
76	void abac_role_free(abac_role_t *role);
77
78	abac_role_t abac_role_from_string(char string);
79	abac_role_t abac_role_dup(abac_role_t role);
80
81	int abac_role_is_principal(abac_role_t *role);
82	int abac_role_is_role(abac_role_t *role);
83	int abac_role_is_linking(abac_role_t *role);
84	int abac_role_is_intersection(abac_role_t *role);
85
86	char abac_role_string(abac_role_t role);
87	char abac_role_short_string(abac_role_t role, abac_context_t *ctxt);
88	char abac_role_linked_role(abac_role_t role);
89	char abac_role_linking_role(abac_role_t role);
90	char abac_role_role_name(abac_role_t role);
91	char abac_role_principal(abac_role_t role);
92
93	char abac_role_attr_key(abac_role_t head_role, abac_role_t *tail_role);
94
95	/*
96	* Operations on ID
97	*/
98	// create an ID from an X.509 certificate
99	abac_id_t abac_id_from_file(char );
100
101	// create an ID from a X.509 certificate PEM chunk
102	abac_id_t *abac_id_from_chunk(abac_chunk_t chunk);
103
104	// load an X.509 private key from a file
105	int abac_id_privkey_from_file(abac_id_t id, char filename);
106
107	// load an X.509 private key from a chunk
108	int abac_id_privkey_from_chunk(abac_id_t *id, abac_chunk_t chunk);
109
110	// generate an ID
111	// returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top)
112	int abac_id_generate(abac_id_t *ret, char cn, long validity);
113
114	// generate an ID using supplied private key
115	// returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top)
116	int abac_id_generate_with_key(abac_id_t *ret, char cn, long validity, char *keyfile);
117
118	// get the SHA1 keyid, pointer is valid for the lifetime of the object
119	char abac_id_keyid(abac_id_t id);
120
121	// get the name of the issuer
122	// caller must free the returned string
123	char abac_id_issuer(abac_id_t id);
124
125	// get the DN of the subject
126	// caller must free the returned string
127	char abac_id_subject(abac_id_t id);
128
129	// check if the cert is still valid
130	int abac_id_still_valid(abac_id_t *id);
131
132	// check if the principal cert's keyid is specified
133	int abac_id_has_keyid(abac_id_t id, char );
134
135	// check if the cert is has a private key
136	int abac_id_has_privkey(abac_id_t *id);
137
138	// get the validity period of the cert
139	int abac_id_validity(abac_id_t id, struct tm not_before, struct tm *not_after);
140
141	// default filename for the cert: ${CN}_ID.pem
142	// caller must free the returned string
143	char abac_id_cert_filename(abac_id_t id);
144
145	// write the cert fo an open file pointer
146	int abac_id_write_cert(abac_id_t id, FILE out);
147
148	// default filename for the private key: ${CN}_key.pem
149	// caller must free the return value
150	char abac_id_privkey_filename(abac_id_t id);
151
152	// write the private key to a file
153	// it is recommended that you open this file mode 0600
154	// returns false if there's no private key loaded
155	int abac_id_write_privkey(abac_id_t id, FILE out);
156
157	// get a chunk representing the cert
158	// you must free the ptr of the chunk when done
159	abac_chunk_t abac_id_cert_chunk(abac_id_t *id);
160
161	// get a chunk representing the private key of the id
162	abac_chunk_t abac_id_privkey_chunk(abac_id_t *id);
163
164	// dup an ID (increases its refcount)
165	abac_id_t abac_id_dup(abac_id_t id);
166
167	// destroy the id
168	// decreases refcount and destroys when it hits 0
169	void abac_id_free(abac_id_t *id);
170
171	/*
172	* Operations on Attribute
173	*/
174	//
175	// Here's the skinny:
176	// Attribute cert objects don't contain an actual cert until they're baked.
177	// First you construct the object using abac_attribute_create, then you add
178	// subjects to it using abac_attribute_{principal,role,linking_role}.
179	// Finally you bake it. Once you've done that, you can keep it as XML chunk
180	// or write it to a file.
181	//
182
183	// create an attribute cert
184	// validity is in days
185	// returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top)
186	int abac_attribute_create(abac_attribute_t *attr, abac_id_t issuer, char *role, long validity);
187
188	// add a head string to the cert
189	void abac_attribute_set_head(abac_attribute_t attr, char string);
190
191	// return the head string of the attribute
192	char abac_attribute_get_head(abac_attribute_t );
193
194	// add a principal subject to the cert
195	int abac_attribute_principal(abac_attribute_t attr, char keyid);
196
197	// add a role subject
198	int abac_attribute_role(abac_attribute_t attr, char keyid, char *role);
199
200	// add a linking role subject
201	int abac_attribute_linking_role(abac_attribute_t attr, char keyid, char role, char linked);
202
203	// create the attribute cert once all the subjects have been added
204	// can return 0 if there are no subjects or there's a problem building the cert
205	int abac_attribute_bake(abac_attribute_t *attr);
206
207	// returns true iff the cert's been baked
208	int abac_attribute_baked(abac_attribute_t *attr);
209
210	// write the cert to a file. returns 0 if the cert hasn't been baked
211	int abac_attribute_write(abac_attribute_t attr, FILE out);
212	int abac_attribute_write_file(abac_attribute_t attr, const char fname);
213
214	/*
215	* Return the number of tail strings
216	*/
217	int abac_attribute_get_ntails(abac_attribute_t *a);
218
219	/*
220	* Return the nth tail string or NULL if it is undefined
221	*/
222	char abac_attribute_get_tail_n(abac_attribute_t a, int n);
223
224	// get chunked cert
225	// returns 0 if the cert isn't baked
226	abac_chunk_t abac_attribute_cert_chunk(abac_attribute_t *);
227
228	// destroy the cert
229	void abac_attribute_free(abac_attribute_t *);
230
231	// load a list of attr cert from file (aborts on fail)
232	ABAC_LIST_T abac_attribute_certs_from_file(ABAC_LIST_T ,char *);
233
234	// load a list of attr cert from chunk (aborts on fail)
235	ABAC_LIST_T abac_attribute_certs_from_chunk(ABAC_LIST_T ,abac_chunk_t);
236
237	// get the attribute role string
238	char abac_attribute_role_string(abac_attribute_t attr);
239
240	// get the issuer id of an attribute
241	abac_id_t abac_attribute_issuer_id(abac_attribute_t ptr);
242
243	// get the attribute output format (internal)
244	char abac_attribute_get_output_format(abac_attribute_t );
245
246	// set the attribute output format
247	// Valid formats GENIv1.0, GENIv1.1
248	void abac_attribute_set_output_format(abac_attribute_t , char );
249
250	// get the validity period of the attribute cert
251	int abac_attribute_validity(abac_attribute_t attr, struct tm not_before, struct tm *not_after);
252
253	// return the principal from an attribute's role string
254	// callee must free the space
255	char abac_attribute_get_principal(abac_attribute_t attr);
256
257	// check if the attribute cert is still valid
258	int abac_attribute_still_valid(abac_attribute_t *attr);
259
260	/* abac name mappings. These are used internally, mostly */
261	abac_keyid_mapping_t abac_keyid_mapping_new(char k, char *v);
262	void abac_keyid_mapping_free(abac_keyid_mapping_t *m);
263	abac_keyid_map_t *abac_keyid_map_new();
264	abac_keyid_map_t abac_keyid_map_dup(abac_keyid_map_t );
265	void abac_keyid_map_free(abac_keyid_map_t *m);
266	char abac_keyid_map_key_to_nickname(abac_keyid_map_t m, char *key);
267	char abac_keyid_map_nickname_to_key(abac_keyid_map_t m, char *nick);
268	int abac_keyid_map_remove_keyid(abac_keyid_map_t m, char key);
269	int abac_keyid_map_add_nickname(abac_keyid_map_t m, char key, char *nick);
270	char abac_keyid_map_expand_key(abac_keyid_map_t m, char *s);
271	char abac_keyid_map_expand_nickname(abac_keyid_map_t m, char *s);
272	/*
273	* Return code for libabac
274	*/
275	#define ABAC_RC_SUCCESS 0
276	#define ABAC_RC_FAILURE 1
277
278	/*
279	* Error codes for loading certificates.
280	*/
281	#define ABAC_CERT_SUCCESS 0 // certificate loaded, all is well
282	#define ABAC_CERT_INVALID -1 // invalid format; also file not found
283	#define ABAC_CERT_BAD_SIG -2 // invalid signature
284	#define ABAC_CERT_MISSING_ISSUER -3 // missing ID cert that issued the attribute cert
285	#define ABAC_CERT_BAD_PRINCIPAL -4 // Principal of attribute cert issuer has mismatch keyid
286	#define ABAC_CERT_INVALID_ISSUER -5 // Issuer of attribute cert is invalid
287	#define ABAC_CERT_SIGNER_NOKEY -6 // Signer of attribute cert is missing private key
288
289	/*
290	* Error codes for IDs and Attributes
291	*/
292	#define ABAC_SUCCESS 0
293	#define ABAC_FAILURE 1 /* catch all */
294	#define ABAC_GENERATE_INVALID_CN -1
295	#define ABAC_GENERATE_INVALID_VALIDITY -2
296	#define ABAC_ATTRIBUTE_ISSUER_NOKEY -3
297	#define ABAC_ATTRIBUTE_INVALID_ROLE -4
298	#define ABAC_ATTRIBUTE_INVALID_VALIDITY -5
299	#define ABAC_ATTRIBUTE_INVALID_ISSUER -6
300
301
302
303	#endif /* __ABAC_H__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: