source: libabac/abac.h @ e50f807

abac0-leakabac0-meitvf-new-xml
Last change on this file since e50f807 was e50f807, checked in by Ted Faber <faber@…>, 11 years ago

Parse and produce 1.1 credentials. Small tweaks, too.

  • Property mode set to 100644
File size: 9.5 KB
Line 
1#ifndef __ABAC_H__
2#define __ABAC_H__
3
4#include <time.h>  // for struct tm
5#include <stdio.h> // for FILE
6
7typedef struct _abac_context_t abac_context_t;
8typedef struct _abac_credential_t abac_credential_t;
9typedef struct _abac_id_cert_t abac_id_cert_t;
10typedef struct _abac_role_t abac_role_t;
11
12typedef struct _abac_id_t abac_id_t;
13typedef struct _abac_attribute_t abac_attribute_t;
14
15typedef struct _abac_list_t ABAC_LIST_T;
16
17typedef struct _abac_chunk_t {
18    unsigned char *ptr;
19    int len;
20} abac_chunk_t;
21
22/*
23 * ABAC functions, operating on an ABAC context.
24 */
25abac_context_t *abac_context_new(void);
26abac_context_t *abac_context_dup(abac_context_t *ctx);
27void abac_context_free(abac_context_t *ctx);
28
29/* see the bottom of the file for possible return codes */
30int abac_context_load_id_file(abac_context_t *ctx, char *filename);
31int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert);
32int abac_context_load_attribute_file(abac_context_t *ctx, char *filename);
33int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert);
34
35/* load an entire directory full of certs */
36void abac_context_load_directory(abac_context_t *ctx, char *path);
37
38/* abac query, returns a NULL-terminated array of credentials on success, NULL on fail */
39abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success);
40
41/* get all the credentials from the context, returns a NULL-terminated array of credentials */
42abac_credential_t **abac_context_credentials(abac_context_t *ctx);
43
44/* get all the principals from the context, returns a NULL-terminated array of credentials */
45abac_id_cert_t **abac_context_principals(abac_context_t *ctx);
46
47/* use this to free the results of either of the previous two functions */
48void abac_context_credentials_free(abac_credential_t **credentials);
49
50/*
51 * Operations on credentials
52 */
53abac_role_t *abac_credential_head(abac_credential_t *cred);
54abac_role_t *abac_credential_tail(abac_credential_t *cred);
55abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred);
56abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred);
57
58abac_credential_t *abac_credential_dup(abac_credential_t *cred);
59void abac_credential_free(abac_credential_t *cred);
60char *abac_id_cert_keyid(abac_id_cert_t *);
61
62/*
63 * Operations on roles.
64 */
65abac_role_t *abac_role_principal_new(char *principal);
66abac_role_t *abac_role_role_new(char *principal, char *abac_role_name);
67abac_role_t *abac_role_linking_new(char *principal, char *linked_role, char *abac_role_name);
68
69void abac_role_free(abac_role_t *role);
70
71abac_role_t *abac_role_from_string(char *string);
72abac_role_t *abac_role_dup(abac_role_t *role);
73
74int abac_role_is_principal(abac_role_t *role);
75int abac_role_is_role(abac_role_t *role);
76int abac_role_is_linking(abac_role_t *role);
77int abac_role_is_intersection(abac_role_t *role);
78
79char *abac_role_string(abac_role_t *role);
80char *abac_role_linked_role(abac_role_t *role);
81char *abac_role_linking_role(abac_role_t *role);
82char *abac_role_role_name(abac_role_t *role);
83char *abac_role_principal(abac_role_t *role);
84
85char *abac_role_attr_key(abac_role_t *head_role, abac_role_t *tail_role);
86
87/*
88 * Operations on ID
89 */
90// create an ID from an X.509 certificate
91abac_id_t *abac_id_from_file(char *);
92
93// create an ID from a X.509 certificate PEM chunk
94abac_id_t *abac_id_from_chunk(abac_chunk_t chunk);
95
96// load an X.509 private key from a file
97int abac_id_privkey_from_file(abac_id_t *id, char *filename);
98
99// load an X.509 private key from a chunk
100int abac_id_privkey_from_chunk(abac_id_t *id, abac_chunk_t chunk);
101
102// generate an ID
103// returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top)
104int abac_id_generate(abac_id_t **ret, char *cn, long validity);
105
106// generate an ID using supplied private key
107// returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top)
108int abac_id_generate_with_key(abac_id_t **ret, char *cn, long validity, char *keyfile);
109
110// get the SHA1 keyid, pointer is valid for the lifetime of the object
111char *abac_id_keyid(abac_id_t *id);
112
113// get the name of the issuer
114// caller must free the returned string
115char *abac_id_issuer(abac_id_t *id);
116
117// get the DN of the subject
118// caller must free the returned string
119char *abac_id_subject(abac_id_t *id);
120
121// check if the cert is still valid
122int abac_id_still_valid(abac_id_t *id);
123
124// check if the principal cert's keyid is specified
125int abac_id_has_keyid(abac_id_t *id, char *);
126
127// check if the cert is has a private key
128int abac_id_has_privkey(abac_id_t *id);
129
130// get the validity period of the cert
131int abac_id_validity(abac_id_t *id, struct tm *not_before, struct tm *not_after);
132
133// default filename for the cert: ${CN}_ID.pem
134// caller must free the returned string
135char *abac_id_cert_filename(abac_id_t *id);
136
137// write the cert fo an open file pointer
138int abac_id_write_cert(abac_id_t *id, FILE *out);
139
140// default filename for the private key: ${CN}_key.pem
141// caller must free the return value
142char *abac_id_privkey_filename(abac_id_t *id);
143
144// write the private key to a file
145// it is recommended that you open this file mode 0600
146// returns false if there's no private key loaded
147int abac_id_write_privkey(abac_id_t *id, FILE *out);
148
149// get a chunk representing the cert
150// you must free the ptr of the chunk when done
151abac_chunk_t abac_id_cert_chunk(abac_id_t *id);
152
153// get a chunk representing the private key of the id
154abac_chunk_t abac_id_privkey_chunk(abac_id_t *id);
155
156// dup an ID (increases its refcount)
157abac_id_t *abac_id_dup(abac_id_t *id);
158
159// destroy the id
160// decreases refcount and destroys when it hits 0
161void abac_id_free(abac_id_t *id);
162
163/*
164 * Operations on Attribute
165 */
166//
167// Here's the skinny:
168//  Attribute cert objects don't contain an actual cert until they're baked.
169//  First you construct the object using abac_attribute_create, then you add
170//  subjects to it using abac_attribute_{principal,role,linking_role}.
171//  Finally you bake it. Once you've done that, you can keep it as XML chunk
172//  or write it to a file.
173//
174
175// create an attribute cert
176// validity is in days
177// returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top)
178int abac_attribute_create(abac_attribute_t **attr, abac_id_t *issuer, char *role, long validity);
179
180// add a head string to the cert
181void abac_attribute_set_head(abac_attribute_t *attr, char *string);
182
183// return the head string of the attribute
184char *abac_attribute_get_head(abac_attribute_t *);
185
186// add a principal subject to the cert
187int abac_attribute_principal(abac_attribute_t *attr, char *keyid);
188
189// add a role subject
190int abac_attribute_role(abac_attribute_t *attr, char *keyid, char *role);
191
192// add a linking role subject
193int abac_attribute_linking_role(abac_attribute_t *attr, char *keyid, char *role, char *linked);
194
195// create the attribute cert once all the subjects have been added
196// can return 0 if there are no subjects or there's a problem building the cert
197int abac_attribute_bake(abac_attribute_t *attr);
198
199// returns true iff the cert's been baked
200int abac_attribute_baked(abac_attribute_t *attr);
201
202// write the cert to a file. returns 0 if the cert hasn't been baked
203int abac_attribute_write(abac_attribute_t *attr, FILE *out);
204int abac_attribute_write_file(abac_attribute_t *attr, const char *fname);
205
206/*
207 * Return the number of tail strings
208 */
209int abac_attribute_get_ntails(abac_attribute_t *a);
210
211/*
212 * Return the nth tail string or NULL if it is undefined
213 */
214char *abac_attribute_get_tail_n(abac_attribute_t *a, int n);
215
216// get chunked cert
217// returns 0 if the cert isn't baked
218abac_chunk_t abac_attribute_cert_chunk(abac_attribute_t *);
219
220// destroy the cert
221void abac_attribute_free(abac_attribute_t *);
222
223// load a list of attr cert from file (aborts on fail)
224ABAC_LIST_T *abac_attribute_certs_from_file(ABAC_LIST_T *,char *);
225
226// load a list of attr cert from chunk (aborts on fail)
227ABAC_LIST_T *abac_attribute_certs_from_chunk(ABAC_LIST_T *,abac_chunk_t);
228
229        // get the attribute role string
230char *abac_attribute_role_string(abac_attribute_t *attr);
231
232// get the issuer id of an attribute
233abac_id_t *abac_attribute_issuer_id(abac_attribute_t *ptr);
234
235// get the validity period of the attribute cert
236int abac_attribute_validity(abac_attribute_t *attr, struct tm *not_before, struct tm *not_after);
237
238// return the principal from an attribute's role string
239// callee must free the space
240char *abac_attribute_get_principal(abac_attribute_t *attr);
241
242// check if the attribute cert is still valid
243int abac_attribute_still_valid(abac_attribute_t *attr);
244
245/*
246 * Return code for libabac
247 */
248#define ABAC_RC_SUCCESS                0
249#define ABAC_RC_FAILURE                1
250
251/*
252 * Error codes for loading certificates.
253 */
254#define ABAC_CERT_SUCCESS           0   // certificate loaded, all is well
255#define ABAC_CERT_INVALID           -1  // invalid format; also file not found
256#define ABAC_CERT_BAD_SIG           -2  // invalid signature
257#define ABAC_CERT_MISSING_ISSUER    -3  // missing ID cert that issued the attribute cert
258#define ABAC_CERT_BAD_PRINCIPAL     -4  // Principal of attribute cert issuer has mismatch keyid
259#define ABAC_CERT_INVALID_ISSUER    -5  // Issuer of attribute cert is invalid
260#define ABAC_CERT_SIGNER_NOKEY      -6  // Signer of attribute cert is missing private key
261
262/*
263 * Error codes for IDs and Attributes
264 */
265#define ABAC_SUCCESS                          0
266#define ABAC_FAILURE                          1 /* catch all */
267#define ABAC_GENERATE_INVALID_CN             -1
268#define ABAC_GENERATE_INVALID_VALIDITY       -2
269#define ABAC_ATTRIBUTE_ISSUER_NOKEY          -3
270#define ABAC_ATTRIBUTE_INVALID_ROLE          -4
271#define ABAC_ATTRIBUTE_INVALID_VALIDITY      -5
272#define ABAC_ATTRIBUTE_INVALID_ISSUER        -6
273
274
275
276#endif /* __ABAC_H__ */
Note: See TracBrowser for help on using the repository browser.