source: libabac/abac.h @ e9b0027

Last change on this file since e9b0027 was 0a1ee31, checked in by Mei <mei@…>, 11 years ago

1) merged with ted's changes

  • Property mode set to 100644
File size: 11.7 KB
Line 
1#ifndef __ABAC_H__
2#define __ABAC_H__
3
4#include <time.h>  // for struct tm
5#include <stdio.h> // for FILE
6
7typedef struct _abac_context_t abac_context_t;
8typedef struct _abac_credential_t abac_credential_t;
9typedef struct _abac_id_cert_t abac_id_cert_t;
10typedef struct _abac_role_t abac_role_t;
11
12typedef struct _abac_id_t abac_id_t;
13typedef struct _abac_attribute_t abac_attribute_t;
14
15typedef struct _abac_list_t ABAC_LIST_T;
16
17#ifndef __ABAC_CHUNK_T__
18#define __ABAC_CHUNK_T__
19/* The len is the number of string bytes contained in the chunk,
20 * neglecting the trainling 0.  The whole chunk thing should probably
21 * be deprecated. -- tvf */
22typedef struct _abac_chunk_t {
23    unsigned char *ptr;
24    int len;
25} abac_chunk_t;
26
27void abac_chunk_free(abac_chunk_t *);
28#endif /* __ABAC_CHUNK_T__ */
29
30typedef struct abac_keyid_mapping_t abac_keyid_mapping_t;
31typedef struct abac_keyid_map_t abac_keyid_map_t;
32
33/*
34 * ABAC functions, operating on an ABAC context.
35 */
36abac_context_t *abac_context_new(void);
37abac_context_t *abac_context_dup(abac_context_t *ctx);
38void abac_context_free(abac_context_t *ctx);
39
40
41/* see the bottom of the file for possible return codes */
42int abac_context_load_id_file(abac_context_t *ctx, char *filename);
43int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert);
44int abac_context_load_id_id(abac_context_t *ctx, abac_id_t *cert);
45int abac_context_load_attribute_file(abac_context_t *ctx, char *filename);
46int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert);
47
48/* load an entire directory full of certs */
49void abac_context_load_directory(abac_context_t *ctx, char *path);
50
51/* abac query, returns a NULL-terminated array of credentials on success, NULL on fail */
52abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success);
53
54/* get all the credentials from the context, returns a NULL-terminated array of credentials */
55abac_credential_t **abac_context_credentials(abac_context_t *ctx);
56
57/* get all the principals from the context, returns a NULL-terminated array of credentials */
58abac_id_cert_t **abac_context_principals(abac_context_t *ctx);
59void abac_context_id_credentials_free(abac_id_cert_t **);
60
61/* use this to free the results of either of the previous two functions */
62void abac_context_credentials_free(abac_credential_t **credentials);
63/* Used to pretty print */
64int abac_context_set_nickname(abac_context_t *ctxt, char *key, char*nick);
65char *abac_context_expand_key(abac_context_t *ctxt, char *s );
66char *abac_context_expand_nickname(abac_context_t *ctxt, char *s );
67abac_keyid_map_t *abac_context_get_keyid_map(abac_context_t *ctxt);
68
69/*
70 * Operations on credentials
71 */
72abac_role_t *abac_credential_head(abac_credential_t *cred);
73abac_role_t *abac_credential_tail(abac_credential_t *cred);
74abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred);
75abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred);
76
77abac_credential_t *abac_credential_dup(abac_credential_t *cred);
78void abac_credential_free(abac_credential_t *cred);
79char *abac_id_cert_keyid(abac_id_cert_t *);
80char *abac_id_cert_cn(abac_id_cert_t *);
81
82/*
83 * Operations on roles.
84 */
85abac_role_t *abac_role_principal_new(char *principal);
86abac_role_t *abac_role_role_new(char *principal, char *abac_role_name);
87abac_role_t *abac_role_linking_new(char *principal, char *linked_role, char *abac_role_name);
88
89void abac_role_free(abac_role_t *role);
90
91abac_role_t *abac_role_from_string(char *string);
92abac_role_t *abac_role_dup(abac_role_t *role);
93
94int abac_role_is_principal(abac_role_t *role);
95int abac_role_is_role(abac_role_t *role);
96int abac_role_is_linking(abac_role_t *role);
97int abac_role_is_intersection(abac_role_t *role);
98
99char *abac_role_string(abac_role_t *role);
100char *abac_role_short_string(abac_role_t *role, abac_context_t *ctxt);
101char *abac_role_linked_role(abac_role_t *role);
102char *abac_role_linking_role(abac_role_t *role);
103char *abac_role_role_name(abac_role_t *role);
104char *abac_role_principal(abac_role_t *role);
105
106char *abac_role_attr_key(abac_role_t *head_role, abac_role_t *tail_role);
107
108/*
109 * Operations on ID
110 */
111// create an ID from an X.509 certificate
112abac_id_t *abac_id_from_file(char *);
113
114// create an ID from a X.509 certificate PEM chunk
115abac_id_t *abac_id_from_chunk(abac_chunk_t chunk);
116
117// load an X.509 private key from a file
118int abac_id_privkey_from_file(abac_id_t *id, char *filename);
119
120// load an X.509 private key from a chunk
121int abac_id_privkey_from_chunk(abac_id_t *id, abac_chunk_t chunk);
122
123// generate an ID
124// returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top)
125int abac_id_generate(abac_id_t **ret, char *cn, long validity);
126
127// generate an ID using supplied private key
128// returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top)
129int abac_id_generate_with_key(abac_id_t **ret, char *cn, long validity, char *keyfile);
130
131// get the SHA1 keyid, pointer is valid for the lifetime of the object
132char *abac_id_keyid(abac_id_t *id);
133
134// get the CN of keyid, pointer is valid for the lifetime of the object
135char *abac_id_cn(abac_id_t *id);
136
137// get the name of the issuer
138// caller must free the returned string
139char *abac_id_issuer(abac_id_t *id);
140
141// get the DN of the subject
142// caller must free the returned string
143char *abac_id_subject(abac_id_t *id);
144
145// check if the cert is still valid
146int abac_id_still_valid(abac_id_t *id);
147
148// check if the principal cert's keyid is specified
149int abac_id_has_keyid(abac_id_t *id, char *);
150
151// check if the cert is has a private key
152int abac_id_has_privkey(abac_id_t *id);
153
154// get the validity period of the cert
155int abac_id_validity(abac_id_t *id, struct tm *not_before, struct tm *not_after);
156
157// default filename for the cert: ${CN}_ID.pem
158// caller must free the returned string
159char *abac_id_cert_filename(abac_id_t *id);
160
161// write the cert fo an open file pointer
162int abac_id_write_cert(abac_id_t *id, FILE *out);
163
164// default filename for the private key: ${CN}_key.pem
165// caller must free the return value
166char *abac_id_privkey_filename(abac_id_t *id);
167
168// write the private key to a file
169// it is recommended that you open this file mode 0600
170// returns false if there's no private key loaded
171int abac_id_write_privkey(abac_id_t *id, FILE *out);
172
173// get a chunk representing the cert
174// you must free the ptr of the chunk when done
175abac_chunk_t abac_id_cert_chunk(abac_id_t *id);
176
177// get a chunk representing the private key of the id
178abac_chunk_t abac_id_privkey_chunk(abac_id_t *id);
179
180// dup an ID (increases its refcount)
181abac_id_t *abac_id_dup(abac_id_t *id);
182
183// destroy the id
184// decreases refcount and destroys when it hits 0
185void abac_id_free(abac_id_t *id);
186
187/*
188 * Operations on Attribute
189 */
190//
191// Here's the skinny:
192//  Attribute cert objects don't contain an actual cert until they're baked.
193//  First you construct the object using abac_attribute_create, then you add
194//  subjects to it using abac_attribute_{principal,role,linking_role}.
195//  Finally you bake it. Once you've done that, you can keep it as XML chunk
196//  or write it to a file.
197//
198
199// create an attribute cert
200// validity is in days
201// returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top)
202int abac_attribute_create(abac_attribute_t **attr, abac_id_t *issuer, char *role, long validity);
203
204// add a head string to the cert
205void abac_attribute_set_head(abac_attribute_t *attr, char *string);
206
207// return the head string of the attribute
208char *abac_attribute_get_head(abac_attribute_t *);
209
210// add a principal subject to the cert
211int abac_attribute_principal(abac_attribute_t *attr, char *keyid);
212
213// add a role subject
214int abac_attribute_role(abac_attribute_t *attr, char *keyid, char *role);
215
216// add a linking role subject
217int abac_attribute_linking_role(abac_attribute_t *attr, char *keyid, char *role, char *linked);
218
219// create the attribute cert once all the subjects have been added
220// can return 0 if there are no subjects or there's a problem building the cert
221int abac_attribute_bake(abac_attribute_t *attr);
222int abac_attribute_bake_context(abac_attribute_t *attr, abac_context_t *ctxt);
223
224// returns true iff the cert's been baked
225int abac_attribute_baked(abac_attribute_t *attr);
226
227// write the cert to a file. returns 0 if the cert hasn't been baked
228int abac_attribute_write(abac_attribute_t *attr, FILE *out);
229int abac_attribute_write_file(abac_attribute_t *attr, const char *fname);
230
231/*
232 * Return the number of tail strings
233 */
234int abac_attribute_get_ntails(abac_attribute_t *a);
235
236/*
237 * Return the nth tail string or NULL if it is undefined
238 */
239char *abac_attribute_get_tail_n(abac_attribute_t *a, int n);
240
241// get chunked cert
242// returns 0 if the cert isn't baked
243abac_chunk_t abac_attribute_cert_chunk(abac_attribute_t *);
244
245// destroy the cert
246void abac_attribute_free(abac_attribute_t *);
247
248// load a list of attr cert from file (aborts on fail)
249ABAC_LIST_T *abac_attribute_certs_from_file(ABAC_LIST_T *,char *);
250
251// load a list of attr cert from chunk (aborts on fail)
252ABAC_LIST_T *abac_attribute_certs_from_chunk(ABAC_LIST_T *,abac_chunk_t);
253
254        // get the attribute role string
255char *abac_attribute_role_string(abac_attribute_t *attr);
256
257// get the issuer id of an attribute
258abac_id_t *abac_attribute_issuer_id(abac_attribute_t *ptr);
259
260// get the attribute output format
261char *abac_attribute_get_output_format(abac_attribute_t *);
262
263// set the attribute output format
264// Valid formats GENIv1.0, GENIv1.1
265void abac_attribute_set_output_format(abac_attribute_t *, char *);
266
267// get the validity period of the attribute cert
268int abac_attribute_validity(abac_attribute_t *attr, struct tm *not_before, struct tm *not_after);
269abac_keyid_map_t *abac_attribute_get_keyid_map(abac_attribute_t *);
270
271// return the principal from an attribute's role string
272// callee must free the space
273char *abac_attribute_get_principal(abac_attribute_t *attr);
274
275// check if the attribute cert is still valid
276int abac_attribute_still_valid(abac_attribute_t *attr);
277
278/* abac name mappings.  These are used internally, mostly */
279abac_keyid_mapping_t *abac_keyid_mapping_new(char *k, char *v);
280void abac_keyid_mapping_free(abac_keyid_mapping_t *m);
281abac_keyid_map_t *abac_keyid_map_new();
282abac_keyid_map_t *abac_keyid_map_dup(abac_keyid_map_t *);
283abac_keyid_map_t *abac_keyid_map_clone(abac_keyid_map_t *);
284void abac_keyid_map_free(abac_keyid_map_t *m); 
285char *abac_keyid_map_key_to_nickname(abac_keyid_map_t *m, char *key);
286char *abac_keyid_map_nickname_to_key(abac_keyid_map_t *m, char *nick); 
287int abac_keyid_map_remove_keyid(abac_keyid_map_t *m, char *key); 
288int abac_keyid_map_add_nickname(abac_keyid_map_t *m, char *key, char *nick);
289void abac_keyid_map_merge(abac_keyid_map_t *d, abac_keyid_map_t *s, 
290        int overwrite);
291char *abac_keyid_map_expand_key(abac_keyid_map_t *m, char *s); 
292char *abac_keyid_map_expand_nickname(abac_keyid_map_t *m, char *s);
293/*
294 * Return code for libabac
295 */
296#define ABAC_RC_SUCCESS                0
297#define ABAC_RC_FAILURE                1
298
299/*
300 * Error codes for loading certificates.
301 */
302#define ABAC_CERT_SUCCESS           0   // certificate loaded, all is well
303#define ABAC_CERT_INVALID           -1  // invalid format; also file not found
304#define ABAC_CERT_BAD_SIG           -2  // invalid signature
305#define ABAC_CERT_MISSING_ISSUER    -3  // missing ID cert that issued the attribute cert
306#define ABAC_CERT_BAD_PRINCIPAL     -4  // Principal of attribute cert issuer has mismatch keyid
307#define ABAC_CERT_INVALID_ISSUER    -5  // Issuer of attribute cert is invalid
308#define ABAC_CERT_SIGNER_NOKEY      -6  // Signer of attribute cert is missing private key
309
310/*
311 * Error codes for IDs and Attributes
312 */
313#define ABAC_SUCCESS                          0
314#define ABAC_FAILURE                          1 /* catch all */
315#define ABAC_GENERATE_INVALID_CN             -1
316#define ABAC_GENERATE_INVALID_VALIDITY       -2
317#define ABAC_ATTRIBUTE_ISSUER_NOKEY          -3
318#define ABAC_ATTRIBUTE_INVALID_ROLE          -4
319#define ABAC_ATTRIBUTE_INVALID_VALIDITY      -5
320#define ABAC_ATTRIBUTE_INVALID_ISSUER        -6
321
322
323
324#endif /* __ABAC_H__ */
Note: See TracBrowser for help on using the repository browser.