Context Navigation

source: libabac/abac.hh @ 7211a95

mei_rt2mei_rt2_fix_1

Last change on this file since 7211a95 was 7211a95, checked in by Mei <mei@…>, 12 years ago

1) add more python examples
2) add the missing linking role and linking oset api calls
3) fix the output of time typed data term/oset obj in typed_string format

(transform back from yap time format to our ddddddddTdddddd format

Property mode set to 100644

File size: 40.6 KB

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <string>
5	#include <vector>
6
7	namespace ABAC {
8	extern "C" {
9	#include "abac.h"
10	}
11	static int debug=0;
12	class Role;
13	class Oset;
14	class ID;
15
16	/***
17	ABAC::Constraint
18	Constraint on a data term.
19	There are 3 types:
20	- Role constraint on a principal
21	- Oset constraint on a principal, or a data object
22	- Range/List constraint on a data object
23	It holds a ptr to a abac_condition_t structure
24	***/
25	class Constraint {
26	public:
27	/***
28	f Constraint()
29	default constructor, do not use, for swig only
30	f Constraint(const Constraint &)
31	copy constructor, used for cloning a constraint
32	f ~Constraint()
33	default destructor
34	***/
35	Constraint() : m_constraint(NULL) { }
36	Constraint(const Constraint &constraint) {
37	m_constraint =abac_condition_dup(constraint.m_constraint);
38	}
39	~Constraint() {
40	if(m_constraint) abac_condition_free(m_constraint);
41	}
42	/***
43	f Constraint(Role &)
44	constructor that takes a constraining role
45	[role:?R[{role-constraint}]
46	(c:abac_constraint_from_role)
47	f Constraint(Oset &)
48	constructor that takes a constraining oset
49	[oset:?O[{oset-constraint}]
50	[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
51	(c:abac_constraint_from_oset)
52	f Constraint(char *)
53	constructor that takes one of following string
54	as its vartype to set up a range constraint:
55	"integer"
56	"urn"
57	"float"
58	"boolean"
59	"time"
60	"string"
61	it should be followed with one or many of following utility
62	calls.
63	(C:abac_condition_create)
64	***/
65	Constraint(Role& role);
66	Constraint(Oset& oset);
67	Constraint(char *vartype)
68	{ m_constraint=abac_condition_create(vartype); }
69	/ii*
70	f Constraint(abac_condition_t *)
71	internal constructor that takes an abac_condition_t structure
72	*ii/
73	Constraint(abac_condition_t *constraint):
74	m_constraint(abac_condition_dup(constraint))
75	{ }
76	/***
77	f void constraint_add_integer_max(int)
78	(c:abac_constraint_add_integer_max)
79	void constraint_add_integer_min(int)
80	utility routines to setup a integer range constraint
81	[integer:?I[10 .. 20]]
82	(c:abac_constraint_add_integer_min)
83	f void constraint_add_integer_target(int)
84	utility routine to setup a integer list constraint
85	[integer:?I[10,20]]
86	(c:abac_constraint_add_integer_target)
87	***/
88	void constraint_add_integer_max(int val)
89	{ abac_constraint_add_integer_max(m_constraint,val); }
90	void constraint_add_integer_min(int val)
91	{ abac_constraint_add_integer_min(m_constraint,val); }
92	void constraint_add_integer_target(int val)
93	{ abac_constraint_add_integer_target(m_constraint,val); }
94	/***
95	f void constraint_add_float_max(float)
96	void constraint_add_float_min(float)
97	utility routines to setup a float range constraint
98	[float:?F[1.0 .. 2.5]]
99	f void constraint_add_float_target(float)
100	utility routine to setup a float list constraint
101	[float:?F[0.5, 2.5]]
102	***/
103	void constraint_add_float_max(float val)
104	{ abac_constraint_add_float_max(m_constraint,val); }
105	void constraint_add_float_min(float val)
106	{ abac_constraint_add_float_min(m_constraint,val); }
107	void constraint_add_float_target(float val)
108	{ abac_constraint_add_float_target(m_constraint,val); }
109	/***
110	f void constraint_add_time_max(char*)
111	void constraint_add_time_min(char*)
112	utility routines to setup a time range constraint,
113	takes quoted string values, beyond T is optional
114	[time:?F["20120228T" .. "20120228T090000"]]
115	f void constraint_add_time_target(char*)
116	utility routine to setup a time list constraint
117	[time:?M["20201101T182930","20201101T"]]
118	***/
119	void constraint_add_time_max(char* val)
120	{ abac_constraint_add_time_max(m_constraint,val); }
121	void constraint_add_time_min(char* val)
122	{ abac_constraint_add_time_min(m_constraint,val); }
123	void constraint_add_time_target(char* val)
124	{ abac_constraint_add_time_target(m_constraint,val); }
125	/***
126	f void constraint_add_urn_target(char*)
127	utility routine to setup a an urn list constraint
128	[urn:?U["fileA","http://fileB"]]
129	f void constraint_add_string_target(char*)
130	utility routine to setup a a string list constraint
131	[string:?S["abc",'efg',"hij"]]
132	f void constraint_add_boolean_target(char*)
133	utility routine to setup a a boolean list constraint
134	[boolean:?B['true']]
135	***/
136	void constraint_add_urn_target(char* val)
137	{ abac_constraint_add_urn_target(m_constraint,val); }
138	void constraint_add_string_target(char* val)
139	{ abac_constraint_add_string_target(m_constraint,val); }
140	void constraint_add_boolean_target(char* val)
141	{ abac_constraint_add_boolean_target(m_constraint,val); }
142	/***
143	f char *string() const
144	returns literal string of the constraint
145	(c:abac_condition_string)
146	f char *typed_string() const
147	returns typed literal string of the constraint
148	(c:abac_condition_typed_string)
149	***/
150	char *string() const
151	{ return abac_condition_string(m_constraint); }
152	char *typed_string() const
153	{ return abac_condition_typed_string(m_constraint); }
154	/ii*
155	f abac_condition_t *constraint()
156	internal returns internal constraint structure
157	*ii/
158	abac_condition_t *constraint()
159	{ return m_constraint; }
160	private:
161	abac_condition_t *m_constraint;
162	};
163
164	/***
165	ABAC::DataTerm
166	A data term is associated with Role or Oset as a parameter that
167	maybe be instantiated, or uninstantiated but being constrained,
168	or as a principal oset term (standalone right handside of an oset
169	policy rule). It holds a pointer to a abac_term_t structure.
170	Types of data terms are:
171	"integer"
172	"urn"
173	"float"
174	"boolean"
175	"string"
176	"time"
177	"principal"
178	"anonymous"
179	***/
180	class DataTerm {
181	public:
182	/***
183	f DataTerm()
184	default constructor, do not use, for swig only
185	f DataTerm(const DataTerm &)
186	copy constructor, used for cloning a data term
187	f ~DataTerm()
188	default destructor
189	***/
190	DataTerm() : m_term(NULL) { } // do not use: here for swig
191	DataTerm(const DataTerm &dterm) {
192	m_term=abac_term_dup(dterm.m_term);
193	}
194	~DataTerm() {
195	if(m_term) abac_term_free(m_term);
196	}
197	/ii*
198	f DataTerm(abac_term_t *)
199	internal constructor to make data term from abac_term_t structure
200	*ii/
201	DataTerm(abac_term_t *term)
202	{ m_term=abac_term_dup(term); }
203	/***
204	f DataTerm(char*)
205	constructor to make named principal data term for the oset RHS
206	(C: abac_term_named_create)
207	f DataTerm(const ID&)
208	constructor to make named principal data term for parameters
209	(C: abac_term_id_create)
210	f DataTerm(char, char, Constraint*)
211	constructor for making a variable data term
212	(C: abac_term_create)
213	f DataTerm(char, char)
214	constructor for making an instantiated data term
215	(C: abac_term_create)
216	***/
217	DataTerm(char *name) {
218	if(debug) printf("adding a Dataterm named principal(%s)\n",name);
219	m_term=abac_term_named_create(name);
220	}
221	DataTerm(ID& id);
222	DataTerm(char* typenm, char name, Constraint cond) {
223	if(debug) printf("adding a Dataterm (%s)\n",name);
224	m_term=abac_term_create(typenm,name,cond->constraint());
225	}
226	DataTerm(char* typenm, char *name) {
227	if(debug) printf("adding a Dataterm (%s)\n",name);
228	m_term=abac_term_create(typenm,name,NULL);
229	}
230	/***
231	f char *string() const
232	returns literal string of the data term
233	(c:abac_term_string)
234	f char *typed_string() const
235	returns typed literal string of the data term
236	(c:abac_term_typed_string)
237	***/
238	char *string() const
239	{ return abac_term_string(m_term); }
240	char *typed_string() const
241	{ return abac_term_typed_string(m_term); }
242	/***
243	f bool term_is_time() const
244	bool term_is_string() const
245	bool term_is_urn() const
246	bool term_is_integer() const
247	returns true if data term is of certain type
248	***/
249	bool term_is_time() const
250	{ return abac_term_is_time(m_term); }
251	bool term_is_string() const
252	{ return abac_term_is_string(m_term); }
253	bool term_is_urn() const
254	{ return abac_term_is_urn(m_term); }
255	bool term_is_integer() const
256	{ return abac_term_is_integer(m_term); }
257	/***
258	f int term_add_constraint(Contraint&)
259	utiltiy routine to add a constraint to this data term
260	***/
261	int term_add_constraint(Constraint& cond) {
262	abac_term_add_constraint(m_term, cond.constraint());
263	return 1;
264	}
265	/***
266	f int term_type() const
267	returns subtype of the data term
268	f char *term_name() const
269	returns the name of the data term
270	***/
271	int term_type() const
272	{ abac_term_type(m_term); }
273	char *term_name() const
274	{ return abac_term_name(m_term); }
275	/ii*
276	f abac_term_t *term()
277	returns abac_term_t term structure
278	*ii/
279	abac_term_t *term()
280	{ return m_term; }
281	private:
282	abac_term_t *m_term;
283	};
284
285
286	/***
287	ABAC::Role
288	A Role is role specification of a set of entitities for a principal
289	***/
290	class Role {
291	public:
292	/***
293	f Role()
294	default constructor, do not use, for swig only
295	f Role(const Role &)
296	copy constructor, used for cloning a role
297	f ~Role()
298	default destructor
299	***/
300	Role() : m_role(NULL) { } // do not use: here for swig
301	Role(const Role &role) {
302	m_role = abac_aspect_dup(role.m_role);
303	}
304	~Role() {
305	if (m_role) abac_aspect_free(m_role);
306	}
307	/ii*
308	f Role(abac_aspect_t*)
309	constructor that takes an abac_aspect_t structure
310	*ii/
311	Role(abac_aspect_t *role): m_role(abac_aspect_dup(role))
312	{ }
313	/***
314	f Role(char*)
315	constructor that builds a bare bone role with just principal's name
316	(c:abac_role_principal_create)
317	f Role(char, char)
318	constructor that builds a bare bone role with just principal's name
319	and a role name
320	(c:abac_role_create)
321	f Role(char, char, char*)
322	constructor that builds a bare bone role with just principal's name
323	and a linking role name and a role name
324	(c:abac_role_linked_create)
325	***/
326	Role(char *principal_name) :
327	m_role(abac_role_principal_create(principal_name))
328	{ }
329	Role(char principal_name, char role_name) :
330	m_role(abac_role_create(principal_name, role_name))
331	{ }
332	Role(char principal_name, char linked_role_name, char *role_name) :
333	m_role(abac_role_linked_create(principal_name, linked_role_name,role_name))
334	{ }
335	/***
336	f bool role_is_principal() const
337	return true if the role is a principal object(made from
338	a data term), the right hand side of,
339	[keyid:A].role:r <- [keyid:B]
340	***/
341	bool role_is_principal() const
342	{ return abac_role_is_principal(m_role); }
343	/***
344	f bool role_is_linking() const
345	returns true if the role is a linking role like
346	the right hand side of,
347	[keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
348	***/
349	bool is_linking() const
350	{ return abac_role_is_linking(m_role); }
351	/***
352	f char *string() const
353	returns literal string of the role
354	(c:abac_aspect_string)
355	f char *typed_string() const
356	returns typed literal string of the role
357	(c:abac_aspect_typed_string)
358	***/
359	char *string() const
360	{ return abac_aspect_string(m_role); }
361	char *typed_string()
362	{ return abac_aspect_typed_string(m_role); }
363	/***
364	f char *role_linked_role() const
365	returns linked part of a linking role, for
366	[keyid:A].role:r1.role:r2, it returns r1
367	***/
368	char *role_linked_role() const
369	{ return abac_role_linked_role(m_role); }
370	/***
371	f char *role_name() const
372	returns the role name of any role (the part after the last dot)
373	[keyid:A].role.r1.role:r2, it returns r2
374	[keyid:A].role.r1, it returns r1
375	f char *role_principal() const
376	returns the principal of role (the part before the first dot)
377	[keyid:A].role.r1, it returns A
378	***/
379	char *role_name() const
380	{ return abac_role_name(m_role); }
381	char *role_principal() const
382	{ return abac_role_principal(m_role); }
383
384	/***
385	f void role_add_data_term(DataTerm&)
386	add a data term to the role
387	***/
388	void role_add_data_term(DataTerm& d) {
389	abac_role_add_data_term(m_role, d.term());
390	}
391	/***
392	f std::vector<DataTerm> get_data_terms(bool &)
393	return the data terms bound to this role.
394	***/
395	std::vector<DataTerm> get_data_terms(bool &success) {
396	abac_term_t terms, end;
397	int i;
398	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role));
399	for (i = 0; terms[i] != NULL; ++i)
400	;
401	end = &terms[i];
402	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
403	abac_terms_free(terms);
404	success=1;
405	return dataterms;
406	}
407	/***
408	f void role_add_linked_data_term(DataTerm&)
409	add a data term to the linking role
410	***/
411	void role_add_linked_data_term(DataTerm& d) {
412	abac_role_add_linked_data_term(m_role, d.term());
413	}
414	/***
415	f std::vector<DataTerm> get_linked_data_terms(bool &)
416	return the data terms bound to this role's linking role.
417	***/
418	std::vector<DataTerm> get_linked_data_terms(bool &success) {
419	abac_term_t terms, end;
420	int i;
421	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role));
422	for (i = 0; terms[i] != NULL; ++i)
423	;
424	end = &terms[i];
425	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
426	abac_terms_free(terms);
427	success=1;
428	return dataterms;
429	}
430	/ii*
431	f abac_aspect_t *role()
432	returns the interal libabac representation of this role
433	*ii/
434	abac_aspect_t *role() {return m_role;}
435	private:
436	abac_aspect_t *m_role;
437	};
438
439	/***
440	ABAC::Oset
441	An Oset is oset specification of a set of entitities for a principal
442	***/
443	class Oset {
444	public:
445	/***
446	f Oset()
447	default constructor, do not use, for swig only
448	f Oset(const Oset &)
449	copy constructor, used for cloning an oset
450	f ~Oset()
451	default destructor
452	***/
453	Oset() : m_oset(NULL) { } // do not use: here for swig
454	Oset(const Oset &oset)
455	{ m_oset =abac_aspect_dup(oset.m_oset); }
456	~Oset()
457	{ if(m_oset) abac_aspect_free(m_oset); }
458	/ii*
459	f Oset(abac_aspect_t *)
460	constructor that takes abac_aspect_t structure
461	*ii/
462	Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset))
463	{ }
464	/***
465	f Oset(char *)
466	constructor that makes a principal oset, ie [keyid:B]
467	(c:abac_role_principal_create)
468	f Oset(char , char )
469	constructor that makes a regular oset, ie. [keyid:B].oset:o
470	(c:abac_role_create)
471	f Oset(char , char, char *)
472	constructor that makes a linked oset, ie. [keyid:B].role:r.oset:o
473	(c:abac_oset_linked_create)
474	f Oset(DataTerm&)
475	constructor that makes an object oset, ie. [urn:'file/fileA']
476	***/
477	Oset(char *oset_name) : m_oset(abac_oset_principal_create(oset_name))
478	{ }
479	Oset(char principal_name, char oset_name) :
480	m_oset(abac_oset_create(principal_name, oset_name))
481	{ }
482	Oset(char principal_name, char linked_role_name,char *oset_name) :
483	m_oset(abac_oset_linked_create(principal_name, linked_role_name, oset_name))
484	{ }
485	Oset(DataTerm& d) :
486	m_oset(abac_oset_object_create(d.term()))
487	{ }
488
489	/***
490	f bool oset_is_object(), ie <- [integer:10]
491	return ture if this oset is an object oset
492	***/
493	bool oset_is_object() const
494	{ return abac_oset_is_object(m_oset); }
495	/***
496	f bool oset_is_principal() const
497	return true if the oset is a principal object(made from
498	a data term), the right hand side of,
499	[keyid:A].oset:o <- [keyid:B]
500	***/
501	bool oset_is_principal() const
502	{ return abac_oset_is_principal(m_oset); }
503	/***
504	f bool oset_is_linking() const
505	returns true if the oset is a linking oset like
506	the right hand side of,
507	[keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
508	***/
509	bool oset_is_linking() const
510	{ return abac_oset_is_linking(m_oset); }
511	/***
512	f char *string() const
513	returns literal string of the oset
514	(c:abac_aspect_string)
515	f char *typed_string() const
516	returns typed literal string of the oset
517	(c:abac_aspect_typed_string)
518	***/
519	char *string() const
520	{ return abac_aspect_string(m_oset); }
521	char *typed_string()
522	{ return abac_aspect_typed_string(m_oset); }
523	/***
524	f char *oset_linked_role() const
525	returns linked part of a linking oset, for
526	[keyid:A].role:r1.oset:o1, it returns r1
527	***/
528	char *oset_linked_role() const
529	{ return abac_oset_linked_role(m_oset); }
530	/***
531	f char *oset_name() const
532	returns oset name,
533	[keyid:A].role:r1.oset:o1, it returns o1
534	[keyid:A].oset:o1, it returns o1
535	***/
536	char *oset_name() const
537	{ return abac_oset_name(m_oset); }
538	/***
539	f char *oset_principal() const
540	returns principal name,
541	[keyid:A].role:r1.oset:o1, it returns A
542	***/
543	char *oset_principal() const
544	{ return abac_oset_principal(m_oset); }
545	/***
546	f char *oset_object() const
547	returns object's name when the oset is a principal object
548	[keyid:A].oset:values <- [integer:10], it returns 10
549	***/
550	char *oset_object() const
551	{ return abac_oset_object(m_oset); }
552	/***
553	f void add_data_term(DataTerm&)
554	add a data term to this oset's parameter set
555	***/
556	void oset_add_data_term(DataTerm& d) {
557	abac_oset_add_data_term(m_oset, d.term());
558	}
559	/***
560	f std::vector<DataTerm> get_data_terms(bool &)
561	returns the data terms bound to this oset.
562	***/
563	std::vector<DataTerm> get_data_terms(bool &success) {
564	abac_term_t terms, end;
565	int i;
566	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset));
567	for (i = 0; terms[i] != NULL; ++i)
568	;
569	end = &terms[i];
570	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
571	abac_terms_free(terms);
572	success=1;
573	return dataterms;
574	}
575	/***
576	f void oset_add_linked_data_term(DataTerm&)
577	add a data term to this oset's linking role's parameter set.
578	***/
579	void oset_add_linked_data_term(DataTerm& d) {
580	abac_oset_add_linked_data_term(m_oset, d.term());
581	}
582	/***
583	f std::vector<DataTerm> get_linked_data_terms(bool &)
584	returns the data terms bound to this oset's linking role.
585	***/
586	std::vector<DataTerm> get_linked_data_terms(bool &success) {
587	abac_term_t terms, end;
588	int i;
589	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset));
590	for (i = 0; terms[i] != NULL; ++i)
591	;
592	end = &terms[i];
593	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
594	abac_terms_free(terms);
595	success=1;
596	return dataterms;
597	}
598	/ii*
599	f abac_aspect_t *oset()
600	internal returns the internal libabac representation of the oset
601	*ii/
602	abac_aspect_t *oset() {return m_oset;}
603	private:
604	abac_aspect_t *m_oset;
605	};
606
607
608	/***
609	ABAC::ID
610	An ID holds a principal credential. It maybe imported from an existing
611	ID credential via external files, constructed from a streaming chunk,
612	or instantiated on the fly
613	***/
614	class ID {
615	public:
616	/***
617	f ID()
618	default constructor, do not use, for swig only
619	f ID(const ID &)
620	copy constructor, used for cloning an ID
621	f ~ID()
622	default destructor
623	***/
624	ID() : m_id(NULL) { } // do not use: here for swig
625	ID(const ID &id) { m_id =abac_id_dup(id.m_id); }
626	~ID() { if(m_id) abac_id_free(m_id); }
627	/ii*
628	f ID(abac_id_t *)
629	constructor from abac_id_t
630	f ID(abac_id_credential_t *)
631	constructor from abac_id_t
632	*ii/
633	ID(abac_id_t *id): m_id(abac_id_dup(id))
634	{ }
635	ID(abac_id_credential_t *idcred) {
636	if(idcred)
637	m_id=abac_id_dup(abac_id_credential_id(idcred));
638	else m_id=NULL;
639	}
640	/***
641	f ID(char *)
642	load an ID cert from a file, will throw an exception
643	if the cert cannot be loaded
644	(c:abac_id_from_file)
645	***/
646	ID(char *filename) {
647	m_id=abac_id_from_file(filename);
648	if(m_id==NULL)
649	abac_errx(1, "Id creation from filename failed");
650	}
651	/***
652	f ID(char *,int)
653	generates a new ID with the supplied CN and validity period
654	- CN must be alphanumeric and begin with a letter
655	- validity must be at least one second
656	will throw an exception if either of the above is violated
657	(c:abac_id_generate)
658	***/
659	ID(char *cn, int validity) {
660	int rt=abac_id_generate(&m_id, cn, validity);
661	if(rt != ABAC_ID_SUCCESS)
662	abac_errx(1, "Id creation failed");
663	}
664	/***
665	f void id_load_privkey_file(char *)
666	loads the private key associated with the ID credential
667	will throw an exception if the key cannot be loaded
668	***/
669	void id_load_privkey_file(char *filename) {
670	int rt=abac_id_load_privkey_file(m_id, filename);
671	if(rt != 1)
672	abac_errx(1, "Failed to load private key");
673	}
674	/ii*
675	f abac_id_t *id()
676	returns the abac_id_t
677	returns the interal libabac representation of this id
678	*ii/
679	abac_id_t *id() { return m_id; }
680
681	/***
682	f char *id_keyid()
683	returns the SHA1 keyid of the id cert
684	f char *id_name()
685	returns the CN (the parameter passed to the constructor or the
686	CN of the cert).
687	(c:abac_id_cn)
688	***/
689	char *id_keyid() { return abac_id_keyid(m_id); }
690	char *id_name() { return abac_id_cn(m_id); }
691	/***
692	f bool id_has_privkey()
693	returns true if the ID has an associated private key
694	***/
695	bool id_has_privkey()
696	{ return abac_id_has_privkey(m_id); }
697
698	/***
699	f void id_write_cert(FILE *)
700	writes a PEM-encoded cert to the file handle
701	f void id_write_cert(char *)
702	writes a PEM-encoded cert to a file named out
703	***/
704	void id_write_cert(FILE *out)
705	{ abac_id_write_cert(m_id, out); }
706	void id_write_cert(char *filename) {
707	FILE *out = fopen(filename, "a");
708	id_write_cert(out);
709	fclose(out);
710	}
711	/***
712	f void id_write_privkey(FILE *)
713	writes a PEM-encoded private key to the file handle
714	throws an exception if no private key is loaded
715	f void id_write_privkey(char *)
716	writes a PEM-encoded private key a file named out
717	throws an exception if no private key is loaded
718	***/
719	void id_write_privkey(FILE *out) {
720	if(!id_has_privkey())
721	abac_errx(1, "No privkey to write");
722	abac_id_write_privkey(m_id, out);
723	}
724	void id_write_privkey(char *filename) {
725	FILE *out = fopen(filename, "a");
726	id_write_privkey(out);
727	fclose(out);
728	}
729	/***
730	f abac_chunk_t id_cert_chunk()
731	returns a DER-encoded binary representation of the X.509 ID cert
732	associated with this ID.
733	can be passed to libabac's Context::load_id_chunk()
734	***/
735	abac_chunk_t id_cert_chunk()
736	{ return abac_id_cert_chunk(m_id); }
737	/***
738	f char *string()
739	returns literal string of the id credential
740	(c:abac_id_string)
741	***/
742	char *string()
743	{ return abac_id_string(m_id); }
744	public:
745	abac_id_t *m_id;
746	};
747
748
749	/***
750	ABAC::Attribute
751	This is the attribute representation for the access policy rule
752	LHS <- RHS
753	The sequence of generation is to
754	first, instantiate the object, ie, LHS (head)
755	second, adding subject(s) to it, ie, RHS (tail)
756	and then baking it.
757	Only once it's baked can you access the X.509 cert.
758	Once it's been baked you can no longer add subjects to it
759	***/
760	class Attribute {
761	public:
762	/***
763	f Attribute()
764	default constructor, do not use, for swig only
765	f Attribute(const Attribute &)
766	copy constructor, used for cloning an attribute
767	f ~Attribute()
768	default destructor
769	***/
770	Attribute() : m_attr(NULL) { }
771	Attribute(const Attribute &id)
772	{ m_attr =abac_attribute_dup(id.m_attr); }
773	~Attribute()
774	{ if(m_attr) abac_attribute_free(m_attr); }
775	/ii*
776	f Attribute(abac_attribute_t *)
777	constructor that takes abac_attribute_t, locally used
778	f Attribute(abac_credential_t *)
779	constructor that takes abac_credential_t, locally used
780	*ii/
781	Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr))
782	{ }
783	Attribute(abac_credential_t *cred)
784	{ m_attr=abac_attribute_dup(abac_credential_attribute(cred)); }
785	/***
786	f Attribute(Role&, int)
787	constructor that creates an attribute policy to be signed by the issuer
788	with the given role with a specified validity period
789	An exception will be thrown if:
790	- the issuer has no private key
791	- the Head role is invalid
792	- the validity period is invalid (must be >= 1 second)
793	(c:abac_attribute_create)
794	***/
795	Attribute(Role& head, int validity) {
796	int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity);
797	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
798	abac_errx(1, "attribute(role), unable to make an attribute");
799	}
800	/***
801	f Attribute(Oset&, int)
802	constructor that creates an attribute policy to be signed by the issuer
803	with the given oset with a specified validity period
804	An exception will be thrown if:
805	- the issuer has no private key
806	- the Head oset is invalid
807	- the validity period is invalid (must be >= 1 second)
808	(c:abac_attribute_create)
809	***/
810	Attribute(Oset& head, int validity) {
811	int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity);
812	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
813	abac_errx(1, "attribute(oset), unable to make an attribute");
814	}
815	/***
816	f bool attribute_add_tail(Role&)
817	Add a role tail. Call multiple times for intersections
818	f bool attribute_add_tail(Oset&)
819	Add an oset tail. Call multiple times for intersections
820	***/
821	bool attribute_add_tail(Role& tail) {
822	if(abac_attribute_add_tail(m_attr, tail.role()))
823	return 1;
824	else return 0;
825	}
826	bool attribute_add_tail(Oset& tail) {
827	if(abac_attribute_add_tail(m_attr, tail.oset()))
828	return 1;
829	else return 0;
830	}
831	/***
832	f char *head_string()
833	returns literal string of head of the attribute
834	f char *tail_string()
835	returns literal string of tail of the attribute
836	***/
837	char *head_string()
838	{ return abac_head_string(m_attr); }
839	char *tail_string()
840	{ return abac_tail_string(m_attr); }
841	/***
842	f char *head_typed_string()
843	returns typed literal string of head of the attribute
844	f char *tail_typed_string()
845	returns typed literal string of tail of the attribute
846	***/
847	char *head_typed_string()
848	{ return abac_head_typed_string(m_attr); }
849	char *tail_typed_string()
850	{ return abac_tail_typed_string(m_attr); }
851	/***
852	f char *string()
853	returns literal string of the attribute
854	(c:abac_attribute_string)
855	f char *typed_string()
856	returns typed literal string of the attribute
857	(c:abac_attribute_typed_string)
858	***/
859	char *string()
860	{ return abac_attribute_string(m_attr); }
861	char *typed_string()
862	{ return abac_attribute_typed_string(m_attr); }
863
864	/*** ??? not sure about implmentation
865	f const Role &role_head()
866	returns the head role
867	f const Oset &oset_head()
868	returns the oset head
869	***/
870	const Role &role_head() {
871	abac_aspect_t *head=abac_attribute_head(m_attr);
872	static Role role=Role(head);
873	return role;
874	}
875	const Oset &oset_head() {
876	abac_aspect_t *head=abac_attribute_tail(m_attr);
877	static Oset oset=Oset(head);
878	return oset;
879	}
880	/***
881	f std::vector<Role> role_tails(bool &)
882	retrieve tail role which maybe more than 1 if intersecting
883	f std::vector<Oset> oset_tails(bool &)
884	retrieve tail oset which maybe more than 1 if intersecting
885	***/
886	std::vector<Role> role_tails(bool &success) {
887	abac_aspect_t tails, end;
888	int i;
889	/* make sure it is role */
890	if(!abac_attribute_is_role(m_attr)) {
891	success=0;
892	abac_errx(1, "role_tails, attribute is not a role");
893	}
894	tails = abac_attribute_tail_vectorized(m_attr);
895	for (i = 0; tails[i] != NULL; ++i)
896	;
897	end = &tails[i];
898	std::vector<Role> roles = std::vector<Role>(tails, end);
899	abac_aspects_free(tails);
900	success=1;
901	return roles;
902	}
903	std::vector<Oset> oset_tails(bool &success) {
904	abac_aspect_t tails, end;
905	int i;
906	/* make sure that tail is not role */
907	if(abac_attribute_is_role(m_attr)) {
908	success=0;
909	abac_errx(1, "oset_tails, attribute is not an oset");
910	}
911	tails = abac_attribute_tail_vectorized(m_attr);
912	for (i = 0; tails[i] != NULL; ++i)
913	;
914	end = &tails[i];
915	std::vector<Oset> osets = std::vector<Oset>(tails, end);
916	success=1;
917	abac_aspects_free(tails);
918	return osets;
919	}
920	/ii*
921	f abac_attribute_t *attribute()
922	return libabac structure for attribute
923	*ii/
924	abac_attribute_t *attribute() { return m_attr; }
925
926	/***
927	f bool attribute_bake()
928	Generate the cert. Call this after you've added subjects to your cert.
929	This returns false if there are no subjects
930	This will throw an exception if the cert's already been baked.
931	***/
932	bool attribute_bake() {
933	/* can not bake in ABAC_CN mode */
934	if(USE("ABAC_CN"))
935	abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set");
936	int rt=abac_attribute_bake(m_attr);
937	if(rt!=1)
938	abac_errx(1, "bake, can not bake the cert");
939	}
940	/***
941	f bool attribute_baked()
942	returns true iff the cert has been baked.
943	***/
944	bool attribute_baked()
945	{ return abac_attribute_baked(m_attr); }
946
947	/***
948	f void attribute_write_cert(FILE *)
949	write the DER-encoded X.509 attribute cert to the open file handle
950	Throws an exception if the cert isn't baked
951	***/
952	void attribute_write_cert(FILE *out) {
953	int rt= abac_attribute_write_cert(m_attr,out);
954	if(!rt)
955	abac_errx(1, "write, cert is not baked");
956	}
957	/***
958	f void attribute_write_cert(char *)
959	write the DER-encoded X.509 attribute cert to a file named out
960	Throws an exception if the cert isn't baked
961	***/
962	void attribute_write_cert(char *filename) {
963	FILE *out = fopen(filename, "w");
964	attribute_write_cert(out);
965	fclose(out);
966	}
967	/***
968	f abac_chunk_t cert_chunk()
969	returns a DER-encoded binary representation of the X.509 attribute
970	cert associated with this cert
971	Throws an exception if the cert isn't baked
972	the chunk can be passed to libabac's Context::load_attribute_chunk()
973	***/
974	abac_chunk_t cert_chunk()
975	{ return abac_attribute_cert_chunk(m_attr); }
976	private:
977	abac_attribute_t *m_attr;
978	};
979
980
981	/***
982	ABAC::Context
983	An ABAC Context
984	***/
985	class Context {
986	public:
987	/***
988	f Context()
989	default constructor
990	f Context(const Context &)
991	copy constructor, used for cloning the context
992	f ~Context()
993	default destructor
994	***/
995	Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); }
996	Context(const Context &context) {
997	m_ctx = abac_context_dup(context.m_ctx);
998	m_abac_version=strdup(context.m_abac_version);
999	}
1000	~Context() {
1001	abac_context_free(m_ctx);
1002	if(m_abac_version) free(m_abac_version);
1003	}
1004	/***
1005	f void dump_yap_db()
1006	dump the complete yap prolog database
1007	(c:show_yap_db)
1008	***/
1009	void dump_yap_db()
1010	{ show_yap_db("dump_yap"); }
1011
1012	/***
1013	f int load_id(ABAC::ID&)
1014	load id cert from ID
1015	(c:abac_context_load_id)
1016	f int load_id_file(char *)
1017	load id cert from an idkey combo file. key retrieval will be attempt
1018	but won't fail if not found
1019	(c:abac_context_load_id_file)
1020	f int load_id_files(char , char )
1021	load id cert from an id file and a key file
1022	(c:abac_context_load_id_files)
1023	f int load_id_chunk(abac_chunk_t)
1024	load id cert from a chunk structure
1025	(c:abac_context_load_id_chunk)
1026	returns:
1027	ABAC_CERT_SUCCESS successfully loaded
1028	ABAC_CERT_INVALID invalid certificate (or file not found)
1029	ABAC_CERT_BAD_SIG invalid signature
1030	***/
1031	int load_id(ABAC::ID& id)
1032	{ return abac_context_load_id(m_ctx, id.id()); }
1033	int load_id_file(char *filename)
1034	{ return abac_context_load_id_file(m_ctx, filename); }
1035	int load_id_files(char filename, char keyfilename)
1036	{ return abac_context_load_id_files(m_ctx, filename, keyfilename); }
1037	int load_id_chunk(abac_chunk_t cert)
1038	{ return abac_context_load_id_chunk(m_ctx, cert); }
1039
1040	/***
1041	f int load_attribute(ABAC::Attribute&)
1042	load attribute credential from attribute structure
1043	(c:abac_context_load_attribute)
1044	f int load_attribute_file(char *)
1045	load attribute credential from a file
1046	(c:abac_context_load_attribute_file)
1047	f int load_attribute_chunk(abac_chunk_t)
1048	load attribute credential from a chunk
1049	(c:abac_context_load_attribute_chunk)
1050	f returns the same values as above, additionally
1051	returns ABAC_CERT_MISSING_ISSUER if the issuer
1052	certificate has not been loaded
1053	***/
1054	int load_attribute(ABAC::Attribute& a)
1055	{ return abac_context_load_attribute(m_ctx, a.attribute()); }
1056	int load_attribute_file(char *filename)
1057	{ return abac_context_load_attribute_file(m_ctx, filename); }
1058	int load_attribute_chunk(abac_chunk_t cert)
1059	{ return abac_context_load_attribute_chunk(m_ctx, cert); }
1060	/***
1061	f void load_directory(char *)
1062	load a directory full of certificates:
1063	f first: ${path}/*_ID.{der,pem} as identity certificates
1064	implicitly looking for ${path}/*_private.{der,pem} as
1065	the private key file
1066	then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
1067	last: ${path}/*_attr.der as attribute certificates
1068	***/
1069	void load_directory(char *path)
1070	{ abac_context_load_directory(m_ctx, path); }
1071	/***
1072	f std::vector<Attribute> query(char , char , bool &)
1073	the string version is for query that is composed by hand with SHA or
1074	in non ABAC_CN mode
1075	(c:abac_context_query)
1076	f std::vector<Attribute> query(Role &, Role &, bool &)
1077	(c:abac_context_query_with_structure)
1078	std::vector<Attribute> query(Oset &, Oset &, bool &)
1079	(c:abac_context_query_with_structure)
1080	runs the query:
1081	role <-?- principal
1082	oset <-?- principal/obj
1083	returns true/false in success
1084	returns a proof upon success,
1085	partial proof on failure (not implemented yet)
1086	***/
1087	std::vector<Attribute> query(char role, char principal, bool &success) {
1088	abac_credential_t creds, end;
1089	int i, success_int;
1090
1091	creds = abac_context_query(m_ctx, role, principal, &success_int);
1092	success = success_int;
1093
1094	for (i = 0; creds[i] != NULL; ++i)
1095	;
1096
1097	end = &creds[i];
1098	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1099	if(debug) printf("query, got rules(%d)\n", i);
1100
1101	abac_context_credentials_free(creds);
1102
1103	return attributes;
1104	}
1105
1106	std::vector<Attribute> query(Role &role, Role &p_role, bool &success) {
1107	abac_credential_t creds, end;
1108	int i, success_int;
1109
1110	creds = abac_context_query_with_structure(m_ctx, role.role(), p_role.role(), &success_int);
1111	success = success_int;
1112
1113	for (i = 0; creds[i] != NULL; ++i)
1114	;
1115
1116	end = &creds[i];
1117	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1118
1119	abac_context_credentials_free(creds);
1120
1121	return attributes;
1122	}
1123
1124	std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) {
1125	abac_credential_t creds, end;
1126	int i, success_int;
1127
1128	creds = abac_context_query_with_structure(m_ctx, oset.oset(), p_oset.oset(), &success_int);
1129	success = success_int;
1130
1131	for (i = 0; creds[i] != NULL; ++i)
1132	;
1133
1134	end = &creds[i];
1135	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1136	if(debug) printf("query, returning rules(%d)\n", i);
1137
1138	abac_context_credentials_free(creds);
1139
1140	return attributes;
1141	}
1142
1143	/***
1144	f std::vector<Attribute> context_credentials(bool &)
1145	returns a vector of all the credentials loaded in the context
1146	extracted from the internal data structure
1147	***/
1148	std::vector<Attribute> context_credentials(bool &success) {
1149	abac_credential_t creds, end;
1150	int i;
1151	success = 1;
1152
1153	creds = abac_context_credentials(m_ctx);
1154	for (i = 0; creds[i] != NULL; ++i)
1155	;
1156
1157	end = &creds[i];
1158	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1159	if(debug) printf("credentials, got (%d)\n", i);
1160
1161	abac_context_credentials_free(creds);
1162	if(debug) show_yap_db("calling from context_credentials");
1163	return attributes;
1164	}
1165
1166	/***
1167	f std::vector<Attribute> context_principals(bool &)
1168	returns a vector of all the principals loaded in the context
1169	extracted from the internal data structure
1170	***/
1171	std::vector<ID> context_principals(bool &success) {
1172	abac_id_credential_t ids, end;
1173	int i;
1174	success = 1;
1175
1176	ids = abac_context_principals(m_ctx);
1177	for (i = 0; ids[i] != NULL; ++i)
1178	;
1179
1180	end = &ids[i];
1181	std::vector<ID> principals = std::vector<ID>(ids, end);
1182	if(debug) printf("principals, got (%d)\n", i);
1183
1184	abac_context_principals_free(ids);
1185	return principals;
1186	}
1187	/***
1188	f char *version()
1189	return the version of this interface
1190	***/
1191	char *version() const { return m_abac_version; }
1192
1193	private:
1194	abac_context_t *m_ctx;
1195	char *m_abac_version;
1196	};
1197
1198	Constraint::Constraint(Role& role)
1199	{ m_constraint=abac_constraint_from_role(role.role()); }
1200	Constraint::Constraint(Oset &oset)
1201	{ m_constraint=abac_constraint_from_oset(oset.oset()); }
1202	DataTerm::DataTerm(ID& id)
1203	{ m_term=abac_term_id_create(id.id()); }
1204	}
1205
1206	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: