Context Navigation

source: libabac/abac.hh @ 1621520

mei_rt2mei_rt2_fix_1

Last change on this file since 1621520 was 1621520, checked in by Mei <mei@…>, 12 years ago
1) more comments
Property mode set to `100644`
File size: 37.5 KB

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <string>
5	#include <vector>
6
7	namespace ABAC {
8	extern "C" {
9	#include "abac.h"
10	}
11	static int debug=0;
12	class Role;
13	class Oset;
14	/***
15	ABAC::Constraint
16	This is a constraint on a data term. It holds a ptr to
17	a abac_condition_t structure
18	***/
19	class Constraint {
20	public:
21	/***
22	Constraint()
23	default constructor, do not use, for swig only
24	Constraint(const Constraint &)
25	copy constructor, used for cloning a constraint
26	~Constraint()
27	default destructor
28	***/
29	Constraint() : m_constraint(NULL) { }
30	Constraint(const Constraint &constraint) {
31	m_constraint =abac_condition_dup(constraint.m_constraint);
32	}
33	~Constraint() {
34	if(m_constraint) abac_condition_free(m_constraint);
35	}
36	/***
37	Constraint(Role &)
38	constructor that takes a constraining role
39	[role:?R[{role-constraint}]
40	Constraint(Oset &)
41	constructor that takes a constraining oset
42	[oset:?O[{oset-constraint}]
43	[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
44	Constraint(abac_condition_t *)
45	constructor that takes an abac_condition_t structure
46	Constraint(char *)
47	constructor that takes one of following string
48	as its vartype to set up a range constraint:
49	"integer"
50	"urn"
51	"float"
52	"boolean"
53	"time"
54	"string"
55	it should be followed with one or many of following utility
56	calls.
57	***/
58	Constraint(Role& role);
59	Constraint(Oset& oset);
60	Constraint(abac_condition_t *constraint):
61	m_constraint(abac_condition_dup(constraint))
62	{ }
63	Constraint(char *vartype) {
64	m_constraint=abac_condition_create(vartype);
65	}
66	/***
67	void add_constraint_integer_max(int)
68	void add_constraint_integer_min(int)
69	utility routines to setup a integer range constraint
70	[integer:?I[10 .. 20]]
71	void add_constraint_integer_target(int)
72	utility routine to setup a integer list constraint
73	[integer:?I[10,20]]
74	***/
75	void add_constraint_integer_max(int val) {
76	abac_condition_add_range_integer_item(m_constraint,abac_max_item_type(),val);
77	}
78	void add_constraint_integer_min(int val) {
79	abac_condition_add_range_integer_item(m_constraint,abac_min_item_type(),val);
80	}
81	void add_constraint_integer_target(int val) {
82	abac_condition_add_range_integer_item(m_constraint,abac_target_item_type(),val);
83	}
84	/***
85	void add_constraint_float_max(float)
86	void add_constraint_float_min(float)
87	utility routines to setup a float range constraint
88	[float:?F[1.0 .. 2.5]]
89	void add_constraint_float_target(float)
90	utility routine to setup a float list constraint
91	[float:?F[0.5, 2.5]]
92	***/
93	void add_constraint_float_max(float val) {
94	abac_condition_add_range_float_item(m_constraint,abac_max_item_type(),val);
95	}
96	void add_constraint_float_min(float val) {
97	abac_condition_add_range_float_item(m_constraint,abac_min_item_type(),val);
98	}
99	void add_constraint_float_target(float val) {
100	abac_condition_add_range_float_item(m_constraint,abac_target_item_type(),val);
101	}
102	/***
103	void add_constraint_time_max(char*)
104	void add_constraint_time_min(char*)
105	utility routines to setup a time range constraint,
106	takes quoted string values, beyond T is optional
107	[time:?M["20201101T182930"]]
108	[time:?M["20201101T"]]
109	void add_constraint_time_target(char*)
110	utility routine to setup a time list constraint
111	[time:?F["20120228T080000" .. "20120228T090000"]]
112	***/
113	void add_constraint_time_max(char* val) {
114	abac_condition_add_range_time_item(m_constraint,abac_max_item_type(),val);
115	}
116	void add_constraint_time_min(char* val) {
117	abac_condition_add_range_time_item(m_constraint,abac_min_item_type(),val);
118	}
119	void add_constraint_time_target(char* val) {
120	abac_condition_add_range_time_item(m_constraint,abac_target_item_type(),val);
121	}
122	/***
123	void add_constraint_urn_target(char*)
124	utility routine to setup a an urn list constraint
125	[urn:?U["fileA","http://fileB"]]
126	void add_constraint_string_target(char*)
127	utility routine to setup a a string list constraint
128	[string:?S["abc",'efg',"hij"]]
129	void add_constraint_boolean_target(char*)
130	utility routine to setup a a boolean list constraint
131	[boolean:?B['true']]
132	***/
133	void add_constraint_urn_target(char* val)
134	{ abac_condition_add_range_urn_item(m_constraint,val); }
135	void add_constraint_string_target(char* val)
136	{ abac_condition_add_range_string_item(m_constraint,val); }
137	void add_constraint_boolean_target(char* val)
138	{ abac_condition_add_range_boolean_item(m_constraint,val); }
139	/***
140	char *string() const
141	returns literal string of the constraint
142	char *typed_string() const
143	returns typed literal string of the constraint
144	***/
145	char *string() const
146	{ return abac_condition_string(m_constraint); }
147	char *typed_string() const
148	{ return abac_condition_typed_string(m_constraint); }
149	/***
150	abac_condition_t *constraint()
151	returns internal constraint structure
152	***/
153	abac_condition_t *constraint()
154	{ return m_constraint; }
155	private:
156	abac_condition_t *m_constraint;
157	};
158
159	/***
160	ABAC::DataTerm
161	A data term is associated with Role or Oset as a parameter that
162	maybe be instantiated, or uninstantiated but being constrained,
163	or as a principal oset term (standalone right handside of an oset
164	policy rule). It holds a pointer to a abac_term_t structure and
165	an optional constraint that may be imposed on this data term if it
166	is indeed an unistantiated variable.
167	***/
168	class DataTerm {
169	public:
170	/***
171	DataTerm()
172	default constructor, do not use, for swig only
173	DataTerm(const DataTerm &)
174	copy constructor, used for cloning a data term
175	~DataTerm()
176	default destructor
177	***/
178	DataTerm() : m_term(NULL) { } // do not use: here for swig
179	DataTerm(const DataTerm &dterm) {
180	m_term =abac_term_dup(dterm.m_term);
181	abac_condition_t *constraint=abac_term_constraint(m_term);
182	if(constraint) m_cond=new Constraint(constraint);
183	else m_cond=NULL;
184	}
185	~DataTerm() {
186	if(m_term) abac_term_free(m_term);
187	if(m_cond) free(m_cond);
188	}
189	/*** ???
190	DataTerm(abac_term_t *)
191	constructor to make data term from abac_term_t structure
192	***/
193	DataTerm(abac_term_t *term) {
194	m_term=abac_term_dup(term);
195	abac_condition_t *constraint=abac_term_constraint(m_term);
196	if(constraint) m_cond=new Constraint(constraint);
197	else m_cond=NULL;
198	}
199	/***
200	DataTerm(char*)
201	constructor to make named principal data term for the oset RHS
202	DataTerm(char, char, Constraint*)
203	constructor for making a variable data term or an instantiated
204	data term
205	***/
206	DataTerm(char *sha) {
207	if(debug) printf("adding a Dataterm named principal(%s)\n",sha);
208	int isnamed=1;
209	int type=e_TERM_PRINCIPAL;
210	m_term=abac_term_named_create(type,sha);
211	}
212	DataTerm(char* typenm, char name, Constraint cond=NULL) {
213	int type=abac_verify_term_type(typenm);
214	if(debug) printf("adding a Dataterm (%s)\n",name);
215	if(type==ABAC_TERM_FAIL)
216	abac_errx(1, "DataTerm, fail to create the term");
217	if(cond) {
218	m_cond=cond;
219	m_term=abac_term_create(type,name,cond->constraint());
220	} else {
221	m_cond=NULL;
222	m_term=abac_term_create(type,name,NULL);
223	}
224	}
225	/***
226	char *string() const
227	returns literal string of the data term
228	char *typed_string() const
229	returns typed literal string of the data term
230	***/
231	char *string() const
232	{ return abac_term_string(m_term); }
233	char *typed_string() const
234	{ return abac_term_typed_string(m_term); }
235	/***
236	bool is_time() const
237	bool is_string() const
238	bool is_urn() const
239	bool is_integer() const
240	returns true if data term is of certain type
241	***/
242	bool is_time() const
243	{ return abac_term_is_time_type(m_term); }
244	bool is_string() const
245	{ return abac_term_is_string_type(m_term); }
246	bool is_urn() const
247	{ return abac_term_is_urn_type(m_term); }
248	bool is_integer() const
249	{ return abac_term_is_integer_type(m_term); }
250	/***
251	int add_constraint(const Contraint&)
252	utiltiy routine to add a constraint to this data term
253	***/
254	int add_constraint(const Constraint& cond) {
255	m_cond=new Constraint(cond);
256	abac_term_add_constraint(m_term, m_cond->constraint());
257	}
258	/***
259	int type() const
260	returns subtype of the data term
261	char *name() const
262	returns the name of the data term
263	***/
264	int type() const
265	{ abac_term_type(m_term); }
266	char *name() const
267	{ return abac_term_name(m_term); }
268	/*** ??? value
269	char *value() const
270	Not implemented
271	***/
272	char *value() const { }
273	/***
274	abac_term_t *term()
275	returns internal data term structure
276	Constraint *constraint()
277	returns internal constraint structure to the data term
278	***/
279	abac_term_t *term()
280	{ return m_term; }
281	Constraint *constraint()
282	{ return m_cond; }
283	private:
284	abac_term_t *m_term;
285	Constraint *m_cond;
286	};
287
288
289	/***
290	ABAC::Role
291	A Role is role specification of a set of entitities for a principal.
292	***/
293	class Role {
294	public:
295	/***
296	Role()
297	default constructor, do not use, for swig only
298	Role(const Role &)
299	copy constructor, used for cloning a role
300	~Role()
301	default destructor
302	***/
303	Role() : m_role(NULL) { } // do not use: here for swig
304	Role(const Role &role) {
305	m_role = abac_aspect_dup(role.m_role);
306	}
307	~Role() {
308	if (m_role) abac_aspect_free(m_role);
309	}
310	/***
311	Role(abac_aspect_t*)
312	constructor that takes an abac_aspect_t structure
313	Role(char*)
314	constructor that builds a bare bone role with just principal's name
315	Role(char, char)
316	constructor that builds a bare bone role with just principal's name
317	and a role name
318	***/
319	Role(abac_aspect_t *role): m_role(abac_aspect_dup(role))
320	{ }
321	Role(char *principal_name) :
322	m_role(abac_aspect_role_principal_create(principal_name))
323	{ }
324	Role(char principal_name, char role_name) :
325	m_role(abac_aspect_role_create(principal_name, role_name))
326	{ }
327	/***
328	bool is_principal() const
329	return true if the role is a principal object(made from
330	a data term), the right hand side of,
331	[keyid:A].role:r <- [keyid:B]
332	***/
333	bool is_principal() const
334	{ return abac_aspect_is_principal(m_role); }
335	/***
336	bool is_linking() const
337	returns true if the role is a linking role like
338	the right hand side of,
339	[keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
340	***/
341	bool is_linking() const
342	{ return abac_aspect_is_linking(m_role); }
343	/***
344	char *string() const
345	returns literal string of the role
346	char *typed_string() const
347	returns typed literal string of the role
348	***/
349	char *string() const
350	{ return abac_aspect_string(m_role); }
351	char *typed_string()
352	{ return abac_aspect_typed_string(m_role); }
353	/***
354	char *linked_role() const
355	returns linked part of a linking role, for
356	[keyid:A].role:r1.role:r2, it returns r1
357	***/
358	char *linked_role() const
359	{ return abac_aspect_linked_role_name(m_role); }
360	/***
361	char *role_name() const
362	returns the role name of any role (the part after the last dot)
363	[keyid:A].role.r1.role:r2, it returns r2
364	[keyid:A].role.r1, it returns r1
365	***/
366	char *role_name() const
367	{ return abac_aspect_aspect_name(m_role); }
368	char *principal() const
369	{ return abac_aspect_principal_name(m_role); }
370
371	/***
372	int add_data_term(DataTerm&)
373	add a data term to the role
374	***/
375	int add_data_term(DataTerm& d) {
376	abac_aspect_add_param(m_role, d.term());
377	return 1;
378	}
379	/***
380	std::vector<DataTerm> get_data_terms(bool &)
381	return the data terms bound to this role.
382	??? If the role is returned in a proof, these will all have values.
383	***/
384	std::vector<DataTerm> get_data_terms(bool &success) {
385	abac_term_t terms, end;
386	int i;
387	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role));
388	for (i = 0; terms[i] != NULL; ++i)
389	;
390	end = &terms[i];
391	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
392	abac_terms_free(terms);
393	success=1;
394	return dataterms;
395	}
396	int add_linking_data_term(DataTerm& d) {
397	abac_aspect_add_linked_param(m_role, d.term());
398	return 1;
399	}
400	/***
401	std::vector<DataTerm> get_linked_data_terms(bool &)
402	return the data terms bound to this role's linking role.
403	??? If the role is returned in a proof, these will all have values.
404	***/
405	std::vector<DataTerm> get_linked_data_terms(bool &success) {
406	abac_term_t terms, end;
407	int i;
408	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role));
409	for (i = 0; terms[i] != NULL; ++i)
410	;
411	end = &terms[i];
412	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
413	abac_terms_free(terms);
414	success=1;
415	return dataterms;
416	}
417	/***
418	abac_aspect_t *role()
419	returns the interal libabac representation of this role
420	***/
421	abac_aspect_t *role() {return m_role;}
422	private:
423	abac_aspect_t *m_role;
424	};
425
426	/***
427	ABAC::Oset
428	An Oset is oset specification of a set of entitities for a principal.
429	***/
430	class Oset {
431	public:
432	/***
433	Oset()
434	default constructor, do not use, for swig only
435	Oset(const Oset &)
436	copy constructor, used for cloning an oset
437	~Oset()
438	default destructor
439	***/
440	Oset() : m_oset(NULL) { } // do not use: here for swig
441	Oset(const Oset &oset)
442	{ m_oset =abac_aspect_dup(oset.m_oset); }
443	~Oset()
444	{ if(m_oset) abac_aspect_free(m_oset); }
445	/***
446	Oset(abac_aspect_t *)
447	constructor that takes abac_aspect_t structure
448	Oset(char *)
449	constructor that makes a principal oset, ie [keyid:B]
450	Oset(char , char )
451	constructor that makes a regular oset, ie. [keyid:B].oset:o
452	Oset(DataTerm&)
453	constructor that makes an object oset, ie. [urn:'file/fileA']
454	***/
455	Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset))
456	{ }
457	Oset(char *oset_name) : m_oset(abac_aspect_oset_principal_create(oset_name))
458	{ }
459	Oset(char principal_name, char oset_name) :
460	m_oset(abac_aspect_oset_create(principal_name, oset_name))
461	{ }
462	Oset(DataTerm& d) :
463	m_oset(abac_aspect_oset_object_create(d.term()))
464	{ }
465
466	/***
467	bool is_object(), ie <- [integer:10]
468	return ture if this oset is an object oset
469	***/
470	bool is_object() const
471	{ return abac_aspect_is_object(m_oset); }
472	/***
473	bool is_principal() const
474	return true if the oset is a principal object(made from
475	a data term), the right hand side of,
476	[keyid:A].oset:o <- [keyid:B]
477	***/
478	bool is_principal() const
479	{ return abac_aspect_is_principal(m_oset); }
480	/***
481	bool is_linking() const
482	returns true if the oset is a linking oset like
483	the right hand side of,
484	[keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
485	***/
486	bool is_linking() const
487	{ return abac_aspect_is_linking(m_oset); }
488	/***
489	char *string() const
490	returns literal string of the oset
491	char *typed_string() const
492	returns typed literal string of the oset
493	***/
494	char *string() const
495	{ return abac_aspect_string(m_oset); }
496	char *typed_string()
497	{ return abac_aspect_typed_string(m_oset); }
498	/***
499	char *linked_role() const
500	returns linked part of a linking oset, for
501	[keyid:A].role:r1.oset:o1, it returns r1
502	***/
503	char *linked_role() const
504	{ return abac_aspect_linked_role_name(m_oset); }
505	/***
506	char *oset_name() const
507	returns oset name,
508	[keyid:A].role:r1.oset:o1, it returns o1
509	[keyid:A].oset:o1, it returns o1
510	***/
511	char *oset_name() const
512	{ return abac_aspect_aspect_name(m_oset); }
513	/***
514	char *principal() const
515	returns principal name,
516	[keyid:A].role:r1.oset:o1, it returns A
517	***/
518	char *principal() const
519	{ return abac_aspect_principal_name(m_oset); }
520	/***
521	char *object() const
522	returns object's name when the oset is a principal object
523	[keyid:A].oset:values <- [integer:10], it returns 10
524	***/
525	char *object() const
526	{ return abac_aspect_object_name(m_oset); }
527	/***
528	int add_data_term(DataTerm&)
529	add a data term to this oset's parameter set
530	always returns 1
531	***/
532	int add_data_term(DataTerm& d) {
533	abac_aspect_add_param(m_oset, d.term());
534	return 1;
535	}
536	/***
537	std::vector<DataTerm> get_data_terms(bool &)
538	returns the data terms bound to this oset.
539	??? If the oset is returned in a proof, these will all have values.
540	***/
541	std::vector<DataTerm> get_data_terms(bool &success) {
542	abac_term_t terms, end;
543	int i;
544	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset));
545	for (i = 0; terms[i] != NULL; ++i)
546	;
547	end = &terms[i];
548	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
549	abac_terms_free(terms);
550	success=1;
551	return dataterms;
552	}
553	/***
554	int add_linking_data_term(DataTerm&)
555	add a data term to this oset's linking role's parameter set.
556	always returns 1
557	***/
558	int add_linking_data_term(DataTerm& d) {
559	abac_aspect_add_linked_param(m_oset, d.term());
560	return 1;
561	}
562	/***
563	std::vector<DataTerm> get_linked_data_terms(bool &)
564	returns the data terms bound to this oset's linking role.
565	??? If the oset is returned in a proof, these will all have values.
566	***/
567	std::vector<DataTerm> get_linked_data_terms(bool &success) {
568	abac_term_t terms, end;
569	int i;
570	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset));
571	for (i = 0; terms[i] != NULL; ++i)
572	;
573	end = &terms[i];
574	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
575	abac_terms_free(terms);
576	success=1;
577	return dataterms;
578	}
579	/***
580	abac_aspect_t *oset()
581	returns the internal libabac representation of the oset
582	***/
583	abac_aspect_t *oset() {return m_oset;}
584	private:
585	abac_aspect_t *m_oset;
586	};
587
588
589	/***
590	ABAC::ID
591	An ID holds a principal credential. It maybe imported from an existing
592	ID credential via external files, constructed from a streaming chunk,
593	or instantiated on the fly
594	***/
595	class ID {
596	public:
597	/***
598	ID()
599	default constructor, do not use, for swig only
600	ID(const ID &)
601	copy constructor, used for cloning an ID
602	~ID()
603	default destructor
604	***/
605	ID() : m_id(NULL) { } // do not use: here for swig
606	ID(const ID &id) { m_id =abac_id_dup(id.m_id); }
607	~ID() { if(m_id) abac_id_free(m_id); }
608	/*** ???
609	ID(abac_id_t *)
610	constructor from abac_id_t
611	ID(abac_id_credential_t *)
612	constructor from abac_id_t
613	***/
614	ID(abac_id_t *id): m_id(abac_id_dup(id))
615	{ }
616	ID(abac_id_credential_t *idcred) {
617	if(idcred)
618	m_id=abac_id_dup(abac_id_credential_id(idcred));
619	else m_id=NULL;
620	}
621
622	/***
623	ID(char *)
624	load an ID cert from a file, will throw an exception
625	if the cert cannot be loaded
626	***/
627	ID(char *filename) {
628	m_id=abac_id_from_file(filename);
629	if(m_id==NULL)
630	abac_errx(1, "Id creation from filename failed");
631	}
632	/***
633	ID(char *,int)
634	generates a new ID with the supplied CN and validity period
635	- CN must be alphanumeric and begin with a letter
636	- validity must be at least one second
637	will throw an exception if either of the above is violated
638	***/
639	ID(char *cn, int validity) {
640	int rt=abac_id_generate(&m_id, cn, validity);
641	if(rt != ABAC_ID_SUCCESS)
642	abac_errx(1, "Id creation failed");
643	}
644	/***
645	void load_privkey(char *)
646	loads the private key associated with the ID credential
647	will throw an exception if the key cannot be loaded
648	***/
649	void load_privkey(char *filename) {
650	int rt=abac_id_load_privkey_file(m_id, filename);
651	if(rt != 1)
652	abac_errx(1, "Failed to load private key");
653	}
654	/***
655	abac_id_t *id()
656	returns the abac_id_t
657	returns the interal libabac representation of this id
658	***/
659	abac_id_t *id() { return m_id; }
660
661	/***
662	char *keyid()
663	returns the SHA1 keyid of the id cert
664	char *name()
665	returns the CN
666	***/
667	char *keyid() { return abac_id_keyid(m_id); }
668	char *name() { return abac_id_cn(m_id); }
669	/***
670	bool has_privkey()
671	returns true if the ID has an associated private key
672	***/
673	bool has_privkey()
674	{ return abac_id_has_privkey(m_id); }
675
676	/***
677	void write_cert(FILE *)
678	writes a PEM-encoded cert to the file handle
679	void write_cert(char *)
680	writes a PEM-encoded cert to a file named out
681	***/
682	void write_cert(FILE *out)
683	{ abac_id_write_cert(m_id, out); }
684	void write_cert(char *filename) {
685	FILE *out = fopen(filename, "a");
686	write_cert(out);
687	fclose(out);
688	}
689	/***
690	void write_privkey(FILE *)
691	writes a PEM-encoded private key to the file handle
692	throws an exception if no private key is loaded
693	void write_privkey(char *)
694	writes a PEM-encoded private key a file named out
695	throws an exception if no private key is loaded
696	***/
697	void write_privkey(FILE *out) {
698	if(!has_privkey())
699	abac_errx(1, "No privkey to write");
700	abac_id_write_privkey(m_id, out);
701	}
702	void write_privkey(char *filename) {
703	FILE *out = fopen(filename, "a");
704	write_privkey(out);
705	fclose(out);
706	}
707	/***
708	abac_chunk_t cert_chunk()
709	returns a DER-encoded binary representation of the X.509 ID cert
710	associated with this ID.
711	can be passed to libabac's Context::load_id_chunk()
712	***/
713	abac_chunk_t cert_chunk()
714	{ return abac_id_cert_chunk(m_id); }
715	/***
716	char *string()
717	returns literal string of the id credential
718	***/
719	char *string() {
720	char *tmp=NULL;
721	if(has_privkey())
722	asprintf(&tmp,"(%s,%s,y)",abac_id_name(m_id),abac_id_idtype_string(m_id));
723	else asprintf(&tmp,"(%s,%s,n)",abac_id_name(m_id),abac_id_idtype_string(m_id));
724	return tmp;
725	}
726	public:
727	abac_id_t *m_id;
728	};
729
730
731	/***
732	ABAC::Attribute
733	This is the attribute representation for the access policy rule
734	LHS <- RHS
735	The sequence of generation is to
736	first, instantiate the object, ie, LHS (head)
737	second, adding subject(s) to it, ie, RHS (tail)
738	and then baking it.
739	Only once it's baked can you access the X.509 cert.
740	Once it's been baked you can no longer add subjects to it
741	***/
742	class Attribute {
743	public:
744	/***
745	Attribute()
746	default constructor, do not use, for swig only
747	Attribute(const Attribute &)
748	copy constructor, used for cloning an attribute
749	~Attribute()
750	default destructor
751	***/
752	Attribute() : m_attr(NULL) { }
753	Attribute(const Attribute &id)
754	{ m_attr =abac_attribute_dup(id.m_attr); }
755	~Attribute()
756	{ if(m_attr) abac_attribute_free(m_attr); }
757	/***
758	XXX
759	***/
760	Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr))
761	{ }
762	Attribute(abac_credential_t *cred) {
763	m_attr=abac_attribute_dup(abac_credential_attribute(cred));
764	}
765	/* Create an object to be signed by the given issuer with the given role
766	and validity period
767	An exception will be thrown if:
768	- the issuer has no private key
769	- the Head is invalid
770	- the validity period is invalid (must be >= 1 second) */
771	Attribute(Role& head, int validity) {
772	int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity);
773	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
774	abac_errx(1, "attribute(role), unable to make an attribute");
775	}
776	Attribute(Oset& head, int validity) {
777	int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity);
778	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
779	abac_errx(1, "attribute(oset), unable to make an attribute");
780	}
781	bool add_tail(Role& tail) {
782	if(abac_attribute_add_tail(m_attr, tail.role()))
783	return 1;
784	else return 0;
785	}
786	bool add_tail(Oset& tail) {
787	if(abac_attribute_add_tail(m_attr, tail.oset()))
788	return 1;
789	else return 0;
790	}
791	char *head_string() {
792	abac_aspect_t *head=abac_attribute_head(m_attr);
793	char *string=abac_aspect_string(head);
794	return string;
795	}
796	char *tail_string() {
797	abac_aspect_t *tail=abac_attribute_tail(m_attr);
798	char *string=abac_aspect_string(tail);
799	return string;
800	}
801	char *head_typed_string() {
802	abac_aspect_t *head=abac_attribute_head(m_attr);
803	char *string=abac_aspect_typed_string(head);
804	return string;
805	}
806	char *tail_typed_string() {
807	abac_aspect_t *tail=abac_attribute_tail(m_attr);
808	char *string=abac_aspect_typed_string(tail);
809	return string;
810	}
811	char *string() {
812	char *head=head_string();
813	char *tail=tail_string();
814	if(head==NULL \|\| tail==NULL)
815	abac_errx(1, "attribute string, head and tail can not be NULL");
816	char *tmp=NULL;
817	asprintf(&tmp,"%s<-%s",head,tail);
818	return tmp;
819	}
820	char *typed_string() {
821	char *head=head_typed_string();
822	char *tail=tail_typed_string();
823	if(head==NULL \|\| tail==NULL)
824	abac_errx(1, "attribute string, head and tail can not be NULL");
825	char *tmp=NULL;
826	asprintf(&tmp,"%s<-%s",head,tail);
827	return tmp;
828	}
829	const Role &role_head() {
830	abac_aspect_t *head=abac_attribute_head(m_attr);
831	static Role role=Role(head);
832	return role;
833	}
834	const Oset &oset_head() {
835	abac_aspect_t *head=abac_attribute_tail(m_attr);
836	static Oset oset=Oset(head);
837	return oset;
838	}
839	std::vector<Role> role_tails(bool &success) {
840	abac_aspect_t tails, end;
841	int i;
842	tails = abac_attribute_tail_vectorized(m_attr);
843	for (i = 0; tails[i] != NULL; ++i)
844	;
845	end = &tails[i];
846	std::vector<Role> roles = std::vector<Role>(tails, end);
847	abac_aspects_free(tails);
848	success=1;
849	return roles;
850	}
851	std::vector<Oset> oset_tails(bool &success) {
852	abac_aspect_t tails, end;
853	int i;
854	tails = abac_attribute_tail_vectorized(m_attr);
855	for (i = 0; tails[i] != NULL; ++i)
856	;
857	end = &tails[i];
858	std::vector<Oset> osets = std::vector<Oset>(tails, end);
859	success=1;
860	abac_aspects_free(tails);
861	return osets;
862	}
863	abac_attribute_t *attribute() { return m_attr; }
864
865	/* Generate the cert. Call this after you've added subjects to your cert.
866	This returns false if there are no subjects
867	This will throw an exception if the cert's already been baked. */
868	bool bake() {
869	/* can not bake in ABAC_CN mode */
870	if(USE("ABAC_CN"))
871	abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set");
872	int rt=abac_attribute_bake(m_attr);
873	if(rt!=1)
874	abac_errx(1, "bake, can not bake the cert");
875	}
876	/* Returns true iff the cert has been baked. */
877	bool baked() {
878	return abac_attribute_baked(m_attr);
879	}
880	/* Write the DER-encoded X.509 attribute cert to the open file handle
881	Throws an exception if the cert isn't baked */
882	void write_cert(FILE *out) {
883	int rt= abac_attribute_write(m_attr,out);
884	if(!rt)
885	abac_errx(1, "write, cert is not baked");
886	}
887	/* Write the DER-encoded X.509 attribute cert to a file named out
888	Throws an exception if the cert isn't baked */
889	void write_cert(char *filename) {
890	FILE *out = fopen(filename, "w");
891	printf("writing to %s\n", filename);
892	write_cert(out);
893	printf("done writing to %s\n", filename);
894	fclose(out);
895	}
896	/* returns a DER-encoded binary representation of the X.509 attribute
897	cert associated with this cert
898	Throws an exception if the cert isn't baked
899	the chunk can be passed to libabac's Context::load_attribute_chunk() */
900	abac_chunk_t cert_chunk() {
901	return abac_attribute_cert_chunk(m_attr);
902	}
903	/* generate yap clauses and injected into db */
904	int consume() {
905	/* attribute needs to be baked */
906	if(!baked()) {
907	return ABAC_ATTRIBUTE_FAIL;
908	}
909	}
910	private:
911	abac_attribute_t *m_attr;
912	};
913
914
915	class Context {
916	public:
917	Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); }
918	Context(const Context &context) {
919	m_ctx = abac_context_dup(context.m_ctx);
920	m_abac_version=strdup(context.m_abac_version);
921	}
922	~Context() {
923	abac_context_free(m_ctx);
924	if(m_abac_version) free(m_abac_version);
925	}
926
927	/* load an identity certificate, returns:
928	ABAC_CERT_SUCCESS successfully loaded
929	ABAC_CERT_INVALID invalid certificate (or file not found)
930	ABAC_CERT_BAD_SIG invalid signature */
931	void dump_yap() {
932	show_yap_db("dump_yap");
933	}
934	int load_id(ABAC::ID& id) {
935	return abac_context_load_id_id(m_ctx, id.id());
936	}
937	int load_id_file(char *filename) {
938	return abac_context_load_id_idkey_file(m_ctx, filename);
939	}
940	int load_id_file(char filename, char keyfilename) {
941	return abac_context_load_id_id_file_key_file(m_ctx, filename, keyfilename);
942	}
943	int load_id_chunk(abac_chunk_t cert) {
944	return abac_context_load_id_chunk(m_ctx, cert);
945	}
946	/* load an attribute certificate, returns the same values as above
947	* additionally can return ABAC_CERT_MISSING_ISSUER if the issuer
948	certificate has not been loaded */
949	int load_attribute(ABAC::Attribute& a) {
950	return abac_context_load_attribute_attribute(m_ctx, a.attribute());
951	}
952	int load_attribute_file(char *filename) {
953	return abac_context_load_attribute_file(m_ctx, filename);
954	}
955	int load_attribute_chunk(abac_chunk_t cert) {
956	return abac_context_load_attribute_chunk(m_ctx, cert);
957	}
958	/* load a directory full of certificates:
959	first: ${path}/*_ID.{der,pem} as identity certificates
960	then: ${path}/_attr.der as attribute certificates /
961	void load_directory(char *path) {
962	abac_context_load_directory(m_ctx, path);
963	}
964	/* run the query:
965	role <-?- principal
966	returns true/false in success
967	returns a proof upon success, partial proof on failure */
968	/* the string version is for query that is composed by hand with SHA or
969	in non ABAC_CN mode */
970	std::vector<Attribute> query(char role, char principal, bool &success) {
971	abac_credential_t creds, end;
972	int i, success_int;
973
974	creds = abac_context_query(m_ctx, role, principal, &success_int);
975	success = success_int;
976
977	for (i = 0; creds[i] != NULL; ++i)
978	;
979
980	end = &creds[i];
981	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
982	if(debug) printf("query, got rules(%d)\n", i);
983
984	abac_context_credentials_free(creds);
985
986	return attributes;
987	}
988
989	/* another way */
990	std::vector<Attribute> query(Role &role, Role &p_role, bool &success) {
991	abac_credential_t creds, end;
992	int i, success_int;
993
994	creds = abac_context_query_with_structure(m_ctx, role.role(), p_role.role(), &success_int);
995	success = success_int;
996
997	for (i = 0; creds[i] != NULL; ++i)
998	;
999
1000	end = &creds[i];
1001	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1002
1003	abac_context_credentials_free(creds);
1004
1005	return attributes;
1006	}
1007
1008	std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) {
1009	abac_credential_t creds, end;
1010	int i, success_int;
1011
1012	creds = abac_context_query_with_structure(m_ctx, oset.oset(), p_oset.oset(), &success_int);
1013	success = success_int;
1014
1015	for (i = 0; creds[i] != NULL; ++i)
1016	;
1017
1018	end = &creds[i];
1019	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1020	if(debug) printf("query, returning rules(%d)\n", i);
1021
1022	abac_context_credentials_free(creds);
1023
1024	return attributes;
1025	}
1026
1027	/* returns a vector of all the credentials loaded in the context */
1028	std::vector<Attribute> context_credentials(bool &success) {
1029	abac_credential_t creds, end;
1030	int i;
1031	success = 1;
1032
1033	creds = abac_context_credentials(m_ctx);
1034	for (i = 0; creds[i] != NULL; ++i)
1035	;
1036
1037	end = &creds[i];
1038	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1039	if(debug) printf("credentials, got (%d)\n", i);
1040
1041	abac_context_credentials_free(creds);
1042	if(debug) show_yap_db("calling from context_credentials");
1043	return attributes;
1044	}
1045
1046	/* returns a vector of all the principals loaded in the context */
1047	std::vector<ID> context_principals(bool &success) {
1048	abac_id_credential_t ids, end;
1049	int i;
1050	success = 1;
1051
1052	ids = abac_context_principals(m_ctx);
1053	for (i = 0; ids[i] != NULL; ++i)
1054	;
1055
1056	end = &ids[i];
1057	std::vector<ID> principals = std::vector<ID>(ids, end);
1058	if(debug) printf("principals, got (%d)\n", i);
1059
1060	abac_context_principals_free(ids);
1061	return principals;
1062	}
1063
1064	char *version() const { return m_abac_version; }
1065
1066	private:
1067	abac_context_t *m_ctx;
1068	char *m_abac_version;
1069	};
1070
1071	Constraint::Constraint(Role& role)
1072	{ m_constraint=abac_condition_create_from_aspect(role.role()); }
1073	Constraint::Constraint(Oset &oset)
1074	{ m_constraint=abac_condition_create_from_aspect(oset.oset()); }
1075	}
1076
1077	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: