1 | #ifndef __ABAC_HH__ |
---|
2 | #define __ABAC_HH__ |
---|
3 | |
---|
4 | #include <string> |
---|
5 | #include <vector> |
---|
6 | |
---|
7 | namespace ABAC { |
---|
8 | extern "C" { |
---|
9 | #include "abac.h" |
---|
10 | } |
---|
11 | |
---|
12 | static int debug=0; |
---|
13 | |
---|
14 | class Role; |
---|
15 | class Oset; |
---|
16 | |
---|
17 | class Constraint { |
---|
18 | public: |
---|
19 | Constraint() : m_constraint(NULL) { } // do not use: here for swig |
---|
20 | Constraint(abac_condition_t *constraint): |
---|
21 | m_constraint(abac_condition_dup(constraint)) |
---|
22 | { } |
---|
23 | Constraint(const Constraint &constraint) { |
---|
24 | m_constraint =abac_condition_dup(constraint.m_constraint); |
---|
25 | } |
---|
26 | ~Constraint() { |
---|
27 | if(m_constraint) abac_condition_free(m_constraint); |
---|
28 | } |
---|
29 | |
---|
30 | /* range constraint */ |
---|
31 | Constraint(char *vartype) { m_constraint=abac_condition_create(vartype); } |
---|
32 | |
---|
33 | /* [integer:?I[10 .. 20] */ |
---|
34 | /* [float:?F[0.5 .. 2.5] */ |
---|
35 | void add_constraint_integer_max(int val) { |
---|
36 | abac_condition_add_range_integer_item(m_constraint,abac_max_item_type(),val); |
---|
37 | } |
---|
38 | void add_constraint_integer_min(int val) { |
---|
39 | abac_condition_add_range_integer_item(m_constraint,abac_min_item_type(),val); |
---|
40 | } |
---|
41 | void add_constraint_integer_target(int val) { |
---|
42 | abac_condition_add_range_integer_item(m_constraint,abac_target_item_type(),val); |
---|
43 | } |
---|
44 | void add_constraint_float_max(float val) { |
---|
45 | abac_condition_add_range_float_item(m_constraint,abac_max_item_type(),val); |
---|
46 | } |
---|
47 | void add_constraint_float_min(float val) { |
---|
48 | abac_condition_add_range_float_item(m_constraint,abac_min_item_type(),val); |
---|
49 | } |
---|
50 | void add_constraint_float_target(float val) { |
---|
51 | abac_condition_add_range_float_item(m_constraint,abac_target_item_type(),val); |
---|
52 | } |
---|
53 | /* quoted string values */ |
---|
54 | /* [time:?T["20201101T182930"] */ |
---|
55 | void add_constraint_time_max(char* val) { |
---|
56 | abac_condition_add_range_time_item(m_constraint,abac_max_item_type(),val); |
---|
57 | } |
---|
58 | void add_constraint_time_min(char* val) { |
---|
59 | abac_condition_add_range_time_item(m_constraint,abac_min_item_type(),val); |
---|
60 | } |
---|
61 | void add_constraint_time_target(char* val) { |
---|
62 | abac_condition_add_range_time_item(m_constraint,abac_target_item_type(),val); |
---|
63 | } |
---|
64 | /* [urn:?U["fileA","http://fileB"] -only listed range */ |
---|
65 | void add_constraint_urn_target(char* val) { |
---|
66 | abac_condition_add_range_urn_item(m_constraint,val); |
---|
67 | } |
---|
68 | /* [string:?S["abc",'efg',"hij"] -only listed range */ |
---|
69 | void add_constraint_string_target(char* val) { |
---|
70 | abac_condition_add_range_string_item(m_constraint,val); |
---|
71 | } |
---|
72 | /*[boolean:?B['true']] */ |
---|
73 | void add_constraint_boolean_target(char* val) { |
---|
74 | abac_condition_add_range_boolean_item(m_constraint,val); |
---|
75 | } |
---|
76 | |
---|
77 | |
---|
78 | /* [oset:?O[{oset-constraint}] */ |
---|
79 | /* [role:?R[{role-constraint}] */ |
---|
80 | /* [urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])] */ |
---|
81 | /* role constraint */ |
---|
82 | Constraint(Role *role); |
---|
83 | /* oset constraint */ |
---|
84 | Constraint(Oset *oset); |
---|
85 | char *string() const { |
---|
86 | return abac_condition_string(m_constraint); |
---|
87 | } |
---|
88 | char *typed_string() const { |
---|
89 | return abac_condition_typed_string(m_constraint); |
---|
90 | } |
---|
91 | abac_condition_t *constraint() |
---|
92 | { return m_constraint; } |
---|
93 | private: |
---|
94 | abac_condition_t *m_constraint; |
---|
95 | }; |
---|
96 | |
---|
97 | /* XXX need to track the principal [keyid:alice] so can generate |
---|
98 | the id_type_clause within attribute clause */ |
---|
99 | class DataTerm { |
---|
100 | public: |
---|
101 | DataTerm() : m_term(NULL) { } // do not use: here for swig |
---|
102 | DataTerm(abac_term_t *term) { |
---|
103 | m_term=abac_term_dup(term); |
---|
104 | abac_condition_t *constraint=abac_term_constraint(m_term); |
---|
105 | if(constraint) m_cond=new Constraint(constraint); |
---|
106 | else m_cond=NULL; |
---|
107 | } |
---|
108 | DataTerm(const DataTerm &term) { |
---|
109 | m_term =abac_term_dup(term.m_term); |
---|
110 | abac_condition_t *constraint=abac_term_constraint(m_term); |
---|
111 | if(constraint) m_cond=new Constraint(constraint); |
---|
112 | else m_cond=NULL; |
---|
113 | } |
---|
114 | ~DataTerm() { |
---|
115 | if(m_term) abac_term_free(m_term); |
---|
116 | if(m_cond) free(m_cond); |
---|
117 | } |
---|
118 | /* this is for named principal data term */ |
---|
119 | DataTerm(char *sha) { |
---|
120 | if(debug) printf("adding a Dataterm named principal(%s)\n",sha); |
---|
121 | int isnamed=1; |
---|
122 | int type=e_TERM_PRINCIPAL; |
---|
123 | m_term=abac_term_named_create(type,sha); |
---|
124 | } |
---|
125 | /* can be an a variable data term or a specific value */ |
---|
126 | DataTerm(char* typenm, char *name, Constraint *cond=NULL) { |
---|
127 | int type=abac_verify_term_type(typenm); |
---|
128 | if(debug) printf("adding a Dataterm (%s)\n",name); |
---|
129 | if(type==ABAC_TERM_FAIL) |
---|
130 | abac_errx(1, "DataTerm, fail to create the term"); |
---|
131 | if(cond) { |
---|
132 | m_cond=cond; |
---|
133 | m_term=abac_term_create(type,name,cond->constraint()); |
---|
134 | } else { |
---|
135 | m_cond=NULL; |
---|
136 | m_term=abac_term_create(type,name,NULL); |
---|
137 | } |
---|
138 | } |
---|
139 | char *string() const { |
---|
140 | return abac_term_string(m_term); |
---|
141 | } |
---|
142 | char *typed_string() const { |
---|
143 | return abac_term_typed_string(m_term); |
---|
144 | } |
---|
145 | bool is_time() const { |
---|
146 | return abac_term_is_time_type(m_term); |
---|
147 | } |
---|
148 | bool is_string() const { |
---|
149 | return abac_term_is_string_type(m_term); |
---|
150 | } |
---|
151 | bool is_urn() const { |
---|
152 | return abac_term_is_urn_type(m_term); |
---|
153 | } |
---|
154 | bool is_integer() const { |
---|
155 | return abac_term_is_integer_type(m_term); |
---|
156 | } |
---|
157 | /* Add a constraint to this term. */ |
---|
158 | int add_constraint(Constraint& cond) { |
---|
159 | m_cond=new Constraint(cond); |
---|
160 | abac_term_add_constraint(m_term, m_cond->constraint()); |
---|
161 | } |
---|
162 | int type() { |
---|
163 | abac_term_type(m_term); |
---|
164 | } |
---|
165 | char *name() { |
---|
166 | return abac_term_name(m_term); |
---|
167 | } |
---|
168 | char *value() { |
---|
169 | /* ??? value XXX */ |
---|
170 | } |
---|
171 | Constraint *constraint() { |
---|
172 | return m_cond; |
---|
173 | } |
---|
174 | abac_term_t *term() { |
---|
175 | return m_term; |
---|
176 | } |
---|
177 | |
---|
178 | private: |
---|
179 | abac_term_t *m_term; |
---|
180 | Constraint *m_cond; |
---|
181 | }; |
---|
182 | |
---|
183 | |
---|
184 | class Role { |
---|
185 | public: |
---|
186 | Role() : m_role(NULL) { } // do not use: here for swig |
---|
187 | Role(abac_aspect_t *role): m_role(abac_aspect_dup(role)) |
---|
188 | { } |
---|
189 | Role(char *principal_name) : |
---|
190 | m_role(abac_aspect_role_principal_create(principal_name)) |
---|
191 | { } |
---|
192 | Role(char *principal_name, char *role_name) : |
---|
193 | m_role(abac_aspect_role_create(principal_name, role_name)) |
---|
194 | { } |
---|
195 | Role(const Role &role) { |
---|
196 | m_role = abac_aspect_dup(role.m_role); |
---|
197 | } |
---|
198 | ~Role() { |
---|
199 | if (m_role) abac_aspect_free(m_role); |
---|
200 | } |
---|
201 | bool is_principal() const { |
---|
202 | return abac_aspect_is_principal(m_role); |
---|
203 | } |
---|
204 | bool is_linking() const { |
---|
205 | return abac_aspect_is_linking(m_role); |
---|
206 | } |
---|
207 | char *string() const { |
---|
208 | return abac_aspect_string(m_role); |
---|
209 | } |
---|
210 | char *typed_string() { |
---|
211 | char* string=abac_aspect_typed_string(m_role); |
---|
212 | return string; |
---|
213 | } |
---|
214 | char *linked_role() const { |
---|
215 | return abac_aspect_linked_role_name(m_role); |
---|
216 | } |
---|
217 | char *role_name() const { |
---|
218 | return abac_aspect_aspect_name(m_role); |
---|
219 | } |
---|
220 | char *principal() const { |
---|
221 | return abac_aspect_principal_name(m_role); |
---|
222 | } |
---|
223 | /* Add a data term to this name. */ |
---|
224 | int add_data_term(DataTerm& d) { |
---|
225 | abac_aspect_add_param(m_role, d.term()); |
---|
226 | return 1; |
---|
227 | } |
---|
228 | /* Return the DataTerms bound to this name. If the name is returned |
---|
229 | in a proof, these will all have values. */ |
---|
230 | std::vector<DataTerm> get_data_terms(bool &success) { |
---|
231 | abac_term_t **terms, **end; |
---|
232 | int i; |
---|
233 | terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role)); |
---|
234 | for (i = 0; terms[i] != NULL; ++i) |
---|
235 | ; |
---|
236 | end = &terms[i]; |
---|
237 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
238 | abac_terms_free(terms); |
---|
239 | success=1; |
---|
240 | return dataterms; |
---|
241 | } |
---|
242 | int add_linking_data_term(DataTerm& d) { |
---|
243 | abac_aspect_add_linked_param(m_role, d.term()); |
---|
244 | return 1; |
---|
245 | } |
---|
246 | std::vector<DataTerm> get_linked_data_terms(bool &success) { |
---|
247 | abac_term_t **terms, **end; |
---|
248 | int i; |
---|
249 | terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role)); |
---|
250 | for (i = 0; terms[i] != NULL; ++i) |
---|
251 | ; |
---|
252 | end = &terms[i]; |
---|
253 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
254 | abac_terms_free(terms); |
---|
255 | success=1; |
---|
256 | return dataterms; |
---|
257 | } |
---|
258 | abac_aspect_t *role() {return m_role;} |
---|
259 | private: |
---|
260 | abac_aspect_t *m_role; |
---|
261 | }; |
---|
262 | |
---|
263 | class Oset { |
---|
264 | public: |
---|
265 | Oset() : m_oset(NULL) { } // do not use: here for swig |
---|
266 | Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset)) |
---|
267 | { } |
---|
268 | Oset(char *oset_name) : m_oset(abac_aspect_oset_principal_create(oset_name)) |
---|
269 | { } |
---|
270 | Oset(char *principal_name, char *oset_name) : |
---|
271 | m_oset(abac_aspect_oset_create(principal_name, oset_name)) |
---|
272 | { } |
---|
273 | Oset(DataTerm& d) : |
---|
274 | m_oset(abac_aspect_oset_object_create(d.term())) |
---|
275 | { } |
---|
276 | Oset(const Oset &oset) { |
---|
277 | m_oset =abac_aspect_dup(oset.m_oset); |
---|
278 | } |
---|
279 | ~Oset() { |
---|
280 | if(m_oset) abac_aspect_free(m_oset); |
---|
281 | } |
---|
282 | bool is_object() const { |
---|
283 | return abac_aspect_is_object(m_oset); |
---|
284 | } |
---|
285 | bool is_principal() const { |
---|
286 | return abac_aspect_is_principal(m_oset); |
---|
287 | } |
---|
288 | bool is_linking() const { |
---|
289 | return abac_aspect_is_linking(m_oset); |
---|
290 | } |
---|
291 | char *string() const { |
---|
292 | return abac_aspect_string(m_oset); |
---|
293 | } |
---|
294 | char *typed_string() { |
---|
295 | char* string=abac_aspect_typed_string(m_oset); |
---|
296 | return string; |
---|
297 | } |
---|
298 | char *linked_role() const { |
---|
299 | return abac_aspect_linked_role_name(m_oset); |
---|
300 | } |
---|
301 | char *oset_name() const { |
---|
302 | return abac_aspect_aspect_name(m_oset); |
---|
303 | } |
---|
304 | char *principal() const { |
---|
305 | return abac_aspect_principal_name(m_oset); |
---|
306 | } |
---|
307 | char *object() const { |
---|
308 | return abac_aspect_object_name(m_oset); |
---|
309 | } |
---|
310 | /* Add a data term to this name. */ |
---|
311 | int add_data_term(DataTerm& d) { |
---|
312 | abac_aspect_add_param(m_oset, d.term()); |
---|
313 | return 1; |
---|
314 | } |
---|
315 | /* Return the DataTerms bound to this name. If the name is returned |
---|
316 | in a proof, these will all have values. */ |
---|
317 | std::vector<DataTerm> get_data_terms(bool &success) { |
---|
318 | abac_term_t **terms, **end; |
---|
319 | int i; |
---|
320 | terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset)); |
---|
321 | for (i = 0; terms[i] != NULL; ++i) |
---|
322 | ; |
---|
323 | end = &terms[i]; |
---|
324 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
325 | abac_terms_free(terms); |
---|
326 | success=1; |
---|
327 | return dataterms; |
---|
328 | } |
---|
329 | int add_linking_data_term(DataTerm& d) { |
---|
330 | abac_aspect_add_linked_param(m_oset, d.term()); |
---|
331 | return 1; |
---|
332 | } |
---|
333 | std::vector<DataTerm> get_linked_data_terms(bool &success) { |
---|
334 | abac_term_t **terms, **end; |
---|
335 | int i; |
---|
336 | terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset)); |
---|
337 | for (i = 0; terms[i] != NULL; ++i) |
---|
338 | ; |
---|
339 | end = &terms[i]; |
---|
340 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
341 | abac_terms_free(terms); |
---|
342 | success=1; |
---|
343 | return dataterms; |
---|
344 | } |
---|
345 | abac_aspect_t *oset() {return m_oset;} |
---|
346 | private: |
---|
347 | abac_aspect_t *m_oset; |
---|
348 | }; |
---|
349 | |
---|
350 | |
---|
351 | class ID { |
---|
352 | public: |
---|
353 | ID() : m_id(NULL) { } // do not use: here for swig |
---|
354 | ID(abac_id_t *id): m_id(abac_id_dup(id)) |
---|
355 | { } |
---|
356 | ID(abac_id_credential_t *idcred) { |
---|
357 | if(idcred) |
---|
358 | m_id=abac_id_dup(abac_id_credential_id(idcred)); |
---|
359 | else m_id=NULL; |
---|
360 | } |
---|
361 | ID(const ID &id) { m_id =abac_id_dup(id.m_id); } |
---|
362 | ~ID() { if(m_id) abac_id_free(m_id); } |
---|
363 | |
---|
364 | /* load an ID cert from a file |
---|
365 | Will throw an exception if the cert cannot be loaded */ |
---|
366 | ID(char *filename) { |
---|
367 | m_id=abac_id_from_file(filename); |
---|
368 | if(m_id==NULL) |
---|
369 | abac_errx(1, "Id creation from filename failed"); |
---|
370 | } |
---|
371 | /* generates a new ID with the supplied CN and validity period |
---|
372 | - CN must be alphanumeric and begin with a letter |
---|
373 | - validity must be at least one second |
---|
374 | Will throw an exception if either of the above is violated */ |
---|
375 | ID(char *cn, int validity) { |
---|
376 | int rt=abac_id_generate(&m_id, cn, validity); |
---|
377 | if(rt != ABAC_ID_SUCCESS) |
---|
378 | abac_errx(1, "Id creation failed"); |
---|
379 | } |
---|
380 | /* loads the private key associated with the cert |
---|
381 | will throw an exception if the key cannot be loaded */ |
---|
382 | void load_privkey(char *filename) { |
---|
383 | int rt=abac_id_load_privkey_file(m_id, filename); |
---|
384 | if(rt != 1) |
---|
385 | abac_errx(1, "Failed to load private key"); |
---|
386 | } |
---|
387 | abac_id_t *id() { return m_id; } |
---|
388 | |
---|
389 | /* returns the SHA1 keyid of the cert */ |
---|
390 | char *keyid() { return abac_id_keyid(m_id); } |
---|
391 | /* returns the CN */ |
---|
392 | char *name() { return abac_id_cn(m_id); } |
---|
393 | /* returns true if the ID has an associated private key */ |
---|
394 | bool has_privkey() { |
---|
395 | return abac_id_has_privkey(m_id); |
---|
396 | } |
---|
397 | /* writes a PEM-encoded cert to the file handle */ |
---|
398 | void write_cert(FILE *out) { |
---|
399 | abac_id_write_cert(m_id, out); |
---|
400 | } |
---|
401 | /* writes a PEM-encoded cert to a file named out */ |
---|
402 | void write_cert(char *filename) { |
---|
403 | FILE *out = fopen(filename, "a"); |
---|
404 | write_cert(out); |
---|
405 | fclose(out); |
---|
406 | } |
---|
407 | /* writes a PEM-encoded private key to the file handle |
---|
408 | throws an exception if no private key is loaded */ |
---|
409 | void write_privkey(FILE *out) { |
---|
410 | if(!has_privkey()) |
---|
411 | abac_errx(1, "No privkey to write"); |
---|
412 | abac_id_write_privkey(m_id, out); |
---|
413 | } |
---|
414 | /* writes a PEM-encoded private key a file named out |
---|
415 | throws an exception if no private key is loaded */ |
---|
416 | void write_privkey(char *filename) { |
---|
417 | FILE *out = fopen(filename, "a"); |
---|
418 | write_privkey(out); |
---|
419 | fclose(out); |
---|
420 | } |
---|
421 | /* returns a DER-encoded binary representation of the X.509 ID cert |
---|
422 | associated with this ID. |
---|
423 | can be passed to libabac's Context::load_id_chunk() */ |
---|
424 | abac_chunk_t cert_chunk() { |
---|
425 | return abac_id_cert_chunk(m_id); |
---|
426 | } |
---|
427 | char *string() { |
---|
428 | char *tmp=NULL; |
---|
429 | if(has_privkey()) |
---|
430 | asprintf(&tmp,"(%s,%s,y)",abac_id_name(m_id),abac_id_idtype_string(m_id)); |
---|
431 | else asprintf(&tmp,"(%s,%s,n)",abac_id_name(m_id),abac_id_idtype_string(m_id)); |
---|
432 | return tmp; |
---|
433 | } |
---|
434 | public: |
---|
435 | abac_id_t *m_id; |
---|
436 | }; |
---|
437 | |
---|
438 | |
---|
439 | /* N.B., The way you use this class is by instantiating the object, adding |
---|
440 | subjects to it, and then baking it. Only once it's baked can you access the |
---|
441 | X.509 cert. Once it's been baked you can no longer add subjects to it. */ |
---|
442 | class Attribute { |
---|
443 | public: |
---|
444 | Attribute() : m_attr(NULL) { } // do not use: here for swig |
---|
445 | Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr)) |
---|
446 | { } |
---|
447 | Attribute(abac_credential_t *cred) { |
---|
448 | m_attr=abac_attribute_dup(abac_credential_attribute(cred)); |
---|
449 | } |
---|
450 | Attribute(const Attribute &id) { |
---|
451 | m_attr =abac_attribute_dup(id.m_attr); |
---|
452 | } |
---|
453 | ~Attribute() { |
---|
454 | if(m_attr) abac_attribute_free(m_attr); |
---|
455 | } |
---|
456 | /* Create an object to be signed by the given issuer with the given role |
---|
457 | and validity period |
---|
458 | An exception will be thrown if: |
---|
459 | - the issuer has no private key |
---|
460 | - the Head is invalid |
---|
461 | - the validity period is invalid (must be >= 1 second) */ |
---|
462 | Attribute(Role& head, int validity) { |
---|
463 | int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity); |
---|
464 | if(rt!=ABAC_ATTRIBUTE_SUCCESS) |
---|
465 | abac_errx(1, "attribute(role), unable to make an attribute"); |
---|
466 | } |
---|
467 | Attribute(Oset& head, int validity) { |
---|
468 | int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity); |
---|
469 | if(rt!=ABAC_ATTRIBUTE_SUCCESS) |
---|
470 | abac_errx(1, "attribute(oset), unable to make an attribute"); |
---|
471 | } |
---|
472 | bool add_tail(Role& tail) { |
---|
473 | if(abac_attribute_add_tail(m_attr, tail.role())) |
---|
474 | return 1; |
---|
475 | else return 0; |
---|
476 | } |
---|
477 | bool add_tail(Oset& tail) { |
---|
478 | if(abac_attribute_add_tail(m_attr, tail.oset())) |
---|
479 | return 1; |
---|
480 | else return 0; |
---|
481 | } |
---|
482 | char *head_string() { |
---|
483 | abac_aspect_t *head=abac_attribute_head(m_attr); |
---|
484 | char *string=abac_aspect_string(head); |
---|
485 | return string; |
---|
486 | } |
---|
487 | char *tail_string() { |
---|
488 | abac_aspect_t *tail=abac_attribute_tail(m_attr); |
---|
489 | char *string=abac_aspect_string(tail); |
---|
490 | return string; |
---|
491 | } |
---|
492 | char *head_typed_string() { |
---|
493 | abac_aspect_t *head=abac_attribute_head(m_attr); |
---|
494 | char *string=abac_aspect_typed_string(head); |
---|
495 | return string; |
---|
496 | } |
---|
497 | char *tail_typed_string() { |
---|
498 | abac_aspect_t *tail=abac_attribute_tail(m_attr); |
---|
499 | char *string=abac_aspect_typed_string(tail); |
---|
500 | return string; |
---|
501 | } |
---|
502 | char *string() { |
---|
503 | char *head=head_string(); |
---|
504 | char *tail=tail_string(); |
---|
505 | if(head==NULL || tail==NULL) |
---|
506 | abac_errx(1, "attribute string, head and tail can not be NULL"); |
---|
507 | char *tmp=NULL; |
---|
508 | asprintf(&tmp,"%s<-%s",head,tail); |
---|
509 | return tmp; |
---|
510 | } |
---|
511 | char *typed_string() { |
---|
512 | char *head=head_typed_string(); |
---|
513 | char *tail=tail_typed_string(); |
---|
514 | if(head==NULL || tail==NULL) |
---|
515 | abac_errx(1, "attribute string, head and tail can not be NULL"); |
---|
516 | char *tmp=NULL; |
---|
517 | asprintf(&tmp,"%s<-%s",head,tail); |
---|
518 | return tmp; |
---|
519 | } |
---|
520 | const Role &role_head() { |
---|
521 | abac_aspect_t *head=abac_attribute_head(m_attr); |
---|
522 | static Role role=Role(head); |
---|
523 | return role; |
---|
524 | } |
---|
525 | const Oset &oset_head() { |
---|
526 | abac_aspect_t *head=abac_attribute_tail(m_attr); |
---|
527 | static Oset oset=Oset(head); |
---|
528 | return oset; |
---|
529 | } |
---|
530 | std::vector<Role> role_tails(bool &success) { |
---|
531 | abac_aspect_t **tails, **end; |
---|
532 | int i; |
---|
533 | tails = abac_attribute_tail_vectorized(m_attr); |
---|
534 | for (i = 0; tails[i] != NULL; ++i) |
---|
535 | ; |
---|
536 | end = &tails[i]; |
---|
537 | std::vector<Role> roles = std::vector<Role>(tails, end); |
---|
538 | abac_aspects_free(tails); |
---|
539 | success=1; |
---|
540 | return roles; |
---|
541 | } |
---|
542 | std::vector<Oset> oset_tails(bool &success) { |
---|
543 | abac_aspect_t **tails, **end; |
---|
544 | int i; |
---|
545 | tails = abac_attribute_tail_vectorized(m_attr); |
---|
546 | for (i = 0; tails[i] != NULL; ++i) |
---|
547 | ; |
---|
548 | end = &tails[i]; |
---|
549 | std::vector<Oset> osets = std::vector<Oset>(tails, end); |
---|
550 | success=1; |
---|
551 | abac_aspects_free(tails); |
---|
552 | return osets; |
---|
553 | } |
---|
554 | abac_attribute_t *attribute() { return m_attr; } |
---|
555 | |
---|
556 | /* Generate the cert. Call this after you've added subjects to your cert. |
---|
557 | This returns false if there are no subjects |
---|
558 | This will throw an exception if the cert's already been baked. */ |
---|
559 | bool bake() { |
---|
560 | /* can not bake in ABAC_CN mode */ |
---|
561 | if(USE("ABAC_CN")) |
---|
562 | abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set"); |
---|
563 | int rt=abac_attribute_bake(m_attr); |
---|
564 | if(rt!=1) |
---|
565 | abac_errx(1, "bake, can not bake the cert"); |
---|
566 | } |
---|
567 | /* Returns true iff the cert has been baked. */ |
---|
568 | bool baked() { |
---|
569 | return abac_attribute_baked(m_attr); |
---|
570 | } |
---|
571 | /* Write the DER-encoded X.509 attribute cert to the open file handle |
---|
572 | Throws an exception if the cert isn't baked */ |
---|
573 | void write_cert(FILE *out) { |
---|
574 | int rt= abac_attribute_write(m_attr,out); |
---|
575 | if(!rt) |
---|
576 | abac_errx(1, "write, cert is not baked"); |
---|
577 | } |
---|
578 | /* Write the DER-encoded X.509 attribute cert to a file named out |
---|
579 | Throws an exception if the cert isn't baked */ |
---|
580 | void write_cert(char *filename) { |
---|
581 | FILE *out = fopen(filename, "w"); |
---|
582 | printf("writing to %s\n", filename); |
---|
583 | write_cert(out); |
---|
584 | printf("done writing to %s\n", filename); |
---|
585 | fclose(out); |
---|
586 | } |
---|
587 | /* returns a DER-encoded binary representation of the X.509 attribute |
---|
588 | cert associated with this cert |
---|
589 | Throws an exception if the cert isn't baked |
---|
590 | the chunk can be passed to libabac's Context::load_attribute_chunk() */ |
---|
591 | abac_chunk_t cert_chunk() { |
---|
592 | return abac_attribute_cert_chunk(m_attr); |
---|
593 | } |
---|
594 | /* generate yap clauses and injected into db */ |
---|
595 | int consume() { |
---|
596 | /* attribute needs to be baked */ |
---|
597 | if(!baked()) { |
---|
598 | return ABAC_ATTRIBUTE_FAIL; |
---|
599 | } |
---|
600 | } |
---|
601 | private: |
---|
602 | abac_attribute_t *m_attr; |
---|
603 | }; |
---|
604 | |
---|
605 | |
---|
606 | class Context { |
---|
607 | public: |
---|
608 | Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); } |
---|
609 | Context(const Context &context) { |
---|
610 | m_ctx = abac_context_dup(context.m_ctx); |
---|
611 | m_abac_version=strdup(context.m_abac_version); |
---|
612 | } |
---|
613 | ~Context() { |
---|
614 | abac_context_free(m_ctx); |
---|
615 | if(m_abac_version) free(m_abac_version); |
---|
616 | } |
---|
617 | |
---|
618 | /* load an identity certificate, returns: |
---|
619 | ABAC_CERT_SUCCESS successfully loaded |
---|
620 | ABAC_CERT_INVALID invalid certificate (or file not found) |
---|
621 | ABAC_CERT_BAD_SIG invalid signature */ |
---|
622 | void dump_yap() { |
---|
623 | show_yap_db("dump_yap"); |
---|
624 | } |
---|
625 | int load_id(ABAC::ID& id) { |
---|
626 | return abac_context_load_id_id(m_ctx, id.id()); |
---|
627 | } |
---|
628 | int load_id_file(char *filename) { |
---|
629 | return abac_context_load_id_idkey_file(m_ctx, filename); |
---|
630 | } |
---|
631 | int load_id_file(char *filename, char *keyfilename) { |
---|
632 | return abac_context_load_id_id_file_key_file(m_ctx, filename, keyfilename); |
---|
633 | } |
---|
634 | int load_id_chunk(abac_chunk_t cert) { |
---|
635 | return abac_context_load_id_chunk(m_ctx, cert); |
---|
636 | } |
---|
637 | /* load an attribute certificate, returns the same values as above |
---|
638 | * additionally can return ABAC_CERT_MISSING_ISSUER if the issuer |
---|
639 | certificate has not been loaded */ |
---|
640 | int load_attribute(ABAC::Attribute& a) { |
---|
641 | return abac_context_load_attribute_attribute(m_ctx, a.attribute()); |
---|
642 | } |
---|
643 | int load_attribute_file(char *filename) { |
---|
644 | return abac_context_load_attribute_file(m_ctx, filename); |
---|
645 | } |
---|
646 | int load_attribute_chunk(abac_chunk_t cert) { |
---|
647 | return abac_context_load_attribute_chunk(m_ctx, cert); |
---|
648 | } |
---|
649 | /* load a directory full of certificates: |
---|
650 | first: ${path}/*_ID.{der,pem} as identity certificates |
---|
651 | then: ${path}/*_attr.der as attribute certificates */ |
---|
652 | void load_directory(char *path) { |
---|
653 | abac_context_load_directory(m_ctx, path); |
---|
654 | } |
---|
655 | /* run the query: |
---|
656 | role <-?- principal |
---|
657 | returns true/false in success |
---|
658 | returns a proof upon success, partial proof on failure */ |
---|
659 | /* the string version is for query that is composed by hand with SHA or |
---|
660 | in non ABAC_CN mode */ |
---|
661 | std::vector<Attribute> query(char *role, char *principal, bool &success) { |
---|
662 | abac_credential_t **creds, **end; |
---|
663 | int i, success_int; |
---|
664 | |
---|
665 | creds = abac_context_query(m_ctx, role, principal, &success_int); |
---|
666 | success = success_int; |
---|
667 | |
---|
668 | for (i = 0; creds[i] != NULL; ++i) |
---|
669 | ; |
---|
670 | |
---|
671 | end = &creds[i]; |
---|
672 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
673 | if(debug) printf("query, got rules(%d)\n", i); |
---|
674 | |
---|
675 | abac_context_credentials_free(creds); |
---|
676 | |
---|
677 | return attributes; |
---|
678 | } |
---|
679 | |
---|
680 | /* another way */ |
---|
681 | std::vector<Attribute> query(Role &role, Role &p_role, bool &success) { |
---|
682 | abac_credential_t **creds, **end; |
---|
683 | int i, success_int; |
---|
684 | |
---|
685 | /* make sure retrieving SHA not CN embedded string */ |
---|
686 | ABAC_IN_QUERY=1; |
---|
687 | char *role_str=role.typed_string(); |
---|
688 | char *p_role_str=p_role.typed_string(); |
---|
689 | ABAC_IN_QUERY=0; |
---|
690 | if(debug) { |
---|
691 | printf("query with %s\n",role_str); |
---|
692 | printf(" and %s\n",p_role_str); |
---|
693 | } |
---|
694 | creds = abac_context_query(m_ctx, role_str, p_role_str, &success_int); |
---|
695 | success = success_int; |
---|
696 | |
---|
697 | for (i = 0; creds[i] != NULL; ++i) |
---|
698 | ; |
---|
699 | |
---|
700 | end = &creds[i]; |
---|
701 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
702 | |
---|
703 | abac_context_credentials_free(creds); |
---|
704 | free(role_str); |
---|
705 | free(p_role_str); |
---|
706 | |
---|
707 | return attributes; |
---|
708 | } |
---|
709 | |
---|
710 | std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) { |
---|
711 | abac_credential_t **creds, **end; |
---|
712 | int i, success_int; |
---|
713 | /* make sure retrieving SHA not CN embedded string */ |
---|
714 | |
---|
715 | ABAC_IN_QUERY++; |
---|
716 | char *oset_str=oset.typed_string(); |
---|
717 | char *p_oset_str=p_oset.typed_string(); |
---|
718 | ABAC_IN_QUERY--; |
---|
719 | |
---|
720 | creds = abac_context_query(m_ctx, oset_str, p_oset_str, &success_int); |
---|
721 | success = success_int; |
---|
722 | |
---|
723 | for (i = 0; creds[i] != NULL; ++i) |
---|
724 | ; |
---|
725 | |
---|
726 | end = &creds[i]; |
---|
727 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
728 | if(debug) printf("query, returning rules(%d)\n", i); |
---|
729 | |
---|
730 | abac_context_credentials_free(creds); |
---|
731 | free(oset_str); |
---|
732 | free(p_oset_str); |
---|
733 | |
---|
734 | return attributes; |
---|
735 | } |
---|
736 | |
---|
737 | /* returns a vector of all the credentials loaded in the context */ |
---|
738 | std::vector<Attribute> context_credentials(bool &success) { |
---|
739 | abac_credential_t **creds, **end; |
---|
740 | int i; |
---|
741 | success = 1; |
---|
742 | |
---|
743 | creds = abac_context_credentials(m_ctx); |
---|
744 | for (i = 0; creds[i] != NULL; ++i) |
---|
745 | ; |
---|
746 | |
---|
747 | end = &creds[i]; |
---|
748 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
749 | if(debug) printf("credentials, got (%d)\n", i); |
---|
750 | |
---|
751 | abac_context_credentials_free(creds); |
---|
752 | if(debug) show_yap_db("calling from context_credentials"); |
---|
753 | return attributes; |
---|
754 | } |
---|
755 | |
---|
756 | /* returns a vector of all the principals loaded in the context */ |
---|
757 | std::vector<ID> context_principals(bool &success) { |
---|
758 | abac_id_credential_t **ids, **end; |
---|
759 | int i; |
---|
760 | success = 1; |
---|
761 | |
---|
762 | ids = abac_context_principals(m_ctx); |
---|
763 | for (i = 0; ids[i] != NULL; ++i) |
---|
764 | ; |
---|
765 | |
---|
766 | end = &ids[i]; |
---|
767 | std::vector<ID> principals = std::vector<ID>(ids, end); |
---|
768 | if(debug) printf("principals, got (%d)\n", i); |
---|
769 | |
---|
770 | abac_context_principals_free(ids); |
---|
771 | return principals; |
---|
772 | } |
---|
773 | |
---|
774 | char *version() const { return m_abac_version; } |
---|
775 | |
---|
776 | private: |
---|
777 | abac_context_t *m_ctx; |
---|
778 | char *m_abac_version; |
---|
779 | }; |
---|
780 | |
---|
781 | Constraint::Constraint(Role *role) |
---|
782 | { m_constraint=abac_condition_create_from_aspect(role->role()); } |
---|
783 | Constraint::Constraint(Oset *oset) |
---|
784 | { m_constraint=abac_condition_create_from_aspect(oset->oset()); } |
---|
785 | } |
---|
786 | |
---|
787 | #endif /* __ABAC_HH__ */ |
---|