Context Navigation

source: libabac/abac.hh @ 5d06689

mei_rt2mei_rt2_fix_1

Last change on this file since 5d06689 was 5d06689, checked in by Mei <mei@…>, 12 years ago

1) modify abac.hh and added abac_c.c to unify the c and c++ api

interface (almost)

2) add new API
3) tweak the tests
4) filling missing code for abac_verifier_load_attribute_cert_attribute

Property mode set to 100644

File size: 39.6 KB

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <string>
5	#include <vector>
6
7	namespace ABAC {
8	extern "C" {
9	#include "abac.h"
10	}
11	static int debug=0;
12	class Role;
13	class Oset;
14
15	/***
16	ABAC::Constraint
17	Constraint on a data term.
18	There are 3 types:
19	- Role constraint on a principal
20	- Oset constraint on a principal, or a data object
21	- Range/List constraint on a data object
22	It holds a ptr to a abac_condition_t structure
23	***/
24	class Constraint {
25	public:
26	/***
27	f Constraint()
28	default constructor, do not use, for swig only
29	f Constraint(const Constraint &)
30	copy constructor, used for cloning a constraint
31	f ~Constraint()
32	default destructor
33	***/
34	Constraint() : m_constraint(NULL) { }
35	Constraint(const Constraint &constraint) {
36	m_constraint =abac_condition_dup(constraint.m_constraint);
37	}
38	~Constraint() {
39	if(m_constraint) abac_condition_free(m_constraint);
40	}
41	/***
42	f Constraint(Role &)
43	constructor that takes a constraining role
44	[role:?R[{role-constraint}]
45	(c:abac_constraint_from_role)
46	f Constraint(Oset &)
47	constructor that takes a constraining oset
48	[oset:?O[{oset-constraint}]
49	[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
50	(c:abac_constraint_from_oset)
51	f Constraint(char *)
52	constructor that takes one of following string
53	as its vartype to set up a range constraint:
54	"integer"
55	"urn"
56	"float"
57	"boolean"
58	"time"
59	"string"
60	it should be followed with one or many of following utility
61	calls.
62	(C:abac_condition_create)
63	***/
64	Constraint(Role& role);
65	Constraint(Oset& oset);
66	Constraint(char *vartype)
67	{ m_constraint=abac_condition_create(vartype); }
68	/ii*
69	f Constraint(abac_condition_t *)
70	internal constructor that takes an abac_condition_t structure
71	*ii/
72	Constraint(abac_condition_t *constraint):
73	m_constraint(abac_condition_dup(constraint))
74	{ }
75	/***
76	f void constraint_add_integer_max(int)
77	(c:abac_constraint_add_integer_max)
78	void constraint_add_integer_min(int)
79	utility routines to setup a integer range constraint
80	[integer:?I[10 .. 20]]
81	(c:abac_constraint_add_integer_min)
82	f void constraint_add_integer_target(int)
83	utility routine to setup a integer list constraint
84	[integer:?I[10,20]]
85	(c:abac_constraint_add_integer_target)
86	***/
87	void constraint_add_integer_max(int val)
88	{ abac_constraint_add_integer_max(m_constraint,val); }
89	void constraint_add_integer_min(int val)
90	{ abac_constraint_add_integer_min(m_constraint,val); }
91	void constraint_add_integer_target(int val)
92	{ abac_constraint_add_integer_target(m_constraint,val); }
93	/***
94	f void constraint_add_float_max(float)
95	void constraint_add_float_min(float)
96	utility routines to setup a float range constraint
97	[float:?F[1.0 .. 2.5]]
98	f void constraint_add_float_target(float)
99	utility routine to setup a float list constraint
100	[float:?F[0.5, 2.5]]
101	***/
102	void constraint_add_float_max(float val)
103	{ abac_constraint_add_float_max(m_constraint,val); }
104	void constraint_add_float_min(float val)
105	{ abac_constraint_add_float_min(m_constraint,val); }
106	void constraint_add_float_target(float val)
107	{ abac_constraint_add_float_target(m_constraint,val); }
108	/***
109	f void constraint_add_time_max(char*)
110	void constraint_add_time_min(char*)
111	utility routines to setup a time range constraint,
112	takes quoted string values, beyond T is optional
113	[time:?F["20120228T" .. "20120228T090000"]]
114	f void constraint_add_time_target(char*)
115	utility routine to setup a time list constraint
116	[time:?M["20201101T182930","20201101T"]]
117	***/
118	void constraint_add_time_max(char* val)
119	{ abac_constraint_add_time_max(m_constraint,val); }
120	void constraint_add_time_min(char* val)
121	{ abac_constraint_add_time_min(m_constraint,val); }
122	void constraint_add_time_target(char* val)
123	{ abac_constraint_add_time_target(m_constraint,val); }
124	/***
125	f void constraint_add_urn_target(char*)
126	utility routine to setup a an urn list constraint
127	[urn:?U["fileA","http://fileB"]]
128	f void constraint_add_string_target(char*)
129	utility routine to setup a a string list constraint
130	[string:?S["abc",'efg',"hij"]]
131	f void constraint_add_boolean_target(char*)
132	utility routine to setup a a boolean list constraint
133	[boolean:?B['true']]
134	***/
135	void constraint_add_urn_target(char* val)
136	{ abac_constraint_add_urn_target(m_constraint,val); }
137	void constraint_add_string_target(char* val)
138	{ abac_constraint_add_string_target(m_constraint,val); }
139	void constraint_add_boolean_target(char* val)
140	{ abac_constraint_add_boolean_target(m_constraint,val); }
141	/***
142	f char *string() const
143	returns literal string of the constraint
144	(c:abac_condition_string)
145	f char *typed_string() const
146	returns typed literal string of the constraint
147	(c:abac_condition_typed_string)
148	***/
149	char *string() const
150	{ return abac_condition_string(m_constraint); }
151	char *typed_string() const
152	{ return abac_condition_typed_string(m_constraint); }
153	/ii*
154	f abac_condition_t *constraint()
155	internal returns internal constraint structure
156	*ii/
157	abac_condition_t *constraint()
158	{ return m_constraint; }
159	private:
160	abac_condition_t *m_constraint;
161	};
162
163	/***
164	ABAC::DataTerm
165	A data term is associated with Role or Oset as a parameter that
166	maybe be instantiated, or uninstantiated but being constrained,
167	or as a principal oset term (standalone right handside of an oset
168	policy rule). It holds a pointer to a abac_term_t structure and
169	an optional constraint that may be imposed on this data term if it
170	is indeed an unistantiated variable.
171	***/
172	class DataTerm {
173	public:
174	/***
175	f DataTerm()
176	default constructor, do not use, for swig only
177	f DataTerm(const DataTerm &)
178	copy constructor, used for cloning a data term
179	f ~DataTerm()
180	default destructor
181	***/
182	DataTerm() : m_term(NULL) { } // do not use: here for swig
183	DataTerm(const DataTerm &dterm) {
184	m_term=abac_term_dup(dterm.m_term);
185	}
186	~DataTerm() {
187	if(m_term) abac_term_free(m_term);
188	}
189	/ii*
190	f DataTerm(abac_term_t *)
191	internal constructor to make data term from abac_term_t structure
192	*ii/
193	DataTerm(abac_term_t *term)
194	{ m_term=abac_term_dup(term); }
195	/***
196	f DataTerm(char*)
197	constructor to make named principal data term for the oset RHS
198	(C: abac_term_named_create)
199	f DataTerm(char, char, Constraint*)
200	constructor for making a variable data term
201	(C: abac_term_create)
202	f DataTerm(char, char)
203	constructor for making an instantiated data term
204	(C: abac_term_create)
205	***/
206	DataTerm(char *sha) {
207	if(debug) printf("adding a Dataterm named principal(%s)\n",sha);
208	m_term=abac_term_named_create(sha);
209	}
210	DataTerm(char* typenm, char name, Constraint cond) {
211	if(debug) printf("adding a Dataterm (%s)\n",name);
212	m_term=abac_term_create(typenm,name,cond->constraint());
213	}
214	DataTerm(char* typenm, char *name) {
215	if(debug) printf("adding a Dataterm (%s)\n",name);
216	m_term=abac_term_create(typenm,name,NULL);
217	}
218	/***
219	f char *string() const
220	returns literal string of the data term
221	(c:abac_term_string)
222	f char *typed_string() const
223	returns typed literal string of the data term
224	(c:abac_term_typed_string)
225	***/
226	char *string() const
227	{ return abac_term_string(m_term); }
228	char *typed_string() const
229	{ return abac_term_typed_string(m_term); }
230	/***
231	f bool term_is_time() const
232	bool term_is_string() const
233	bool term_is_urn() const
234	bool term_is_integer() const
235	returns true if data term is of certain type
236	***/
237	bool term_is_time() const
238	{ return abac_term_is_time(m_term); }
239	bool term_is_string() const
240	{ return abac_term_is_string(m_term); }
241	bool term_is_urn() const
242	{ return abac_term_is_urn(m_term); }
243	bool term_is_integer() const
244	{ return abac_term_is_integer(m_term); }
245	/***
246	f int term_add_constraint(Contraint&)
247	utiltiy routine to add a constraint to this data term
248	***/
249	int term_add_constraint(Constraint& cond) {
250	abac_term_add_constraint(m_term, cond.constraint());
251	return 1;
252	}
253	/***
254	f int term_type() const
255	returns subtype of the data term
256	f char *term_name() const
257	returns the name of the data term
258	***/
259	int term_type() const
260	{ abac_term_type(m_term); }
261	char *term_name() const
262	{ return abac_term_name(m_term); }
263	/ii*
264	f abac_term_t *term()
265	returns abac_term_t term structure
266	*ii/
267	abac_term_t *term()
268	{ return m_term; }
269	private:
270	abac_term_t *m_term;
271	};
272
273
274	/***
275	ABAC::Role
276	A Role is role specification of a set of entitities for a principal
277	***/
278	class Role {
279	public:
280	/***
281	f Role()
282	default constructor, do not use, for swig only
283	f Role(const Role &)
284	copy constructor, used for cloning a role
285	f ~Role()
286	default destructor
287	***/
288	Role() : m_role(NULL) { } // do not use: here for swig
289	Role(const Role &role) {
290	m_role = abac_aspect_dup(role.m_role);
291	}
292	~Role() {
293	if (m_role) abac_aspect_free(m_role);
294	}
295	/ii*
296	f Role(abac_aspect_t*)
297	constructor that takes an abac_aspect_t structure
298	*ii/
299	Role(abac_aspect_t *role): m_role(abac_aspect_dup(role))
300	{ }
301	/***
302	f Role(char*)
303	constructor that builds a bare bone role with just principal's name
304	(c:abac_role_principal_create)
305	f Role(char, char)
306	constructor that builds a bare bone role with just principal's name
307	and a role name
308	(c:abac_role_create)
309	***/
310	Role(char *principal_name) :
311	m_role(abac_role_principal_create(principal_name))
312	{ }
313	Role(char principal_name, char role_name) :
314	m_role(abac_role_create(principal_name, role_name))
315	{ }
316	/***
317	f bool role_is_principal() const
318	return true if the role is a principal object(made from
319	a data term), the right hand side of,
320	[keyid:A].role:r <- [keyid:B]
321	***/
322	bool role_is_principal() const
323	{ return abac_role_is_principal(m_role); }
324	/***
325	f bool role_is_linking() const
326	returns true if the role is a linking role like
327	the right hand side of,
328	[keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
329	***/
330	bool is_linking() const
331	{ return abac_role_is_linking(m_role); }
332	/***
333	f char *string() const
334	returns literal string of the role
335	(c:abac_aspect_string)
336	f char *typed_string() const
337	returns typed literal string of the role
338	(c:abac_aspect_typed_string)
339	***/
340	char *string() const
341	{ return abac_aspect_string(m_role); }
342	char *typed_string()
343	{ return abac_aspect_typed_string(m_role); }
344	/***
345	f char *role_linked_role() const
346	returns linked part of a linking role, for
347	[keyid:A].role:r1.role:r2, it returns r1
348	***/
349	char *role_linked_role() const
350	{ return abac_role_linked_role(m_role); }
351	/***
352	f char *role_name() const
353	returns the role name of any role (the part after the last dot)
354	[keyid:A].role.r1.role:r2, it returns r2
355	[keyid:A].role.r1, it returns r1
356	f char *role_principal() const
357	returns the principal of role (the part before the first dot)
358	[keyid:A].role.r1, it returns A
359	***/
360	char *role_name() const
361	{ return abac_role_name(m_role); }
362	char *role_principal() const
363	{ return abac_role_principal(m_role); }
364
365	/***
366	f void role_add_data_term(DataTerm&)
367	add a data term to the role
368	***/
369	void role_add_data_term(DataTerm& d) {
370	abac_role_add_data_term(m_role, d.term());
371	}
372	/***
373	f std::vector<DataTerm> get_data_terms(bool &)
374	return the data terms bound to this role.
375	***/
376	std::vector<DataTerm> get_data_terms(bool &success) {
377	abac_term_t terms, end;
378	int i;
379	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role));
380	for (i = 0; terms[i] != NULL; ++i)
381	;
382	end = &terms[i];
383	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
384	abac_terms_free(terms);
385	success=1;
386	return dataterms;
387	}
388	/***
389	f void role_add_linked_data_term(DataTerm&)
390	add a data term to the linking role
391	***/
392	void role_add_linked_data_term(DataTerm& d) {
393	abac_role_add_linked_data_term(m_role, d.term());
394	}
395	/***
396	f std::vector<DataTerm> get_linked_data_terms(bool &)
397	return the data terms bound to this role's linking role.
398	***/
399	std::vector<DataTerm> get_linked_data_terms(bool &success) {
400	abac_term_t terms, end;
401	int i;
402	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role));
403	for (i = 0; terms[i] != NULL; ++i)
404	;
405	end = &terms[i];
406	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
407	abac_terms_free(terms);
408	success=1;
409	return dataterms;
410	}
411	/ii*
412	f abac_aspect_t *role()
413	returns the interal libabac representation of this role
414	*ii/
415	abac_aspect_t *role() {return m_role;}
416	private:
417	abac_aspect_t *m_role;
418	};
419
420	/***
421	ABAC::Oset
422	An Oset is oset specification of a set of entitities for a principal
423	***/
424	class Oset {
425	public:
426	/***
427	f Oset()
428	default constructor, do not use, for swig only
429	f Oset(const Oset &)
430	copy constructor, used for cloning an oset
431	f ~Oset()
432	default destructor
433	***/
434	Oset() : m_oset(NULL) { } // do not use: here for swig
435	Oset(const Oset &oset)
436	{ m_oset =abac_aspect_dup(oset.m_oset); }
437	~Oset()
438	{ if(m_oset) abac_aspect_free(m_oset); }
439	/ii*
440	f Oset(abac_aspect_t *)
441	constructor that takes abac_aspect_t structure
442	*ii/
443	Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset))
444	{ }
445	/***
446	f Oset(char *)
447	constructor that makes a principal oset, ie [keyid:B]
448	(c:abac_role_principal_create)
449	f Oset(char , char )
450	constructor that makes a regular oset, ie. [keyid:B].oset:o
451	(c:abac_role_create)
452	f Oset(DataTerm&)
453	constructor that makes an object oset, ie. [urn:'file/fileA']
454	***/
455	Oset(char *oset_name) : m_oset(abac_oset_principal_create(oset_name))
456	{ }
457	Oset(char principal_name, char oset_name) :
458	m_oset(abac_oset_create(principal_name, oset_name))
459	{ }
460	Oset(DataTerm& d) :
461	m_oset(abac_oset_object_create(d.term()))
462	{ }
463
464	/***
465	f bool oset_is_object(), ie <- [integer:10]
466	return ture if this oset is an object oset
467	***/
468	bool oset_is_object() const
469	{ return abac_oset_is_object(m_oset); }
470	/***
471	f bool oset_is_principal() const
472	return true if the oset is a principal object(made from
473	a data term), the right hand side of,
474	[keyid:A].oset:o <- [keyid:B]
475	***/
476	bool oset_is_principal() const
477	{ return abac_oset_is_principal(m_oset); }
478	/***
479	f bool oset_is_linking() const
480	returns true if the oset is a linking oset like
481	the right hand side of,
482	[keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
483	***/
484	bool oset_is_linking() const
485	{ return abac_oset_is_linking(m_oset); }
486	/***
487	f char *string() const
488	returns literal string of the oset
489	(c:abac_aspect_string)
490	f char *typed_string() const
491	returns typed literal string of the oset
492	(c:abac_aspect_typed_string)
493	***/
494	char *string() const
495	{ return abac_aspect_string(m_oset); }
496	char *typed_string()
497	{ return abac_aspect_typed_string(m_oset); }
498	/***
499	f char *oset_linked_role() const
500	returns linked part of a linking oset, for
501	[keyid:A].role:r1.oset:o1, it returns r1
502	***/
503	char *oset_linked_role() const
504	{ return abac_oset_linked_role(m_oset); }
505	/***
506	f char *oset_name() const
507	returns oset name,
508	[keyid:A].role:r1.oset:o1, it returns o1
509	[keyid:A].oset:o1, it returns o1
510	***/
511	char *oset_name() const
512	{ return abac_oset_name(m_oset); }
513	/***
514	f char *oset_principal() const
515	returns principal name,
516	[keyid:A].role:r1.oset:o1, it returns A
517	***/
518	char *oset_principal() const
519	{ return abac_oset_principal(m_oset); }
520	/***
521	f char *oset_object() const
522	returns object's name when the oset is a principal object
523	[keyid:A].oset:values <- [integer:10], it returns 10
524	***/
525	char *oset_object() const
526	{ return abac_oset_object(m_oset); }
527	/***
528	f void add_data_term(DataTerm&)
529	add a data term to this oset's parameter set
530	***/
531	void oset_add_data_term(DataTerm& d) {
532	abac_oset_add_data_term(m_oset, d.term());
533	}
534	/***
535	f std::vector<DataTerm> get_data_terms(bool &)
536	returns the data terms bound to this oset.
537	***/
538	std::vector<DataTerm> get_data_terms(bool &success) {
539	abac_term_t terms, end;
540	int i;
541	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset));
542	for (i = 0; terms[i] != NULL; ++i)
543	;
544	end = &terms[i];
545	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
546	abac_terms_free(terms);
547	success=1;
548	return dataterms;
549	}
550	/***
551	f void oset_add_linked_data_term(DataTerm&)
552	add a data term to this oset's linking role's parameter set.
553	***/
554	void oset_add_linked_data_term(DataTerm& d) {
555	abac_oset_add_linked_data_term(m_oset, d.term());
556	}
557	/***
558	f std::vector<DataTerm> get_linked_data_terms(bool &)
559	returns the data terms bound to this oset's linking role.
560	***/
561	std::vector<DataTerm> get_linked_data_terms(bool &success) {
562	abac_term_t terms, end;
563	int i;
564	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset));
565	for (i = 0; terms[i] != NULL; ++i)
566	;
567	end = &terms[i];
568	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
569	abac_terms_free(terms);
570	success=1;
571	return dataterms;
572	}
573	/ii*
574	f abac_aspect_t *oset()
575	internal returns the internal libabac representation of the oset
576	*ii/
577	abac_aspect_t *oset() {return m_oset;}
578	private:
579	abac_aspect_t *m_oset;
580	};
581
582
583	/***
584	ABAC::ID
585	An ID holds a principal credential. It maybe imported from an existing
586	ID credential via external files, constructed from a streaming chunk,
587	or instantiated on the fly
588	***/
589	class ID {
590	public:
591	/***
592	f ID()
593	default constructor, do not use, for swig only
594	f ID(const ID &)
595	copy constructor, used for cloning an ID
596	f ~ID()
597	default destructor
598	***/
599	ID() : m_id(NULL) { } // do not use: here for swig
600	ID(const ID &id) { m_id =abac_id_dup(id.m_id); }
601	~ID() { if(m_id) abac_id_free(m_id); }
602	/ii*
603	f ID(abac_id_t *)
604	constructor from abac_id_t
605	f ID(abac_id_credential_t *)
606	constructor from abac_id_t
607	*ii/
608	ID(abac_id_t *id): m_id(abac_id_dup(id))
609	{ }
610	ID(abac_id_credential_t *idcred) {
611	if(idcred)
612	m_id=abac_id_dup(abac_id_credential_id(idcred));
613	else m_id=NULL;
614	}
615	/***
616	f ID(char *)
617	load an ID cert from a file, will throw an exception
618	if the cert cannot be loaded
619	(c:abac_id_from_file)
620	***/
621	ID(char *filename) {
622	m_id=abac_id_from_file(filename);
623	if(m_id==NULL)
624	abac_errx(1, "Id creation from filename failed");
625	}
626	/***
627	f ID(char *,int)
628	generates a new ID with the supplied CN and validity period
629	- CN must be alphanumeric and begin with a letter
630	- validity must be at least one second
631	will throw an exception if either of the above is violated
632	(c:abac_id_generate)
633	***/
634	ID(char *cn, int validity) {
635	int rt=abac_id_generate(&m_id, cn, validity);
636	if(rt != ABAC_ID_SUCCESS)
637	abac_errx(1, "Id creation failed");
638	}
639	/***
640	f void id_load_privkey_file(char *)
641	loads the private key associated with the ID credential
642	will throw an exception if the key cannot be loaded
643	***/
644	void id_load_privkey_file(char *filename) {
645	int rt=abac_id_load_privkey_file(m_id, filename);
646	if(rt != 1)
647	abac_errx(1, "Failed to load private key");
648	}
649	/ii*
650	f abac_id_t *id()
651	returns the abac_id_t
652	returns the interal libabac representation of this id
653	*ii/
654	abac_id_t *id() { return m_id; }
655
656	/***
657	f char *id_keyid()
658	returns the SHA1 keyid of the id cert
659	f char *id_name()
660	returns the CN (the parameter passed to the constructor or the
661	CN of the cert).
662	(c:abac_id_cn)
663	***/
664	char *id_keyid() { return abac_id_keyid(m_id); }
665	char *id_name() { return abac_id_cn(m_id); }
666	/***
667	f bool id_has_privkey()
668	returns true if the ID has an associated private key
669	***/
670	bool id_has_privkey()
671	{ return abac_id_has_privkey(m_id); }
672
673	/***
674	f void id_write_cert(FILE *)
675	writes a PEM-encoded cert to the file handle
676	f void id_write_cert(char *)
677	writes a PEM-encoded cert to a file named out
678	***/
679	void id_write_cert(FILE *out)
680	{ abac_id_write_cert(m_id, out); }
681	void id_write_cert(char *filename) {
682	FILE *out = fopen(filename, "a");
683	id_write_cert(out);
684	fclose(out);
685	}
686	/***
687	f void id_write_privkey(FILE *)
688	writes a PEM-encoded private key to the file handle
689	throws an exception if no private key is loaded
690	f void id_write_privkey(char *)
691	writes a PEM-encoded private key a file named out
692	throws an exception if no private key is loaded
693	***/
694	void id_write_privkey(FILE *out) {
695	if(!id_has_privkey())
696	abac_errx(1, "No privkey to write");
697	abac_id_write_privkey(m_id, out);
698	}
699	void id_write_privkey(char *filename) {
700	FILE *out = fopen(filename, "a");
701	id_write_privkey(out);
702	fclose(out);
703	}
704	/***
705	f abac_chunk_t id_cert_chunk()
706	returns a DER-encoded binary representation of the X.509 ID cert
707	associated with this ID.
708	can be passed to libabac's Context::load_id_chunk()
709	***/
710	abac_chunk_t id_cert_chunk()
711	{ return abac_id_cert_chunk(m_id); }
712	/***
713	f char *string()
714	returns literal string of the id credential
715	(c:abac_id_string)
716	***/
717	char *string()
718	{ return abac_id_string(m_id); }
719	public:
720	abac_id_t *m_id;
721	};
722
723
724	/***
725	ABAC::Attribute
726	This is the attribute representation for the access policy rule
727	LHS <- RHS
728	The sequence of generation is to
729	first, instantiate the object, ie, LHS (head)
730	second, adding subject(s) to it, ie, RHS (tail)
731	and then baking it.
732	Only once it's baked can you access the X.509 cert.
733	Once it's been baked you can no longer add subjects to it
734	***/
735	class Attribute {
736	public:
737	/***
738	f Attribute()
739	default constructor, do not use, for swig only
740	f Attribute(const Attribute &)
741	copy constructor, used for cloning an attribute
742	f ~Attribute()
743	default destructor
744	***/
745	Attribute() : m_attr(NULL) { }
746	Attribute(const Attribute &id)
747	{ m_attr =abac_attribute_dup(id.m_attr); }
748	~Attribute()
749	{ if(m_attr) abac_attribute_free(m_attr); }
750	/ii*
751	f Attribute(abac_attribute_t *)
752	constructor that takes abac_attribute_t, locally used
753	f Attribute(abac_credential_t *)
754	constructor that takes abac_credential_t, locally used
755	*ii/
756	Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr))
757	{ }
758	Attribute(abac_credential_t *cred)
759	{ m_attr=abac_attribute_dup(abac_credential_attribute(cred)); }
760	/***
761	f Attribute(Role&, int)
762	constructor that creates an attribute policy to be signed by the issuer
763	with the given role with a specified validity period
764	An exception will be thrown if:
765	- the issuer has no private key
766	- the Head role is invalid
767	- the validity period is invalid (must be >= 1 second)
768	(c:abac_attribute_create)
769	***/
770	Attribute(Role& head, int validity) {
771	int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity);
772	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
773	abac_errx(1, "attribute(role), unable to make an attribute");
774	}
775	/***
776	f Attribute(Oset&, int)
777	constructor that creates an attribute policy to be signed by the issuer
778	with the given oset with a specified validity period
779	An exception will be thrown if:
780	- the issuer has no private key
781	- the Head oset is invalid
782	- the validity period is invalid (must be >= 1 second)
783	(c:abac_attribute_create)
784	***/
785	Attribute(Oset& head, int validity) {
786	int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity);
787	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
788	abac_errx(1, "attribute(oset), unable to make an attribute");
789	}
790	/***
791	f bool attribute_add_tail(Role&)
792	Add a role tail. Call multiple times for intersections
793	f bool attribute_add_tail(Oset&)
794	Add an oset tail. Call multiple times for intersections
795	***/
796	bool attribute_add_tail(Role& tail) {
797	if(abac_attribute_add_tail(m_attr, tail.role()))
798	return 1;
799	else return 0;
800	}
801	bool attribute_add_tail(Oset& tail) {
802	if(abac_attribute_add_tail(m_attr, tail.oset()))
803	return 1;
804	else return 0;
805	}
806	/***
807	f char *head_string()
808	returns literal string of head of the attribute
809	f char *tail_string()
810	returns literal string of tail of the attribute
811	***/
812	char *head_string()
813	{ return abac_head_string(m_attr); }
814	char *tail_string()
815	{ return abac_tail_string(m_attr); }
816	/***
817	f char *head_typed_string()
818	returns typed literal string of head of the attribute
819	f char *tail_typed_string()
820	returns typed literal string of tail of the attribute
821	***/
822	char *head_typed_string()
823	{ return abac_head_typed_string(m_attr); }
824	char *tail_typed_string()
825	{ return abac_tail_typed_string(m_attr); }
826	/***
827	f char *string()
828	returns literal string of the attribute
829	(c:abac_attribute_string)
830	f char *typed_string()
831	returns typed literal string of the attribute
832	(c:abac_attribute_typed_string)
833	***/
834	char *string()
835	{ return abac_attribute_string(m_attr); }
836	char *typed_string()
837	{ return abac_attribute_typed_string(m_attr); }
838
839	/*** ??? not sure about implmentation
840	f const Role &role_head()
841	returns the head role
842	f const Oset &oset_head()
843	returns the oset head
844	***/
845	const Role &role_head() {
846	abac_aspect_t *head=abac_attribute_head(m_attr);
847	static Role role=Role(head);
848	return role;
849	}
850	const Oset &oset_head() {
851	abac_aspect_t *head=abac_attribute_tail(m_attr);
852	static Oset oset=Oset(head);
853	return oset;
854	}
855	/***
856	f std::vector<Role> role_tails(bool &)
857	retrieve tail role which maybe more than 1 if intersecting
858	f std::vector<Oset> oset_tails(bool &)
859	retrieve tail oset which maybe more than 1 if intersecting
860	***/
861	std::vector<Role> role_tails(bool &success) {
862	abac_aspect_t tails, end;
863	int i;
864	/* make sure it is role */
865	if(!abac_attribute_is_role(m_attr)) {
866	success=0;
867	abac_errx(1, "role_tails, attribute is not a role");
868	}
869	tails = abac_attribute_tail_vectorized(m_attr);
870	for (i = 0; tails[i] != NULL; ++i)
871	;
872	end = &tails[i];
873	std::vector<Role> roles = std::vector<Role>(tails, end);
874	abac_aspects_free(tails);
875	success=1;
876	return roles;
877	}
878	std::vector<Oset> oset_tails(bool &success) {
879	abac_aspect_t tails, end;
880	int i;
881	/* make sure that tail is not role */
882	if(abac_attribute_is_role(m_attr)) {
883	success=0;
884	abac_errx(1, "oset_tails, attribute is not an oset");
885	}
886	tails = abac_attribute_tail_vectorized(m_attr);
887	for (i = 0; tails[i] != NULL; ++i)
888	;
889	end = &tails[i];
890	std::vector<Oset> osets = std::vector<Oset>(tails, end);
891	success=1;
892	abac_aspects_free(tails);
893	return osets;
894	}
895	/ii*
896	f abac_attribute_t *attribute()
897	return libabac structure for attribute
898	*ii/
899	abac_attribute_t *attribute() { return m_attr; }
900
901	/***
902	f bool attribute_bake()
903	Generate the cert. Call this after you've added subjects to your cert.
904	This returns false if there are no subjects
905	This will throw an exception if the cert's already been baked.
906	***/
907	bool attribute_bake() {
908	/* can not bake in ABAC_CN mode */
909	if(USE("ABAC_CN"))
910	abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set");
911	int rt=abac_attribute_bake(m_attr);
912	if(rt!=1)
913	abac_errx(1, "bake, can not bake the cert");
914	}
915	/***
916	f bool attribute_baked()
917	returns true iff the cert has been baked.
918	***/
919	bool attribute_baked()
920	{ return abac_attribute_baked(m_attr); }
921
922	/***
923	f void attribute_write_cert(FILE *)
924	write the DER-encoded X.509 attribute cert to the open file handle
925	Throws an exception if the cert isn't baked
926	***/
927	void attribute_write_cert(FILE *out) {
928	int rt= abac_attribute_write_cert(m_attr,out);
929	if(!rt)
930	abac_errx(1, "write, cert is not baked");
931	}
932	/***
933	f void attribute_write_cert(char *)
934	write the DER-encoded X.509 attribute cert to a file named out
935	Throws an exception if the cert isn't baked
936	***/
937	void attribute_write_cert(char *filename) {
938	FILE *out = fopen(filename, "w");
939	attribute_write_cert(out);
940	fclose(out);
941	}
942	/***
943	f abac_chunk_t cert_chunk()
944	returns a DER-encoded binary representation of the X.509 attribute
945	cert associated with this cert
946	Throws an exception if the cert isn't baked
947	the chunk can be passed to libabac's Context::load_attribute_chunk()
948	***/
949	abac_chunk_t cert_chunk()
950	{ return abac_attribute_cert_chunk(m_attr); }
951	private:
952	abac_attribute_t *m_attr;
953	};
954
955
956	/***
957	ABAC::Context
958	An ABAC Context
959	***/
960	class Context {
961	public:
962	/***
963	f Context()
964	default constructor
965	f Context(const Context &)
966	copy constructor, used for cloning the context
967	f ~Context()
968	default destructor
969	***/
970	Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); }
971	Context(const Context &context) {
972	m_ctx = abac_context_dup(context.m_ctx);
973	m_abac_version=strdup(context.m_abac_version);
974	}
975	~Context() {
976	abac_context_free(m_ctx);
977	if(m_abac_version) free(m_abac_version);
978	}
979	/***
980	f void dump_yap_db()
981	dump the complete yap prolog database
982	(c:show_yap_db)
983	***/
984	void dump_yap_db()
985	{ show_yap_db("dump_yap"); }
986
987	/***
988	f int load_id(ABAC::ID&)
989	load id cert from ID
990	(c:abac_context_load_id)
991	f int load_id_file(char *)
992	load id cert from an idkey combo file. key retrieval will be attempt
993	but won't fail if not found
994	(c:abac_context_load_id_file)
995	f int load_id_files(char , char )
996	load id cert from an id file and a key file
997	(c:abac_context_load_id_files)
998	f int load_id_chunk(abac_chunk_t)
999	load id cert from a chunk structure
1000	(c:abac_context_load_id_chunk)
1001	returns:
1002	ABAC_CERT_SUCCESS successfully loaded
1003	ABAC_CERT_INVALID invalid certificate (or file not found)
1004	ABAC_CERT_BAD_SIG invalid signature
1005	***/
1006	int load_id(ABAC::ID& id)
1007	{ return abac_context_load_id(m_ctx, id.id()); }
1008	int load_id_file(char *filename)
1009	{ return abac_context_load_id_file(m_ctx, filename); }
1010	int load_id_files(char filename, char keyfilename)
1011	{ return abac_context_load_id_files(m_ctx, filename, keyfilename); }
1012	int load_id_chunk(abac_chunk_t cert)
1013	{ return abac_context_load_id_chunk(m_ctx, cert); }
1014
1015	/***
1016	f int load_attribute(ABAC::Attribute&)
1017	load attribute credential from attribute structure
1018	(c:abac_context_load_attribute)
1019	f int load_attribute_file(char *)
1020	load attribute credential from a file
1021	(c:abac_context_load_attribute_file)
1022	f int load_attribute_chunk(abac_chunk_t)
1023	load attribute credential from a chunk
1024	(c:abac_context_load_attribute_chunk)
1025	f returns the same values as above, additionally
1026	returns ABAC_CERT_MISSING_ISSUER if the issuer
1027	certificate has not been loaded
1028	***/
1029	int load_attribute(ABAC::Attribute& a)
1030	{ return abac_context_load_attribute(m_ctx, a.attribute()); }
1031	int load_attribute_file(char *filename)
1032	{ return abac_context_load_attribute_file(m_ctx, filename); }
1033	int load_attribute_chunk(abac_chunk_t cert)
1034	{ return abac_context_load_attribute_chunk(m_ctx, cert); }
1035	/***
1036	f void load_directory(char *)
1037	load a directory full of certificates:
1038	f first: ${path}/*_ID.{der,pem} as identity certificates
1039	implicitly looking for ${path}/*_private.{der,pem} as
1040	the private key file
1041	then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
1042	last: ${path}/*_attr.der as attribute certificates
1043	***/
1044	void load_directory(char *path)
1045	{ abac_context_load_directory(m_ctx, path); }
1046	/***
1047	f std::vector<Attribute> query(char , char , bool &)
1048	the string version is for query that is composed by hand with SHA or
1049	in non ABAC_CN mode
1050	(c:abac_context_query)
1051	f std::vector<Attribute> query(Role &, Role &, bool &)
1052	(c:abac_context_query_with_structure)
1053	std::vector<Attribute> query(Oset &, Oset &, bool &)
1054	(c:abac_context_query_with_structure)
1055	runs the query:
1056	role <-?- principal
1057	oset <-?- principal/obj
1058	returns true/false in success
1059	returns a proof upon success,
1060	partial proof on failure (not implemented yet)
1061	***/
1062	std::vector<Attribute> query(char role, char principal, bool &success) {
1063	abac_credential_t creds, end;
1064	int i, success_int;
1065
1066	creds = abac_context_query(m_ctx, role, principal, &success_int);
1067	success = success_int;
1068
1069	for (i = 0; creds[i] != NULL; ++i)
1070	;
1071
1072	end = &creds[i];
1073	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1074	if(debug) printf("query, got rules(%d)\n", i);
1075
1076	abac_context_credentials_free(creds);
1077
1078	return attributes;
1079	}
1080
1081	std::vector<Attribute> query(Role &role, Role &p_role, bool &success) {
1082	abac_credential_t creds, end;
1083	int i, success_int;
1084
1085	creds = abac_context_query_with_structure(m_ctx, role.role(), p_role.role(), &success_int);
1086	success = success_int;
1087
1088	for (i = 0; creds[i] != NULL; ++i)
1089	;
1090
1091	end = &creds[i];
1092	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1093
1094	abac_context_credentials_free(creds);
1095
1096	return attributes;
1097	}
1098
1099	std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) {
1100	abac_credential_t creds, end;
1101	int i, success_int;
1102
1103	creds = abac_context_query_with_structure(m_ctx, oset.oset(), p_oset.oset(), &success_int);
1104	success = success_int;
1105
1106	for (i = 0; creds[i] != NULL; ++i)
1107	;
1108
1109	end = &creds[i];
1110	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1111	if(debug) printf("query, returning rules(%d)\n", i);
1112
1113	abac_context_credentials_free(creds);
1114
1115	return attributes;
1116	}
1117
1118	/***
1119	f std::vector<Attribute> context_credentials(bool &)
1120	returns a vector of all the credentials loaded in the context
1121	extracted from the internal data structure
1122	***/
1123	std::vector<Attribute> context_credentials(bool &success) {
1124	abac_credential_t creds, end;
1125	int i;
1126	success = 1;
1127
1128	creds = abac_context_credentials(m_ctx);
1129	for (i = 0; creds[i] != NULL; ++i)
1130	;
1131
1132	end = &creds[i];
1133	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1134	if(debug) printf("credentials, got (%d)\n", i);
1135
1136	abac_context_credentials_free(creds);
1137	if(debug) show_yap_db("calling from context_credentials");
1138	return attributes;
1139	}
1140
1141	/***
1142	f std::vector<Attribute> context_principals(bool &)
1143	returns a vector of all the principals loaded in the context
1144	extracted from the internal data structure
1145	***/
1146	std::vector<ID> context_principals(bool &success) {
1147	abac_id_credential_t ids, end;
1148	int i;
1149	success = 1;
1150
1151	ids = abac_context_principals(m_ctx);
1152	for (i = 0; ids[i] != NULL; ++i)
1153	;
1154
1155	end = &ids[i];
1156	std::vector<ID> principals = std::vector<ID>(ids, end);
1157	if(debug) printf("principals, got (%d)\n", i);
1158
1159	abac_context_principals_free(ids);
1160	return principals;
1161	}
1162	/***
1163	f char *version()
1164	return the version of this interface
1165	***/
1166	char *version() const { return m_abac_version; }
1167
1168	private:
1169	abac_context_t *m_ctx;
1170	char *m_abac_version;
1171	};
1172
1173	Constraint::Constraint(Role& role)
1174	{ m_constraint=abac_constraint_from_role(role.role()); }
1175	Constraint::Constraint(Oset &oset)
1176	{ m_constraint=abac_constraint_from_oset(oset.oset()); }
1177	}
1178
1179	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: libabac/abac.hh @ 5d06689

Download in other formats: