Context Navigation

source: libabac/abac.hh @ 5f551d3

mei_rt2mei_rt2_fix_1

Last change on this file since 5f551d3 was 5f551d3, checked in by Mei <mei@…>, 12 years ago
1) add more python examples
Property mode set to `100644`
File size: 40.8 KB

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <string>
5	#include <vector>
6
7	namespace ABAC {
8	extern "C" {
9	#include "abac.h"
10	}
11	static int debug=0;
12	class Role;
13	class Oset;
14	class ID;
15
16	/***
17	ABAC::Constraint
18	Constraint on a data term.
19	There are 3 types:
20	- Role constraint on a principal
21	- Oset constraint on a principal, or a data object
22	- Range/List constraint on a data object
23	It holds a ptr to a abac_condition_t structure
24	***/
25	class Constraint {
26	public:
27	/***
28	f Constraint()
29	default constructor, do not use, for swig only
30	f Constraint(const Constraint &)
31	copy constructor, used for cloning a constraint
32	f ~Constraint()
33	default destructor
34	***/
35	Constraint() : m_constraint(NULL) { }
36	Constraint(const Constraint &constraint) {
37	m_constraint =abac_condition_dup(constraint.m_constraint);
38	}
39	~Constraint() {
40	if(m_constraint) abac_condition_free(m_constraint);
41	}
42	/***
43	f Constraint(Role &)
44	constructor that takes a constraining role
45	[role:?R[{role-constraint}]
46	(c:abac_constraint_from_role)
47	f Constraint(Oset &)
48	constructor that takes a constraining oset
49	[oset:?O[{oset-constraint}]
50	[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
51	(c:abac_constraint_from_oset)
52	f Constraint(char *)
53	constructor that takes one of following string
54	as its vartype to set up a range constraint:
55	"integer"
56	"urn"
57	"float"
58	"boolean"
59	"time"
60	"string"
61	it should be followed with one or many of following utility
62	calls.
63	(C:abac_condition_create)
64	***/
65	Constraint(Role& role);
66	Constraint(Oset& oset);
67	Constraint(char *vartype)
68	{ m_constraint=abac_condition_create(vartype); }
69	/ii*
70	f Constraint(abac_condition_t *)
71	internal constructor that takes an abac_condition_t structure
72	*ii/
73	Constraint(abac_condition_t *constraint):
74	m_constraint(abac_condition_dup(constraint))
75	{ }
76	/***
77	f void constraint_add_integer_max(int)
78	(c:abac_constraint_add_integer_max)
79	void constraint_add_integer_min(int)
80	utility routines to setup a integer range constraint
81	[integer:?I[10 .. 20]]
82	(c:abac_constraint_add_integer_min)
83	f void constraint_add_integer_target(int)
84	utility routine to setup a integer list constraint
85	[integer:?I[10,20]]
86	(c:abac_constraint_add_integer_target)
87	***/
88	void constraint_add_integer_max(int val)
89	{ abac_constraint_add_integer_max(m_constraint,val); }
90	void constraint_add_integer_min(int val)
91	{ abac_constraint_add_integer_min(m_constraint,val); }
92	void constraint_add_integer_target(int val)
93	{ abac_constraint_add_integer_target(m_constraint,val); }
94	/***
95	f void constraint_add_float_max(float)
96	void constraint_add_float_min(float)
97	utility routines to setup a float range constraint
98	[float:?F[1.0 .. 2.5]]
99	f void constraint_add_float_target(float)
100	utility routine to setup a float list constraint
101	[float:?F[0.5, 2.5]]
102	***/
103	void constraint_add_float_max(float val)
104	{ abac_constraint_add_float_max(m_constraint,val); }
105	void constraint_add_float_min(float val)
106	{ abac_constraint_add_float_min(m_constraint,val); }
107	void constraint_add_float_target(float val)
108	{ abac_constraint_add_float_target(m_constraint,val); }
109	/***
110	f void constraint_add_time_max(char*)
111	void constraint_add_time_min(char*)
112	utility routines to setup a time range constraint,
113	takes quoted string values, beyond T is optional
114	[time:?F["20120228T" .. "20120228T090000"]]
115	f void constraint_add_time_target(char*)
116	utility routine to setup a time list constraint
117	[time:?M["20201101T182930","20201101T"]]
118	***/
119	void constraint_add_time_max(char* val)
120	{ abac_constraint_add_time_max(m_constraint,val); }
121	void constraint_add_time_min(char* val)
122	{ abac_constraint_add_time_min(m_constraint,val); }
123	void constraint_add_time_target(char* val)
124	{ abac_constraint_add_time_target(m_constraint,val); }
125	/***
126	f void constraint_add_urn_target(char*)
127	utility routine to setup a an urn list constraint
128	[urn:?U["fileA","http://fileB"]]
129	f void constraint_add_string_target(char*)
130	utility routine to setup a a string list constraint
131	[string:?S["abc",'efg',"hij"]]
132	f void constraint_add_boolean_target(char*)
133	utility routine to setup a a boolean list constraint
134	[boolean:?B['true']]
135	***/
136	void constraint_add_urn_target(char* val)
137	{ abac_constraint_add_urn_target(m_constraint,val); }
138	void constraint_add_string_target(char* val)
139	{ abac_constraint_add_string_target(m_constraint,val); }
140	void constraint_add_boolean_target(char* val)
141	{ abac_constraint_add_boolean_target(m_constraint,val); }
142	/***
143	f char *string() const
144	returns literal string of the constraint
145	(c:abac_constraint_string)
146	f char *typed_string() const
147	returns typed literal string of the constraint
148	(c:abac_constraint_typed_string)
149	***/
150	char *string() const
151	{ return abac_constraint_string(m_constraint); }
152	char *typed_string() const
153	{ return abac_constraint_typed_string(m_constraint); }
154	/ii*
155	f abac_condition_t *constraint()
156	internal returns internal constraint structure
157	*ii/
158	abac_condition_t *constraint()
159	{ return m_constraint; }
160	private:
161	abac_condition_t *m_constraint;
162	};
163
164	/***
165	ABAC::DataTerm
166	A data term is associated with Role or Oset as a parameter that
167	maybe be instantiated, or uninstantiated but being constrained,
168	or as a principal oset term (standalone right handside of an oset
169	policy rule). It holds a pointer to a abac_term_t structure.
170	Types of data terms are:
171	"integer"
172	"urn"
173	"float"
174	"boolean"
175	"string"
176	"time"
177	"principal"
178	"anonymous"
179	***/
180	class DataTerm {
181	public:
182	/***
183	f DataTerm()
184	default constructor, do not use, for swig only
185	f DataTerm(const DataTerm &)
186	copy constructor, used for cloning a data term
187	f ~DataTerm()
188	default destructor
189	***/
190	DataTerm() : m_term(NULL) { } // do not use: here for swig
191	DataTerm(const DataTerm &dterm) {
192	m_term=abac_term_dup(dterm.m_term);
193	}
194	~DataTerm() {
195	if(m_term) abac_term_free(m_term);
196	}
197	/ii*
198	f DataTerm(abac_term_t *)
199	internal constructor to make data term from abac_term_t structure
200	*ii/
201	DataTerm(abac_term_t *term)
202	{ m_term=abac_term_dup(term); }
203	/***
204	f DataTerm(char*)
205	constructor to make named principal data term for the oset RHS
206	(C: abac_term_named_create)
207	f DataTerm(const ID&)
208	constructor to make named principal data term for parameters
209	(C: abac_term_id_create)
210	f DataTerm(char, char, Constraint*)
211	constructor for making a variable data term
212	(C: abac_term_create)
213	f DataTerm(char, char)
214	constructor for making an instantiated data term
215	(C: abac_term_create)
216	***/
217	DataTerm(char *name) {
218	if(debug) printf("adding a Dataterm named principal(%s)\n",name);
219	m_term=abac_term_named_create(name);
220	}
221	DataTerm(ID& id);
222	DataTerm(char* typenm, char name, Constraint cond) {
223	if(debug) printf("adding a Dataterm (%s)\n",name);
224	m_term=abac_term_create(typenm,name,cond->constraint());
225	}
226	DataTerm(char* typenm, char *name) {
227	if(debug) printf("adding a Dataterm (%s)\n",name);
228	m_term=abac_term_create(typenm,name,NULL);
229	}
230	/***
231	f char *string() const
232	returns literal string of the data term
233	(c:abac_term_string)
234	f char *typed_string() const
235	returns typed literal string of the data term
236	(c:abac_term_typed_string)
237	***/
238	char *string() const
239	{ return abac_term_string(m_term); }
240	char *typed_string() const
241	{ return abac_term_typed_string(m_term); }
242	/***
243	f bool term_is_time() const
244	(c:abac_term_is_time)
245	bool term_is_string() const
246	(c:abac_term_is_string)
247	bool term_is_urn() const
248	(c:abac_term_is_urn)
249	bool term_is_integer() const
250	(c:abac_term_is_integer)
251	returns true if data term is of certain type
252	***/
253	bool term_is_time() const
254	{ return abac_term_is_time(m_term); }
255	bool term_is_string() const
256	{ return abac_term_is_string(m_term); }
257	bool term_is_urn() const
258	{ return abac_term_is_urn(m_term); }
259	bool term_is_integer() const
260	{ return abac_term_is_integer(m_term); }
261	/***
262	f int term_add_constraint(Contraint&)
263	utiltiy routine to add a constraint to this data term
264	(c:abac_term_add_constraint)
265	***/
266	int term_add_constraint(Constraint& cond) {
267	abac_term_add_constraint(m_term, cond.constraint());
268	return 1;
269	}
270	/***
271	f int term_type() const
272	returns subtype of the data term
273	(c:abac_term_type)
274	f char *term_name() const
275	returns the name of the data term
276	(c:abac_term_name)
277	***/
278	int term_type() const
279	{ abac_term_type(m_term); }
280	char *term_name() const
281	{ return abac_term_name(m_term); }
282	/ii*
283	f abac_term_t *term()
284	returns abac_term_t term structure
285	*ii/
286	abac_term_t *term()
287	{ return m_term; }
288	private:
289	abac_term_t *m_term;
290	};
291
292
293	/***
294	ABAC::Role
295	A Role is role specification of a set of entitities for a principal
296	***/
297	class Role {
298	public:
299	/***
300	f Role()
301	default constructor, do not use, for swig only
302	f Role(const Role &)
303	copy constructor, used for cloning a role
304	f ~Role()
305	default destructor
306	***/
307	Role() : m_role(NULL) { } // do not use: here for swig
308	Role(const Role &role) {
309	m_role = abac_aspect_dup(role.m_role);
310	}
311	~Role() {
312	if (m_role) abac_aspect_free(m_role);
313	}
314	/ii*
315	f Role(abac_aspect_t*)
316	constructor that takes an abac_aspect_t structure
317	*ii/
318	Role(abac_aspect_t *role): m_role(abac_aspect_dup(role))
319	{ }
320	/***
321	f Role(char*)
322	constructor that builds a bare bone role with just principal's name
323	(c:abac_role_principal_create)
324	f Role(char, char)
325	constructor that builds a bare bone role with just principal's name
326	and a role name
327	(c:abac_role_create)
328	f Role(char, char, char*)
329	constructor that builds a bare bone role with just principal's name
330	and a linking role name and a role name
331	(c:abac_role_linked_create)
332	***/
333	Role(char *principal_name) :
334	m_role(abac_role_principal_create(principal_name))
335	{ }
336	Role(char principal_name, char role_name) :
337	m_role(abac_role_create(principal_name, role_name))
338	{ }
339	Role(char principal_name, char linked_role_name, char *role_name) :
340	m_role(abac_role_linked_create(principal_name, linked_role_name,role_name))
341	{ }
342	/***
343	f bool role_is_principal() const
344	return true if the role is a principal object(made from
345	a data term), the right hand side of,
346	[keyid:A].role:r <- [keyid:B]
347	***/
348	bool role_is_principal() const
349	{ return abac_role_is_principal(m_role); }
350	/***
351	f bool role_is_linking() const
352	returns true if the role is a linking role like
353	the right hand side of,
354	[keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
355	***/
356	bool is_linking() const
357	{ return abac_role_is_linking(m_role); }
358	/***
359	f char *string() const
360	returns literal string of the role
361	(c:abac_aspect_string)
362	f char *typed_string() const
363	returns typed literal string of the role
364	(c:abac_aspect_typed_string)
365	***/
366	char *string() const
367	{ return abac_aspect_string(m_role); }
368	char *typed_string()
369	{ return abac_aspect_typed_string(m_role); }
370	/***
371	f char *role_linked_role() const
372	returns linked part of a linking role, for
373	[keyid:A].role:r1.role:r2, it returns r1
374	***/
375	char *role_linked_role() const
376	{ return abac_role_linked_role(m_role); }
377	/***
378	f char *role_name() const
379	returns the role name of any role (the part after the last dot)
380	[keyid:A].role.r1.role:r2, it returns r2
381	[keyid:A].role.r1, it returns r1
382	f char *role_principal() const
383	returns the principal of role (the part before the first dot)
384	[keyid:A].role.r1, it returns A
385	***/
386	char *role_name() const
387	{ return abac_role_name(m_role); }
388	char *role_principal() const
389	{ return abac_role_principal(m_role); }
390
391	/***
392	f void role_add_data_term(DataTerm&)
393	add a data term to the role
394	***/
395	void role_add_data_term(DataTerm& d) {
396	abac_role_add_data_term(m_role, d.term());
397	}
398	/***
399	f std::vector<DataTerm> get_data_terms(bool &)
400	return the data terms bound to this role.
401	***/
402	std::vector<DataTerm> get_data_terms(bool &success) {
403	abac_term_t terms, end;
404	int i;
405	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role));
406	for (i = 0; terms[i] != NULL; ++i)
407	;
408	end = &terms[i];
409	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
410	abac_terms_free(terms);
411	success=1;
412	return dataterms;
413	}
414	/***
415	f void role_add_linked_data_term(DataTerm&)
416	add a data term to the linking role
417	***/
418	void role_add_linked_data_term(DataTerm& d) {
419	abac_role_add_linked_data_term(m_role, d.term());
420	}
421	/***
422	f std::vector<DataTerm> get_linked_data_terms(bool &)
423	return the data terms bound to this role's linking role.
424	***/
425	std::vector<DataTerm> get_linked_data_terms(bool &success) {
426	abac_term_t terms, end;
427	int i;
428	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role));
429	for (i = 0; terms[i] != NULL; ++i)
430	;
431	end = &terms[i];
432	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
433	abac_terms_free(terms);
434	success=1;
435	return dataterms;
436	}
437	/ii*
438	f abac_aspect_t *role()
439	returns the interal libabac representation of this role
440	*ii/
441	abac_aspect_t *role() {return m_role;}
442	private:
443	abac_aspect_t *m_role;
444	};
445
446	/***
447	ABAC::Oset
448	An Oset is oset specification of a set of entitities for a principal
449	***/
450	class Oset {
451	public:
452	/***
453	f Oset()
454	default constructor, do not use, for swig only
455	f Oset(const Oset &)
456	copy constructor, used for cloning an oset
457	f ~Oset()
458	default destructor
459	***/
460	Oset() : m_oset(NULL) { } // do not use: here for swig
461	Oset(const Oset &oset)
462	{ m_oset =abac_aspect_dup(oset.m_oset); }
463	~Oset()
464	{ if(m_oset) abac_aspect_free(m_oset); }
465	/ii*
466	f Oset(abac_aspect_t *)
467	constructor that takes abac_aspect_t structure
468	*ii/
469	Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset))
470	{ }
471	/***
472	f Oset(char *)
473	constructor that makes a principal oset, ie [keyid:B]
474	(c:abac_role_principal_create)
475	f Oset(char , char )
476	constructor that makes a regular oset, ie. [keyid:B].oset:o
477	(c:abac_role_create)
478	f Oset(char , char, char *)
479	constructor that makes a linked oset, ie. [keyid:B].role:r.oset:o
480	(c:abac_oset_linked_create)
481	f Oset(DataTerm&)
482	constructor that makes an object oset, ie. [urn:'file/fileA']
483	***/
484	Oset(char *oset_name) : m_oset(abac_oset_principal_create(oset_name))
485	{ }
486	Oset(char principal_name, char oset_name) :
487	m_oset(abac_oset_create(principal_name, oset_name))
488	{ }
489	Oset(char principal_name, char linked_role_name,char *oset_name) :
490	m_oset(abac_oset_linked_create(principal_name, linked_role_name, oset_name))
491	{ }
492	Oset(DataTerm& d) :
493	m_oset(abac_oset_object_create(d.term()))
494	{ }
495
496	/***
497	f bool oset_is_object(), ie <- [integer:10]
498	return ture if this oset is an object oset
499	***/
500	bool oset_is_object() const
501	{ return abac_oset_is_object(m_oset); }
502	/***
503	f bool oset_is_principal() const
504	return true if the oset is a principal object(made from
505	a data term), the right hand side of,
506	[keyid:A].oset:o <- [keyid:B]
507	***/
508	bool oset_is_principal() const
509	{ return abac_oset_is_principal(m_oset); }
510	/***
511	f bool oset_is_linking() const
512	returns true if the oset is a linking oset like
513	the right hand side of,
514	[keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
515	***/
516	bool oset_is_linking() const
517	{ return abac_oset_is_linking(m_oset); }
518	/***
519	f char *string() const
520	returns literal string of the oset
521	(c:abac_aspect_string)
522	f char *typed_string() const
523	returns typed literal string of the oset
524	(c:abac_aspect_typed_string)
525	***/
526	char *string() const
527	{ return abac_aspect_string(m_oset); }
528	char *typed_string()
529	{ return abac_aspect_typed_string(m_oset); }
530	/***
531	f char *oset_linked_role() const
532	returns linked part of a linking oset, for
533	[keyid:A].role:r1.oset:o1, it returns r1
534	***/
535	char *oset_linked_role() const
536	{ return abac_oset_linked_role(m_oset); }
537	/***
538	f char *oset_name() const
539	returns oset name,
540	[keyid:A].role:r1.oset:o1, it returns o1
541	[keyid:A].oset:o1, it returns o1
542	***/
543	char *oset_name() const
544	{ return abac_oset_name(m_oset); }
545	/***
546	f char *oset_principal() const
547	returns principal name,
548	[keyid:A].role:r1.oset:o1, it returns A
549	***/
550	char *oset_principal() const
551	{ return abac_oset_principal(m_oset); }
552	/***
553	f char *oset_object() const
554	returns object's name when the oset is a principal object
555	[keyid:A].oset:values <- [integer:10], it returns 10
556	***/
557	char *oset_object() const
558	{ return abac_oset_object(m_oset); }
559	/***
560	f void add_data_term(DataTerm&)
561	add a data term to this oset's parameter set
562	***/
563	void oset_add_data_term(DataTerm& d) {
564	abac_oset_add_data_term(m_oset, d.term());
565	}
566	/***
567	f std::vector<DataTerm> get_data_terms(bool &)
568	returns the data terms bound to this oset.
569	***/
570	std::vector<DataTerm> get_data_terms(bool &success) {
571	abac_term_t terms, end;
572	int i;
573	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset));
574	for (i = 0; terms[i] != NULL; ++i)
575	;
576	end = &terms[i];
577	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
578	abac_terms_free(terms);
579	success=1;
580	return dataterms;
581	}
582	/***
583	f void oset_add_linked_data_term(DataTerm&)
584	add a data term to this oset's linking role's parameter set.
585	***/
586	void oset_add_linked_data_term(DataTerm& d) {
587	abac_oset_add_linked_data_term(m_oset, d.term());
588	}
589	/***
590	f std::vector<DataTerm> get_linked_data_terms(bool &)
591	returns the data terms bound to this oset's linking role.
592	***/
593	std::vector<DataTerm> get_linked_data_terms(bool &success) {
594	abac_term_t terms, end;
595	int i;
596	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset));
597	for (i = 0; terms[i] != NULL; ++i)
598	;
599	end = &terms[i];
600	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
601	abac_terms_free(terms);
602	success=1;
603	return dataterms;
604	}
605	/ii*
606	f abac_aspect_t *oset()
607	internal returns the internal libabac representation of the oset
608	*ii/
609	abac_aspect_t *oset() {return m_oset;}
610	private:
611	abac_aspect_t *m_oset;
612	};
613
614
615	/***
616	ABAC::ID
617	An ID holds a principal credential. It maybe imported from an existing
618	ID credential via external files, constructed from a streaming chunk,
619	or instantiated on the fly
620	***/
621	class ID {
622	public:
623	/***
624	f ID()
625	default constructor, do not use, for swig only
626	f ID(const ID &)
627	copy constructor, used for cloning an ID
628	f ~ID()
629	default destructor
630	***/
631	ID() : m_id(NULL) { } // do not use: here for swig
632	ID(const ID &id) { m_id =abac_id_dup(id.m_id); }
633	~ID() { if(m_id) abac_id_free(m_id); }
634	/ii*
635	f ID(abac_id_t *)
636	constructor from abac_id_t
637	f ID(abac_id_credential_t *)
638	constructor from abac_id_t
639	*ii/
640	ID(abac_id_t *id): m_id(abac_id_dup(id))
641	{ }
642	ID(abac_id_credential_t *idcred) {
643	if(idcred)
644	m_id=abac_id_dup(abac_id_credential_id(idcred));
645	else m_id=NULL;
646	}
647	/***
648	f ID(char *)
649	load an ID cert from a file, will throw an exception
650	if the cert cannot be loaded
651	(c:abac_id_from_file)
652	***/
653	ID(char *filename) {
654	m_id=abac_id_from_file(filename);
655	if(m_id==NULL)
656	abac_errx(1, "Id creation from filename failed");
657	}
658	/***
659	f ID(char *,int)
660	generates a new ID with the supplied CN and validity period
661	- CN must be alphanumeric and begin with a letter
662	- validity must be at least one second
663	will throw an exception if either of the above is violated
664	(c:abac_id_generate)
665	***/
666	ID(char *cn, int validity) {
667	int rt=abac_id_generate(&m_id, cn, validity);
668	if(rt != ABAC_ID_SUCCESS)
669	abac_errx(1, "Id creation failed");
670	}
671	/***
672	f void id_load_privkey_file(char *)
673	loads the private key associated with the ID credential
674	will throw an exception if the key cannot be loaded
675	***/
676	void id_load_privkey_file(char *filename) {
677	int rt=abac_id_load_privkey_file(m_id, filename);
678	if(rt != 1)
679	abac_errx(1, "Failed to load private key");
680	}
681	/ii*
682	f abac_id_t *id()
683	returns the abac_id_t
684	returns the interal libabac representation of this id
685	*ii/
686	abac_id_t *id() { return m_id; }
687
688	/***
689	f char *id_keyid()
690	returns the SHA1 keyid of the id cert
691	f char *id_name()
692	returns the CN (the parameter passed to the constructor or the
693	CN of the cert).
694	(c:abac_id_cn)
695	***/
696	char *id_keyid() { return abac_id_keyid(m_id); }
697	char *id_name() { return abac_id_cn(m_id); }
698	/***
699	f bool id_has_privkey()
700	returns true if the ID has an associated private key
701	***/
702	bool id_has_privkey()
703	{ return abac_id_has_privkey(m_id); }
704
705	/***
706	f void id_write_cert(FILE *)
707	writes a PEM-encoded cert to the file handle
708	f void id_write_cert(char *)
709	writes a PEM-encoded cert to a file named out
710	***/
711	void id_write_cert(FILE *out)
712	{ abac_id_write_cert(m_id, out); }
713	void id_write_cert(char *filename) {
714	FILE *out = fopen(filename, "a");
715	id_write_cert(out);
716	fclose(out);
717	}
718	/***
719	f void id_write_privkey(FILE *)
720	writes a PEM-encoded private key to the file handle
721	throws an exception if no private key is loaded
722	f void id_write_privkey(char *)
723	writes a PEM-encoded private key a file named out
724	throws an exception if no private key is loaded
725	***/
726	void id_write_privkey(FILE *out) {
727	if(!id_has_privkey())
728	abac_errx(1, "No privkey to write");
729	abac_id_write_privkey(m_id, out);
730	}
731	void id_write_privkey(char *filename) {
732	FILE *out = fopen(filename, "a");
733	id_write_privkey(out);
734	fclose(out);
735	}
736	/***
737	f abac_chunk_t id_cert_chunk()
738	returns a DER-encoded binary representation of the X.509 ID cert
739	associated with this ID.
740	can be passed to libabac's Context::load_id_chunk()
741	***/
742	abac_chunk_t id_cert_chunk()
743	{ return abac_id_cert_chunk(m_id); }
744	/***
745	f char *string()
746	returns literal string of the id credential
747	(c:abac_id_string)
748	***/
749	char *string()
750	{ return abac_id_string(m_id); }
751	public:
752	abac_id_t *m_id;
753	};
754
755
756	/***
757	ABAC::Attribute
758	This is the attribute representation for the access policy rule
759	LHS <- RHS
760	The sequence of generation is to
761	first, instantiate the object, ie, LHS (head)
762	second, adding subject(s) to it, ie, RHS (tail)
763	and then baking it.
764	Only once it's baked can you access the X.509 cert.
765	Once it's been baked you can no longer add subjects to it
766	***/
767	class Attribute {
768	public:
769	/***
770	f Attribute()
771	default constructor, do not use, for swig only
772	f Attribute(const Attribute &)
773	copy constructor, used for cloning an attribute
774	f ~Attribute()
775	default destructor
776	***/
777	Attribute() : m_attr(NULL) { }
778	Attribute(const Attribute &id)
779	{ m_attr =abac_attribute_dup(id.m_attr); }
780	~Attribute()
781	{ if(m_attr) abac_attribute_free(m_attr); }
782	/ii*
783	f Attribute(abac_attribute_t *)
784	constructor that takes abac_attribute_t, locally used
785	f Attribute(abac_credential_t *)
786	constructor that takes abac_credential_t, locally used
787	*ii/
788	Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr))
789	{ }
790	Attribute(abac_credential_t *cred)
791	{ m_attr=abac_attribute_dup(abac_credential_attribute(cred)); }
792	/***
793	f Attribute(Role&, int)
794	constructor that creates an attribute policy to be signed by the issuer
795	with the given role with a specified validity period
796	An exception will be thrown if:
797	- the issuer has no private key
798	- the Head role is invalid
799	- the validity period is invalid (must be >= 1 second)
800	(c:abac_attribute_create)
801	***/
802	Attribute(Role& head, int validity) {
803	int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity);
804	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
805	abac_errx(1, "attribute(role), unable to make an attribute");
806	}
807	/***
808	f Attribute(Oset&, int)
809	constructor that creates an attribute policy to be signed by the issuer
810	with the given oset with a specified validity period
811	An exception will be thrown if:
812	- the issuer has no private key
813	- the Head oset is invalid
814	- the validity period is invalid (must be >= 1 second)
815	(c:abac_attribute_create)
816	***/
817	Attribute(Oset& head, int validity) {
818	int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity);
819	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
820	abac_errx(1, "attribute(oset), unable to make an attribute");
821	}
822	/***
823	f bool attribute_add_tail(Role&)
824	Add a role tail. Call multiple times for intersections
825	f bool attribute_add_tail(Oset&)
826	Add an oset tail. Call multiple times for intersections
827	***/
828	bool attribute_add_tail(Role& tail) {
829	if(abac_attribute_add_tail(m_attr, tail.role()))
830	return 1;
831	else return 0;
832	}
833	bool attribute_add_tail(Oset& tail) {
834	if(abac_attribute_add_tail(m_attr, tail.oset()))
835	return 1;
836	else return 0;
837	}
838	/***
839	f char *head_string()
840	returns literal string of head of the attribute
841	f char *tail_string()
842	returns literal string of tail of the attribute
843	***/
844	char *head_string()
845	{ return abac_head_string(m_attr); }
846	char *tail_string()
847	{ return abac_tail_string(m_attr); }
848	/***
849	f char *head_typed_string()
850	returns typed literal string of head of the attribute
851	f char *tail_typed_string()
852	returns typed literal string of tail of the attribute
853	***/
854	char *head_typed_string()
855	{ return abac_head_typed_string(m_attr); }
856	char *tail_typed_string()
857	{ return abac_tail_typed_string(m_attr); }
858	/***
859	f char *string()
860	returns literal string of the attribute
861	(c:abac_attribute_string)
862	f char *typed_string()
863	returns typed literal string of the attribute
864	(c:abac_attribute_typed_string)
865	***/
866	char *string()
867	{ return abac_attribute_string(m_attr); }
868	char *typed_string()
869	{ return abac_attribute_typed_string(m_attr); }
870
871	/*** ??? not sure about implmentation
872	f const Role &role_head()
873	returns the head role
874	f const Oset &oset_head()
875	returns the oset head
876	***/
877	const Role &role_head() {
878	abac_aspect_t *head=abac_attribute_head(m_attr);
879	static Role role=Role(head);
880	return role;
881	}
882	const Oset &oset_head() {
883	abac_aspect_t *head=abac_attribute_tail(m_attr);
884	static Oset oset=Oset(head);
885	return oset;
886	}
887	/***
888	f std::vector<Role> role_tails(bool &)
889	retrieve tail role which maybe more than 1 if intersecting
890	f std::vector<Oset> oset_tails(bool &)
891	retrieve tail oset which maybe more than 1 if intersecting
892	***/
893	std::vector<Role> role_tails(bool &success) {
894	abac_aspect_t tails, end;
895	int i;
896	/* make sure it is role */
897	if(!abac_attribute_is_role(m_attr)) {
898	success=0;
899	abac_errx(1, "role_tails, attribute is not a role");
900	}
901	tails = abac_attribute_tail_vectorized(m_attr);
902	for (i = 0; tails[i] != NULL; ++i)
903	;
904	end = &tails[i];
905	std::vector<Role> roles = std::vector<Role>(tails, end);
906	abac_aspects_free(tails);
907	success=1;
908	return roles;
909	}
910	std::vector<Oset> oset_tails(bool &success) {
911	abac_aspect_t tails, end;
912	int i;
913	/* make sure that tail is not role */
914	if(abac_attribute_is_role(m_attr)) {
915	success=0;
916	abac_errx(1, "oset_tails, attribute is not an oset");
917	}
918	tails = abac_attribute_tail_vectorized(m_attr);
919	for (i = 0; tails[i] != NULL; ++i)
920	;
921	end = &tails[i];
922	std::vector<Oset> osets = std::vector<Oset>(tails, end);
923	success=1;
924	abac_aspects_free(tails);
925	return osets;
926	}
927	/ii*
928	f abac_attribute_t *attribute()
929	return libabac structure for attribute
930	*ii/
931	abac_attribute_t *attribute() { return m_attr; }
932
933	/***
934	f bool attribute_bake()
935	Generate the cert. Call this after you've added subjects to your cert.
936	This returns false if there are no subjects
937	This will throw an exception if the cert's already been baked.
938	***/
939	bool attribute_bake() {
940	/* can not bake in ABAC_CN mode */
941	if(USE("ABAC_CN"))
942	abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set");
943	int rt=abac_attribute_bake(m_attr);
944	if(rt!=1)
945	abac_errx(1, "bake, can not bake the cert");
946	}
947	/***
948	f bool attribute_baked()
949	returns true iff the cert has been baked.
950	***/
951	bool attribute_baked()
952	{ return abac_attribute_baked(m_attr); }
953
954	/***
955	f void attribute_write_cert(FILE *)
956	write the DER-encoded X.509 attribute cert to the open file handle
957	Throws an exception if the cert isn't baked
958	***/
959	void attribute_write_cert(FILE *out) {
960	int rt= abac_attribute_write_cert(m_attr,out);
961	if(!rt)
962	abac_errx(1, "write, cert is not baked");
963	}
964	/***
965	f void attribute_write_cert(char *)
966	write the DER-encoded X.509 attribute cert to a file named out
967	Throws an exception if the cert isn't baked
968	***/
969	void attribute_write_cert(char *filename) {
970	FILE *out = fopen(filename, "w");
971	attribute_write_cert(out);
972	fclose(out);
973	}
974	/***
975	f abac_chunk_t cert_chunk()
976	returns a DER-encoded binary representation of the X.509 attribute
977	cert associated with this cert
978	Throws an exception if the cert isn't baked
979	the chunk can be passed to libabac's Context::load_attribute_chunk()
980	***/
981	abac_chunk_t cert_chunk()
982	{ return abac_attribute_cert_chunk(m_attr); }
983	private:
984	abac_attribute_t *m_attr;
985	};
986
987
988	/***
989	ABAC::Context
990	An ABAC Context
991	***/
992	class Context {
993	public:
994	/***
995	f Context()
996	default constructor
997	f Context(const Context &)
998	copy constructor, used for cloning the context
999	f ~Context()
1000	default destructor
1001	***/
1002	Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); }
1003	Context(const Context &context) {
1004	m_ctx = abac_context_dup(context.m_ctx);
1005	m_abac_version=strdup(context.m_abac_version);
1006	}
1007	~Context() {
1008	abac_context_free(m_ctx);
1009	if(m_abac_version) free(m_abac_version);
1010	}
1011	/***
1012	f void dump_yap_db()
1013	dump the complete yap prolog database
1014	(c:show_yap_db)
1015	***/
1016	void dump_yap_db()
1017	{ show_yap_db("dump_yap"); }
1018
1019	/***
1020	f int load_id(ABAC::ID&)
1021	load id cert from ID
1022	(c:abac_context_load_id)
1023	f int load_id_file(char *)
1024	load id cert from an idkey combo file. key retrieval will be attempt
1025	but won't fail if not found
1026	(c:abac_context_load_id_file)
1027	f int load_id_files(char , char )
1028	load id cert from an id file and a key file
1029	(c:abac_context_load_id_files)
1030	f int load_id_chunk(abac_chunk_t)
1031	load id cert from a chunk structure
1032	(c:abac_context_load_id_chunk)
1033	returns:
1034	ABAC_CERT_SUCCESS successfully loaded
1035	ABAC_CERT_INVALID invalid certificate (or file not found)
1036	ABAC_CERT_BAD_SIG invalid signature
1037	***/
1038	int load_id(ABAC::ID& id)
1039	{ return abac_context_load_id(m_ctx, id.id()); }
1040	int load_id_file(char *filename)
1041	{ return abac_context_load_id_file(m_ctx, filename); }
1042	int load_id_files(char filename, char keyfilename)
1043	{ return abac_context_load_id_files(m_ctx, filename, keyfilename); }
1044	int load_id_chunk(abac_chunk_t cert)
1045	{ return abac_context_load_id_chunk(m_ctx, cert); }
1046
1047	/***
1048	f int load_attribute(ABAC::Attribute&)
1049	load attribute credential from attribute structure
1050	(c:abac_context_load_attribute)
1051	f int load_attribute_file(char *)
1052	load attribute credential from a file
1053	(c:abac_context_load_attribute_file)
1054	f int load_attribute_chunk(abac_chunk_t)
1055	load attribute credential from a chunk
1056	(c:abac_context_load_attribute_chunk)
1057	f returns the same values as above, additionally
1058	returns ABAC_CERT_MISSING_ISSUER if the issuer
1059	certificate has not been loaded
1060	***/
1061	int load_attribute(ABAC::Attribute& a)
1062	{ return abac_context_load_attribute(m_ctx, a.attribute()); }
1063	int load_attribute_file(char *filename)
1064	{ return abac_context_load_attribute_file(m_ctx, filename); }
1065	int load_attribute_chunk(abac_chunk_t cert)
1066	{ return abac_context_load_attribute_chunk(m_ctx, cert); }
1067	/***
1068	f void load_directory(char *)
1069	load a directory full of certificates:
1070	f first: ${path}/*_ID.{der,pem} as identity certificates
1071	implicitly looking for ${path}/*_private.{der,pem} as
1072	the private key file
1073	then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
1074	last: ${path}/*_attr.der as attribute certificates
1075	***/
1076	void load_directory(char *path)
1077	{ abac_context_load_directory(m_ctx, path); }
1078	/***
1079	f std::vector<Attribute> query(char , char , bool &)
1080	the string version is for query that is composed by hand with SHA or
1081	in non ABAC_CN mode
1082	(c:abac_context_query)
1083	f std::vector<Attribute> query(Role &, Role &, bool &)
1084	(c:abac_context_query_with_structure)
1085	std::vector<Attribute> query(Oset &, Oset &, bool &)
1086	(c:abac_context_query_with_structure)
1087	runs the query:
1088	role <-?- principal
1089	oset <-?- principal/obj
1090	returns true/false in success
1091	returns a proof upon success,
1092	partial proof on failure (not implemented yet)
1093	***/
1094	std::vector<Attribute> query(char role, char principal, bool &success) {
1095	abac_credential_t creds, end;
1096	int i, success_int;
1097
1098	creds = abac_context_query(m_ctx, role, principal, &success_int);
1099	success = success_int;
1100
1101	for (i = 0; creds[i] != NULL; ++i)
1102	;
1103
1104	end = &creds[i];
1105	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1106	if(debug) printf("query, got rules(%d)\n", i);
1107
1108	abac_context_credentials_free(creds);
1109
1110	return attributes;
1111	}
1112
1113	std::vector<Attribute> query(Role &role, Role &p_role, bool &success) {
1114	abac_credential_t creds, end;
1115	int i, success_int;
1116
1117	creds = abac_context_query_with_structure(m_ctx, role.role(), p_role.role(), &success_int);
1118	success = success_int;
1119
1120	for (i = 0; creds[i] != NULL; ++i)
1121	;
1122
1123	end = &creds[i];
1124	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1125
1126	abac_context_credentials_free(creds);
1127
1128	return attributes;
1129	}
1130
1131	std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) {
1132	abac_credential_t creds, end;
1133	int i, success_int;
1134
1135	creds = abac_context_query_with_structure(m_ctx, oset.oset(), p_oset.oset(), &success_int);
1136	success = success_int;
1137
1138	for (i = 0; creds[i] != NULL; ++i)
1139	;
1140
1141	end = &creds[i];
1142	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1143	if(debug) printf("query, returning rules(%d)\n", i);
1144
1145	abac_context_credentials_free(creds);
1146
1147	return attributes;
1148	}
1149
1150	/***
1151	f std::vector<Attribute> context_credentials(bool &)
1152	returns a vector of all the credentials loaded in the context
1153	extracted from the internal data structure
1154	***/
1155	std::vector<Attribute> context_credentials(bool &success) {
1156	abac_credential_t creds, end;
1157	int i;
1158	success = 1;
1159
1160	creds = abac_context_credentials(m_ctx);
1161	for (i = 0; creds[i] != NULL; ++i)
1162	;
1163
1164	end = &creds[i];
1165	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1166	if(debug) printf("credentials, got (%d)\n", i);
1167
1168	abac_context_credentials_free(creds);
1169	if(debug) show_yap_db("calling from context_credentials");
1170	return attributes;
1171	}
1172
1173	/***
1174	f std::vector<Attribute> context_principals(bool &)
1175	returns a vector of all the principals loaded in the context
1176	extracted from the internal data structure
1177	***/
1178	std::vector<ID> context_principals(bool &success) {
1179	abac_id_credential_t ids, end;
1180	int i;
1181	success = 1;
1182
1183	ids = abac_context_principals(m_ctx);
1184	for (i = 0; ids[i] != NULL; ++i)
1185	;
1186
1187	end = &ids[i];
1188	std::vector<ID> principals = std::vector<ID>(ids, end);
1189	if(debug) printf("principals, got (%d)\n", i);
1190
1191	abac_context_principals_free(ids);
1192	return principals;
1193	}
1194	/***
1195	f char *version()
1196	return the version of this interface
1197	***/
1198	char *version() const { return m_abac_version; }
1199
1200	private:
1201	abac_context_t *m_ctx;
1202	char *m_abac_version;
1203	};
1204
1205	Constraint::Constraint(Role& role)
1206	{ m_constraint=abac_constraint_from_role(role.role()); }
1207	Constraint::Constraint(Oset &oset)
1208	{ m_constraint=abac_constraint_from_oset(oset.oset()); }
1209	DataTerm::DataTerm(ID& id)
1210	{ m_term=abac_term_id_create(id.id()); }
1211	}
1212
1213	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: