1 | #ifndef __ABAC_HH__ |
---|
2 | #define __ABAC_HH__ |
---|
3 | |
---|
4 | #include <string> |
---|
5 | #include <vector> |
---|
6 | |
---|
7 | namespace ABAC { |
---|
8 | extern "C" { |
---|
9 | #include "abac.h" |
---|
10 | } |
---|
11 | static int debug=0; |
---|
12 | class Role; |
---|
13 | class Oset; |
---|
14 | class ID; |
---|
15 | |
---|
16 | /*** |
---|
17 | ABAC::Constraint |
---|
18 | Constraint on a data term. |
---|
19 | There are 3 types: |
---|
20 | - Role constraint on a principal |
---|
21 | - Oset constraint on a principal, or a data object |
---|
22 | - Range/List constraint on a data object |
---|
23 | It holds a ptr to a abac_condition_t structure |
---|
24 | ***/ |
---|
25 | class Constraint { |
---|
26 | public: |
---|
27 | /*** |
---|
28 | f Constraint() |
---|
29 | default constructor, do not use, for swig only |
---|
30 | f Constraint(const Constraint &) |
---|
31 | copy constructor, used for cloning a constraint |
---|
32 | f ~Constraint() |
---|
33 | default destructor |
---|
34 | ***/ |
---|
35 | Constraint() : m_constraint(NULL) { } |
---|
36 | Constraint(const Constraint &constraint) { |
---|
37 | m_constraint =abac_condition_dup(constraint.m_constraint); |
---|
38 | } |
---|
39 | ~Constraint() { |
---|
40 | if(m_constraint) abac_condition_free(m_constraint); |
---|
41 | } |
---|
42 | /*** |
---|
43 | f Constraint(Role &) |
---|
44 | constructor that takes a constraining role |
---|
45 | [role:?R[{role-constraint}] |
---|
46 | (c:abac_constraint_from_role) |
---|
47 | f Constraint(Oset &) |
---|
48 | constructor that takes a constraining oset |
---|
49 | [oset:?O[{oset-constraint}] |
---|
50 | [urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])] |
---|
51 | (c:abac_constraint_from_oset) |
---|
52 | f Constraint(char *) |
---|
53 | constructor that takes one of following string |
---|
54 | as its vartype to set up a range constraint: |
---|
55 | "integer" |
---|
56 | "urn" |
---|
57 | "float" |
---|
58 | "boolean" |
---|
59 | "time" |
---|
60 | "string" |
---|
61 | it should be followed with one or many of following utility |
---|
62 | calls. |
---|
63 | (C:abac_condition_create) |
---|
64 | ***/ |
---|
65 | Constraint(Role& role); |
---|
66 | Constraint(Oset& oset); |
---|
67 | Constraint(char *vartype) |
---|
68 | { m_constraint=abac_condition_create(vartype); } |
---|
69 | /*ii** |
---|
70 | f Constraint(abac_condition_t *) |
---|
71 | internal constructor that takes an abac_condition_t structure |
---|
72 | **ii*/ |
---|
73 | Constraint(abac_condition_t *constraint): |
---|
74 | m_constraint(abac_condition_dup(constraint)) |
---|
75 | { } |
---|
76 | /*** |
---|
77 | f void constraint_add_integer_max(int) |
---|
78 | (c:abac_constraint_add_integer_max) |
---|
79 | void constraint_add_integer_min(int) |
---|
80 | utility routines to setup a integer range constraint |
---|
81 | [integer:?I[10 .. 20]] |
---|
82 | (c:abac_constraint_add_integer_min) |
---|
83 | f void constraint_add_integer_target(int) |
---|
84 | utility routine to setup a integer list constraint |
---|
85 | [integer:?I[10,20]] |
---|
86 | (c:abac_constraint_add_integer_target) |
---|
87 | ***/ |
---|
88 | void constraint_add_integer_max(int val) |
---|
89 | { abac_constraint_add_integer_max(m_constraint,val); } |
---|
90 | void constraint_add_integer_min(int val) |
---|
91 | { abac_constraint_add_integer_min(m_constraint,val); } |
---|
92 | void constraint_add_integer_target(int val) |
---|
93 | { abac_constraint_add_integer_target(m_constraint,val); } |
---|
94 | /*** |
---|
95 | f void constraint_add_float_max(float) |
---|
96 | void constraint_add_float_min(float) |
---|
97 | utility routines to setup a float range constraint |
---|
98 | [float:?F[1.0 .. 2.5]] |
---|
99 | f void constraint_add_float_target(float) |
---|
100 | utility routine to setup a float list constraint |
---|
101 | [float:?F[0.5, 2.5]] |
---|
102 | ***/ |
---|
103 | void constraint_add_float_max(float val) |
---|
104 | { abac_constraint_add_float_max(m_constraint,val); } |
---|
105 | void constraint_add_float_min(float val) |
---|
106 | { abac_constraint_add_float_min(m_constraint,val); } |
---|
107 | void constraint_add_float_target(float val) |
---|
108 | { abac_constraint_add_float_target(m_constraint,val); } |
---|
109 | /*** |
---|
110 | f void constraint_add_time_max(char*) |
---|
111 | void constraint_add_time_min(char*) |
---|
112 | utility routines to setup a time range constraint, |
---|
113 | takes quoted string values, beyond T is optional |
---|
114 | [time:?F["20120228T" .. "20120228T090000"]] |
---|
115 | f void constraint_add_time_target(char*) |
---|
116 | utility routine to setup a time list constraint |
---|
117 | [time:?M["20201101T182930","20201101T"]] |
---|
118 | ***/ |
---|
119 | void constraint_add_time_max(char* val) |
---|
120 | { abac_constraint_add_time_max(m_constraint,val); } |
---|
121 | void constraint_add_time_min(char* val) |
---|
122 | { abac_constraint_add_time_min(m_constraint,val); } |
---|
123 | void constraint_add_time_target(char* val) |
---|
124 | { abac_constraint_add_time_target(m_constraint,val); } |
---|
125 | /*** |
---|
126 | f void constraint_add_urn_target(char*) |
---|
127 | utility routine to setup a an urn list constraint |
---|
128 | [urn:?U["fileA","http://fileB"]] |
---|
129 | f void constraint_add_string_target(char*) |
---|
130 | utility routine to setup a a string list constraint |
---|
131 | [string:?S["abc",'efg',"hij"]] |
---|
132 | f void constraint_add_boolean_target(char*) |
---|
133 | utility routine to setup a a boolean list constraint |
---|
134 | [boolean:?B['true']] |
---|
135 | ***/ |
---|
136 | void constraint_add_urn_target(char* val) |
---|
137 | { abac_constraint_add_urn_target(m_constraint,val); } |
---|
138 | void constraint_add_string_target(char* val) |
---|
139 | { abac_constraint_add_string_target(m_constraint,val); } |
---|
140 | void constraint_add_boolean_target(char* val) |
---|
141 | { abac_constraint_add_boolean_target(m_constraint,val); } |
---|
142 | /*** |
---|
143 | f char *string() const |
---|
144 | returns literal string of the constraint |
---|
145 | (c:abac_constraint_string) |
---|
146 | f char *typed_string() const |
---|
147 | returns typed literal string of the constraint |
---|
148 | (c:abac_constraint_typed_string) |
---|
149 | ***/ |
---|
150 | char *string() const |
---|
151 | { return abac_constraint_string(m_constraint); } |
---|
152 | char *typed_string() const |
---|
153 | { return abac_constraint_typed_string(m_constraint); } |
---|
154 | /*ii** |
---|
155 | f abac_condition_t *constraint() |
---|
156 | internal returns internal constraint structure |
---|
157 | **ii*/ |
---|
158 | abac_condition_t *constraint() |
---|
159 | { return m_constraint; } |
---|
160 | private: |
---|
161 | abac_condition_t *m_constraint; |
---|
162 | }; |
---|
163 | |
---|
164 | /*** |
---|
165 | ABAC::DataTerm |
---|
166 | A data term is associated with Role or Oset as a parameter that |
---|
167 | maybe be instantiated, or uninstantiated but being constrained, |
---|
168 | or as a principal oset term (standalone right handside of an oset |
---|
169 | policy rule). It holds a pointer to a abac_term_t structure. |
---|
170 | Types of data terms are: |
---|
171 | "integer" |
---|
172 | "urn" |
---|
173 | "float" |
---|
174 | "boolean" |
---|
175 | "string" |
---|
176 | "time" |
---|
177 | "principal" |
---|
178 | "anonymous" |
---|
179 | ***/ |
---|
180 | class DataTerm { |
---|
181 | public: |
---|
182 | /*** |
---|
183 | f DataTerm() |
---|
184 | default constructor, do not use, for swig only |
---|
185 | f DataTerm(const DataTerm &) |
---|
186 | copy constructor, used for cloning a data term |
---|
187 | f ~DataTerm() |
---|
188 | default destructor |
---|
189 | ***/ |
---|
190 | DataTerm() : m_term(NULL) { } // do not use: here for swig |
---|
191 | DataTerm(const DataTerm &dterm) { |
---|
192 | m_term=abac_term_dup(dterm.m_term); |
---|
193 | } |
---|
194 | ~DataTerm() { |
---|
195 | if(m_term) abac_term_free(m_term); |
---|
196 | } |
---|
197 | /*ii** |
---|
198 | f DataTerm(abac_term_t *) |
---|
199 | internal constructor to make data term from abac_term_t structure |
---|
200 | **ii*/ |
---|
201 | DataTerm(abac_term_t *term) |
---|
202 | { m_term=abac_term_dup(term); } |
---|
203 | /*** |
---|
204 | f DataTerm(char*) |
---|
205 | constructor to make named principal data term for the oset RHS |
---|
206 | (C: abac_term_named_create) |
---|
207 | f DataTerm(const ID&) |
---|
208 | constructor to make named principal data term for parameters |
---|
209 | (C: abac_term_id_create) |
---|
210 | f DataTerm(char*, char*, Constraint*) |
---|
211 | constructor for making a variable data term |
---|
212 | (C: abac_term_create) |
---|
213 | f DataTerm(char*, char*) |
---|
214 | constructor for making an instantiated data term |
---|
215 | (C: abac_term_create) |
---|
216 | ***/ |
---|
217 | DataTerm(char *name) { |
---|
218 | if(debug) printf("adding a Dataterm named principal(%s)\n",name); |
---|
219 | m_term=abac_term_named_create(name); |
---|
220 | } |
---|
221 | DataTerm(ID& id); |
---|
222 | DataTerm(char* typenm, char *name, Constraint *cond) { |
---|
223 | if(debug) printf("adding a Dataterm (%s)\n",name); |
---|
224 | m_term=abac_term_create(typenm,name,cond->constraint()); |
---|
225 | } |
---|
226 | DataTerm(char* typenm, char *name) { |
---|
227 | if(debug) printf("adding a Dataterm (%s)\n",name); |
---|
228 | m_term=abac_term_create(typenm,name,NULL); |
---|
229 | } |
---|
230 | /*** |
---|
231 | f char *string() const |
---|
232 | returns literal string of the data term |
---|
233 | (c:abac_term_string) |
---|
234 | f char *typed_string() const |
---|
235 | returns typed literal string of the data term |
---|
236 | (c:abac_term_typed_string) |
---|
237 | ***/ |
---|
238 | char *string() const |
---|
239 | { return abac_term_string(m_term); } |
---|
240 | char *typed_string() const |
---|
241 | { return abac_term_typed_string(m_term); } |
---|
242 | /*** |
---|
243 | f bool term_is_time() const |
---|
244 | (c:abac_term_is_time) |
---|
245 | bool term_is_string() const |
---|
246 | (c:abac_term_is_string) |
---|
247 | bool term_is_urn() const |
---|
248 | (c:abac_term_is_urn) |
---|
249 | bool term_is_integer() const |
---|
250 | (c:abac_term_is_integer) |
---|
251 | returns true if data term is of certain type |
---|
252 | ***/ |
---|
253 | bool term_is_time() const |
---|
254 | { return abac_term_is_time(m_term); } |
---|
255 | bool term_is_string() const |
---|
256 | { return abac_term_is_string(m_term); } |
---|
257 | bool term_is_urn() const |
---|
258 | { return abac_term_is_urn(m_term); } |
---|
259 | bool term_is_integer() const |
---|
260 | { return abac_term_is_integer(m_term); } |
---|
261 | /*** |
---|
262 | f int term_add_constraint(Contraint&) |
---|
263 | utiltiy routine to add a constraint to this data term |
---|
264 | (c:abac_term_add_constraint) |
---|
265 | ***/ |
---|
266 | int term_add_constraint(Constraint& cond) { |
---|
267 | abac_term_add_constraint(m_term, cond.constraint()); |
---|
268 | return 1; |
---|
269 | } |
---|
270 | /*** |
---|
271 | f int term_type() const |
---|
272 | returns subtype of the data term |
---|
273 | (c:abac_term_type) |
---|
274 | f char *term_name() const |
---|
275 | returns the name of the data term |
---|
276 | (c:abac_term_name) |
---|
277 | ***/ |
---|
278 | int term_type() const |
---|
279 | { abac_term_type(m_term); } |
---|
280 | char *term_name() const |
---|
281 | { return abac_term_name(m_term); } |
---|
282 | /*ii** |
---|
283 | f abac_term_t *term() |
---|
284 | returns abac_term_t term structure |
---|
285 | **ii*/ |
---|
286 | abac_term_t *term() |
---|
287 | { return m_term; } |
---|
288 | private: |
---|
289 | abac_term_t *m_term; |
---|
290 | }; |
---|
291 | |
---|
292 | |
---|
293 | /*** |
---|
294 | ABAC::Role |
---|
295 | A Role is role specification of a set of entitities for a principal |
---|
296 | ***/ |
---|
297 | class Role { |
---|
298 | public: |
---|
299 | /*** |
---|
300 | f Role() |
---|
301 | default constructor, do not use, for swig only |
---|
302 | f Role(const Role &) |
---|
303 | copy constructor, used for cloning a role |
---|
304 | f ~Role() |
---|
305 | default destructor |
---|
306 | ***/ |
---|
307 | Role() : m_role(NULL) { } // do not use: here for swig |
---|
308 | Role(const Role &role) { |
---|
309 | m_role = abac_aspect_dup(role.m_role); |
---|
310 | } |
---|
311 | ~Role() { |
---|
312 | if (m_role) abac_aspect_free(m_role); |
---|
313 | } |
---|
314 | /*ii** |
---|
315 | f Role(abac_aspect_t*) |
---|
316 | constructor that takes an abac_aspect_t structure |
---|
317 | **ii*/ |
---|
318 | Role(abac_aspect_t *role): m_role(abac_aspect_dup(role)) |
---|
319 | { } |
---|
320 | /*** |
---|
321 | f Role(char*) |
---|
322 | constructor that builds a bare bone role with just principal's name |
---|
323 | (c:abac_role_principal_create) |
---|
324 | f Role(char*, char*) |
---|
325 | constructor that builds a bare bone role with just principal's name |
---|
326 | and a role name |
---|
327 | (c:abac_role_create) |
---|
328 | f Role(char*, char*, char*) |
---|
329 | constructor that builds a bare bone role with just principal's name |
---|
330 | and a linking role name and a role name |
---|
331 | (c:abac_role_linked_create) |
---|
332 | ***/ |
---|
333 | Role(char *principal_name) : |
---|
334 | m_role(abac_role_principal_create(principal_name)) |
---|
335 | { } |
---|
336 | Role(char *principal_name, char *role_name) : |
---|
337 | m_role(abac_role_create(principal_name, role_name)) |
---|
338 | { } |
---|
339 | Role(char *principal_name, char *linked_role_name, char *role_name) : |
---|
340 | m_role(abac_role_linked_create(principal_name, linked_role_name,role_name)) |
---|
341 | { } |
---|
342 | /*** |
---|
343 | f bool role_is_principal() const |
---|
344 | return true if the role is a principal object(made from |
---|
345 | a data term), the right hand side of, |
---|
346 | [keyid:A].role:r <- [keyid:B] |
---|
347 | ***/ |
---|
348 | bool role_is_principal() const |
---|
349 | { return abac_role_is_principal(m_role); } |
---|
350 | /*** |
---|
351 | f bool role_is_linking() const |
---|
352 | returns true if the role is a linking role like |
---|
353 | the right hand side of, |
---|
354 | [keyid:A].role:r1 <- [keyid:B].role:r2.role:r3 |
---|
355 | ***/ |
---|
356 | bool is_linking() const |
---|
357 | { return abac_role_is_linking(m_role); } |
---|
358 | /*** |
---|
359 | f char *string() const |
---|
360 | returns literal string of the role |
---|
361 | (c:abac_aspect_string) |
---|
362 | f char *typed_string() const |
---|
363 | returns typed literal string of the role |
---|
364 | (c:abac_aspect_typed_string) |
---|
365 | ***/ |
---|
366 | char *string() const |
---|
367 | { return abac_aspect_string(m_role); } |
---|
368 | char *typed_string() |
---|
369 | { return abac_aspect_typed_string(m_role); } |
---|
370 | /*** |
---|
371 | f char *role_linked_role() const |
---|
372 | returns linked part of a linking role, for |
---|
373 | [keyid:A].role:r1.role:r2, it returns r1 |
---|
374 | ***/ |
---|
375 | char *role_linked_role() const |
---|
376 | { return abac_role_linked_role(m_role); } |
---|
377 | /*** |
---|
378 | f char *role_name() const |
---|
379 | returns the role name of any role (the part after the last dot) |
---|
380 | [keyid:A].role.r1.role:r2, it returns r2 |
---|
381 | [keyid:A].role.r1, it returns r1 |
---|
382 | f char *role_principal() const |
---|
383 | returns the principal of role (the part before the first dot) |
---|
384 | [keyid:A].role.r1, it returns A |
---|
385 | ***/ |
---|
386 | char *role_name() const |
---|
387 | { return abac_role_name(m_role); } |
---|
388 | char *role_principal() const |
---|
389 | { return abac_role_principal(m_role); } |
---|
390 | |
---|
391 | /*** |
---|
392 | f void role_add_data_term(DataTerm&) |
---|
393 | add a data term to the role |
---|
394 | ***/ |
---|
395 | void role_add_data_term(DataTerm& d) { |
---|
396 | abac_role_add_data_term(m_role, d.term()); |
---|
397 | } |
---|
398 | /*** |
---|
399 | f std::vector<DataTerm> get_data_terms(bool &) |
---|
400 | return the data terms bound to this role. |
---|
401 | ***/ |
---|
402 | std::vector<DataTerm> get_data_terms(bool &success) { |
---|
403 | abac_term_t **terms, **end; |
---|
404 | int i; |
---|
405 | terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role)); |
---|
406 | for (i = 0; terms[i] != NULL; ++i) |
---|
407 | ; |
---|
408 | end = &terms[i]; |
---|
409 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
410 | abac_terms_free(terms); |
---|
411 | success=1; |
---|
412 | return dataterms; |
---|
413 | } |
---|
414 | /*** |
---|
415 | f void role_add_linked_data_term(DataTerm&) |
---|
416 | add a data term to the linking role |
---|
417 | ***/ |
---|
418 | void role_add_linked_data_term(DataTerm& d) { |
---|
419 | abac_role_add_linked_data_term(m_role, d.term()); |
---|
420 | } |
---|
421 | /*** |
---|
422 | f std::vector<DataTerm> get_linked_data_terms(bool &) |
---|
423 | return the data terms bound to this role's linking role. |
---|
424 | ***/ |
---|
425 | std::vector<DataTerm> get_linked_data_terms(bool &success) { |
---|
426 | abac_term_t **terms, **end; |
---|
427 | int i; |
---|
428 | terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role)); |
---|
429 | for (i = 0; terms[i] != NULL; ++i) |
---|
430 | ; |
---|
431 | end = &terms[i]; |
---|
432 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
433 | abac_terms_free(terms); |
---|
434 | success=1; |
---|
435 | return dataterms; |
---|
436 | } |
---|
437 | /*ii** |
---|
438 | f abac_aspect_t *role() |
---|
439 | returns the interal libabac representation of this role |
---|
440 | **ii*/ |
---|
441 | abac_aspect_t *role() {return m_role;} |
---|
442 | private: |
---|
443 | abac_aspect_t *m_role; |
---|
444 | }; |
---|
445 | |
---|
446 | /*** |
---|
447 | ABAC::Oset |
---|
448 | An Oset is oset specification of a set of entitities for a principal |
---|
449 | ***/ |
---|
450 | class Oset { |
---|
451 | public: |
---|
452 | /*** |
---|
453 | f Oset() |
---|
454 | default constructor, do not use, for swig only |
---|
455 | f Oset(const Oset &) |
---|
456 | copy constructor, used for cloning an oset |
---|
457 | f ~Oset() |
---|
458 | default destructor |
---|
459 | ***/ |
---|
460 | Oset() : m_oset(NULL) { } // do not use: here for swig |
---|
461 | Oset(const Oset &oset) |
---|
462 | { m_oset =abac_aspect_dup(oset.m_oset); } |
---|
463 | ~Oset() |
---|
464 | { if(m_oset) abac_aspect_free(m_oset); } |
---|
465 | /*ii** |
---|
466 | f Oset(abac_aspect_t *) |
---|
467 | constructor that takes abac_aspect_t structure |
---|
468 | **ii*/ |
---|
469 | Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset)) |
---|
470 | { } |
---|
471 | /*** |
---|
472 | f Oset(char *) |
---|
473 | constructor that makes a principal oset, ie [keyid:B] |
---|
474 | (c:abac_role_principal_create) |
---|
475 | f Oset(char *, char *) |
---|
476 | constructor that makes a regular oset, ie. [keyid:B].oset:o |
---|
477 | (c:abac_role_create) |
---|
478 | f Oset(char *, char*, char *) |
---|
479 | constructor that makes a linked oset, ie. [keyid:B].role:r.oset:o |
---|
480 | (c:abac_oset_linked_create) |
---|
481 | f Oset(DataTerm&) |
---|
482 | constructor that makes an object oset, ie. [urn:'file/fileA'] |
---|
483 | ***/ |
---|
484 | Oset(char *oset_name) : m_oset(abac_oset_principal_create(oset_name)) |
---|
485 | { } |
---|
486 | Oset(char *principal_name, char *oset_name) : |
---|
487 | m_oset(abac_oset_create(principal_name, oset_name)) |
---|
488 | { } |
---|
489 | Oset(char *principal_name, char *linked_role_name,char *oset_name) : |
---|
490 | m_oset(abac_oset_linked_create(principal_name, linked_role_name, oset_name)) |
---|
491 | { } |
---|
492 | Oset(DataTerm& d) : |
---|
493 | m_oset(abac_oset_object_create(d.term())) |
---|
494 | { } |
---|
495 | |
---|
496 | /*** |
---|
497 | f bool oset_is_object(), ie <- [integer:10] |
---|
498 | return ture if this oset is an object oset |
---|
499 | ***/ |
---|
500 | bool oset_is_object() const |
---|
501 | { return abac_oset_is_object(m_oset); } |
---|
502 | /*** |
---|
503 | f bool oset_is_principal() const |
---|
504 | return true if the oset is a principal object(made from |
---|
505 | a data term), the right hand side of, |
---|
506 | [keyid:A].oset:o <- [keyid:B] |
---|
507 | ***/ |
---|
508 | bool oset_is_principal() const |
---|
509 | { return abac_oset_is_principal(m_oset); } |
---|
510 | /*** |
---|
511 | f bool oset_is_linking() const |
---|
512 | returns true if the oset is a linking oset like |
---|
513 | the right hand side of, |
---|
514 | [keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2 |
---|
515 | ***/ |
---|
516 | bool oset_is_linking() const |
---|
517 | { return abac_oset_is_linking(m_oset); } |
---|
518 | /*** |
---|
519 | f char *string() const |
---|
520 | returns literal string of the oset |
---|
521 | (c:abac_aspect_string) |
---|
522 | f char *typed_string() const |
---|
523 | returns typed literal string of the oset |
---|
524 | (c:abac_aspect_typed_string) |
---|
525 | ***/ |
---|
526 | char *string() const |
---|
527 | { return abac_aspect_string(m_oset); } |
---|
528 | char *typed_string() |
---|
529 | { return abac_aspect_typed_string(m_oset); } |
---|
530 | /*** |
---|
531 | f char *oset_linked_role() const |
---|
532 | returns linked part of a linking oset, for |
---|
533 | [keyid:A].role:r1.oset:o1, it returns r1 |
---|
534 | ***/ |
---|
535 | char *oset_linked_role() const |
---|
536 | { return abac_oset_linked_role(m_oset); } |
---|
537 | /*** |
---|
538 | f char *oset_name() const |
---|
539 | returns oset name, |
---|
540 | [keyid:A].role:r1.oset:o1, it returns o1 |
---|
541 | [keyid:A].oset:o1, it returns o1 |
---|
542 | ***/ |
---|
543 | char *oset_name() const |
---|
544 | { return abac_oset_name(m_oset); } |
---|
545 | /*** |
---|
546 | f char *oset_principal() const |
---|
547 | returns principal name, |
---|
548 | [keyid:A].role:r1.oset:o1, it returns A |
---|
549 | ***/ |
---|
550 | char *oset_principal() const |
---|
551 | { return abac_oset_principal(m_oset); } |
---|
552 | /*** |
---|
553 | f char *oset_object() const |
---|
554 | returns object's name when the oset is a principal object |
---|
555 | [keyid:A].oset:values <- [integer:10], it returns 10 |
---|
556 | ***/ |
---|
557 | char *oset_object() const |
---|
558 | { return abac_oset_object(m_oset); } |
---|
559 | /*** |
---|
560 | f void add_data_term(DataTerm&) |
---|
561 | add a data term to this oset's parameter set |
---|
562 | ***/ |
---|
563 | void oset_add_data_term(DataTerm& d) { |
---|
564 | abac_oset_add_data_term(m_oset, d.term()); |
---|
565 | } |
---|
566 | /*** |
---|
567 | f std::vector<DataTerm> get_data_terms(bool &) |
---|
568 | returns the data terms bound to this oset. |
---|
569 | ***/ |
---|
570 | std::vector<DataTerm> get_data_terms(bool &success) { |
---|
571 | abac_term_t **terms, **end; |
---|
572 | int i; |
---|
573 | terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset)); |
---|
574 | for (i = 0; terms[i] != NULL; ++i) |
---|
575 | ; |
---|
576 | end = &terms[i]; |
---|
577 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
578 | abac_terms_free(terms); |
---|
579 | success=1; |
---|
580 | return dataterms; |
---|
581 | } |
---|
582 | /*** |
---|
583 | f void oset_add_linked_data_term(DataTerm&) |
---|
584 | add a data term to this oset's linking role's parameter set. |
---|
585 | ***/ |
---|
586 | void oset_add_linked_data_term(DataTerm& d) { |
---|
587 | abac_oset_add_linked_data_term(m_oset, d.term()); |
---|
588 | } |
---|
589 | /*** |
---|
590 | f std::vector<DataTerm> get_linked_data_terms(bool &) |
---|
591 | returns the data terms bound to this oset's linking role. |
---|
592 | ***/ |
---|
593 | std::vector<DataTerm> get_linked_data_terms(bool &success) { |
---|
594 | abac_term_t **terms, **end; |
---|
595 | int i; |
---|
596 | terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset)); |
---|
597 | for (i = 0; terms[i] != NULL; ++i) |
---|
598 | ; |
---|
599 | end = &terms[i]; |
---|
600 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
601 | abac_terms_free(terms); |
---|
602 | success=1; |
---|
603 | return dataterms; |
---|
604 | } |
---|
605 | /*ii** |
---|
606 | f abac_aspect_t *oset() |
---|
607 | internal returns the internal libabac representation of the oset |
---|
608 | **ii*/ |
---|
609 | abac_aspect_t *oset() {return m_oset;} |
---|
610 | private: |
---|
611 | abac_aspect_t *m_oset; |
---|
612 | }; |
---|
613 | |
---|
614 | |
---|
615 | /*** |
---|
616 | ABAC::ID |
---|
617 | An ID holds a principal credential. It maybe imported from an existing |
---|
618 | ID credential via external files, constructed from a streaming chunk, |
---|
619 | or instantiated on the fly |
---|
620 | ***/ |
---|
621 | class ID { |
---|
622 | public: |
---|
623 | /*** |
---|
624 | f ID() |
---|
625 | default constructor, do not use, for swig only |
---|
626 | f ID(const ID &) |
---|
627 | copy constructor, used for cloning an ID |
---|
628 | f ~ID() |
---|
629 | default destructor |
---|
630 | ***/ |
---|
631 | ID() : m_id(NULL) { } // do not use: here for swig |
---|
632 | ID(const ID &id) { m_id =abac_id_dup(id.m_id); } |
---|
633 | ~ID() { if(m_id) abac_id_free(m_id); } |
---|
634 | /*ii** |
---|
635 | f ID(abac_id_t *) |
---|
636 | constructor from abac_id_t |
---|
637 | f ID(abac_id_credential_t *) |
---|
638 | constructor from abac_id_t |
---|
639 | **ii*/ |
---|
640 | ID(abac_id_t *id): m_id(abac_id_dup(id)) |
---|
641 | { } |
---|
642 | ID(abac_id_credential_t *idcred) { |
---|
643 | if(idcred) |
---|
644 | m_id=abac_id_dup(abac_id_credential_id(idcred)); |
---|
645 | else m_id=NULL; |
---|
646 | } |
---|
647 | /*** |
---|
648 | f ID(char *) |
---|
649 | load an ID cert from a file, will throw an exception |
---|
650 | if the cert cannot be loaded |
---|
651 | (c:abac_id_from_file) |
---|
652 | ***/ |
---|
653 | ID(char *filename) { |
---|
654 | m_id=abac_id_from_file(filename); |
---|
655 | if(m_id==NULL) |
---|
656 | abac_errx(1, "Id creation from filename failed"); |
---|
657 | } |
---|
658 | /*** |
---|
659 | f ID(char *,int) |
---|
660 | generates a new ID with the supplied CN and validity period |
---|
661 | - CN must be alphanumeric and begin with a letter |
---|
662 | - validity must be at least one second |
---|
663 | will throw an exception if either of the above is violated |
---|
664 | (c:abac_id_generate) |
---|
665 | ***/ |
---|
666 | ID(char *cn, int validity) { |
---|
667 | int rt=abac_id_generate(&m_id, cn, validity); |
---|
668 | if(rt != ABAC_ID_SUCCESS) |
---|
669 | abac_errx(1, "Id creation failed"); |
---|
670 | } |
---|
671 | /*** |
---|
672 | f void id_load_privkey_file(char *) |
---|
673 | loads the private key associated with the ID credential |
---|
674 | will throw an exception if the key cannot be loaded |
---|
675 | ***/ |
---|
676 | void id_load_privkey_file(char *filename) { |
---|
677 | int rt=abac_id_load_privkey_file(m_id, filename); |
---|
678 | if(rt != 1) |
---|
679 | abac_errx(1, "Failed to load private key"); |
---|
680 | } |
---|
681 | /*ii** |
---|
682 | f abac_id_t *id() |
---|
683 | returns the abac_id_t |
---|
684 | returns the interal libabac representation of this id |
---|
685 | **ii*/ |
---|
686 | abac_id_t *id() { return m_id; } |
---|
687 | |
---|
688 | /*** |
---|
689 | f char *id_keyid() |
---|
690 | returns the SHA1 keyid of the id cert |
---|
691 | f char *id_name() |
---|
692 | returns the CN (the parameter passed to the constructor or the |
---|
693 | CN of the cert). |
---|
694 | (c:abac_id_cn) |
---|
695 | ***/ |
---|
696 | char *id_keyid() { return abac_id_keyid(m_id); } |
---|
697 | char *id_name() { return abac_id_cn(m_id); } |
---|
698 | /*** |
---|
699 | f bool id_has_privkey() |
---|
700 | returns true if the ID has an associated private key |
---|
701 | ***/ |
---|
702 | bool id_has_privkey() |
---|
703 | { return abac_id_has_privkey(m_id); } |
---|
704 | |
---|
705 | /*** |
---|
706 | f void id_write_cert(FILE *) |
---|
707 | writes a PEM-encoded cert to the file handle |
---|
708 | f void id_write_cert(char *) |
---|
709 | writes a PEM-encoded cert to a file named out |
---|
710 | ***/ |
---|
711 | void id_write_cert(FILE *out) |
---|
712 | { abac_id_write_cert(m_id, out); } |
---|
713 | void id_write_cert(char *filename) { |
---|
714 | FILE *out = fopen(filename, "a"); |
---|
715 | id_write_cert(out); |
---|
716 | fclose(out); |
---|
717 | } |
---|
718 | /*** |
---|
719 | f void id_write_privkey(FILE *) |
---|
720 | writes a PEM-encoded private key to the file handle |
---|
721 | throws an exception if no private key is loaded |
---|
722 | f void id_write_privkey(char *) |
---|
723 | writes a PEM-encoded private key a file named out |
---|
724 | throws an exception if no private key is loaded |
---|
725 | ***/ |
---|
726 | void id_write_privkey(FILE *out) { |
---|
727 | if(!id_has_privkey()) |
---|
728 | abac_errx(1, "No privkey to write"); |
---|
729 | abac_id_write_privkey(m_id, out); |
---|
730 | } |
---|
731 | void id_write_privkey(char *filename) { |
---|
732 | FILE *out = fopen(filename, "a"); |
---|
733 | id_write_privkey(out); |
---|
734 | fclose(out); |
---|
735 | } |
---|
736 | /*** |
---|
737 | f abac_chunk_t id_cert_chunk() |
---|
738 | returns a DER-encoded binary representation of the X.509 ID cert |
---|
739 | associated with this ID. |
---|
740 | can be passed to libabac's Context::load_id_chunk() |
---|
741 | ***/ |
---|
742 | abac_chunk_t id_cert_chunk() |
---|
743 | { return abac_id_cert_chunk(m_id); } |
---|
744 | /*** |
---|
745 | f char *string() |
---|
746 | returns literal string of the id credential |
---|
747 | (c:abac_id_string) |
---|
748 | ***/ |
---|
749 | char *string() |
---|
750 | { return abac_id_string(m_id); } |
---|
751 | public: |
---|
752 | abac_id_t *m_id; |
---|
753 | }; |
---|
754 | |
---|
755 | |
---|
756 | /*** |
---|
757 | ABAC::Attribute |
---|
758 | This is the attribute representation for the access policy rule |
---|
759 | LHS <- RHS |
---|
760 | The sequence of generation is to |
---|
761 | first, instantiate the object, ie, LHS (head) |
---|
762 | second, adding subject(s) to it, ie, RHS (tail) |
---|
763 | and then baking it. |
---|
764 | Only once it's baked can you access the X.509 cert. |
---|
765 | Once it's been baked you can no longer add subjects to it |
---|
766 | ***/ |
---|
767 | class Attribute { |
---|
768 | public: |
---|
769 | /*** |
---|
770 | f Attribute() |
---|
771 | default constructor, do not use, for swig only |
---|
772 | f Attribute(const Attribute &) |
---|
773 | copy constructor, used for cloning an attribute |
---|
774 | f ~Attribute() |
---|
775 | default destructor |
---|
776 | ***/ |
---|
777 | Attribute() : m_attr(NULL) { } |
---|
778 | Attribute(const Attribute &id) |
---|
779 | { m_attr =abac_attribute_dup(id.m_attr); } |
---|
780 | ~Attribute() |
---|
781 | { if(m_attr) abac_attribute_free(m_attr); } |
---|
782 | /*ii** |
---|
783 | f Attribute(abac_attribute_t *) |
---|
784 | constructor that takes abac_attribute_t, locally used |
---|
785 | f Attribute(abac_credential_t *) |
---|
786 | constructor that takes abac_credential_t, locally used |
---|
787 | **ii*/ |
---|
788 | Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr)) |
---|
789 | { } |
---|
790 | Attribute(abac_credential_t *cred) |
---|
791 | { m_attr=abac_attribute_dup(abac_credential_attribute(cred)); } |
---|
792 | /*** |
---|
793 | f Attribute(Role&, int) |
---|
794 | constructor that creates an attribute policy to be signed by the issuer |
---|
795 | with the given role with a specified validity period |
---|
796 | An exception will be thrown if: |
---|
797 | - the issuer has no private key |
---|
798 | - the Head role is invalid |
---|
799 | - the validity period is invalid (must be >= 1 second) |
---|
800 | (c:abac_attribute_create) |
---|
801 | ***/ |
---|
802 | Attribute(Role& head, int validity) { |
---|
803 | int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity); |
---|
804 | if(rt!=ABAC_ATTRIBUTE_SUCCESS) |
---|
805 | abac_errx(1, "attribute(role), unable to make an attribute"); |
---|
806 | } |
---|
807 | /*** |
---|
808 | f Attribute(Oset&, int) |
---|
809 | constructor that creates an attribute policy to be signed by the issuer |
---|
810 | with the given oset with a specified validity period |
---|
811 | An exception will be thrown if: |
---|
812 | - the issuer has no private key |
---|
813 | - the Head oset is invalid |
---|
814 | - the validity period is invalid (must be >= 1 second) |
---|
815 | (c:abac_attribute_create) |
---|
816 | ***/ |
---|
817 | Attribute(Oset& head, int validity) { |
---|
818 | int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity); |
---|
819 | if(rt!=ABAC_ATTRIBUTE_SUCCESS) |
---|
820 | abac_errx(1, "attribute(oset), unable to make an attribute"); |
---|
821 | } |
---|
822 | /*** |
---|
823 | f bool attribute_add_tail(Role&) |
---|
824 | Add a role tail. Call multiple times for intersections |
---|
825 | f bool attribute_add_tail(Oset&) |
---|
826 | Add an oset tail. Call multiple times for intersections |
---|
827 | ***/ |
---|
828 | bool attribute_add_tail(Role& tail) { |
---|
829 | if(abac_attribute_add_tail(m_attr, tail.role())) |
---|
830 | return 1; |
---|
831 | else return 0; |
---|
832 | } |
---|
833 | bool attribute_add_tail(Oset& tail) { |
---|
834 | if(abac_attribute_add_tail(m_attr, tail.oset())) |
---|
835 | return 1; |
---|
836 | else return 0; |
---|
837 | } |
---|
838 | /*** |
---|
839 | f char *head_string() |
---|
840 | returns literal string of head of the attribute |
---|
841 | f char *tail_string() |
---|
842 | returns literal string of tail of the attribute |
---|
843 | ***/ |
---|
844 | char *head_string() |
---|
845 | { return abac_head_string(m_attr); } |
---|
846 | char *tail_string() |
---|
847 | { return abac_tail_string(m_attr); } |
---|
848 | /*** |
---|
849 | f char *head_typed_string() |
---|
850 | returns typed literal string of head of the attribute |
---|
851 | f char *tail_typed_string() |
---|
852 | returns typed literal string of tail of the attribute |
---|
853 | ***/ |
---|
854 | char *head_typed_string() |
---|
855 | { return abac_head_typed_string(m_attr); } |
---|
856 | char *tail_typed_string() |
---|
857 | { return abac_tail_typed_string(m_attr); } |
---|
858 | /*** |
---|
859 | f char *string() |
---|
860 | returns literal string of the attribute |
---|
861 | (c:abac_attribute_string) |
---|
862 | f char *typed_string() |
---|
863 | returns typed literal string of the attribute |
---|
864 | (c:abac_attribute_typed_string) |
---|
865 | ***/ |
---|
866 | char *string() |
---|
867 | { return abac_attribute_string(m_attr); } |
---|
868 | char *typed_string() |
---|
869 | { return abac_attribute_typed_string(m_attr); } |
---|
870 | |
---|
871 | /*** ??? not sure about implmentation |
---|
872 | f const Role &role_head() |
---|
873 | returns the head role |
---|
874 | f const Oset &oset_head() |
---|
875 | returns the oset head |
---|
876 | ***/ |
---|
877 | const Role &role_head() { |
---|
878 | abac_aspect_t *head=abac_attribute_head(m_attr); |
---|
879 | static Role role=Role(head); |
---|
880 | return role; |
---|
881 | } |
---|
882 | const Oset &oset_head() { |
---|
883 | abac_aspect_t *head=abac_attribute_tail(m_attr); |
---|
884 | static Oset oset=Oset(head); |
---|
885 | return oset; |
---|
886 | } |
---|
887 | /*** |
---|
888 | f std::vector<Role> role_tails(bool &) |
---|
889 | retrieve tail role which maybe more than 1 if intersecting |
---|
890 | f std::vector<Oset> oset_tails(bool &) |
---|
891 | retrieve tail oset which maybe more than 1 if intersecting |
---|
892 | ***/ |
---|
893 | std::vector<Role> role_tails(bool &success) { |
---|
894 | abac_aspect_t **tails, **end; |
---|
895 | int i; |
---|
896 | /* make sure it is role */ |
---|
897 | if(!abac_attribute_is_role(m_attr)) { |
---|
898 | success=0; |
---|
899 | abac_errx(1, "role_tails, attribute is not a role"); |
---|
900 | } |
---|
901 | tails = abac_attribute_tail_vectorized(m_attr); |
---|
902 | for (i = 0; tails[i] != NULL; ++i) |
---|
903 | ; |
---|
904 | end = &tails[i]; |
---|
905 | std::vector<Role> roles = std::vector<Role>(tails, end); |
---|
906 | abac_aspects_free(tails); |
---|
907 | success=1; |
---|
908 | return roles; |
---|
909 | } |
---|
910 | std::vector<Oset> oset_tails(bool &success) { |
---|
911 | abac_aspect_t **tails, **end; |
---|
912 | int i; |
---|
913 | /* make sure that tail is not role */ |
---|
914 | if(abac_attribute_is_role(m_attr)) { |
---|
915 | success=0; |
---|
916 | abac_errx(1, "oset_tails, attribute is not an oset"); |
---|
917 | } |
---|
918 | tails = abac_attribute_tail_vectorized(m_attr); |
---|
919 | for (i = 0; tails[i] != NULL; ++i) |
---|
920 | ; |
---|
921 | end = &tails[i]; |
---|
922 | std::vector<Oset> osets = std::vector<Oset>(tails, end); |
---|
923 | success=1; |
---|
924 | abac_aspects_free(tails); |
---|
925 | return osets; |
---|
926 | } |
---|
927 | /*ii** |
---|
928 | f abac_attribute_t *attribute() |
---|
929 | return libabac structure for attribute |
---|
930 | **ii*/ |
---|
931 | abac_attribute_t *attribute() { return m_attr; } |
---|
932 | |
---|
933 | /*** |
---|
934 | f bool attribute_bake() |
---|
935 | Generate the cert. Call this after you've added subjects to your cert. |
---|
936 | This returns false if there are no subjects |
---|
937 | This will throw an exception if the cert's already been baked. |
---|
938 | ***/ |
---|
939 | bool attribute_bake() { |
---|
940 | /* can not bake in ABAC_CN mode */ |
---|
941 | if(USE("ABAC_CN")) |
---|
942 | abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set"); |
---|
943 | int rt=abac_attribute_bake(m_attr); |
---|
944 | if(rt!=1) |
---|
945 | abac_errx(1, "bake, can not bake the cert"); |
---|
946 | } |
---|
947 | /*** |
---|
948 | f bool attribute_baked() |
---|
949 | returns true iff the cert has been baked. |
---|
950 | ***/ |
---|
951 | bool attribute_baked() |
---|
952 | { return abac_attribute_baked(m_attr); } |
---|
953 | |
---|
954 | /*** |
---|
955 | f void attribute_write_cert(FILE *) |
---|
956 | write the DER-encoded X.509 attribute cert to the open file handle |
---|
957 | Throws an exception if the cert isn't baked |
---|
958 | ***/ |
---|
959 | void attribute_write_cert(FILE *out) { |
---|
960 | int rt= abac_attribute_write_cert(m_attr,out); |
---|
961 | if(!rt) |
---|
962 | abac_errx(1, "write, cert is not baked"); |
---|
963 | } |
---|
964 | /*** |
---|
965 | f void attribute_write_cert(char *) |
---|
966 | write the DER-encoded X.509 attribute cert to a file named out |
---|
967 | Throws an exception if the cert isn't baked |
---|
968 | ***/ |
---|
969 | void attribute_write_cert(char *filename) { |
---|
970 | FILE *out = fopen(filename, "w"); |
---|
971 | attribute_write_cert(out); |
---|
972 | fclose(out); |
---|
973 | } |
---|
974 | /*** |
---|
975 | f abac_chunk_t cert_chunk() |
---|
976 | returns a DER-encoded binary representation of the X.509 attribute |
---|
977 | cert associated with this cert |
---|
978 | Throws an exception if the cert isn't baked |
---|
979 | the chunk can be passed to libabac's Context::load_attribute_chunk() |
---|
980 | ***/ |
---|
981 | abac_chunk_t cert_chunk() |
---|
982 | { return abac_attribute_cert_chunk(m_attr); } |
---|
983 | private: |
---|
984 | abac_attribute_t *m_attr; |
---|
985 | }; |
---|
986 | |
---|
987 | |
---|
988 | /*** |
---|
989 | ABAC::Context |
---|
990 | An ABAC Context |
---|
991 | ***/ |
---|
992 | class Context { |
---|
993 | public: |
---|
994 | /*** |
---|
995 | f Context() |
---|
996 | default constructor |
---|
997 | f Context(const Context &) |
---|
998 | copy constructor, used for cloning the context |
---|
999 | f ~Context() |
---|
1000 | default destructor |
---|
1001 | ***/ |
---|
1002 | Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); } |
---|
1003 | Context(const Context &context) { |
---|
1004 | m_ctx = abac_context_dup(context.m_ctx); |
---|
1005 | m_abac_version=strdup(context.m_abac_version); |
---|
1006 | } |
---|
1007 | ~Context() { |
---|
1008 | abac_context_free(m_ctx); |
---|
1009 | if(m_abac_version) free(m_abac_version); |
---|
1010 | } |
---|
1011 | /*** |
---|
1012 | f void dump_yap_db() |
---|
1013 | dump the complete yap prolog database |
---|
1014 | (c:show_yap_db) |
---|
1015 | ***/ |
---|
1016 | void dump_yap_db() |
---|
1017 | { show_yap_db("dump_yap"); } |
---|
1018 | |
---|
1019 | /*** |
---|
1020 | f int load_id(ABAC::ID&) |
---|
1021 | load id cert from ID |
---|
1022 | (c:abac_context_load_id) |
---|
1023 | f int load_id_file(char *) |
---|
1024 | load id cert from an idkey combo file. key retrieval will be attempt |
---|
1025 | but won't fail if not found |
---|
1026 | (c:abac_context_load_id_file) |
---|
1027 | f int load_id_files(char *, char *) |
---|
1028 | load id cert from an id file and a key file |
---|
1029 | (c:abac_context_load_id_files) |
---|
1030 | f int load_id_chunk(abac_chunk_t) |
---|
1031 | load id cert from a chunk structure |
---|
1032 | (c:abac_context_load_id_chunk) |
---|
1033 | returns: |
---|
1034 | ABAC_CERT_SUCCESS successfully loaded |
---|
1035 | ABAC_CERT_INVALID invalid certificate (or file not found) |
---|
1036 | ABAC_CERT_BAD_SIG invalid signature |
---|
1037 | ***/ |
---|
1038 | int load_id(ABAC::ID& id) |
---|
1039 | { return abac_context_load_id(m_ctx, id.id()); } |
---|
1040 | int load_id_file(char *filename) |
---|
1041 | { return abac_context_load_id_file(m_ctx, filename); } |
---|
1042 | int load_id_files(char *filename, char *keyfilename) |
---|
1043 | { return abac_context_load_id_files(m_ctx, filename, keyfilename); } |
---|
1044 | int load_id_chunk(abac_chunk_t cert) |
---|
1045 | { return abac_context_load_id_chunk(m_ctx, cert); } |
---|
1046 | |
---|
1047 | /*** |
---|
1048 | f int load_attribute(ABAC::Attribute&) |
---|
1049 | load attribute credential from attribute structure |
---|
1050 | (c:abac_context_load_attribute) |
---|
1051 | f int load_attribute_file(char *) |
---|
1052 | load attribute credential from a file |
---|
1053 | (c:abac_context_load_attribute_file) |
---|
1054 | f int load_attribute_chunk(abac_chunk_t) |
---|
1055 | load attribute credential from a chunk |
---|
1056 | (c:abac_context_load_attribute_chunk) |
---|
1057 | f returns the same values as above, additionally |
---|
1058 | returns ABAC_CERT_MISSING_ISSUER if the issuer |
---|
1059 | certificate has not been loaded |
---|
1060 | ***/ |
---|
1061 | int load_attribute(ABAC::Attribute& a) |
---|
1062 | { return abac_context_load_attribute(m_ctx, a.attribute()); } |
---|
1063 | int load_attribute_file(char *filename) |
---|
1064 | { return abac_context_load_attribute_file(m_ctx, filename); } |
---|
1065 | int load_attribute_chunk(abac_chunk_t cert) |
---|
1066 | { return abac_context_load_attribute_chunk(m_ctx, cert); } |
---|
1067 | /*** |
---|
1068 | f void load_directory(char *) |
---|
1069 | load a directory full of certificates: |
---|
1070 | f first: ${path}/*_ID.{der,pem} as identity certificates |
---|
1071 | implicitly looking for ${path}/*_private.{der,pem} as |
---|
1072 | the private key file |
---|
1073 | then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate |
---|
1074 | last: ${path}/*_attr.der as attribute certificates |
---|
1075 | ***/ |
---|
1076 | void load_directory(char *path) |
---|
1077 | { abac_context_load_directory(m_ctx, path); } |
---|
1078 | /*** |
---|
1079 | f std::vector<Attribute> query(char *, char *, bool &) |
---|
1080 | the string version is for query that is composed by hand with SHA or |
---|
1081 | in non ABAC_CN mode |
---|
1082 | (c:abac_context_query) |
---|
1083 | f std::vector<Attribute> query(Role &, Role &, bool &) |
---|
1084 | (c:abac_context_query_with_structure) |
---|
1085 | std::vector<Attribute> query(Oset &, Oset &, bool &) |
---|
1086 | (c:abac_context_query_with_structure) |
---|
1087 | runs the query: |
---|
1088 | role <-?- principal |
---|
1089 | oset <-?- principal/obj |
---|
1090 | returns true/false in success |
---|
1091 | returns a proof upon success, |
---|
1092 | partial proof on failure (not implemented yet) |
---|
1093 | ***/ |
---|
1094 | std::vector<Attribute> query(char *role, char *principal, bool &success) { |
---|
1095 | abac_credential_t **creds, **end; |
---|
1096 | int i, success_int; |
---|
1097 | |
---|
1098 | creds = abac_context_query(m_ctx, role, principal, &success_int); |
---|
1099 | success = success_int; |
---|
1100 | |
---|
1101 | for (i = 0; creds[i] != NULL; ++i) |
---|
1102 | ; |
---|
1103 | |
---|
1104 | end = &creds[i]; |
---|
1105 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
1106 | if(debug) printf("query, got rules(%d)\n", i); |
---|
1107 | |
---|
1108 | abac_context_credentials_free(creds); |
---|
1109 | |
---|
1110 | return attributes; |
---|
1111 | } |
---|
1112 | |
---|
1113 | std::vector<Attribute> query(Role &role, Role &p_role, bool &success) { |
---|
1114 | abac_credential_t **creds, **end; |
---|
1115 | int i, success_int; |
---|
1116 | |
---|
1117 | creds = abac_context_query_with_structure(m_ctx, role.role(), p_role.role(), &success_int); |
---|
1118 | success = success_int; |
---|
1119 | |
---|
1120 | for (i = 0; creds[i] != NULL; ++i) |
---|
1121 | ; |
---|
1122 | |
---|
1123 | end = &creds[i]; |
---|
1124 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
1125 | |
---|
1126 | abac_context_credentials_free(creds); |
---|
1127 | |
---|
1128 | return attributes; |
---|
1129 | } |
---|
1130 | |
---|
1131 | std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) { |
---|
1132 | abac_credential_t **creds, **end; |
---|
1133 | int i, success_int; |
---|
1134 | |
---|
1135 | creds = abac_context_query_with_structure(m_ctx, oset.oset(), p_oset.oset(), &success_int); |
---|
1136 | success = success_int; |
---|
1137 | |
---|
1138 | for (i = 0; creds[i] != NULL; ++i) |
---|
1139 | ; |
---|
1140 | |
---|
1141 | end = &creds[i]; |
---|
1142 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
1143 | if(debug) printf("query, returning rules(%d)\n", i); |
---|
1144 | |
---|
1145 | abac_context_credentials_free(creds); |
---|
1146 | |
---|
1147 | return attributes; |
---|
1148 | } |
---|
1149 | |
---|
1150 | /*** |
---|
1151 | f std::vector<Attribute> context_credentials(bool &) |
---|
1152 | returns a vector of all the credentials loaded in the context |
---|
1153 | extracted from the internal data structure |
---|
1154 | ***/ |
---|
1155 | std::vector<Attribute> context_credentials(bool &success) { |
---|
1156 | abac_credential_t **creds, **end; |
---|
1157 | int i; |
---|
1158 | success = 1; |
---|
1159 | |
---|
1160 | creds = abac_context_credentials(m_ctx); |
---|
1161 | for (i = 0; creds[i] != NULL; ++i) |
---|
1162 | ; |
---|
1163 | |
---|
1164 | end = &creds[i]; |
---|
1165 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
1166 | if(debug) printf("credentials, got (%d)\n", i); |
---|
1167 | |
---|
1168 | abac_context_credentials_free(creds); |
---|
1169 | if(debug) show_yap_db("calling from context_credentials"); |
---|
1170 | return attributes; |
---|
1171 | } |
---|
1172 | |
---|
1173 | /*** |
---|
1174 | f std::vector<Attribute> context_principals(bool &) |
---|
1175 | returns a vector of all the principals loaded in the context |
---|
1176 | extracted from the internal data structure |
---|
1177 | ***/ |
---|
1178 | std::vector<ID> context_principals(bool &success) { |
---|
1179 | abac_id_credential_t **ids, **end; |
---|
1180 | int i; |
---|
1181 | success = 1; |
---|
1182 | |
---|
1183 | ids = abac_context_principals(m_ctx); |
---|
1184 | for (i = 0; ids[i] != NULL; ++i) |
---|
1185 | ; |
---|
1186 | |
---|
1187 | end = &ids[i]; |
---|
1188 | std::vector<ID> principals = std::vector<ID>(ids, end); |
---|
1189 | if(debug) printf("principals, got (%d)\n", i); |
---|
1190 | |
---|
1191 | abac_context_principals_free(ids); |
---|
1192 | return principals; |
---|
1193 | } |
---|
1194 | /*** |
---|
1195 | f char *version() |
---|
1196 | return the version of this interface |
---|
1197 | ***/ |
---|
1198 | char *version() const { return m_abac_version; } |
---|
1199 | |
---|
1200 | private: |
---|
1201 | abac_context_t *m_ctx; |
---|
1202 | char *m_abac_version; |
---|
1203 | }; |
---|
1204 | |
---|
1205 | Constraint::Constraint(Role& role) |
---|
1206 | { m_constraint=abac_constraint_from_role(role.role()); } |
---|
1207 | Constraint::Constraint(Oset &oset) |
---|
1208 | { m_constraint=abac_constraint_from_oset(oset.oset()); } |
---|
1209 | DataTerm::DataTerm(ID& id) |
---|
1210 | { m_term=abac_term_id_create(id.id()); } |
---|
1211 | } |
---|
1212 | |
---|
1213 | #endif /* __ABAC_HH__ */ |
---|