1 | #ifndef __ABAC_HH__ |
---|
2 | #define __ABAC_HH__ |
---|
3 | |
---|
4 | #include <string> |
---|
5 | #include <vector> |
---|
6 | |
---|
7 | namespace ABAC { |
---|
8 | extern "C" { |
---|
9 | #include "abac.h" |
---|
10 | } |
---|
11 | static int debug=0; |
---|
12 | class Role; |
---|
13 | class Oset; |
---|
14 | /*** |
---|
15 | ABAC::Constraint |
---|
16 | Constraint on a data term. |
---|
17 | There are 3 types: |
---|
18 | - Role constraint on a principal |
---|
19 | - Oset constraint on a principal, or a data object |
---|
20 | - Range/List constraint on a data object |
---|
21 | It holds a ptr to a abac_condition_t structure |
---|
22 | ***/ |
---|
23 | class Constraint { |
---|
24 | public: |
---|
25 | /*** |
---|
26 | f Constraint() |
---|
27 | default constructor, do not use, for swig only |
---|
28 | f Constraint(const Constraint &) |
---|
29 | copy constructor, used for cloning a constraint |
---|
30 | f ~Constraint() |
---|
31 | default destructor |
---|
32 | ***/ |
---|
33 | Constraint() : m_constraint(NULL) { } |
---|
34 | Constraint(const Constraint &constraint) { |
---|
35 | m_constraint =abac_condition_dup(constraint.m_constraint); |
---|
36 | } |
---|
37 | ~Constraint() { |
---|
38 | if(m_constraint) abac_condition_free(m_constraint); |
---|
39 | } |
---|
40 | /*** |
---|
41 | f Constraint(Role &) |
---|
42 | constructor that takes a constraining role |
---|
43 | [role:?R[{role-constraint}] |
---|
44 | f Constraint(Oset &) |
---|
45 | constructor that takes a constraining oset |
---|
46 | [oset:?O[{oset-constraint}] |
---|
47 | [urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])] |
---|
48 | f Constraint(abac_condition_t *) |
---|
49 | constructor that takes an abac_condition_t structure |
---|
50 | f Constraint(char *) |
---|
51 | constructor that takes one of following string |
---|
52 | as its vartype to set up a range constraint: |
---|
53 | "integer" |
---|
54 | "urn" |
---|
55 | "float" |
---|
56 | "boolean" |
---|
57 | "time" |
---|
58 | "string" |
---|
59 | it should be followed with one or many of following utility |
---|
60 | calls. |
---|
61 | ***/ |
---|
62 | Constraint(Role& role); |
---|
63 | Constraint(Oset& oset); |
---|
64 | Constraint(abac_condition_t *constraint): |
---|
65 | m_constraint(abac_condition_dup(constraint)) |
---|
66 | { } |
---|
67 | Constraint(char *vartype) { |
---|
68 | m_constraint=abac_condition_create(vartype); |
---|
69 | } |
---|
70 | /*** |
---|
71 | f void add_constraint_integer_max(int) |
---|
72 | void add_constraint_integer_min(int) |
---|
73 | utility routines to setup a integer range constraint |
---|
74 | [integer:?I[10 .. 20]] |
---|
75 | f void add_constraint_integer_target(int) |
---|
76 | utility routine to setup a integer list constraint |
---|
77 | [integer:?I[10,20]] |
---|
78 | ***/ |
---|
79 | void add_constraint_integer_max(int val) { |
---|
80 | abac_condition_add_range_integer_item(m_constraint,abac_max_item_type(),val); |
---|
81 | } |
---|
82 | void add_constraint_integer_min(int val) { |
---|
83 | abac_condition_add_range_integer_item(m_constraint,abac_min_item_type(),val); |
---|
84 | } |
---|
85 | void add_constraint_integer_target(int val) { |
---|
86 | abac_condition_add_range_integer_item(m_constraint,abac_target_item_type(),val); |
---|
87 | } |
---|
88 | /*** |
---|
89 | f void add_constraint_float_max(float) |
---|
90 | void add_constraint_float_min(float) |
---|
91 | utility routines to setup a float range constraint |
---|
92 | [float:?F[1.0 .. 2.5]] |
---|
93 | f void add_constraint_float_target(float) |
---|
94 | utility routine to setup a float list constraint |
---|
95 | [float:?F[0.5, 2.5]] |
---|
96 | ***/ |
---|
97 | void add_constraint_float_max(float val) { |
---|
98 | abac_condition_add_range_float_item(m_constraint,abac_max_item_type(),val); |
---|
99 | } |
---|
100 | void add_constraint_float_min(float val) { |
---|
101 | abac_condition_add_range_float_item(m_constraint,abac_min_item_type(),val); |
---|
102 | } |
---|
103 | void add_constraint_float_target(float val) { |
---|
104 | abac_condition_add_range_float_item(m_constraint,abac_target_item_type(),val); |
---|
105 | } |
---|
106 | /*** |
---|
107 | f void add_constraint_time_max(char*) |
---|
108 | void add_constraint_time_min(char*) |
---|
109 | utility routines to setup a time range constraint, |
---|
110 | takes quoted string values, beyond T is optional |
---|
111 | [time:?F["20120228T" .. "20120228T090000"]] |
---|
112 | f void add_constraint_time_target(char*) |
---|
113 | utility routine to setup a time list constraint |
---|
114 | [time:?M["20201101T182930","20201101T"]] |
---|
115 | ***/ |
---|
116 | void add_constraint_time_max(char* val) { |
---|
117 | abac_condition_add_range_time_item(m_constraint,abac_max_item_type(),val); |
---|
118 | } |
---|
119 | void add_constraint_time_min(char* val) { |
---|
120 | abac_condition_add_range_time_item(m_constraint,abac_min_item_type(),val); |
---|
121 | } |
---|
122 | void add_constraint_time_target(char* val) { |
---|
123 | abac_condition_add_range_time_item(m_constraint,abac_target_item_type(),val); |
---|
124 | } |
---|
125 | /*** |
---|
126 | f void add_constraint_urn_target(char*) |
---|
127 | utility routine to setup a an urn list constraint |
---|
128 | [urn:?U["fileA","http://fileB"]] |
---|
129 | f void add_constraint_string_target(char*) |
---|
130 | utility routine to setup a a string list constraint |
---|
131 | [string:?S["abc",'efg',"hij"]] |
---|
132 | f void add_constraint_boolean_target(char*) |
---|
133 | utility routine to setup a a boolean list constraint |
---|
134 | [boolean:?B['true']] |
---|
135 | ***/ |
---|
136 | void add_constraint_urn_target(char* val) |
---|
137 | { abac_condition_add_range_urn_item(m_constraint,val); } |
---|
138 | void add_constraint_string_target(char* val) |
---|
139 | { abac_condition_add_range_string_item(m_constraint,val); } |
---|
140 | void add_constraint_boolean_target(char* val) |
---|
141 | { abac_condition_add_range_boolean_item(m_constraint,val); } |
---|
142 | /*** |
---|
143 | f char *string() const |
---|
144 | returns literal string of the constraint |
---|
145 | f char *typed_string() const |
---|
146 | returns typed literal string of the constraint |
---|
147 | ***/ |
---|
148 | char *string() const |
---|
149 | { return abac_condition_string(m_constraint); } |
---|
150 | char *typed_string() const |
---|
151 | { return abac_condition_typed_string(m_constraint); } |
---|
152 | /*** |
---|
153 | f abac_condition_t *constraint() |
---|
154 | returns internal constraint structure |
---|
155 | ***/ |
---|
156 | abac_condition_t *constraint() |
---|
157 | { return m_constraint; } |
---|
158 | private: |
---|
159 | abac_condition_t *m_constraint; |
---|
160 | }; |
---|
161 | |
---|
162 | /*** |
---|
163 | ABAC::DataTerm |
---|
164 | A data term is associated with Role or Oset as a parameter that |
---|
165 | maybe be instantiated, or uninstantiated but being constrained, |
---|
166 | or as a principal oset term (standalone right handside of an oset |
---|
167 | policy rule). It holds a pointer to a abac_term_t structure and |
---|
168 | an optional constraint that may be imposed on this data term if it |
---|
169 | is indeed an unistantiated variable. |
---|
170 | ***/ |
---|
171 | class DataTerm { |
---|
172 | public: |
---|
173 | /*** |
---|
174 | f DataTerm() |
---|
175 | default constructor, do not use, for swig only |
---|
176 | f DataTerm(const DataTerm &) |
---|
177 | copy constructor, used for cloning a data term |
---|
178 | f ~DataTerm() |
---|
179 | default destructor |
---|
180 | ***/ |
---|
181 | DataTerm() : m_term(NULL) { } // do not use: here for swig |
---|
182 | DataTerm(const DataTerm &dterm) { |
---|
183 | m_term =abac_term_dup(dterm.m_term); |
---|
184 | abac_condition_t *constraint=abac_term_constraint(m_term); |
---|
185 | if(constraint) m_cond=new Constraint(constraint); |
---|
186 | else m_cond=NULL; |
---|
187 | } |
---|
188 | ~DataTerm() { |
---|
189 | if(m_term) abac_term_free(m_term); |
---|
190 | if(m_cond) free(m_cond); |
---|
191 | } |
---|
192 | /*** ??? |
---|
193 | f DataTerm(abac_term_t *) |
---|
194 | constructor to make data term from abac_term_t structure |
---|
195 | ***/ |
---|
196 | DataTerm(abac_term_t *term) { |
---|
197 | m_term=abac_term_dup(term); |
---|
198 | abac_condition_t *constraint=abac_term_constraint(m_term); |
---|
199 | if(constraint) m_cond=new Constraint(constraint); |
---|
200 | else m_cond=NULL; |
---|
201 | } |
---|
202 | /*** |
---|
203 | f DataTerm(char*) |
---|
204 | constructor to make named principal data term for the oset RHS |
---|
205 | f DataTerm(char*, char*, Constraint*) |
---|
206 | constructor for making a variable data term or an instantiated |
---|
207 | data term |
---|
208 | ***/ |
---|
209 | DataTerm(char *sha) { |
---|
210 | if(debug) printf("adding a Dataterm named principal(%s)\n",sha); |
---|
211 | int isnamed=1; |
---|
212 | int type=e_TERM_PRINCIPAL; |
---|
213 | m_term=abac_term_named_create(type,sha); |
---|
214 | } |
---|
215 | DataTerm(char* typenm, char *name, Constraint *cond=NULL) { |
---|
216 | int type=abac_verify_term_type(typenm); |
---|
217 | if(debug) printf("adding a Dataterm (%s)\n",name); |
---|
218 | if(type==ABAC_TERM_FAIL) |
---|
219 | abac_errx(1, "DataTerm, fail to create the term"); |
---|
220 | if(cond) { |
---|
221 | m_cond=cond; |
---|
222 | m_term=abac_term_create(type,name,cond->constraint()); |
---|
223 | } else { |
---|
224 | m_cond=NULL; |
---|
225 | m_term=abac_term_create(type,name,NULL); |
---|
226 | } |
---|
227 | } |
---|
228 | /*** |
---|
229 | f char *string() const |
---|
230 | returns literal string of the data term |
---|
231 | f char *typed_string() const |
---|
232 | returns typed literal string of the data term |
---|
233 | ***/ |
---|
234 | char *string() const |
---|
235 | { return abac_term_string(m_term); } |
---|
236 | char *typed_string() const |
---|
237 | { return abac_term_typed_string(m_term); } |
---|
238 | /*** |
---|
239 | f bool is_time() const |
---|
240 | bool is_string() const |
---|
241 | bool is_urn() const |
---|
242 | bool is_integer() const |
---|
243 | returns true if data term is of certain type |
---|
244 | ***/ |
---|
245 | bool is_time() const |
---|
246 | { return abac_term_is_time_type(m_term); } |
---|
247 | bool is_string() const |
---|
248 | { return abac_term_is_string_type(m_term); } |
---|
249 | bool is_urn() const |
---|
250 | { return abac_term_is_urn_type(m_term); } |
---|
251 | bool is_integer() const |
---|
252 | { return abac_term_is_integer_type(m_term); } |
---|
253 | /*** |
---|
254 | f int add_constraint(const Contraint&) |
---|
255 | utiltiy routine to add a constraint to this data term |
---|
256 | ***/ |
---|
257 | int add_constraint(const Constraint& cond) { |
---|
258 | m_cond=new Constraint(cond); |
---|
259 | abac_term_add_constraint(m_term, m_cond->constraint()); |
---|
260 | } |
---|
261 | /*** |
---|
262 | f int type() const |
---|
263 | returns subtype of the data term |
---|
264 | f char *name() const |
---|
265 | returns the name of the data term |
---|
266 | ***/ |
---|
267 | int type() const |
---|
268 | { abac_term_type(m_term); } |
---|
269 | char *name() const |
---|
270 | { return abac_term_name(m_term); } |
---|
271 | /*** ??? value |
---|
272 | f char *value() const |
---|
273 | Not implemented |
---|
274 | ***/ |
---|
275 | char *value() const { } |
---|
276 | /*** |
---|
277 | f abac_term_t *term() |
---|
278 | returns internal data term structure |
---|
279 | f Constraint *constraint() |
---|
280 | returns internal constraint structure to the data term |
---|
281 | ***/ |
---|
282 | abac_term_t *term() |
---|
283 | { return m_term; } |
---|
284 | Constraint *constraint() |
---|
285 | { return m_cond; } |
---|
286 | private: |
---|
287 | abac_term_t *m_term; |
---|
288 | Constraint *m_cond; |
---|
289 | }; |
---|
290 | |
---|
291 | |
---|
292 | /*** |
---|
293 | ABAC::Role |
---|
294 | A Role is role specification of a set of entitities for a principal |
---|
295 | ***/ |
---|
296 | class Role { |
---|
297 | public: |
---|
298 | /*** |
---|
299 | f Role() |
---|
300 | default constructor, do not use, for swig only |
---|
301 | f Role(const Role &) |
---|
302 | copy constructor, used for cloning a role |
---|
303 | f ~Role() |
---|
304 | default destructor |
---|
305 | ***/ |
---|
306 | Role() : m_role(NULL) { } // do not use: here for swig |
---|
307 | Role(const Role &role) { |
---|
308 | m_role = abac_aspect_dup(role.m_role); |
---|
309 | } |
---|
310 | ~Role() { |
---|
311 | if (m_role) abac_aspect_free(m_role); |
---|
312 | } |
---|
313 | /*** |
---|
314 | f Role(abac_aspect_t*) |
---|
315 | constructor that takes an abac_aspect_t structure |
---|
316 | f Role(char*) |
---|
317 | constructor that builds a bare bone role with just principal's name |
---|
318 | f Role(char*, char*) |
---|
319 | constructor that builds a bare bone role with just principal's name |
---|
320 | and a role name |
---|
321 | ***/ |
---|
322 | Role(abac_aspect_t *role): m_role(abac_aspect_dup(role)) |
---|
323 | { } |
---|
324 | Role(char *principal_name) : |
---|
325 | m_role(abac_aspect_role_principal_create(principal_name)) |
---|
326 | { } |
---|
327 | Role(char *principal_name, char *role_name) : |
---|
328 | m_role(abac_aspect_role_create(principal_name, role_name)) |
---|
329 | { } |
---|
330 | /*** |
---|
331 | f bool is_principal() const |
---|
332 | return true if the role is a principal object(made from |
---|
333 | a data term), the right hand side of, |
---|
334 | [keyid:A].role:r <- [keyid:B] |
---|
335 | ***/ |
---|
336 | bool is_principal() const |
---|
337 | { return abac_aspect_is_principal(m_role); } |
---|
338 | /*** |
---|
339 | f bool is_linking() const |
---|
340 | returns true if the role is a linking role like |
---|
341 | the right hand side of, |
---|
342 | [keyid:A].role:r1 <- [keyid:B].role:r2.role:r3 |
---|
343 | ***/ |
---|
344 | bool is_linking() const |
---|
345 | { return abac_aspect_is_linking(m_role); } |
---|
346 | /*** |
---|
347 | f char *string() const |
---|
348 | returns literal string of the role |
---|
349 | f char *typed_string() const |
---|
350 | returns typed literal string of the role |
---|
351 | ***/ |
---|
352 | char *string() const |
---|
353 | { return abac_aspect_string(m_role); } |
---|
354 | char *typed_string() |
---|
355 | { return abac_aspect_typed_string(m_role); } |
---|
356 | /*** |
---|
357 | f char *linked_role() const |
---|
358 | returns linked part of a linking role, for |
---|
359 | [keyid:A].role:r1.role:r2, it returns r1 |
---|
360 | ***/ |
---|
361 | char *linked_role() const |
---|
362 | { return abac_aspect_linked_role_name(m_role); } |
---|
363 | /*** |
---|
364 | f char *role_name() const |
---|
365 | returns the role name of any role (the part after the last dot) |
---|
366 | [keyid:A].role.r1.role:r2, it returns r2 |
---|
367 | [keyid:A].role.r1, it returns r1 |
---|
368 | ***/ |
---|
369 | char *role_name() const |
---|
370 | { return abac_aspect_aspect_name(m_role); } |
---|
371 | char *principal() const |
---|
372 | { return abac_aspect_principal_name(m_role); } |
---|
373 | |
---|
374 | /*** |
---|
375 | f int add_data_term(DataTerm&) |
---|
376 | add a data term to the role |
---|
377 | ***/ |
---|
378 | int add_data_term(DataTerm& d) { |
---|
379 | abac_aspect_add_param(m_role, d.term()); |
---|
380 | return 1; |
---|
381 | } |
---|
382 | /*** |
---|
383 | f std::vector<DataTerm> get_data_terms(bool &) |
---|
384 | return the data terms bound to this role. |
---|
385 | ??? If the role is returned in a proof, these will all have values. |
---|
386 | ***/ |
---|
387 | std::vector<DataTerm> get_data_terms(bool &success) { |
---|
388 | abac_term_t **terms, **end; |
---|
389 | int i; |
---|
390 | terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role)); |
---|
391 | for (i = 0; terms[i] != NULL; ++i) |
---|
392 | ; |
---|
393 | end = &terms[i]; |
---|
394 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
395 | abac_terms_free(terms); |
---|
396 | success=1; |
---|
397 | return dataterms; |
---|
398 | } |
---|
399 | int add_linking_data_term(DataTerm& d) { |
---|
400 | abac_aspect_add_linked_param(m_role, d.term()); |
---|
401 | return 1; |
---|
402 | } |
---|
403 | /*** |
---|
404 | f std::vector<DataTerm> get_linked_data_terms(bool &) |
---|
405 | return the data terms bound to this role's linking role. |
---|
406 | ??? If the role is returned in a proof, these will all have values. |
---|
407 | ***/ |
---|
408 | std::vector<DataTerm> get_linked_data_terms(bool &success) { |
---|
409 | abac_term_t **terms, **end; |
---|
410 | int i; |
---|
411 | terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role)); |
---|
412 | for (i = 0; terms[i] != NULL; ++i) |
---|
413 | ; |
---|
414 | end = &terms[i]; |
---|
415 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
416 | abac_terms_free(terms); |
---|
417 | success=1; |
---|
418 | return dataterms; |
---|
419 | } |
---|
420 | /*** |
---|
421 | f abac_aspect_t *role() |
---|
422 | returns the interal libabac representation of this role |
---|
423 | ***/ |
---|
424 | abac_aspect_t *role() {return m_role;} |
---|
425 | private: |
---|
426 | abac_aspect_t *m_role; |
---|
427 | }; |
---|
428 | |
---|
429 | /*** |
---|
430 | ABAC::Oset |
---|
431 | An Oset is oset specification of a set of entitities for a principal |
---|
432 | ***/ |
---|
433 | class Oset { |
---|
434 | public: |
---|
435 | /*** |
---|
436 | f Oset() |
---|
437 | default constructor, do not use, for swig only |
---|
438 | f Oset(const Oset &) |
---|
439 | copy constructor, used for cloning an oset |
---|
440 | f ~Oset() |
---|
441 | default destructor |
---|
442 | ***/ |
---|
443 | Oset() : m_oset(NULL) { } // do not use: here for swig |
---|
444 | Oset(const Oset &oset) |
---|
445 | { m_oset =abac_aspect_dup(oset.m_oset); } |
---|
446 | ~Oset() |
---|
447 | { if(m_oset) abac_aspect_free(m_oset); } |
---|
448 | /*** |
---|
449 | f Oset(abac_aspect_t *) |
---|
450 | constructor that takes abac_aspect_t structure |
---|
451 | f Oset(char *) |
---|
452 | constructor that makes a principal oset, ie [keyid:B] |
---|
453 | f Oset(char *, char *) |
---|
454 | constructor that makes a regular oset, ie. [keyid:B].oset:o |
---|
455 | f Oset(DataTerm&) |
---|
456 | constructor that makes an object oset, ie. [urn:'file/fileA'] |
---|
457 | ***/ |
---|
458 | Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset)) |
---|
459 | { } |
---|
460 | Oset(char *oset_name) : m_oset(abac_aspect_oset_principal_create(oset_name)) |
---|
461 | { } |
---|
462 | Oset(char *principal_name, char *oset_name) : |
---|
463 | m_oset(abac_aspect_oset_create(principal_name, oset_name)) |
---|
464 | { } |
---|
465 | Oset(DataTerm& d) : |
---|
466 | m_oset(abac_aspect_oset_object_create(d.term())) |
---|
467 | { } |
---|
468 | |
---|
469 | /*** |
---|
470 | f bool is_object(), ie <- [integer:10] |
---|
471 | return ture if this oset is an object oset |
---|
472 | ***/ |
---|
473 | bool is_object() const |
---|
474 | { return abac_aspect_is_object(m_oset); } |
---|
475 | /*** |
---|
476 | f bool is_principal() const |
---|
477 | return true if the oset is a principal object(made from |
---|
478 | a data term), the right hand side of, |
---|
479 | [keyid:A].oset:o <- [keyid:B] |
---|
480 | ***/ |
---|
481 | bool is_principal() const |
---|
482 | { return abac_aspect_is_principal(m_oset); } |
---|
483 | /*** |
---|
484 | f bool is_linking() const |
---|
485 | returns true if the oset is a linking oset like |
---|
486 | the right hand side of, |
---|
487 | [keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2 |
---|
488 | ***/ |
---|
489 | bool is_linking() const |
---|
490 | { return abac_aspect_is_linking(m_oset); } |
---|
491 | /*** |
---|
492 | f char *string() const |
---|
493 | returns literal string of the oset |
---|
494 | f char *typed_string() const |
---|
495 | returns typed literal string of the oset |
---|
496 | ***/ |
---|
497 | char *string() const |
---|
498 | { return abac_aspect_string(m_oset); } |
---|
499 | char *typed_string() |
---|
500 | { return abac_aspect_typed_string(m_oset); } |
---|
501 | /*** |
---|
502 | f char *linked_role() const |
---|
503 | returns linked part of a linking oset, for |
---|
504 | [keyid:A].role:r1.oset:o1, it returns r1 |
---|
505 | ***/ |
---|
506 | char *linked_role() const |
---|
507 | { return abac_aspect_linked_role_name(m_oset); } |
---|
508 | /*** |
---|
509 | f char *oset_name() const |
---|
510 | returns oset name, |
---|
511 | [keyid:A].role:r1.oset:o1, it returns o1 |
---|
512 | [keyid:A].oset:o1, it returns o1 |
---|
513 | ***/ |
---|
514 | char *oset_name() const |
---|
515 | { return abac_aspect_aspect_name(m_oset); } |
---|
516 | /*** |
---|
517 | f char *principal() const |
---|
518 | returns principal name, |
---|
519 | [keyid:A].role:r1.oset:o1, it returns A |
---|
520 | ***/ |
---|
521 | char *principal() const |
---|
522 | { return abac_aspect_principal_name(m_oset); } |
---|
523 | /*** |
---|
524 | f char *object() const |
---|
525 | returns object's name when the oset is a principal object |
---|
526 | [keyid:A].oset:values <- [integer:10], it returns 10 |
---|
527 | ***/ |
---|
528 | char *object() const |
---|
529 | { return abac_aspect_object_name(m_oset); } |
---|
530 | /*** |
---|
531 | f int add_data_term(DataTerm&) |
---|
532 | add a data term to this oset's parameter set |
---|
533 | always returns 1 |
---|
534 | ***/ |
---|
535 | int add_data_term(DataTerm& d) { |
---|
536 | abac_aspect_add_param(m_oset, d.term()); |
---|
537 | return 1; |
---|
538 | } |
---|
539 | /*** |
---|
540 | f std::vector<DataTerm> get_data_terms(bool &) |
---|
541 | returns the data terms bound to this oset. |
---|
542 | ??? If the oset is returned in a proof, these will all have values. |
---|
543 | ***/ |
---|
544 | std::vector<DataTerm> get_data_terms(bool &success) { |
---|
545 | abac_term_t **terms, **end; |
---|
546 | int i; |
---|
547 | terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset)); |
---|
548 | for (i = 0; terms[i] != NULL; ++i) |
---|
549 | ; |
---|
550 | end = &terms[i]; |
---|
551 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
552 | abac_terms_free(terms); |
---|
553 | success=1; |
---|
554 | return dataterms; |
---|
555 | } |
---|
556 | /*** |
---|
557 | f int add_linking_data_term(DataTerm&) |
---|
558 | add a data term to this oset's linking role's parameter set. |
---|
559 | always returns 1 |
---|
560 | ***/ |
---|
561 | int add_linking_data_term(DataTerm& d) { |
---|
562 | abac_aspect_add_linked_param(m_oset, d.term()); |
---|
563 | return 1; |
---|
564 | } |
---|
565 | /*** |
---|
566 | f std::vector<DataTerm> get_linked_data_terms(bool &) |
---|
567 | returns the data terms bound to this oset's linking role. |
---|
568 | ??? If the oset is returned in a proof, these will all have values. |
---|
569 | ***/ |
---|
570 | std::vector<DataTerm> get_linked_data_terms(bool &success) { |
---|
571 | abac_term_t **terms, **end; |
---|
572 | int i; |
---|
573 | terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset)); |
---|
574 | for (i = 0; terms[i] != NULL; ++i) |
---|
575 | ; |
---|
576 | end = &terms[i]; |
---|
577 | std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end); |
---|
578 | abac_terms_free(terms); |
---|
579 | success=1; |
---|
580 | return dataterms; |
---|
581 | } |
---|
582 | /*** |
---|
583 | f abac_aspect_t *oset() |
---|
584 | returns the internal libabac representation of the oset |
---|
585 | ***/ |
---|
586 | abac_aspect_t *oset() {return m_oset;} |
---|
587 | private: |
---|
588 | abac_aspect_t *m_oset; |
---|
589 | }; |
---|
590 | |
---|
591 | |
---|
592 | /*** |
---|
593 | ABAC::ID |
---|
594 | An ID holds a principal credential. It maybe imported from an existing |
---|
595 | ID credential via external files, constructed from a streaming chunk, |
---|
596 | or instantiated on the fly |
---|
597 | ***/ |
---|
598 | class ID { |
---|
599 | public: |
---|
600 | /*** |
---|
601 | f ID() |
---|
602 | default constructor, do not use, for swig only |
---|
603 | f ID(const ID &) |
---|
604 | copy constructor, used for cloning an ID |
---|
605 | f ~ID() |
---|
606 | default destructor |
---|
607 | ***/ |
---|
608 | ID() : m_id(NULL) { } // do not use: here for swig |
---|
609 | ID(const ID &id) { m_id =abac_id_dup(id.m_id); } |
---|
610 | ~ID() { if(m_id) abac_id_free(m_id); } |
---|
611 | /*** ??? |
---|
612 | f ID(abac_id_t *) |
---|
613 | constructor from abac_id_t |
---|
614 | f ID(abac_id_credential_t *) |
---|
615 | constructor from abac_id_t |
---|
616 | ***/ |
---|
617 | ID(abac_id_t *id): m_id(abac_id_dup(id)) |
---|
618 | { } |
---|
619 | ID(abac_id_credential_t *idcred) { |
---|
620 | if(idcred) |
---|
621 | m_id=abac_id_dup(abac_id_credential_id(idcred)); |
---|
622 | else m_id=NULL; |
---|
623 | } |
---|
624 | |
---|
625 | /*** |
---|
626 | f ID(char *) |
---|
627 | load an ID cert from a file, will throw an exception |
---|
628 | if the cert cannot be loaded |
---|
629 | ***/ |
---|
630 | ID(char *filename) { |
---|
631 | m_id=abac_id_from_file(filename); |
---|
632 | if(m_id==NULL) |
---|
633 | abac_errx(1, "Id creation from filename failed"); |
---|
634 | } |
---|
635 | /*** |
---|
636 | f ID(char *,int) |
---|
637 | generates a new ID with the supplied CN and validity period |
---|
638 | - CN must be alphanumeric and begin with a letter |
---|
639 | - validity must be at least one second |
---|
640 | will throw an exception if either of the above is violated |
---|
641 | ***/ |
---|
642 | ID(char *cn, int validity) { |
---|
643 | int rt=abac_id_generate(&m_id, cn, validity); |
---|
644 | if(rt != ABAC_ID_SUCCESS) |
---|
645 | abac_errx(1, "Id creation failed"); |
---|
646 | } |
---|
647 | /*** |
---|
648 | f void load_privkey(char *) |
---|
649 | loads the private key associated with the ID credential |
---|
650 | will throw an exception if the key cannot be loaded |
---|
651 | ***/ |
---|
652 | void load_privkey(char *filename) { |
---|
653 | int rt=abac_id_load_privkey_file(m_id, filename); |
---|
654 | if(rt != 1) |
---|
655 | abac_errx(1, "Failed to load private key"); |
---|
656 | } |
---|
657 | /*** |
---|
658 | f abac_id_t *id() |
---|
659 | returns the abac_id_t |
---|
660 | returns the interal libabac representation of this id |
---|
661 | ***/ |
---|
662 | abac_id_t *id() { return m_id; } |
---|
663 | |
---|
664 | /*** |
---|
665 | f char *keyid() |
---|
666 | returns the SHA1 keyid of the id cert |
---|
667 | f char *name() |
---|
668 | returns the CN (the parameter passed to the constructor or the |
---|
669 | CN of the cert). |
---|
670 | ***/ |
---|
671 | char *keyid() { return abac_id_keyid(m_id); } |
---|
672 | char *name() { return abac_id_cn(m_id); } |
---|
673 | /*** |
---|
674 | f bool has_privkey() |
---|
675 | returns true if the ID has an associated private key |
---|
676 | ***/ |
---|
677 | bool has_privkey() |
---|
678 | { return abac_id_has_privkey(m_id); } |
---|
679 | |
---|
680 | /*** |
---|
681 | f void write_cert(FILE *) |
---|
682 | writes a PEM-encoded cert to the file handle |
---|
683 | f void write_cert(char *) |
---|
684 | writes a PEM-encoded cert to a file named out |
---|
685 | ***/ |
---|
686 | void write_cert(FILE *out) |
---|
687 | { abac_id_write_cert(m_id, out); } |
---|
688 | void write_cert(char *filename) { |
---|
689 | FILE *out = fopen(filename, "a"); |
---|
690 | write_cert(out); |
---|
691 | fclose(out); |
---|
692 | } |
---|
693 | /*** |
---|
694 | f void write_privkey(FILE *) |
---|
695 | writes a PEM-encoded private key to the file handle |
---|
696 | throws an exception if no private key is loaded |
---|
697 | f void write_privkey(char *) |
---|
698 | writes a PEM-encoded private key a file named out |
---|
699 | throws an exception if no private key is loaded |
---|
700 | ***/ |
---|
701 | void write_privkey(FILE *out) { |
---|
702 | if(!has_privkey()) |
---|
703 | abac_errx(1, "No privkey to write"); |
---|
704 | abac_id_write_privkey(m_id, out); |
---|
705 | } |
---|
706 | void write_privkey(char *filename) { |
---|
707 | FILE *out = fopen(filename, "a"); |
---|
708 | write_privkey(out); |
---|
709 | fclose(out); |
---|
710 | } |
---|
711 | /*** |
---|
712 | f abac_chunk_t cert_chunk() |
---|
713 | returns a DER-encoded binary representation of the X.509 ID cert |
---|
714 | associated with this ID. |
---|
715 | can be passed to libabac's Context::load_id_chunk() |
---|
716 | ***/ |
---|
717 | abac_chunk_t cert_chunk() |
---|
718 | { return abac_id_cert_chunk(m_id); } |
---|
719 | /*** |
---|
720 | f char *string() |
---|
721 | returns literal string of the id credential |
---|
722 | ***/ |
---|
723 | char *string() { |
---|
724 | char *tmp=NULL; |
---|
725 | if(has_privkey()) |
---|
726 | asprintf(&tmp,"(%s,%s,y)",abac_id_name(m_id),abac_id_idtype_string(m_id)); |
---|
727 | else asprintf(&tmp,"(%s,%s,n)",abac_id_name(m_id),abac_id_idtype_string(m_id)); |
---|
728 | return tmp; |
---|
729 | } |
---|
730 | public: |
---|
731 | abac_id_t *m_id; |
---|
732 | }; |
---|
733 | |
---|
734 | |
---|
735 | /*** |
---|
736 | ABAC::Attribute |
---|
737 | This is the attribute representation for the access policy rule |
---|
738 | LHS <- RHS |
---|
739 | The sequence of generation is to |
---|
740 | first, instantiate the object, ie, LHS (head) |
---|
741 | second, adding subject(s) to it, ie, RHS (tail) |
---|
742 | and then baking it. |
---|
743 | Only once it's baked can you access the X.509 cert. |
---|
744 | Once it's been baked you can no longer add subjects to it |
---|
745 | ***/ |
---|
746 | class Attribute { |
---|
747 | public: |
---|
748 | /*** |
---|
749 | f Attribute() |
---|
750 | default constructor, do not use, for swig only |
---|
751 | f Attribute(const Attribute &) |
---|
752 | copy constructor, used for cloning an attribute |
---|
753 | f ~Attribute() |
---|
754 | default destructor |
---|
755 | ***/ |
---|
756 | Attribute() : m_attr(NULL) { } |
---|
757 | Attribute(const Attribute &id) |
---|
758 | { m_attr =abac_attribute_dup(id.m_attr); } |
---|
759 | ~Attribute() |
---|
760 | { if(m_attr) abac_attribute_free(m_attr); } |
---|
761 | /*** |
---|
762 | f Attribute(abac_attribute_t *) |
---|
763 | constructor that takes abac_attribute_t, locally used |
---|
764 | f Attribute(abac_credential_t *) |
---|
765 | constructor that takes abac_credential_t, locally used |
---|
766 | ***/ |
---|
767 | Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr)) |
---|
768 | { } |
---|
769 | Attribute(abac_credential_t *cred) |
---|
770 | { m_attr=abac_attribute_dup(abac_credential_attribute(cred)); } |
---|
771 | /*** |
---|
772 | f Attribute(Role&, int) |
---|
773 | constructor that creates an attribute policy to be signed by the issuer |
---|
774 | with the given role with a specified validity period |
---|
775 | An exception will be thrown if: |
---|
776 | - the issuer has no private key |
---|
777 | - the Head role is invalid |
---|
778 | - the validity period is invalid (must be >= 1 second) |
---|
779 | ***/ |
---|
780 | Attribute(Role& head, int validity) { |
---|
781 | int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity); |
---|
782 | if(rt!=ABAC_ATTRIBUTE_SUCCESS) |
---|
783 | abac_errx(1, "attribute(role), unable to make an attribute"); |
---|
784 | } |
---|
785 | /*** |
---|
786 | f Attribute(Oset&, int) |
---|
787 | constructor that creates an attribute policy to be signed by the issuer |
---|
788 | with the given oset with a specified validity period |
---|
789 | An exception will be thrown if: |
---|
790 | - the issuer has no private key |
---|
791 | - the Head oset is invalid |
---|
792 | - the validity period is invalid (must be >= 1 second) |
---|
793 | ***/ |
---|
794 | Attribute(Oset& head, int validity) { |
---|
795 | int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity); |
---|
796 | if(rt!=ABAC_ATTRIBUTE_SUCCESS) |
---|
797 | abac_errx(1, "attribute(oset), unable to make an attribute"); |
---|
798 | } |
---|
799 | /*** |
---|
800 | f bool add_tail(Role&) |
---|
801 | Add a role tail. Call multiple times for intersections |
---|
802 | f bool add_tail(Oset&) |
---|
803 | Add an oset tail. Call multiple times for intersections |
---|
804 | ***/ |
---|
805 | bool add_tail(Role& tail) { |
---|
806 | if(abac_attribute_add_tail(m_attr, tail.role())) |
---|
807 | return 1; |
---|
808 | else return 0; |
---|
809 | } |
---|
810 | bool add_tail(Oset& tail) { |
---|
811 | if(abac_attribute_add_tail(m_attr, tail.oset())) |
---|
812 | return 1; |
---|
813 | else return 0; |
---|
814 | } |
---|
815 | /*** |
---|
816 | f char *head_string() |
---|
817 | returns literal string of head of the attribute |
---|
818 | f char *tail_string() |
---|
819 | returns literal string of tail of the attribute |
---|
820 | ***/ |
---|
821 | char *head_string() { |
---|
822 | abac_aspect_t *head=abac_attribute_head(m_attr); |
---|
823 | char *string=abac_aspect_string(head); |
---|
824 | return string; |
---|
825 | } |
---|
826 | char *tail_string() { |
---|
827 | abac_aspect_t *tail=abac_attribute_tail(m_attr); |
---|
828 | char *string=abac_aspect_string(tail); |
---|
829 | return string; |
---|
830 | } |
---|
831 | /*** |
---|
832 | f char *head_typed_string() |
---|
833 | returns typed literal string of head of the attribute |
---|
834 | f char *tail_typed_string() |
---|
835 | returns typed literal string of tail of the attribute |
---|
836 | ***/ |
---|
837 | char *head_typed_string() { |
---|
838 | abac_aspect_t *head=abac_attribute_head(m_attr); |
---|
839 | char *string=abac_aspect_typed_string(head); |
---|
840 | return string; |
---|
841 | } |
---|
842 | char *tail_typed_string() { |
---|
843 | abac_aspect_t *tail=abac_attribute_tail(m_attr); |
---|
844 | char *string=abac_aspect_typed_string(tail); |
---|
845 | return string; |
---|
846 | } |
---|
847 | /*** |
---|
848 | f char *string() |
---|
849 | returns literal string of the attribute |
---|
850 | f char *typed_string() |
---|
851 | returns typed literal string of the attribute |
---|
852 | ***/ |
---|
853 | char *string() { |
---|
854 | char *head=head_string(); |
---|
855 | char *tail=tail_string(); |
---|
856 | if(head==NULL || tail==NULL) |
---|
857 | abac_errx(1, "attribute string, head and tail can not be NULL"); |
---|
858 | char *tmp=NULL; |
---|
859 | asprintf(&tmp,"%s<-%s",head,tail); |
---|
860 | return tmp; |
---|
861 | } |
---|
862 | char *typed_string() { |
---|
863 | char *head=head_typed_string(); |
---|
864 | char *tail=tail_typed_string(); |
---|
865 | if(head==NULL || tail==NULL) |
---|
866 | abac_errx(1, "attribute string, head and tail can not be NULL"); |
---|
867 | char *tmp=NULL; |
---|
868 | asprintf(&tmp,"%s<-%s",head,tail); |
---|
869 | return tmp; |
---|
870 | } |
---|
871 | /*** ??? not sure about implmentation |
---|
872 | f const Role &role_head() |
---|
873 | returns the head role |
---|
874 | f const Oset &oset_head() |
---|
875 | returns the oset head |
---|
876 | ***/ |
---|
877 | const Role &role_head() { |
---|
878 | abac_aspect_t *head=abac_attribute_head(m_attr); |
---|
879 | static Role role=Role(head); |
---|
880 | return role; |
---|
881 | } |
---|
882 | const Oset &oset_head() { |
---|
883 | abac_aspect_t *head=abac_attribute_tail(m_attr); |
---|
884 | static Oset oset=Oset(head); |
---|
885 | return oset; |
---|
886 | } |
---|
887 | /*** ??? |
---|
888 | f std::vector<Role> role_tails(bool &) |
---|
889 | retrieve tail role which maybe more than 1 if intersecting |
---|
890 | f std::vector<Oset> oset_tails(bool &) |
---|
891 | retrieve tail oset which maybe more than 1 if intersecting |
---|
892 | ***/ |
---|
893 | std::vector<Role> role_tails(bool &success) { |
---|
894 | abac_aspect_t **tails, **end; |
---|
895 | int i; |
---|
896 | /* make sure it is role */ |
---|
897 | if(!abac_attribute_is_role(m_attr)) { |
---|
898 | success=0; |
---|
899 | abac_errx(1, "role_tails, attribute is not a role"); |
---|
900 | } |
---|
901 | tails = abac_attribute_tail_vectorized(m_attr); |
---|
902 | for (i = 0; tails[i] != NULL; ++i) |
---|
903 | ; |
---|
904 | end = &tails[i]; |
---|
905 | std::vector<Role> roles = std::vector<Role>(tails, end); |
---|
906 | abac_aspects_free(tails); |
---|
907 | success=1; |
---|
908 | return roles; |
---|
909 | } |
---|
910 | std::vector<Oset> oset_tails(bool &success) { |
---|
911 | abac_aspect_t **tails, **end; |
---|
912 | int i; |
---|
913 | /* make sure that tail is not role */ |
---|
914 | if(abac_attribute_is_role(m_attr)) { |
---|
915 | success=0; |
---|
916 | abac_errx(1, "oset_tails, attribute is not an oset"); |
---|
917 | } |
---|
918 | tails = abac_attribute_tail_vectorized(m_attr); |
---|
919 | for (i = 0; tails[i] != NULL; ++i) |
---|
920 | ; |
---|
921 | end = &tails[i]; |
---|
922 | std::vector<Oset> osets = std::vector<Oset>(tails, end); |
---|
923 | success=1; |
---|
924 | abac_aspects_free(tails); |
---|
925 | return osets; |
---|
926 | } |
---|
927 | /*** |
---|
928 | f abac_attribute_t *attribute() |
---|
929 | return libabac structure for attribute |
---|
930 | ***/ |
---|
931 | abac_attribute_t *attribute() { return m_attr; } |
---|
932 | |
---|
933 | /*** |
---|
934 | f bool bake() |
---|
935 | Generate the cert. Call this after you've added subjects to your cert. |
---|
936 | This returns false if there are no subjects |
---|
937 | This will throw an exception if the cert's already been baked. |
---|
938 | ***/ |
---|
939 | bool bake() { |
---|
940 | /* can not bake in ABAC_CN mode */ |
---|
941 | if(USE("ABAC_CN")) |
---|
942 | abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set"); |
---|
943 | int rt=abac_attribute_bake(m_attr); |
---|
944 | if(rt!=1) |
---|
945 | abac_errx(1, "bake, can not bake the cert"); |
---|
946 | } |
---|
947 | /*** |
---|
948 | f bool baked() |
---|
949 | returns true iff the cert has been baked. |
---|
950 | ***/ |
---|
951 | bool baked() |
---|
952 | { return abac_attribute_baked(m_attr); } |
---|
953 | |
---|
954 | /*** |
---|
955 | f void write_cert(FILE *) |
---|
956 | write the DER-encoded X.509 attribute cert to the open file handle |
---|
957 | Throws an exception if the cert isn't baked |
---|
958 | ***/ |
---|
959 | void write_cert(FILE *out) { |
---|
960 | int rt= abac_attribute_write(m_attr,out); |
---|
961 | if(!rt) |
---|
962 | abac_errx(1, "write, cert is not baked"); |
---|
963 | } |
---|
964 | /*** |
---|
965 | f void write_cert(char *) |
---|
966 | write the DER-encoded X.509 attribute cert to a file named out |
---|
967 | Throws an exception if the cert isn't baked |
---|
968 | ***/ |
---|
969 | void write_cert(char *filename) { |
---|
970 | FILE *out = fopen(filename, "w"); |
---|
971 | write_cert(out); |
---|
972 | fclose(out); |
---|
973 | } |
---|
974 | /*** |
---|
975 | f abac_chunk_t cert_chunk() |
---|
976 | returns a DER-encoded binary representation of the X.509 attribute |
---|
977 | cert associated with this cert |
---|
978 | Throws an exception if the cert isn't baked |
---|
979 | the chunk can be passed to libabac's Context::load_attribute_chunk() |
---|
980 | ***/ |
---|
981 | abac_chunk_t cert_chunk() |
---|
982 | { return abac_attribute_cert_chunk(m_attr); } |
---|
983 | |
---|
984 | /*** |
---|
985 | f int consume() |
---|
986 | generate yap clauses and injected into db |
---|
987 | ***/ |
---|
988 | int consume() { |
---|
989 | /* attribute needs to be baked */ |
---|
990 | if(!baked()) { |
---|
991 | return ABAC_ATTRIBUTE_FAIL; |
---|
992 | } |
---|
993 | } |
---|
994 | private: |
---|
995 | abac_attribute_t *m_attr; |
---|
996 | }; |
---|
997 | |
---|
998 | |
---|
999 | /*** |
---|
1000 | ABAC::Context |
---|
1001 | An ABAC Context |
---|
1002 | ***/ |
---|
1003 | class Context { |
---|
1004 | public: |
---|
1005 | /*** |
---|
1006 | f Context() |
---|
1007 | default constructor |
---|
1008 | f Context(const Context &) |
---|
1009 | copy constructor, used for cloning the context |
---|
1010 | f ~Context() |
---|
1011 | default destructor |
---|
1012 | ***/ |
---|
1013 | Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); } |
---|
1014 | Context(const Context &context) { |
---|
1015 | m_ctx = abac_context_dup(context.m_ctx); |
---|
1016 | m_abac_version=strdup(context.m_abac_version); |
---|
1017 | } |
---|
1018 | ~Context() { |
---|
1019 | abac_context_free(m_ctx); |
---|
1020 | if(m_abac_version) free(m_abac_version); |
---|
1021 | } |
---|
1022 | /*** |
---|
1023 | f void dump_yap() |
---|
1024 | dump the complete yap prolog database |
---|
1025 | ***/ |
---|
1026 | void dump_yap() |
---|
1027 | { show_yap_db("dump_yap"); } |
---|
1028 | |
---|
1029 | /*** |
---|
1030 | f int load_id(ABAC::ID&) |
---|
1031 | load id cert from ID |
---|
1032 | f int load_id_file(char *) |
---|
1033 | load id cert from an idkey combo file. key retrieval will be attempt |
---|
1034 | but won't fail if not found |
---|
1035 | f int load_id_file(char *, char *) |
---|
1036 | load id cert from an id file and a key file |
---|
1037 | f int load_id_chunk(abac_chunk_t) |
---|
1038 | load id cert from a chunk structure |
---|
1039 | returns: |
---|
1040 | ABAC_CERT_SUCCESS successfully loaded |
---|
1041 | ABAC_CERT_INVALID invalid certificate (or file not found) |
---|
1042 | ABAC_CERT_BAD_SIG invalid signature |
---|
1043 | ***/ |
---|
1044 | int load_id(ABAC::ID& id) |
---|
1045 | { return abac_context_load_id_id(m_ctx, id.id()); } |
---|
1046 | int load_id_file(char *filename) |
---|
1047 | { return abac_context_load_id_idkey_file(m_ctx, filename); } |
---|
1048 | int load_id_file(char *filename, char *keyfilename) |
---|
1049 | { return abac_context_load_id_id_file_key_file(m_ctx, filename, keyfilename); } |
---|
1050 | int load_id_chunk(abac_chunk_t cert) |
---|
1051 | { return abac_context_load_id_chunk(m_ctx, cert); } |
---|
1052 | |
---|
1053 | /*** |
---|
1054 | f int load_attribute(ABAC::Attribute&) |
---|
1055 | load attribute credential from attribute structure |
---|
1056 | f int load_attribute_file(char *) |
---|
1057 | load attribute credential from a file |
---|
1058 | f int load_attribute_chunk(abac_chunk_t) |
---|
1059 | load attribute credential from a chunk |
---|
1060 | f returns the same values as above, additionally |
---|
1061 | returns ABAC_CERT_MISSING_ISSUER if the issuer |
---|
1062 | certificate has not been loaded |
---|
1063 | ***/ |
---|
1064 | int load_attribute(ABAC::Attribute& a) |
---|
1065 | { return abac_context_load_attribute_attribute(m_ctx, a.attribute()); } |
---|
1066 | int load_attribute_file(char *filename) |
---|
1067 | { return abac_context_load_attribute_file(m_ctx, filename); } |
---|
1068 | int load_attribute_chunk(abac_chunk_t cert) |
---|
1069 | { return abac_context_load_attribute_chunk(m_ctx, cert); } |
---|
1070 | |
---|
1071 | /*** |
---|
1072 | f void load_directory(char *) |
---|
1073 | load a directory full of certificates: |
---|
1074 | f first: ${path}/*_ID.{der,pem} as identity certificates |
---|
1075 | implicitly looking for ${path}/*_private.{der,pem} as |
---|
1076 | the private key file |
---|
1077 | then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate |
---|
1078 | last: ${path}/*_attr.der as attribute certificates |
---|
1079 | ***/ |
---|
1080 | void load_directory(char *path) |
---|
1081 | { abac_context_load_directory(m_ctx, path); } |
---|
1082 | /*** |
---|
1083 | f std::vector<Attribute> query(char *, char *, bool &) |
---|
1084 | the string version is for query that is composed by hand with SHA or |
---|
1085 | in non ABAC_CN mode |
---|
1086 | f std::vector<Attribute> query(Role &, Role &, bool &) |
---|
1087 | std::vector<Attribute> query(Oset &, Oset &, bool &) |
---|
1088 | runs the query: |
---|
1089 | role <-?- principal |
---|
1090 | oset <-?- principal/obj |
---|
1091 | returns true/false in success |
---|
1092 | returns a proof upon success, |
---|
1093 | partial proof on failure (not implemented yet) |
---|
1094 | ***/ |
---|
1095 | std::vector<Attribute> query(char *role, char *principal, bool &success) { |
---|
1096 | abac_credential_t **creds, **end; |
---|
1097 | int i, success_int; |
---|
1098 | |
---|
1099 | creds = abac_context_query(m_ctx, role, principal, &success_int); |
---|
1100 | success = success_int; |
---|
1101 | |
---|
1102 | for (i = 0; creds[i] != NULL; ++i) |
---|
1103 | ; |
---|
1104 | |
---|
1105 | end = &creds[i]; |
---|
1106 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
1107 | if(debug) printf("query, got rules(%d)\n", i); |
---|
1108 | |
---|
1109 | abac_context_credentials_free(creds); |
---|
1110 | |
---|
1111 | return attributes; |
---|
1112 | } |
---|
1113 | |
---|
1114 | std::vector<Attribute> query(Role &role, Role &p_role, bool &success) { |
---|
1115 | abac_credential_t **creds, **end; |
---|
1116 | int i, success_int; |
---|
1117 | |
---|
1118 | creds = abac_context_query_with_structure(m_ctx, role.role(), p_role.role(), &success_int); |
---|
1119 | success = success_int; |
---|
1120 | |
---|
1121 | for (i = 0; creds[i] != NULL; ++i) |
---|
1122 | ; |
---|
1123 | |
---|
1124 | end = &creds[i]; |
---|
1125 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
1126 | |
---|
1127 | abac_context_credentials_free(creds); |
---|
1128 | |
---|
1129 | return attributes; |
---|
1130 | } |
---|
1131 | |
---|
1132 | std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) { |
---|
1133 | abac_credential_t **creds, **end; |
---|
1134 | int i, success_int; |
---|
1135 | |
---|
1136 | creds = abac_context_query_with_structure(m_ctx, oset.oset(), p_oset.oset(), &success_int); |
---|
1137 | success = success_int; |
---|
1138 | |
---|
1139 | for (i = 0; creds[i] != NULL; ++i) |
---|
1140 | ; |
---|
1141 | |
---|
1142 | end = &creds[i]; |
---|
1143 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
1144 | if(debug) printf("query, returning rules(%d)\n", i); |
---|
1145 | |
---|
1146 | abac_context_credentials_free(creds); |
---|
1147 | |
---|
1148 | return attributes; |
---|
1149 | } |
---|
1150 | |
---|
1151 | /*** |
---|
1152 | f std::vector<Attribute> context_credentials(bool &) |
---|
1153 | returns a vector of all the credentials loaded in the context |
---|
1154 | extracted from the internal data structure |
---|
1155 | ***/ |
---|
1156 | std::vector<Attribute> context_credentials(bool &success) { |
---|
1157 | abac_credential_t **creds, **end; |
---|
1158 | int i; |
---|
1159 | success = 1; |
---|
1160 | |
---|
1161 | creds = abac_context_credentials(m_ctx); |
---|
1162 | for (i = 0; creds[i] != NULL; ++i) |
---|
1163 | ; |
---|
1164 | |
---|
1165 | end = &creds[i]; |
---|
1166 | std::vector<Attribute> attributes = std::vector<Attribute>(creds, end); |
---|
1167 | if(debug) printf("credentials, got (%d)\n", i); |
---|
1168 | |
---|
1169 | abac_context_credentials_free(creds); |
---|
1170 | if(debug) show_yap_db("calling from context_credentials"); |
---|
1171 | return attributes; |
---|
1172 | } |
---|
1173 | |
---|
1174 | /*** |
---|
1175 | f std::vector<Attribute> context_principals(bool &) |
---|
1176 | returns a vector of all the principals loaded in the context |
---|
1177 | extracted from the internal data structure |
---|
1178 | ***/ |
---|
1179 | std::vector<ID> context_principals(bool &success) { |
---|
1180 | abac_id_credential_t **ids, **end; |
---|
1181 | int i; |
---|
1182 | success = 1; |
---|
1183 | |
---|
1184 | ids = abac_context_principals(m_ctx); |
---|
1185 | for (i = 0; ids[i] != NULL; ++i) |
---|
1186 | ; |
---|
1187 | |
---|
1188 | end = &ids[i]; |
---|
1189 | std::vector<ID> principals = std::vector<ID>(ids, end); |
---|
1190 | if(debug) printf("principals, got (%d)\n", i); |
---|
1191 | |
---|
1192 | abac_context_principals_free(ids); |
---|
1193 | return principals; |
---|
1194 | } |
---|
1195 | /*** |
---|
1196 | f char *version() |
---|
1197 | return the version of this interface |
---|
1198 | ***/ |
---|
1199 | char *version() const { return m_abac_version; } |
---|
1200 | |
---|
1201 | private: |
---|
1202 | abac_context_t *m_ctx; |
---|
1203 | char *m_abac_version; |
---|
1204 | }; |
---|
1205 | |
---|
1206 | Constraint::Constraint(Role& role) |
---|
1207 | { m_constraint=abac_condition_create_from_aspect(role.role()); } |
---|
1208 | Constraint::Constraint(Oset &oset) |
---|
1209 | { m_constraint=abac_condition_create_from_aspect(oset.oset()); } |
---|
1210 | } |
---|
1211 | |
---|
1212 | #endif /* __ABAC_HH__ */ |
---|