Context Navigation

source: libabac/abac.hh @ 6e8997e

mei_rt2mei_rt2_fix_1

Last change on this file since 6e8997e was 6e8997e, checked in by Mei <mei@…>, 12 years ago
1) more changes to the api doc embedded in abac.hh
Property mode set to `100644`
File size: 40.9 KB

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <string>
5	#include <vector>
6
7	namespace ABAC {
8	extern "C" {
9	#include "abac.h"
10	}
11	static int debug=0;
12	class Role;
13	class Oset;
14	/***
15	ABAC::Constraint
16	Constraint on a data term.
17	There are 3 types:
18	- Role constraint on a principal
19	- Oset constraint on a principal, or a data object
20	- Range/List constraint on a data object
21	It holds a ptr to a abac_condition_t structure
22	***/
23	class Constraint {
24	public:
25	/***
26	f Constraint()
27	default constructor, do not use, for swig only
28	f Constraint(const Constraint &)
29	copy constructor, used for cloning a constraint
30	f ~Constraint()
31	default destructor
32	***/
33	Constraint() : m_constraint(NULL) { }
34	Constraint(const Constraint &constraint) {
35	m_constraint =abac_condition_dup(constraint.m_constraint);
36	}
37	~Constraint() {
38	if(m_constraint) abac_condition_free(m_constraint);
39	}
40	/***
41	f Constraint(Role &)
42	constructor that takes a constraining role
43	[role:?R[{role-constraint}]
44	f Constraint(Oset &)
45	constructor that takes a constraining oset
46	[oset:?O[{oset-constraint}]
47	[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
48	f Constraint(abac_condition_t *)
49	constructor that takes an abac_condition_t structure
50	f Constraint(char *)
51	constructor that takes one of following string
52	as its vartype to set up a range constraint:
53	"integer"
54	"urn"
55	"float"
56	"boolean"
57	"time"
58	"string"
59	it should be followed with one or many of following utility
60	calls.
61	***/
62	Constraint(Role& role);
63	Constraint(Oset& oset);
64	Constraint(abac_condition_t *constraint):
65	m_constraint(abac_condition_dup(constraint))
66	{ }
67	Constraint(char *vartype) {
68	m_constraint=abac_condition_create(vartype);
69	}
70	/***
71	f void add_constraint_integer_max(int)
72	void add_constraint_integer_min(int)
73	utility routines to setup a integer range constraint
74	[integer:?I[10 .. 20]]
75	f void add_constraint_integer_target(int)
76	utility routine to setup a integer list constraint
77	[integer:?I[10,20]]
78	***/
79	void add_constraint_integer_max(int val) {
80	abac_condition_add_range_integer_item(m_constraint,abac_max_item_type(),val);
81	}
82	void add_constraint_integer_min(int val) {
83	abac_condition_add_range_integer_item(m_constraint,abac_min_item_type(),val);
84	}
85	void add_constraint_integer_target(int val) {
86	abac_condition_add_range_integer_item(m_constraint,abac_target_item_type(),val);
87	}
88	/***
89	f void add_constraint_float_max(float)
90	void add_constraint_float_min(float)
91	utility routines to setup a float range constraint
92	[float:?F[1.0 .. 2.5]]
93	f void add_constraint_float_target(float)
94	utility routine to setup a float list constraint
95	[float:?F[0.5, 2.5]]
96	***/
97	void add_constraint_float_max(float val) {
98	abac_condition_add_range_float_item(m_constraint,abac_max_item_type(),val);
99	}
100	void add_constraint_float_min(float val) {
101	abac_condition_add_range_float_item(m_constraint,abac_min_item_type(),val);
102	}
103	void add_constraint_float_target(float val) {
104	abac_condition_add_range_float_item(m_constraint,abac_target_item_type(),val);
105	}
106	/***
107	f void add_constraint_time_max(char*)
108	void add_constraint_time_min(char*)
109	utility routines to setup a time range constraint,
110	takes quoted string values, beyond T is optional
111	[time:?F["20120228T" .. "20120228T090000"]]
112	f void add_constraint_time_target(char*)
113	utility routine to setup a time list constraint
114	[time:?M["20201101T182930","20201101T"]]
115	***/
116	void add_constraint_time_max(char* val) {
117	abac_condition_add_range_time_item(m_constraint,abac_max_item_type(),val);
118	}
119	void add_constraint_time_min(char* val) {
120	abac_condition_add_range_time_item(m_constraint,abac_min_item_type(),val);
121	}
122	void add_constraint_time_target(char* val) {
123	abac_condition_add_range_time_item(m_constraint,abac_target_item_type(),val);
124	}
125	/***
126	f void add_constraint_urn_target(char*)
127	utility routine to setup a an urn list constraint
128	[urn:?U["fileA","http://fileB"]]
129	f void add_constraint_string_target(char*)
130	utility routine to setup a a string list constraint
131	[string:?S["abc",'efg',"hij"]]
132	f void add_constraint_boolean_target(char*)
133	utility routine to setup a a boolean list constraint
134	[boolean:?B['true']]
135	***/
136	void add_constraint_urn_target(char* val)
137	{ abac_condition_add_range_urn_item(m_constraint,val); }
138	void add_constraint_string_target(char* val)
139	{ abac_condition_add_range_string_item(m_constraint,val); }
140	void add_constraint_boolean_target(char* val)
141	{ abac_condition_add_range_boolean_item(m_constraint,val); }
142	/***
143	f char *string() const
144	returns literal string of the constraint
145	f char *typed_string() const
146	returns typed literal string of the constraint
147	***/
148	char *string() const
149	{ return abac_condition_string(m_constraint); }
150	char *typed_string() const
151	{ return abac_condition_typed_string(m_constraint); }
152	/***
153	f abac_condition_t *constraint()
154	returns internal constraint structure
155	***/
156	abac_condition_t *constraint()
157	{ return m_constraint; }
158	private:
159	abac_condition_t *m_constraint;
160	};
161
162	/***
163	ABAC::DataTerm
164	A data term is associated with Role or Oset as a parameter that
165	maybe be instantiated, or uninstantiated but being constrained,
166	or as a principal oset term (standalone right handside of an oset
167	policy rule). It holds a pointer to a abac_term_t structure and
168	an optional constraint that may be imposed on this data term if it
169	is indeed an unistantiated variable.
170	***/
171	class DataTerm {
172	public:
173	/***
174	f DataTerm()
175	default constructor, do not use, for swig only
176	f DataTerm(const DataTerm &)
177	copy constructor, used for cloning a data term
178	f ~DataTerm()
179	default destructor
180	***/
181	DataTerm() : m_term(NULL) { } // do not use: here for swig
182	DataTerm(const DataTerm &dterm) {
183	m_term =abac_term_dup(dterm.m_term);
184	abac_condition_t *constraint=abac_term_constraint(m_term);
185	if(constraint) m_cond=new Constraint(constraint);
186	else m_cond=NULL;
187	}
188	~DataTerm() {
189	if(m_term) abac_term_free(m_term);
190	if(m_cond) free(m_cond);
191	}
192	/*** ???
193	f DataTerm(abac_term_t *)
194	constructor to make data term from abac_term_t structure
195	***/
196	DataTerm(abac_term_t *term) {
197	m_term=abac_term_dup(term);
198	abac_condition_t *constraint=abac_term_constraint(m_term);
199	if(constraint) m_cond=new Constraint(constraint);
200	else m_cond=NULL;
201	}
202	/***
203	f DataTerm(char*)
204	constructor to make named principal data term for the oset RHS
205	f DataTerm(char, char, Constraint*)
206	constructor for making a variable data term or an instantiated
207	data term
208	***/
209	DataTerm(char *sha) {
210	if(debug) printf("adding a Dataterm named principal(%s)\n",sha);
211	int isnamed=1;
212	int type=e_TERM_PRINCIPAL;
213	m_term=abac_term_named_create(type,sha);
214	}
215	DataTerm(char* typenm, char name, Constraint cond=NULL) {
216	int type=abac_verify_term_type(typenm);
217	if(debug) printf("adding a Dataterm (%s)\n",name);
218	if(type==ABAC_TERM_FAIL)
219	abac_errx(1, "DataTerm, fail to create the term");
220	if(cond) {
221	m_cond=cond;
222	m_term=abac_term_create(type,name,cond->constraint());
223	} else {
224	m_cond=NULL;
225	m_term=abac_term_create(type,name,NULL);
226	}
227	}
228	/***
229	f char *string() const
230	returns literal string of the data term
231	f char *typed_string() const
232	returns typed literal string of the data term
233	***/
234	char *string() const
235	{ return abac_term_string(m_term); }
236	char *typed_string() const
237	{ return abac_term_typed_string(m_term); }
238	/***
239	f bool is_time() const
240	bool is_string() const
241	bool is_urn() const
242	bool is_integer() const
243	returns true if data term is of certain type
244	***/
245	bool is_time() const
246	{ return abac_term_is_time_type(m_term); }
247	bool is_string() const
248	{ return abac_term_is_string_type(m_term); }
249	bool is_urn() const
250	{ return abac_term_is_urn_type(m_term); }
251	bool is_integer() const
252	{ return abac_term_is_integer_type(m_term); }
253	/***
254	f int add_constraint(const Contraint&)
255	utiltiy routine to add a constraint to this data term
256	***/
257	int add_constraint(const Constraint& cond) {
258	m_cond=new Constraint(cond);
259	abac_term_add_constraint(m_term, m_cond->constraint());
260	}
261	/***
262	f int type() const
263	returns subtype of the data term
264	f char *name() const
265	returns the name of the data term
266	***/
267	int type() const
268	{ abac_term_type(m_term); }
269	char *name() const
270	{ return abac_term_name(m_term); }
271	/*** ??? value
272	f char *value() const
273	Not implemented
274	***/
275	char *value() const { }
276	/***
277	f abac_term_t *term()
278	returns internal data term structure
279	f Constraint *constraint()
280	returns internal constraint structure to the data term
281	***/
282	abac_term_t *term()
283	{ return m_term; }
284	Constraint *constraint()
285	{ return m_cond; }
286	private:
287	abac_term_t *m_term;
288	Constraint *m_cond;
289	};
290
291
292	/***
293	ABAC::Role
294	A Role is role specification of a set of entitities for a principal
295	***/
296	class Role {
297	public:
298	/***
299	f Role()
300	default constructor, do not use, for swig only
301	f Role(const Role &)
302	copy constructor, used for cloning a role
303	f ~Role()
304	default destructor
305	***/
306	Role() : m_role(NULL) { } // do not use: here for swig
307	Role(const Role &role) {
308	m_role = abac_aspect_dup(role.m_role);
309	}
310	~Role() {
311	if (m_role) abac_aspect_free(m_role);
312	}
313	/***
314	f Role(abac_aspect_t*)
315	constructor that takes an abac_aspect_t structure
316	f Role(char*)
317	constructor that builds a bare bone role with just principal's name
318	f Role(char, char)
319	constructor that builds a bare bone role with just principal's name
320	and a role name
321	***/
322	Role(abac_aspect_t *role): m_role(abac_aspect_dup(role))
323	{ }
324	Role(char *principal_name) :
325	m_role(abac_aspect_role_principal_create(principal_name))
326	{ }
327	Role(char principal_name, char role_name) :
328	m_role(abac_aspect_role_create(principal_name, role_name))
329	{ }
330	/***
331	f bool is_principal() const
332	return true if the role is a principal object(made from
333	a data term), the right hand side of,
334	[keyid:A].role:r <- [keyid:B]
335	***/
336	bool is_principal() const
337	{ return abac_aspect_is_principal(m_role); }
338	/***
339	f bool is_linking() const
340	returns true if the role is a linking role like
341	the right hand side of,
342	[keyid:A].role:r1 <- [keyid:B].role:r2.role:r3
343	***/
344	bool is_linking() const
345	{ return abac_aspect_is_linking(m_role); }
346	/***
347	f char *string() const
348	returns literal string of the role
349	f char *typed_string() const
350	returns typed literal string of the role
351	***/
352	char *string() const
353	{ return abac_aspect_string(m_role); }
354	char *typed_string()
355	{ return abac_aspect_typed_string(m_role); }
356	/***
357	f char *linked_role() const
358	returns linked part of a linking role, for
359	[keyid:A].role:r1.role:r2, it returns r1
360	***/
361	char *linked_role() const
362	{ return abac_aspect_linked_role_name(m_role); }
363	/***
364	f char *role_name() const
365	returns the role name of any role (the part after the last dot)
366	[keyid:A].role.r1.role:r2, it returns r2
367	[keyid:A].role.r1, it returns r1
368	***/
369	char *role_name() const
370	{ return abac_aspect_aspect_name(m_role); }
371	char *principal() const
372	{ return abac_aspect_principal_name(m_role); }
373
374	/***
375	f int add_data_term(DataTerm&)
376	add a data term to the role
377	***/
378	int add_data_term(DataTerm& d) {
379	abac_aspect_add_param(m_role, d.term());
380	return 1;
381	}
382	/***
383	f std::vector<DataTerm> get_data_terms(bool &)
384	return the data terms bound to this role.
385	??? If the role is returned in a proof, these will all have values.
386	***/
387	std::vector<DataTerm> get_data_terms(bool &success) {
388	abac_term_t terms, end;
389	int i;
390	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role));
391	for (i = 0; terms[i] != NULL; ++i)
392	;
393	end = &terms[i];
394	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
395	abac_terms_free(terms);
396	success=1;
397	return dataterms;
398	}
399	int add_linking_data_term(DataTerm& d) {
400	abac_aspect_add_linked_param(m_role, d.term());
401	return 1;
402	}
403	/***
404	f std::vector<DataTerm> get_linked_data_terms(bool &)
405	return the data terms bound to this role's linking role.
406	??? If the role is returned in a proof, these will all have values.
407	***/
408	std::vector<DataTerm> get_linked_data_terms(bool &success) {
409	abac_term_t terms, end;
410	int i;
411	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role));
412	for (i = 0; terms[i] != NULL; ++i)
413	;
414	end = &terms[i];
415	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
416	abac_terms_free(terms);
417	success=1;
418	return dataterms;
419	}
420	/***
421	f abac_aspect_t *role()
422	returns the interal libabac representation of this role
423	***/
424	abac_aspect_t *role() {return m_role;}
425	private:
426	abac_aspect_t *m_role;
427	};
428
429	/***
430	ABAC::Oset
431	An Oset is oset specification of a set of entitities for a principal
432	***/
433	class Oset {
434	public:
435	/***
436	f Oset()
437	default constructor, do not use, for swig only
438	f Oset(const Oset &)
439	copy constructor, used for cloning an oset
440	f ~Oset()
441	default destructor
442	***/
443	Oset() : m_oset(NULL) { } // do not use: here for swig
444	Oset(const Oset &oset)
445	{ m_oset =abac_aspect_dup(oset.m_oset); }
446	~Oset()
447	{ if(m_oset) abac_aspect_free(m_oset); }
448	/***
449	f Oset(abac_aspect_t *)
450	constructor that takes abac_aspect_t structure
451	f Oset(char *)
452	constructor that makes a principal oset, ie [keyid:B]
453	f Oset(char , char )
454	constructor that makes a regular oset, ie. [keyid:B].oset:o
455	f Oset(DataTerm&)
456	constructor that makes an object oset, ie. [urn:'file/fileA']
457	***/
458	Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset))
459	{ }
460	Oset(char *oset_name) : m_oset(abac_aspect_oset_principal_create(oset_name))
461	{ }
462	Oset(char principal_name, char oset_name) :
463	m_oset(abac_aspect_oset_create(principal_name, oset_name))
464	{ }
465	Oset(DataTerm& d) :
466	m_oset(abac_aspect_oset_object_create(d.term()))
467	{ }
468
469	/***
470	f bool is_object(), ie <- [integer:10]
471	return ture if this oset is an object oset
472	***/
473	bool is_object() const
474	{ return abac_aspect_is_object(m_oset); }
475	/***
476	f bool is_principal() const
477	return true if the oset is a principal object(made from
478	a data term), the right hand side of,
479	[keyid:A].oset:o <- [keyid:B]
480	***/
481	bool is_principal() const
482	{ return abac_aspect_is_principal(m_oset); }
483	/***
484	f bool is_linking() const
485	returns true if the oset is a linking oset like
486	the right hand side of,
487	[keyid:A].oset:o1 <- [keyid:B].role:r1.oset:o2
488	***/
489	bool is_linking() const
490	{ return abac_aspect_is_linking(m_oset); }
491	/***
492	f char *string() const
493	returns literal string of the oset
494	f char *typed_string() const
495	returns typed literal string of the oset
496	***/
497	char *string() const
498	{ return abac_aspect_string(m_oset); }
499	char *typed_string()
500	{ return abac_aspect_typed_string(m_oset); }
501	/***
502	f char *linked_role() const
503	returns linked part of a linking oset, for
504	[keyid:A].role:r1.oset:o1, it returns r1
505	***/
506	char *linked_role() const
507	{ return abac_aspect_linked_role_name(m_oset); }
508	/***
509	f char *oset_name() const
510	returns oset name,
511	[keyid:A].role:r1.oset:o1, it returns o1
512	[keyid:A].oset:o1, it returns o1
513	***/
514	char *oset_name() const
515	{ return abac_aspect_aspect_name(m_oset); }
516	/***
517	f char *principal() const
518	returns principal name,
519	[keyid:A].role:r1.oset:o1, it returns A
520	***/
521	char *principal() const
522	{ return abac_aspect_principal_name(m_oset); }
523	/***
524	f char *object() const
525	returns object's name when the oset is a principal object
526	[keyid:A].oset:values <- [integer:10], it returns 10
527	***/
528	char *object() const
529	{ return abac_aspect_object_name(m_oset); }
530	/***
531	f int add_data_term(DataTerm&)
532	add a data term to this oset's parameter set
533	always returns 1
534	***/
535	int add_data_term(DataTerm& d) {
536	abac_aspect_add_param(m_oset, d.term());
537	return 1;
538	}
539	/***
540	f std::vector<DataTerm> get_data_terms(bool &)
541	returns the data terms bound to this oset.
542	??? If the oset is returned in a proof, these will all have values.
543	***/
544	std::vector<DataTerm> get_data_terms(bool &success) {
545	abac_term_t terms, end;
546	int i;
547	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset));
548	for (i = 0; terms[i] != NULL; ++i)
549	;
550	end = &terms[i];
551	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
552	abac_terms_free(terms);
553	success=1;
554	return dataterms;
555	}
556	/***
557	f int add_linking_data_term(DataTerm&)
558	add a data term to this oset's linking role's parameter set.
559	always returns 1
560	***/
561	int add_linking_data_term(DataTerm& d) {
562	abac_aspect_add_linked_param(m_oset, d.term());
563	return 1;
564	}
565	/***
566	f std::vector<DataTerm> get_linked_data_terms(bool &)
567	returns the data terms bound to this oset's linking role.
568	??? If the oset is returned in a proof, these will all have values.
569	***/
570	std::vector<DataTerm> get_linked_data_terms(bool &success) {
571	abac_term_t terms, end;
572	int i;
573	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset));
574	for (i = 0; terms[i] != NULL; ++i)
575	;
576	end = &terms[i];
577	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
578	abac_terms_free(terms);
579	success=1;
580	return dataterms;
581	}
582	/***
583	f abac_aspect_t *oset()
584	returns the internal libabac representation of the oset
585	***/
586	abac_aspect_t *oset() {return m_oset;}
587	private:
588	abac_aspect_t *m_oset;
589	};
590
591
592	/***
593	ABAC::ID
594	An ID holds a principal credential. It maybe imported from an existing
595	ID credential via external files, constructed from a streaming chunk,
596	or instantiated on the fly
597	***/
598	class ID {
599	public:
600	/***
601	f ID()
602	default constructor, do not use, for swig only
603	f ID(const ID &)
604	copy constructor, used for cloning an ID
605	f ~ID()
606	default destructor
607	***/
608	ID() : m_id(NULL) { } // do not use: here for swig
609	ID(const ID &id) { m_id =abac_id_dup(id.m_id); }
610	~ID() { if(m_id) abac_id_free(m_id); }
611	/*** ???
612	f ID(abac_id_t *)
613	constructor from abac_id_t
614	f ID(abac_id_credential_t *)
615	constructor from abac_id_t
616	***/
617	ID(abac_id_t *id): m_id(abac_id_dup(id))
618	{ }
619	ID(abac_id_credential_t *idcred) {
620	if(idcred)
621	m_id=abac_id_dup(abac_id_credential_id(idcred));
622	else m_id=NULL;
623	}
624
625	/***
626	f ID(char *)
627	load an ID cert from a file, will throw an exception
628	if the cert cannot be loaded
629	***/
630	ID(char *filename) {
631	m_id=abac_id_from_file(filename);
632	if(m_id==NULL)
633	abac_errx(1, "Id creation from filename failed");
634	}
635	/***
636	f ID(char *,int)
637	generates a new ID with the supplied CN and validity period
638	- CN must be alphanumeric and begin with a letter
639	- validity must be at least one second
640	will throw an exception if either of the above is violated
641	***/
642	ID(char *cn, int validity) {
643	int rt=abac_id_generate(&m_id, cn, validity);
644	if(rt != ABAC_ID_SUCCESS)
645	abac_errx(1, "Id creation failed");
646	}
647	/***
648	f void load_privkey(char *)
649	loads the private key associated with the ID credential
650	will throw an exception if the key cannot be loaded
651	***/
652	void load_privkey(char *filename) {
653	int rt=abac_id_load_privkey_file(m_id, filename);
654	if(rt != 1)
655	abac_errx(1, "Failed to load private key");
656	}
657	/***
658	f abac_id_t *id()
659	returns the abac_id_t
660	returns the interal libabac representation of this id
661	***/
662	abac_id_t *id() { return m_id; }
663
664	/***
665	f char *keyid()
666	returns the SHA1 keyid of the id cert
667	f char *name()
668	returns the CN (the parameter passed to the constructor or the
669	CN of the cert).
670	***/
671	char *keyid() { return abac_id_keyid(m_id); }
672	char *name() { return abac_id_cn(m_id); }
673	/***
674	f bool has_privkey()
675	returns true if the ID has an associated private key
676	***/
677	bool has_privkey()
678	{ return abac_id_has_privkey(m_id); }
679
680	/***
681	f void write_cert(FILE *)
682	writes a PEM-encoded cert to the file handle
683	f void write_cert(char *)
684	writes a PEM-encoded cert to a file named out
685	***/
686	void write_cert(FILE *out)
687	{ abac_id_write_cert(m_id, out); }
688	void write_cert(char *filename) {
689	FILE *out = fopen(filename, "a");
690	write_cert(out);
691	fclose(out);
692	}
693	/***
694	f void write_privkey(FILE *)
695	writes a PEM-encoded private key to the file handle
696	throws an exception if no private key is loaded
697	f void write_privkey(char *)
698	writes a PEM-encoded private key a file named out
699	throws an exception if no private key is loaded
700	***/
701	void write_privkey(FILE *out) {
702	if(!has_privkey())
703	abac_errx(1, "No privkey to write");
704	abac_id_write_privkey(m_id, out);
705	}
706	void write_privkey(char *filename) {
707	FILE *out = fopen(filename, "a");
708	write_privkey(out);
709	fclose(out);
710	}
711	/***
712	f abac_chunk_t cert_chunk()
713	returns a DER-encoded binary representation of the X.509 ID cert
714	associated with this ID.
715	can be passed to libabac's Context::load_id_chunk()
716	***/
717	abac_chunk_t cert_chunk()
718	{ return abac_id_cert_chunk(m_id); }
719	/***
720	f char *string()
721	returns literal string of the id credential
722	***/
723	char *string() {
724	char *tmp=NULL;
725	if(has_privkey())
726	asprintf(&tmp,"(%s,%s,y)",abac_id_name(m_id),abac_id_idtype_string(m_id));
727	else asprintf(&tmp,"(%s,%s,n)",abac_id_name(m_id),abac_id_idtype_string(m_id));
728	return tmp;
729	}
730	public:
731	abac_id_t *m_id;
732	};
733
734
735	/***
736	ABAC::Attribute
737	This is the attribute representation for the access policy rule
738	LHS <- RHS
739	The sequence of generation is to
740	first, instantiate the object, ie, LHS (head)
741	second, adding subject(s) to it, ie, RHS (tail)
742	and then baking it.
743	Only once it's baked can you access the X.509 cert.
744	Once it's been baked you can no longer add subjects to it
745	***/
746	class Attribute {
747	public:
748	/***
749	f Attribute()
750	default constructor, do not use, for swig only
751	f Attribute(const Attribute &)
752	copy constructor, used for cloning an attribute
753	f ~Attribute()
754	default destructor
755	***/
756	Attribute() : m_attr(NULL) { }
757	Attribute(const Attribute &id)
758	{ m_attr =abac_attribute_dup(id.m_attr); }
759	~Attribute()
760	{ if(m_attr) abac_attribute_free(m_attr); }
761	/***
762	f Attribute(abac_attribute_t *)
763	constructor that takes abac_attribute_t, locally used
764	f Attribute(abac_credential_t *)
765	constructor that takes abac_credential_t, locally used
766	***/
767	Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr))
768	{ }
769	Attribute(abac_credential_t *cred)
770	{ m_attr=abac_attribute_dup(abac_credential_attribute(cred)); }
771	/***
772	f Attribute(Role&, int)
773	constructor that creates an attribute policy to be signed by the issuer
774	with the given role with a specified validity period
775	An exception will be thrown if:
776	- the issuer has no private key
777	- the Head role is invalid
778	- the validity period is invalid (must be >= 1 second)
779	***/
780	Attribute(Role& head, int validity) {
781	int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity);
782	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
783	abac_errx(1, "attribute(role), unable to make an attribute");
784	}
785	/***
786	f Attribute(Oset&, int)
787	constructor that creates an attribute policy to be signed by the issuer
788	with the given oset with a specified validity period
789	An exception will be thrown if:
790	- the issuer has no private key
791	- the Head oset is invalid
792	- the validity period is invalid (must be >= 1 second)
793	***/
794	Attribute(Oset& head, int validity) {
795	int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity);
796	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
797	abac_errx(1, "attribute(oset), unable to make an attribute");
798	}
799	/***
800	f bool add_tail(Role&)
801	Add a role tail. Call multiple times for intersections
802	f bool add_tail(Oset&)
803	Add an oset tail. Call multiple times for intersections
804	***/
805	bool add_tail(Role& tail) {
806	if(abac_attribute_add_tail(m_attr, tail.role()))
807	return 1;
808	else return 0;
809	}
810	bool add_tail(Oset& tail) {
811	if(abac_attribute_add_tail(m_attr, tail.oset()))
812	return 1;
813	else return 0;
814	}
815	/***
816	f char *head_string()
817	returns literal string of head of the attribute
818	f char *tail_string()
819	returns literal string of tail of the attribute
820	***/
821	char *head_string() {
822	abac_aspect_t *head=abac_attribute_head(m_attr);
823	char *string=abac_aspect_string(head);
824	return string;
825	}
826	char *tail_string() {
827	abac_aspect_t *tail=abac_attribute_tail(m_attr);
828	char *string=abac_aspect_string(tail);
829	return string;
830	}
831	/***
832	f char *head_typed_string()
833	returns typed literal string of head of the attribute
834	f char *tail_typed_string()
835	returns typed literal string of tail of the attribute
836	***/
837	char *head_typed_string() {
838	abac_aspect_t *head=abac_attribute_head(m_attr);
839	char *string=abac_aspect_typed_string(head);
840	return string;
841	}
842	char *tail_typed_string() {
843	abac_aspect_t *tail=abac_attribute_tail(m_attr);
844	char *string=abac_aspect_typed_string(tail);
845	return string;
846	}
847	/***
848	f char *string()
849	returns literal string of the attribute
850	f char *typed_string()
851	returns typed literal string of the attribute
852	***/
853	char *string() {
854	char *head=head_string();
855	char *tail=tail_string();
856	if(head==NULL \|\| tail==NULL)
857	abac_errx(1, "attribute string, head and tail can not be NULL");
858	char *tmp=NULL;
859	asprintf(&tmp,"%s<-%s",head,tail);
860	return tmp;
861	}
862	char *typed_string() {
863	char *head=head_typed_string();
864	char *tail=tail_typed_string();
865	if(head==NULL \|\| tail==NULL)
866	abac_errx(1, "attribute string, head and tail can not be NULL");
867	char *tmp=NULL;
868	asprintf(&tmp,"%s<-%s",head,tail);
869	return tmp;
870	}
871	/*** ??? not sure about implmentation
872	f const Role &role_head()
873	returns the head role
874	f const Oset &oset_head()
875	returns the oset head
876	***/
877	const Role &role_head() {
878	abac_aspect_t *head=abac_attribute_head(m_attr);
879	static Role role=Role(head);
880	return role;
881	}
882	const Oset &oset_head() {
883	abac_aspect_t *head=abac_attribute_tail(m_attr);
884	static Oset oset=Oset(head);
885	return oset;
886	}
887	/*** ???
888	f std::vector<Role> role_tails(bool &)
889	retrieve tail role which maybe more than 1 if intersecting
890	f std::vector<Oset> oset_tails(bool &)
891	retrieve tail oset which maybe more than 1 if intersecting
892	***/
893	std::vector<Role> role_tails(bool &success) {
894	abac_aspect_t tails, end;
895	int i;
896	/* make sure it is role */
897	if(!abac_attribute_is_role(m_attr)) {
898	success=0;
899	abac_errx(1, "role_tails, attribute is not a role");
900	}
901	tails = abac_attribute_tail_vectorized(m_attr);
902	for (i = 0; tails[i] != NULL; ++i)
903	;
904	end = &tails[i];
905	std::vector<Role> roles = std::vector<Role>(tails, end);
906	abac_aspects_free(tails);
907	success=1;
908	return roles;
909	}
910	std::vector<Oset> oset_tails(bool &success) {
911	abac_aspect_t tails, end;
912	int i;
913	/* make sure that tail is not role */
914	if(abac_attribute_is_role(m_attr)) {
915	success=0;
916	abac_errx(1, "oset_tails, attribute is not an oset");
917	}
918	tails = abac_attribute_tail_vectorized(m_attr);
919	for (i = 0; tails[i] != NULL; ++i)
920	;
921	end = &tails[i];
922	std::vector<Oset> osets = std::vector<Oset>(tails, end);
923	success=1;
924	abac_aspects_free(tails);
925	return osets;
926	}
927	/***
928	f abac_attribute_t *attribute()
929	return libabac structure for attribute
930	***/
931	abac_attribute_t *attribute() { return m_attr; }
932
933	/***
934	f bool bake()
935	Generate the cert. Call this after you've added subjects to your cert.
936	This returns false if there are no subjects
937	This will throw an exception if the cert's already been baked.
938	***/
939	bool bake() {
940	/* can not bake in ABAC_CN mode */
941	if(USE("ABAC_CN"))
942	abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set");
943	int rt=abac_attribute_bake(m_attr);
944	if(rt!=1)
945	abac_errx(1, "bake, can not bake the cert");
946	}
947	/***
948	f bool baked()
949	returns true iff the cert has been baked.
950	***/
951	bool baked()
952	{ return abac_attribute_baked(m_attr); }
953
954	/***
955	f void write_cert(FILE *)
956	write the DER-encoded X.509 attribute cert to the open file handle
957	Throws an exception if the cert isn't baked
958	***/
959	void write_cert(FILE *out) {
960	int rt= abac_attribute_write(m_attr,out);
961	if(!rt)
962	abac_errx(1, "write, cert is not baked");
963	}
964	/***
965	f void write_cert(char *)
966	write the DER-encoded X.509 attribute cert to a file named out
967	Throws an exception if the cert isn't baked
968	***/
969	void write_cert(char *filename) {
970	FILE *out = fopen(filename, "w");
971	write_cert(out);
972	fclose(out);
973	}
974	/***
975	f abac_chunk_t cert_chunk()
976	returns a DER-encoded binary representation of the X.509 attribute
977	cert associated with this cert
978	Throws an exception if the cert isn't baked
979	the chunk can be passed to libabac's Context::load_attribute_chunk()
980	***/
981	abac_chunk_t cert_chunk()
982	{ return abac_attribute_cert_chunk(m_attr); }
983
984	/***
985	f int consume()
986	generate yap clauses and injected into db
987	***/
988	int consume() {
989	/* attribute needs to be baked */
990	if(!baked()) {
991	return ABAC_ATTRIBUTE_FAIL;
992	}
993	}
994	private:
995	abac_attribute_t *m_attr;
996	};
997
998
999	/***
1000	ABAC::Context
1001	An ABAC Context
1002	***/
1003	class Context {
1004	public:
1005	/***
1006	f Context()
1007	default constructor
1008	f Context(const Context &)
1009	copy constructor, used for cloning the context
1010	f ~Context()
1011	default destructor
1012	***/
1013	Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); }
1014	Context(const Context &context) {
1015	m_ctx = abac_context_dup(context.m_ctx);
1016	m_abac_version=strdup(context.m_abac_version);
1017	}
1018	~Context() {
1019	abac_context_free(m_ctx);
1020	if(m_abac_version) free(m_abac_version);
1021	}
1022	/***
1023	f void dump_yap()
1024	dump the complete yap prolog database
1025	***/
1026	void dump_yap()
1027	{ show_yap_db("dump_yap"); }
1028
1029	/***
1030	f int load_id(ABAC::ID&)
1031	load id cert from ID
1032	f int load_id_file(char *)
1033	load id cert from an idkey combo file. key retrieval will be attempt
1034	but won't fail if not found
1035	f int load_id_file(char , char )
1036	load id cert from an id file and a key file
1037	f int load_id_chunk(abac_chunk_t)
1038	load id cert from a chunk structure
1039	returns:
1040	ABAC_CERT_SUCCESS successfully loaded
1041	ABAC_CERT_INVALID invalid certificate (or file not found)
1042	ABAC_CERT_BAD_SIG invalid signature
1043	***/
1044	int load_id(ABAC::ID& id)
1045	{ return abac_context_load_id_id(m_ctx, id.id()); }
1046	int load_id_file(char *filename)
1047	{ return abac_context_load_id_idkey_file(m_ctx, filename); }
1048	int load_id_file(char filename, char keyfilename)
1049	{ return abac_context_load_id_id_file_key_file(m_ctx, filename, keyfilename); }
1050	int load_id_chunk(abac_chunk_t cert)
1051	{ return abac_context_load_id_chunk(m_ctx, cert); }
1052
1053	/***
1054	f int load_attribute(ABAC::Attribute&)
1055	load attribute credential from attribute structure
1056	f int load_attribute_file(char *)
1057	load attribute credential from a file
1058	f int load_attribute_chunk(abac_chunk_t)
1059	load attribute credential from a chunk
1060	f returns the same values as above, additionally
1061	returns ABAC_CERT_MISSING_ISSUER if the issuer
1062	certificate has not been loaded
1063	***/
1064	int load_attribute(ABAC::Attribute& a)
1065	{ return abac_context_load_attribute_attribute(m_ctx, a.attribute()); }
1066	int load_attribute_file(char *filename)
1067	{ return abac_context_load_attribute_file(m_ctx, filename); }
1068	int load_attribute_chunk(abac_chunk_t cert)
1069	{ return abac_context_load_attribute_chunk(m_ctx, cert); }
1070
1071	/***
1072	f void load_directory(char *)
1073	load a directory full of certificates:
1074	f first: ${path}/*_ID.{der,pem} as identity certificates
1075	implicitly looking for ${path}/*_private.{der,pem} as
1076	the private key file
1077	then: ${path}/*_IDKEY.{der,pem} as id/key combo certificate
1078	last: ${path}/*_attr.der as attribute certificates
1079	***/
1080	void load_directory(char *path)
1081	{ abac_context_load_directory(m_ctx, path); }
1082	/***
1083	f std::vector<Attribute> query(char , char , bool &)
1084	the string version is for query that is composed by hand with SHA or
1085	in non ABAC_CN mode
1086	f std::vector<Attribute> query(Role &, Role &, bool &)
1087	std::vector<Attribute> query(Oset &, Oset &, bool &)
1088	runs the query:
1089	role <-?- principal
1090	oset <-?- principal/obj
1091	returns true/false in success
1092	returns a proof upon success,
1093	partial proof on failure (not implemented yet)
1094	***/
1095	std::vector<Attribute> query(char role, char principal, bool &success) {
1096	abac_credential_t creds, end;
1097	int i, success_int;
1098
1099	creds = abac_context_query(m_ctx, role, principal, &success_int);
1100	success = success_int;
1101
1102	for (i = 0; creds[i] != NULL; ++i)
1103	;
1104
1105	end = &creds[i];
1106	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1107	if(debug) printf("query, got rules(%d)\n", i);
1108
1109	abac_context_credentials_free(creds);
1110
1111	return attributes;
1112	}
1113
1114	std::vector<Attribute> query(Role &role, Role &p_role, bool &success) {
1115	abac_credential_t creds, end;
1116	int i, success_int;
1117
1118	creds = abac_context_query_with_structure(m_ctx, role.role(), p_role.role(), &success_int);
1119	success = success_int;
1120
1121	for (i = 0; creds[i] != NULL; ++i)
1122	;
1123
1124	end = &creds[i];
1125	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1126
1127	abac_context_credentials_free(creds);
1128
1129	return attributes;
1130	}
1131
1132	std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) {
1133	abac_credential_t creds, end;
1134	int i, success_int;
1135
1136	creds = abac_context_query_with_structure(m_ctx, oset.oset(), p_oset.oset(), &success_int);
1137	success = success_int;
1138
1139	for (i = 0; creds[i] != NULL; ++i)
1140	;
1141
1142	end = &creds[i];
1143	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1144	if(debug) printf("query, returning rules(%d)\n", i);
1145
1146	abac_context_credentials_free(creds);
1147
1148	return attributes;
1149	}
1150
1151	/***
1152	f std::vector<Attribute> context_credentials(bool &)
1153	returns a vector of all the credentials loaded in the context
1154	extracted from the internal data structure
1155	***/
1156	std::vector<Attribute> context_credentials(bool &success) {
1157	abac_credential_t creds, end;
1158	int i;
1159	success = 1;
1160
1161	creds = abac_context_credentials(m_ctx);
1162	for (i = 0; creds[i] != NULL; ++i)
1163	;
1164
1165	end = &creds[i];
1166	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
1167	if(debug) printf("credentials, got (%d)\n", i);
1168
1169	abac_context_credentials_free(creds);
1170	if(debug) show_yap_db("calling from context_credentials");
1171	return attributes;
1172	}
1173
1174	/***
1175	f std::vector<Attribute> context_principals(bool &)
1176	returns a vector of all the principals loaded in the context
1177	extracted from the internal data structure
1178	***/
1179	std::vector<ID> context_principals(bool &success) {
1180	abac_id_credential_t ids, end;
1181	int i;
1182	success = 1;
1183
1184	ids = abac_context_principals(m_ctx);
1185	for (i = 0; ids[i] != NULL; ++i)
1186	;
1187
1188	end = &ids[i];
1189	std::vector<ID> principals = std::vector<ID>(ids, end);
1190	if(debug) printf("principals, got (%d)\n", i);
1191
1192	abac_context_principals_free(ids);
1193	return principals;
1194	}
1195	/***
1196	f char *version()
1197	return the version of this interface
1198	***/
1199	char *version() const { return m_abac_version; }
1200
1201	private:
1202	abac_context_t *m_ctx;
1203	char *m_abac_version;
1204	};
1205
1206	Constraint::Constraint(Role& role)
1207	{ m_constraint=abac_condition_create_from_aspect(role.role()); }
1208	Constraint::Constraint(Oset &oset)
1209	{ m_constraint=abac_condition_create_from_aspect(oset.oset()); }
1210	}
1211
1212	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: