Context Navigation

source: libabac/abac_attribute.c @ bc12f3d

abac0-leakabac0-meitvf-new-xml

Last change on this file since bc12f3d was bc12f3d, checked in by Ted Faber <faber@…>, 11 years ago
Allow user to specify credential output format
Property mode set to `100644`
File size: 12.7 KB

Line
1
2	/* abac_attribute.c */
3
4	#define _GNU_SOURCE
5	#include <stdio.h>
6	#include <assert.h>
7	#include <ctype.h>
8	#include <string.h>
9	#include <time.h>
10
11	#include "libabac_common.h"
12	#include "abac_list.h"
13	#include "abac_util.h"
14	#include "abac_xml.h"
15
16	#define ROLE_SEPARATOR " <- "
17	#define INTERSECTION_SEP " & "
18	#define SHA1_LENGTH 40
19
20	#define DEFAULT_OUTPUT_FORMAT "GENIv1.1"
21
22	static int debug=0;
23
24	// a GENI XML attribute chunk might contain multiple
25	// attribute rules. It will be translate into multiple
26	// abac_attribute structures but with cert ptr pointing
27	// to the same xml chunk
28	// issuer can be missing but then it won't be bakable
29	// unless it is baked just for creddy's roles call
30	struct _abac_attribute_t {
31	abac_id_t *issuer_id;
32	char *role;
33	long validity;
34	int ntails;
35
36	char *head_string;
37	char **tail_strings;
38	char *output_format;
39
40	abac_chunk_t cert; // the XML chunk
41	};
42
43	char abac_attribute_role_string(abac_attribute_t attr);
44	extern abac_id_t abac_verifier_lookup_id(abac_list_t, char *keyid);
45	static char _validate_principal(char keyid);
46
47	/************************************************************/
48	abac_chunk_t abac_attribute_cert(abac_attribute_t *ptr)
49	{
50	assert(ptr);
51	return ptr->cert;
52	}
53
54	abac_id_t abac_attribute_issuer_id(abac_attribute_t ptr)
55	{
56	assert(ptr);
57	return ptr->issuer_id;
58	}
59
60	/* Get the format for this attribute to be output in. This is NULL if the
61	* attribute has been read from a file. */
62	char abac_attribute_get_output_format(abac_attribute_t a) {
63	return a->output_format;
64	}
65
66	/* Set the format for this attribute to be output in. Valid formats are:
67	* GENIv1.0
68	* GENIv1.1
69	*/
70	void abac_attribute_set_output_format(abac_attribute_t a, char fmt) {
71	if (a->output_format)
72	free(a->output_format);
73	a->output_format = abac_xstrdup(fmt);
74	}
75
76
77	// validity is measured in seconds (as of 0.2.0)
78	// Acme.customer
79	int abac_attribute_create(abac_attribute_t *ret, abac_id_t issuer_id, char *role, long validity) {
80	libabac_init();
81	if (!abac_id_has_privkey(issuer_id))
82	return ABAC_ATTRIBUTE_ISSUER_NOKEY;
83	if (!abac_clean_name(role))
84	return ABAC_ATTRIBUTE_INVALID_ROLE;
85	if (validity < 0)
86	return ABAC_ATTRIBUTE_INVALID_VALIDITY;
87	if (!abac_id_still_valid(issuer_id))
88	return ABAC_ATTRIBUTE_INVALID_ISSUER;
89
90	if(validity == 0) validity = (long)(606024*(365));
91
92	abac_attribute_t *attr = abac_xmalloc(sizeof(abac_attribute_t));
93	if(issuer_id) attr->issuer_id = abac_id_dup(issuer_id);
94	else attr->issuer_id = NULL;
95	attr->role = abac_xstrdup(role);
96	attr->validity = validity;
97
98	attr->head_string = NULL;
99	asprintf(&attr->head_string,"%s.%s",abac_id_keyid(issuer_id),role);
100	attr->ntails = 0;
101	attr->tail_strings = NULL;
102
103	attr->output_format = abac_xstrdup(DEFAULT_OUTPUT_FORMAT);
104
105	// NULL until baked
106	attr->cert.ptr=NULL;
107	attr->cert.len=0;
108
109	*ret = attr;
110	return ABAC_SUCCESS;
111	}
112
113	/**
114	* Get the validity period.(xml module returns the diff from expire time - now()
115	*/
116	int abac_attribute_validity(abac_attribute_t attr,struct tm not_before,struct tm *not_after) {
117	assert(attr);
118	memset(not_before, 0, sizeof(struct tm));
119	memset(not_after, 0, sizeof(struct tm));
120
121	time_t now;
122	time(&now);
123	gmtime_r(&now, not_before);
124	char xml=(char )attr->cert.ptr;
125	long validity=get_validity_from_xml(xml);
126
127	time_t etime = now + validity;
128	gmtime_r(&etime, not_after);
129
130	if(debug) fprintf(stderr,"validity from the xml blob is %ld\n",validity);
131	if(validity == 0)
132	return ABAC_FAILURE;
133	return ABAC_SUCCESS;
134	}
135
136	int abac_attribute_still_valid(abac_attribute_t *attr)
137	{
138	assert(attr);
139	assert(attr->cert.ptr);
140	long v=get_validity_from_xml((char *)attr->cert.ptr);
141	if (v > 0.0)
142	return 1;
143	else return 0;
144	}
145
146	int abac_attribute_add_tail(abac_attribute_t attr, char string) {
147	assert(attr);
148
149	char **old_tail = attr->tail_strings;
150	int newsize = (attr->ntails+1)sizeof(char );
151
152	if ( !(attr->tail_strings = realloc(attr->tail_strings, newsize))) {
153	attr->tail_strings = old_tail;
154	return 0;
155	}
156	attr->tail_strings[attr->ntails++] = abac_xstrdup(string);
157	return 1;
158	}
159
160
161	void abac_attribute_set_head(abac_attribute_t attr, char string)
162	{
163	assert(attr);
164	attr->head_string=string;
165	}
166
167	char abac_attribute_get_head(abac_attribute_t attr)
168	{
169	assert(attr);
170	return attr->head_string;
171	}
172
173	/*
174	* Return the number of tail strings
175	*/
176	int abac_attribute_get_ntails(abac_attribute_t *attr) {
177	assert(attr);
178	return attr->ntails;
179	}
180
181	/*
182	* Return the nth tail string or NULL if it is undefined
183	*/
184
185	char abac_attribute_get_tail_n(abac_attribute_t attr, int n) {
186	assert(attr);
187	if ( n < 0 \|\| n > attr->ntails) return NULL;
188	return attr->tail_strings[n];
189	}
190
191
192	/* A.b->C, return copy of a A */
193	char abac_attribute_get_principal(abac_attribute_t attr)
194	{
195	char *role_string=abac_attribute_role_string(attr);
196	/* make an copy */
197	char *tmp=strdup(role_string);
198	char *head_tail[2];
199	int ret = 2;
200	abac_split(tmp, "<-", head_tail, &ret);
201	if (ret != 2) goto err;
202	abac_split(head_tail[0], ".", head_tail, &ret);
203	if (ret != 2) goto err;
204	char *prin=strdup(head_tail[0]);
205	free(tmp);
206	return prin;
207
208	err:
209	free(tmp);
210	return NULL;
211	}
212
213	int abac_attribute_principal(abac_attribute_t attr, char keyid) {
214	char *copy = _validate_principal(keyid);
215	if (copy == NULL)
216	return 0;
217
218	return abac_attribute_add_tail(attr,copy);
219	}
220
221	int abac_attribute_role(abac_attribute_t attr, char keyid, char *role) {
222	if (!abac_clean_name(role))
223	return 0;
224
225	char *copy = _validate_principal(keyid);
226	char *newcopy=NULL;
227	if (copy == NULL)
228	return 0;
229
230	asprintf(&newcopy,"%s.%s", copy,role);
231	free(copy);
232	return abac_attribute_add_tail(attr, newcopy);
233	}
234
235	int abac_attribute_linking_role(abac_attribute_t attr, char keyid, char role, char linked) {
236	if (!abac_clean_name(role) \|\| !abac_clean_name(linked))
237	return 0;
238
239	char *copy = _validate_principal(keyid);
240	if (copy == NULL)
241	return 0;
242
243	char *newcopy=NULL;
244	asprintf(&newcopy,"%s.%s.%s", copy,role,linked);
245	free(copy);
246	return abac_attribute_add_tail(attr, newcopy);
247	}
248
249
250
251	// 0 for fail to bake, 1 is baked okay
252	int abac_attribute_bake(abac_attribute_t *attr) {
253	assert(attr);
254	assert(attr->head_string);
255	assert(attr->tail_strings);
256
257	abac_chunk_t id_chunk = { NULL, 0 };
258	int ret=abac_id_PEM(attr->issuer_id, &id_chunk);
259	if(ret != ABAC_CERT_SUCCESS)
260	return 0;
261
262	/* Make an new GENI abac credential with the rt0 rule that expires secs from
263	* now. cert is the PEM encoded X.509 of the issuer's certificate as a string.
264	* certlen is the length of cert. Returns the XML. Caller is responsible for
265	* freeing it. */
266	char attr_cert=make_credential(attr, attr->validity, (char )id_chunk.ptr, id_chunk.len);
267
268	if (attr_cert == NULL)
269	return 0;
270
271	attr->cert.ptr = (unsigned char *)attr_cert;
272	attr->cert.len = strlen(attr_cert);
273
274	/* free(role_string); */
275	return 1;
276	}
277
278	// make an explicit copy
279	abac_chunk_t abac_attribute_cert_chunk(abac_attribute_t *attr) {
280	abac_chunk_t chunk= {NULL,0};
281
282	if (attr->cert.ptr == NULL)
283	return chunk;
284
285	/* return the xml chunk */
286	chunk.ptr= (unsigned char )abac_xstrdup((char )attr->cert.ptr);
287	chunk.len=attr->cert.len;
288	return chunk;
289	}
290
291	int abac_attribute_baked(abac_attribute_t *attr) {
292	return (attr->cert.ptr != NULL);
293	}
294
295
296	static abac_attribute_t _load_attr(abac_list_t id_certs,char rstring, char xml)
297	{
298	/* make a copy of rle_string */
299	char *role_string=abac_xstrdup(rstring);
300
301	if(debug) fprintf(stderr,"loading -> %s \n", role_string);
302
303	char *head_tail[2];
304	char *role_rest[2];
305	int ret = 2;
306	abac_split(role_string, "<-", head_tail, &ret);
307	if (ret != 2) return NULL;
308
309	char *keyid=get_keyid_from_xml(xml);
310	abac_id_t *issuer_id=abac_verifier_lookup_id(id_certs,keyid);
311
312	long validity=get_validity_from_xml(xml);
313
314	abac_attribute_t *attr = abac_xmalloc(sizeof(abac_attribute_t));
315	if(issuer_id)
316	attr->issuer_id = abac_id_dup(issuer_id);
317	else attr->issuer_id=NULL;
318	attr->validity = validity;
319
320	attr->head_string = abac_xstrdup(head_tail[0]);
321	do {
322	ret = 2;
323	abac_split(head_tail[1], " & ", role_rest, &ret);
324	abac_attribute_add_tail(attr, abac_xstrdup(role_rest[0]));
325	head_tail[1] =role_rest[1];
326	} while (ret == 2);
327
328	char *tmp=strstr(attr->head_string,".");
329	attr->role =abac_xstrdup(tmp+1);
330
331	attr->cert.ptr=(unsigned char *)abac_xstrdup(xml);
332	attr->cert.len=strlen(xml);
333	attr->output_format = NULL;
334
335	return attr;
336	}
337
338	abac_list_t abac_attribute_certs_from_file(abac_list_t id_certs,char *filename)
339	{
340	libabac_init();
341	abac_list_t *alist=abac_list_new();
342	char *xml=NULL;
343	char *rt0=NULL;
344
345	char *rt0s=read_credential((void )id_certs,filename, &xml);
346	if(rt0s == NULL) return alist;
347	if(xml == NULL \|\| strlen(xml)==0) return alist;
348
349	abac_attribute_t *attr;
350
351	int i=0;
352	do {
353	rt0 = rt0s[i];
354	if(rt0 == NULL) break;
355	attr=_load_attr(id_certs,rt0, xml);
356	if(attr)
357	abac_list_add(alist, attr);
358	free(rt0);
359	i++;
360	} while (rt0s[i] !=NULL);
361
362	free(rt0s);
363	free(xml);
364
365	return alist;
366	}
367
368	abac_list_t abac_attribute_certs_from_chunk(abac_list_t id_certs,abac_chunk_t chunk) {
369	libabac_init();
370
371	abac_list_t *alist=abac_list_new();
372	char xml=(char )chunk.ptr;
373	if(chunk.len==0) return alist;
374
375	char *rt0s=get_rt0_from_xml((void ) id_certs,xml);
376	char *rt0=NULL;
377	if(rt0s==NULL) return alist;
378
379	abac_attribute_t *attr;
380	int i=0;
381	do {
382	rt0 = rt0s[i];
383	if(rt0 == NULL) break;
384	attr=_load_attr(id_certs,rt0, xml);
385	if(attr)
386	abac_list_add(alist, attr);
387	free(rt0);
388	i++;
389	} while (rt0s[i] !=NULL);
390
391	free(rt0s);
392	return alist;
393	}
394
395	// returns ABAC_FAILURE if the cert hasn't been baked
396	int abac_attribute_write(abac_attribute_t attr, FILE out) {
397	assert(attr != NULL);
398
399	if (attr->cert.ptr == NULL)
400	return ABAC_FAILURE;
401
402	// write to file
403	fwrite(attr->cert.ptr, attr->cert.len, 1, out);
404
405	return ABAC_SUCCESS;
406	}
407
408	// returns ABAC_FAILURE if the cert hasn't been baked
409	int abac_attribute_write_file(abac_attribute_t attr, const char fname) {
410	if (attr->cert.ptr == NULL)
411	return ABAC_FAILURE;
412
413	FILE *fp=fopen(fname,"w+");
414	if(fp) {
415	// write to file
416	fwrite(attr->cert.ptr, attr->cert.len, 1, fp);
417	} else return ABAC_FAILURE;
418	fclose(fp);
419
420	return ABAC_SUCCESS;
421	}
422
423
424	void abac_attribute_free(abac_attribute_t *attr) {
425
426	if(debug) fprintf(stderr,"calling abac_attribute_free on %s\n", attr->head_string);
427	int i = 0;
428
429	if (attr == NULL)
430	return;
431
432	if(attr->issuer_id) abac_id_free(attr->issuer_id);
433
434	free(attr->role);
435	free(attr->head_string);
436	for (i=0; i < attr->ntails; i++)
437	free(attr->tail_strings[i]);
438	free(attr->tail_strings);
439	if ( attr->output_format )
440	free(attr->output_format);
441
442	/* XXX this can not be free as if it is a char string
443	free(attr->cert.ptr);
444	*/
445
446	free(attr);
447	}
448
449	//
450	// Helper functions below
451	//
452
453	// validate a princpal's name
454	// makes sure it's a valid SHA1 identifier
455	// return values:
456	// success: malloc'd copy with all hex digits lowercase
457	// fail: NULL
458	static char _validate_principal(char keyid) {
459	int i;
460	char *copy = NULL;
461
462	if (strlen(keyid) != SHA1_LENGTH)
463	return NULL;
464
465	copy = abac_xstrdup(keyid);
466	for (i = 0; i < SHA1_LENGTH; ++i) {
467	copy[i] = tolower(copy[i]);
468	if (!isxdigit(copy[i]))
469	goto error;
470	}
471
472	return copy;
473
474	error:
475	free(copy);
476	return NULL;
477	}
478
479	static int abac_attribute_role_string_size(abac_attribute_t *attr) {
480	int sz = 3; /* Start with the end of string character and <-*/
481	int i; /* Scratch */
482
483	if ( !attr) return sz;
484	if ( attr->head_string)
485	sz += strlen(attr->head_string);
486	for (i = 0; i < attr->ntails; i++)
487	if ( attr->tail_strings[i])
488	sz += strlen(attr->tail_strings[i]);
489	/* " & " between each pair of tails */
490	sz += 3 * (attr->ntails-1);
491	return sz;
492	}
493
494	// combine up the attribute's rule string, explicit copy
495	char abac_attribute_role_string(abac_attribute_t attr) {
496	assert(attr);
497
498	int sz = abac_attribute_role_string_size(attr);
499	char *role_string=abac_xmalloc(sz);
500	int i;
501
502	if ( !role_string) return NULL;
503
504	sz -= snprintf(role_string, sz, "%s<-", attr->head_string);
505	for ( i = 0 ; i < attr->ntails; i++ ) {
506	if ( i > 0 ) {
507	strncat(role_string, " & ", 3);
508	sz -= 3;
509	}
510	strncat(role_string,attr->tail_strings[i], sz);
511
512	sz -= strlen(attr->tail_strings[i]);
513	if (sz < 0 ) return NULL;
514	}
515	return role_string;
516	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: