[d4cbf71] | 1 | #include <assert.h> |
---|
[379a53f] | 2 | #include <stdlib.h> |
---|
[d4cbf71] | 3 | |
---|
[06293d1] | 4 | #include "abac_graph.h" |
---|
[cb0f2b2] | 5 | |
---|
[2fd24c7] | 6 | #include "abac_set.h" |
---|
[3c251d0] | 7 | #include "abac_util.h" |
---|
[d4cbf71] | 8 | |
---|
[f46412c] | 9 | #include "uthash.h" |
---|
| 10 | |
---|
| 11 | // vertex |
---|
[06293d1] | 12 | struct _abac_vertex_t { |
---|
[1743825] | 13 | abac_role_t *role; |
---|
[f46412c] | 14 | char *name; |
---|
| 15 | |
---|
[6d5623e] | 16 | abac_list_t *edges; |
---|
[f46412c] | 17 | |
---|
[0eb4a8e] | 18 | // only relevant to intersection edges |
---|
| 19 | abac_list_t *prereqs; |
---|
| 20 | |
---|
[f46412c] | 21 | UT_hash_handle hh; |
---|
| 22 | }; |
---|
| 23 | |
---|
[ae72c5d] | 24 | // edge |
---|
[06293d1] | 25 | typedef struct _abac_edge_t { |
---|
| 26 | abac_vertex_t *vertex; |
---|
[401a054] | 27 | abac_credential_t *credential; |
---|
[06293d1] | 28 | } abac_edge_t; |
---|
[ae72c5d] | 29 | |
---|
[f46412c] | 30 | // derived edge |
---|
[06293d1] | 31 | typedef struct _abac_derived_key_t { |
---|
| 32 | abac_vertex_t *head; |
---|
| 33 | abac_edge_t *tail; |
---|
| 34 | } abac_derived_key_t; |
---|
[f46412c] | 35 | |
---|
[06293d1] | 36 | typedef struct _abac_derived_t { |
---|
| 37 | abac_derived_key_t key; |
---|
[f46412c] | 38 | UT_hash_handle hh; |
---|
[06293d1] | 39 | } abac_derived_t; |
---|
[f46412c] | 40 | |
---|
| 41 | // graph |
---|
[06293d1] | 42 | struct _abac_graph_t { |
---|
| 43 | abac_vertex_t *vertices; |
---|
| 44 | abac_derived_t *derived; |
---|
[f46412c] | 45 | int dirty; |
---|
| 46 | }; |
---|
[0ec9e25] | 47 | |
---|
[0eb4a8e] | 48 | // ugghhhghhhghh need this for intersections |
---|
| 49 | abac_list_t *abac_credential_prereqs(abac_credential_t *); |
---|
| 50 | |
---|
| 51 | /** |
---|
| 52 | * True iff a vertex is linking. |
---|
| 53 | */ |
---|
| 54 | static inline int _vertex_is_intersection(abac_vertex_t *vertex) { |
---|
| 55 | return vertex->role == NULL; |
---|
| 56 | } |
---|
| 57 | |
---|
[0ec9e25] | 58 | /** |
---|
| 59 | * Create a new graph. |
---|
| 60 | */ |
---|
[06293d1] | 61 | abac_graph_t *abac_graph_new(void) { |
---|
[3c251d0] | 62 | abac_graph_t *graph = abac_xmalloc(sizeof(abac_graph_t)); |
---|
[82aeefa] | 63 | |
---|
| 64 | graph->vertices = NULL; |
---|
[6188f4e] | 65 | graph->derived = NULL; |
---|
[82aeefa] | 66 | graph->dirty = 0; |
---|
| 67 | |
---|
| 68 | return graph; |
---|
| 69 | } |
---|
[d4cbf71] | 70 | |
---|
[b26942d] | 71 | /** |
---|
| 72 | * Deep copy a graph. |
---|
| 73 | */ |
---|
[06293d1] | 74 | abac_graph_t *abac_graph_dup(abac_graph_t *graph) { |
---|
| 75 | abac_vertex_t *vertex; |
---|
| 76 | abac_edge_t *edge; |
---|
[b26942d] | 77 | |
---|
[06293d1] | 78 | abac_graph_t *clone = abac_graph_new(); |
---|
[b26942d] | 79 | |
---|
| 80 | // copy the vertices edge by edge |
---|
| 81 | for (vertex = graph->vertices; vertex != NULL; vertex = vertex->hh.next) |
---|
[6d5623e] | 82 | abac_list_foreach(vertex->edges, edge, |
---|
[b26942d] | 83 | // only copy non-derived edges |
---|
[401a054] | 84 | if (edge->credential != NULL) |
---|
| 85 | abac_graph_add_credential(clone, edge->credential); |
---|
[b26942d] | 86 | ); |
---|
| 87 | |
---|
| 88 | return clone; |
---|
| 89 | } |
---|
| 90 | |
---|
[d4cbf71] | 91 | /** |
---|
[401a054] | 92 | * Add a vertex to the graph. Should only be called by abac_graph_add_credential. |
---|
[d4cbf71] | 93 | */ |
---|
[06293d1] | 94 | static abac_vertex_t *_get_vertex(abac_graph_t *graph, abac_role_t *role) { |
---|
| 95 | abac_vertex_t *vertex; |
---|
[c28bd8b] | 96 | char *string; |
---|
| 97 | |
---|
[dcc1a8e] | 98 | string = abac_role_string(role); |
---|
[82aeefa] | 99 | HASH_FIND_STR(graph->vertices, string, vertex); |
---|
[c28bd8b] | 100 | |
---|
| 101 | // add the vertex if it doesn't exist |
---|
| 102 | if (vertex == NULL) { |
---|
[3c251d0] | 103 | vertex = abac_xmalloc(sizeof(abac_vertex_t)); |
---|
[dcc1a8e] | 104 | vertex->role = abac_role_dup(role); |
---|
| 105 | vertex->name = abac_role_string(vertex->role); |
---|
[d4cbf71] | 106 | |
---|
[379a53f] | 107 | // create the list of edges |
---|
[6d5623e] | 108 | vertex->edges = abac_list_new(); |
---|
[d4cbf71] | 109 | |
---|
[0eb4a8e] | 110 | // for intersections, always NULL on normal vertices |
---|
| 111 | vertex->prereqs = NULL; |
---|
| 112 | |
---|
| 113 | // add it to the vertices |
---|
| 114 | HASH_ADD_KEYPTR(hh, graph->vertices, vertex->name, strlen(vertex->name), vertex); |
---|
| 115 | } |
---|
| 116 | |
---|
| 117 | return vertex; |
---|
| 118 | } |
---|
| 119 | |
---|
| 120 | /** |
---|
| 121 | * convert a list of prereqs to a string suitable for use as a hash key |
---|
| 122 | * format: role & role & ... & role |
---|
| 123 | */ |
---|
| 124 | static char *_prereq_key(abac_list_t *prereqs) { |
---|
| 125 | abac_role_t *role; |
---|
| 126 | char *string; |
---|
| 127 | int i = 0, size; |
---|
| 128 | size_t len = 0; |
---|
| 129 | |
---|
| 130 | // find the required size |
---|
| 131 | abac_list_foreach(prereqs, role, |
---|
| 132 | len += strlen(abac_role_string(role)) + 3; |
---|
| 133 | ); |
---|
| 134 | |
---|
| 135 | string = abac_xmalloc(len); |
---|
| 136 | string[0] = '\0'; |
---|
| 137 | |
---|
| 138 | size = abac_list_size(prereqs); |
---|
| 139 | |
---|
| 140 | // concat the names |
---|
| 141 | abac_list_foreach(prereqs, role, |
---|
| 142 | strcat(string, abac_role_string(role)); |
---|
| 143 | if (i++ < size - 1) |
---|
| 144 | strcat(string, " & "); |
---|
| 145 | ); |
---|
| 146 | |
---|
| 147 | return string; |
---|
| 148 | } |
---|
| 149 | |
---|
| 150 | /** |
---|
| 151 | * Find/create intersection vertex. Only called by abac_graph_add_credential. |
---|
| 152 | */ |
---|
| 153 | static abac_vertex_t *_get_intersection_vertex(abac_graph_t *graph, abac_credential_t *cred) { |
---|
| 154 | abac_role_t *role, *tail_role; |
---|
| 155 | abac_vertex_t *vertex; |
---|
| 156 | |
---|
| 157 | abac_list_t *prereqs = abac_credential_prereqs(cred); |
---|
| 158 | char *string = _prereq_key(prereqs); |
---|
| 159 | HASH_FIND_STR(graph->vertices, string, vertex); |
---|
| 160 | |
---|
| 161 | // add the vertex if it doesn't exist |
---|
| 162 | if (vertex == NULL) { |
---|
| 163 | vertex = abac_xmalloc(sizeof(abac_vertex_t)); |
---|
| 164 | vertex->role = NULL; |
---|
| 165 | vertex->name = string; |
---|
| 166 | |
---|
| 167 | // create the list of edges |
---|
| 168 | vertex->edges = abac_list_new(); |
---|
| 169 | |
---|
| 170 | // for intersections, will be populated first time it's created |
---|
| 171 | vertex->prereqs = abac_list_new(); |
---|
| 172 | |
---|
| 173 | // add each prereq to the vertex |
---|
| 174 | abac_list_foreach(prereqs, tail_role, |
---|
| 175 | abac_vertex_t *tail_vertex = _get_vertex(graph, tail_role); |
---|
| 176 | abac_list_add(vertex->prereqs, tail_vertex); |
---|
| 177 | ); |
---|
| 178 | |
---|
[c28bd8b] | 179 | // add it to the vertices |
---|
[82aeefa] | 180 | HASH_ADD_KEYPTR(hh, graph->vertices, vertex->name, strlen(vertex->name), vertex); |
---|
[c28bd8b] | 181 | } |
---|
[0eb4a8e] | 182 | else |
---|
| 183 | free(string); // already exists, get rid of useless memory |
---|
[d4cbf71] | 184 | |
---|
| 185 | return vertex; |
---|
[0eb4a8e] | 186 | |
---|
[d4cbf71] | 187 | } |
---|
| 188 | |
---|
| 189 | /** |
---|
[401a054] | 190 | * Add a credential to the credential graph. |
---|
[d4cbf71] | 191 | */ |
---|
[401a054] | 192 | int abac_graph_add_credential(abac_graph_t *graph, abac_credential_t *cred) { |
---|
[06293d1] | 193 | abac_vertex_t *head_vertex, *tail_vertex; |
---|
[314869f] | 194 | abac_edge_t *edge; |
---|
[d4cbf71] | 195 | |
---|
[401a054] | 196 | assert(cred != NULL); |
---|
[ae72c5d] | 197 | |
---|
[401a054] | 198 | abac_role_t *head = abac_credential_head(cred); |
---|
| 199 | abac_role_t *tail = abac_credential_tail(cred); |
---|
[d4cbf71] | 200 | |
---|
[401a054] | 201 | // a valid credential must have a role for the head |
---|
[dcc1a8e] | 202 | if (!abac_role_is_role(head)) return 0; |
---|
[d4cbf71] | 203 | |
---|
[82aeefa] | 204 | head_vertex = _get_vertex(graph, head); |
---|
[0eb4a8e] | 205 | |
---|
| 206 | // tail is a normal role |
---|
| 207 | if (tail != NULL) |
---|
| 208 | tail_vertex = _get_vertex(graph, tail); |
---|
| 209 | |
---|
| 210 | // intersection |
---|
| 211 | else |
---|
| 212 | tail_vertex = _get_intersection_vertex(graph, cred); |
---|
[d4cbf71] | 213 | |
---|
[314869f] | 214 | // make sure we don't insert the same edge twice (ugh) |
---|
| 215 | abac_list_foreach(head_vertex->edges, edge, |
---|
| 216 | if (edge->vertex == tail_vertex) |
---|
| 217 | return 0; |
---|
| 218 | ); |
---|
| 219 | |
---|
[ae72c5d] | 220 | // create the edge and add it |
---|
[314869f] | 221 | edge = abac_xmalloc(sizeof(abac_edge_t)); |
---|
[ae72c5d] | 222 | edge->vertex = tail_vertex; |
---|
[401a054] | 223 | edge->credential = abac_credential_dup(cred); |
---|
[ae72c5d] | 224 | |
---|
[6d5623e] | 225 | abac_list_add(head_vertex->edges, edge); |
---|
[d4cbf71] | 226 | |
---|
[82aeefa] | 227 | // must re-derive edges |
---|
| 228 | graph->dirty = 1; |
---|
| 229 | |
---|
[d4cbf71] | 230 | return 1; |
---|
| 231 | } |
---|
| 232 | |
---|
[ebde9dd] | 233 | // find the principals that have a role |
---|
[06293d1] | 234 | static abac_set_t *_find_principals(abac_graph_t *graph, abac_vertex_t *start_vertex) { |
---|
[2fd24c7] | 235 | abac_set_t *principals = abac_set_new(); |
---|
[d4cbf71] | 236 | |
---|
[06293d1] | 237 | abac_list_t *traversal = abac_graph_postorder(graph, start_vertex->role); |
---|
| 238 | abac_vertex_t *vertex; |
---|
[d4cbf71] | 239 | |
---|
[6d5623e] | 240 | abac_list_foreach(traversal, vertex, |
---|
[e2a0f26] | 241 | if (vertex->role != NULL && abac_role_is_principal(vertex->role)) |
---|
| 242 | abac_set_add(principals, vertex->name); |
---|
[ebde9dd] | 243 | ); |
---|
[d4cbf71] | 244 | |
---|
[6d5623e] | 245 | abac_list_free(traversal); |
---|
[ebde9dd] | 246 | return principals; |
---|
| 247 | } |
---|
[d4cbf71] | 248 | |
---|
[6188f4e] | 249 | // remove any derived edges from the graph |
---|
[06293d1] | 250 | void _clear_derived(abac_graph_t *graph) { |
---|
| 251 | abac_derived_t *current; |
---|
[6188f4e] | 252 | |
---|
| 253 | while (graph->derived) { |
---|
| 254 | current = graph->derived; |
---|
| 255 | |
---|
| 256 | HASH_DEL(graph->derived, current); |
---|
| 257 | |
---|
[06293d1] | 258 | abac_vertex_t *head = current->key.head; |
---|
| 259 | abac_edge_t *tail = current->key.tail; |
---|
[401a054] | 260 | assert(tail->credential == NULL); |
---|
[6188f4e] | 261 | |
---|
| 262 | // this can fail, but we assume the data structures are consistent |
---|
[6d5623e] | 263 | abac_list_remove(head->edges, tail); |
---|
[6188f4e] | 264 | |
---|
| 265 | free(current); |
---|
[186cb75] | 266 | free(tail); |
---|
[6188f4e] | 267 | } |
---|
| 268 | } |
---|
| 269 | |
---|
[e2a0f26] | 270 | // add a derived edge |
---|
| 271 | static void _derived_edge(abac_graph_t *graph, abac_vertex_t *head, abac_vertex_t *tail) { |
---|
| 272 | abac_edge_t *edge = abac_xmalloc(sizeof(abac_edge_t)); |
---|
| 273 | edge->vertex = tail; |
---|
| 274 | edge->credential = NULL; |
---|
| 275 | abac_list_add(head->edges, edge); |
---|
| 276 | |
---|
| 277 | // add to list of derived edges |
---|
| 278 | abac_derived_t *derived = abac_xmalloc(sizeof(abac_derived_t)); |
---|
| 279 | derived->key.head = head; |
---|
| 280 | derived->key.tail = edge; |
---|
| 281 | HASH_ADD(hh, graph->derived, key, sizeof(abac_derived_key_t), derived); |
---|
| 282 | } |
---|
| 283 | |
---|
| 284 | // find a vertex by name |
---|
| 285 | abac_vertex_t *_find_vertex(abac_graph_t *graph, char *name) { |
---|
| 286 | abac_vertex_t *ret = NULL; |
---|
| 287 | HASH_FIND_STR(graph->vertices, name, ret); |
---|
| 288 | return ret; |
---|
| 289 | } |
---|
| 290 | |
---|
[06293d1] | 291 | void abac_graph_derive_links(abac_graph_t *graph) { |
---|
| 292 | abac_vertex_t *vertex; |
---|
[d4cbf71] | 293 | |
---|
[ebde9dd] | 294 | if (!graph->dirty) |
---|
| 295 | return; |
---|
[379a53f] | 296 | |
---|
[ebde9dd] | 297 | for (vertex = graph->vertices; vertex != NULL; vertex = vertex->hh.next) { |
---|
[0eb4a8e] | 298 | // intersection |
---|
| 299 | if (_vertex_is_intersection(vertex)) { |
---|
| 300 | // for each prereq edge: |
---|
| 301 | // find principals that have the edge |
---|
| 302 | // find intersection of all sets |
---|
| 303 | // for each principal B in intersection: |
---|
| 304 | // add link |
---|
[e2a0f26] | 305 | |
---|
| 306 | char *name; |
---|
| 307 | abac_vertex_t *prereq; |
---|
| 308 | abac_set_t *principals = NULL; |
---|
| 309 | |
---|
| 310 | abac_list_foreach(vertex->prereqs, prereq, |
---|
| 311 | abac_set_t *cur = _find_principals(graph, prereq); |
---|
| 312 | |
---|
| 313 | if (principals == NULL) |
---|
| 314 | principals = cur; |
---|
| 315 | else { |
---|
| 316 | abac_set_intersect(principals, cur); |
---|
| 317 | abac_set_free(cur); |
---|
| 318 | } |
---|
| 319 | |
---|
| 320 | if (abac_set_size(principals) == 0) |
---|
| 321 | goto isect_done; |
---|
| 322 | ); |
---|
| 323 | |
---|
| 324 | abac_list_t *prin_names = abac_set_elements(principals); |
---|
| 325 | abac_list_foreach(prin_names, name, |
---|
| 326 | abac_vertex_t *principal = _find_vertex(graph, name); |
---|
| 327 | _derived_edge(graph, vertex, principal); |
---|
| 328 | |
---|
| 329 | printf("adding edge from %s to %s\n", principal->name, vertex->name); |
---|
| 330 | ); |
---|
| 331 | |
---|
| 332 | abac_list_free(prin_names); |
---|
| 333 | isect_done: |
---|
| 334 | abac_set_free(principals); |
---|
[0eb4a8e] | 335 | } |
---|
| 336 | |
---|
| 337 | // linking role |
---|
| 338 | else if (abac_role_is_linking(vertex->role)) { |
---|
| 339 | // linking roles take the form A.r1.r2 |
---|
| 340 | char *A_r1 = abac_role_linked_role(vertex->role); |
---|
| 341 | char *r2 = abac_role_role_name(vertex->role); |
---|
| 342 | |
---|
| 343 | // find the linked role in the graph |
---|
| 344 | abac_vertex_t *A_r1_vertex; |
---|
| 345 | HASH_FIND_STR(graph->vertices, A_r1, A_r1_vertex); |
---|
| 346 | if (A_r1_vertex == NULL) |
---|
| 347 | continue; |
---|
| 348 | |
---|
| 349 | // find the principals that have A.r1 |
---|
| 350 | abac_set_t *principals = _find_principals(graph, A_r1_vertex); |
---|
| 351 | char *B; |
---|
| 352 | |
---|
| 353 | abac_list_t *elts = abac_set_elements(principals); |
---|
| 354 | |
---|
| 355 | // and add a link for each B.r2 to A.r1.r2 |
---|
| 356 | abac_list_foreach(elts, B, |
---|
| 357 | int B_len = strlen(B); |
---|
| 358 | int r2_len = strlen(r2); |
---|
| 359 | |
---|
| 360 | // create the string B.r2, thx C |
---|
| 361 | char *B_r2 = malloc(B_len + r2_len + 2); |
---|
| 362 | memcpy(B_r2, B, B_len); |
---|
| 363 | B_r2[B_len] = '.'; |
---|
| 364 | memcpy(B_r2 + B_len + 1, r2, r2_len); |
---|
| 365 | B_r2[B_len + r2_len + 1] = 0; |
---|
| 366 | |
---|
| 367 | // add an edge if the principal's granted it to someone |
---|
[e2a0f26] | 368 | abac_vertex_t *B_r2_vertex = _find_vertex(graph, B_r2); |
---|
[0eb4a8e] | 369 | if (B_r2_vertex) { |
---|
| 370 | debug_printf("adding edge from %s to %s\n", B_r2, abac_role_string(vertex->role)); |
---|
[e2a0f26] | 371 | _derived_edge(graph, vertex, B_r2_vertex); |
---|
[0eb4a8e] | 372 | } |
---|
[ebde9dd] | 373 | |
---|
[dbbf777] | 374 | #ifdef DEBUG |
---|
[0eb4a8e] | 375 | debug_printf(" incoming edges for %s\n", abac_role_string(vertex->role)); |
---|
| 376 | abac_edge_t *cur; |
---|
| 377 | abac_list_foreach(vertex->edges, cur, |
---|
| 378 | debug_printf(" %s (%s)\n", abac_role_string(cur->vertex->role), cur->vertex->name); |
---|
| 379 | ); |
---|
[dbbf777] | 380 | #endif |
---|
[d4cbf71] | 381 | |
---|
[0eb4a8e] | 382 | free(B_r2); |
---|
| 383 | ); |
---|
[ebde9dd] | 384 | |
---|
[0eb4a8e] | 385 | abac_list_free(elts); |
---|
| 386 | abac_set_free(principals); |
---|
| 387 | } |
---|
[ebde9dd] | 388 | } |
---|
[6188f4e] | 389 | |
---|
| 390 | graph->dirty = 0; |
---|
[d4cbf71] | 391 | } |
---|
[cb0f2b2] | 392 | |
---|
[06293d1] | 393 | static void _order_recurse(abac_vertex_t *vertex, abac_set_t *seen, int preorder, abac_list_t *stack) { |
---|
| 394 | abac_edge_t *incoming; |
---|
[cb0f2b2] | 395 | |
---|
| 396 | // don't revisit nodes |
---|
[e2a0f26] | 397 | if (!abac_set_add(seen, vertex->name)) |
---|
[cb0f2b2] | 398 | return; |
---|
| 399 | |
---|
| 400 | if (preorder) |
---|
[6d5623e] | 401 | abac_list_add(stack, vertex); |
---|
[cb0f2b2] | 402 | |
---|
[9536712] | 403 | // recurse along the incoming vertices |
---|
[6d5623e] | 404 | abac_list_foreach(vertex->edges, incoming, |
---|
[ae72c5d] | 405 | _order_recurse(incoming->vertex, seen, preorder, stack); |
---|
[379a53f] | 406 | ); |
---|
[cb0f2b2] | 407 | |
---|
| 408 | if (!preorder) |
---|
[6d5623e] | 409 | abac_list_add(stack, vertex); |
---|
[cb0f2b2] | 410 | } |
---|
| 411 | |
---|
[06293d1] | 412 | static abac_list_t *_order(abac_graph_t *graph, abac_role_t *start, int preorder) { |
---|
[dcc1a8e] | 413 | debug_printf("%sorder at %s\n", preorder ? "pre" : "post", abac_role_string(start)); |
---|
[ebde9dd] | 414 | |
---|
[06293d1] | 415 | abac_vertex_t *start_vertex = _get_vertex(graph, start); |
---|
[2fd24c7] | 416 | abac_set_t *seen = abac_set_new(); |
---|
[cb0f2b2] | 417 | |
---|
[379a53f] | 418 | // create the return list |
---|
[6d5623e] | 419 | abac_list_t *stack = abac_list_new(); |
---|
[cb0f2b2] | 420 | |
---|
| 421 | _order_recurse(start_vertex, seen, preorder, stack); |
---|
| 422 | |
---|
[2fd24c7] | 423 | abac_set_free(seen); |
---|
[be963dc] | 424 | |
---|
[cb0f2b2] | 425 | return stack; |
---|
| 426 | } |
---|
| 427 | |
---|
[06293d1] | 428 | abac_list_t *abac_graph_postorder(abac_graph_t *graph, abac_role_t *start) { |
---|
[82aeefa] | 429 | return _order(graph, start, 0); |
---|
[cb0f2b2] | 430 | } |
---|
[97a5e13] | 431 | |
---|
[4e426c9] | 432 | /** |
---|
| 433 | * Postorder traverse the graph and return all the credentials within. |
---|
| 434 | */ |
---|
| 435 | abac_list_t *abac_graph_postorder_credentials(abac_graph_t *graph, char *start) { |
---|
| 436 | abac_vertex_t *vertex; |
---|
| 437 | abac_edge_t *incoming; |
---|
| 438 | |
---|
| 439 | // get the postorder of vertices |
---|
| 440 | abac_role_t *role = abac_role_from_string(start); |
---|
| 441 | abac_list_t *order = abac_graph_postorder(graph, role); |
---|
| 442 | |
---|
| 443 | // go through the list and dup all the credentials |
---|
| 444 | abac_list_t *credentials = abac_list_new(); |
---|
| 445 | abac_list_foreach(order, vertex, |
---|
| 446 | abac_list_foreach(vertex->edges, incoming, |
---|
| 447 | if (incoming->credential != NULL) |
---|
| 448 | abac_list_add(credentials, abac_credential_dup(incoming->credential)); |
---|
| 449 | ); |
---|
| 450 | ); |
---|
| 451 | |
---|
| 452 | abac_role_free(role); |
---|
| 453 | abac_list_free(order); |
---|
| 454 | |
---|
| 455 | return credentials; |
---|
| 456 | } |
---|
| 457 | |
---|
[401a054] | 458 | static void _query(abac_graph_t *graph, char *role_name, char *principal, abac_graph_t *return_graph) { |
---|
[06293d1] | 459 | abac_vertex_t *vertex; |
---|
| 460 | abac_edge_t *incoming; |
---|
[97a5e13] | 461 | |
---|
[401a054] | 462 | abac_role_t *role = abac_role_from_string(role_name); |
---|
[dcc1a8e] | 463 | abac_role_t *prin_role = abac_role_from_string(principal); |
---|
[97a5e13] | 464 | |
---|
[675cbea] | 465 | // give up on bogus roles |
---|
| 466 | if (role == NULL || prin_role == NULL) { |
---|
| 467 | free(role); |
---|
| 468 | free(prin_role); |
---|
| 469 | return; |
---|
| 470 | } |
---|
| 471 | |
---|
[2fd24c7] | 472 | abac_set_t *on_path = abac_set_new(); |
---|
[dcc1a8e] | 473 | abac_set_add(on_path, abac_role_string(prin_role)); |
---|
[97a5e13] | 474 | |
---|
[401a054] | 475 | abac_list_t *traversal = abac_graph_postorder(graph, role); |
---|
[6d5623e] | 476 | abac_list_foreach(traversal, vertex, |
---|
[1743825] | 477 | abac_role_t *role = vertex->role; |
---|
[e2a0f26] | 478 | char *vertex_name = vertex->name; |
---|
[97a5e13] | 479 | |
---|
[6d5623e] | 480 | abac_list_foreach(vertex->edges, incoming, |
---|
[1743825] | 481 | abac_role_t *incoming_role = incoming->vertex->role; |
---|
[e2a0f26] | 482 | char *incoming_name = incoming->vertex->name; |
---|
[97a5e13] | 483 | |
---|
[e2a0f26] | 484 | if (!abac_set_contains(on_path, incoming_name)) |
---|
[ae72c5d] | 485 | continue; |
---|
[97a5e13] | 486 | |
---|
[e2a0f26] | 487 | abac_set_add(on_path, vertex_name); |
---|
[97a5e13] | 488 | |
---|
[ebe824c] | 489 | // get implying edges for intersection vertices |
---|
[e2a0f26] | 490 | if (_vertex_is_intersection(vertex)) { |
---|
[ebe824c] | 491 | abac_vertex_t *prereq; |
---|
| 492 | abac_list_foreach(vertex->prereqs, prereq, |
---|
| 493 | _query(graph, prereq->name, principal, return_graph); |
---|
| 494 | ); |
---|
[e2a0f26] | 495 | } |
---|
[97a5e13] | 496 | |
---|
| 497 | // recursively find linked roles |
---|
[e2a0f26] | 498 | else if (abac_role_is_linking(role)) { |
---|
[401a054] | 499 | char *linked_role = abac_role_linked_role(role); |
---|
[dcc1a8e] | 500 | char *principal = abac_role_principal(incoming_role); |
---|
[97a5e13] | 501 | |
---|
[401a054] | 502 | _query(graph, linked_role, principal, return_graph); |
---|
[97a5e13] | 503 | } |
---|
[e2a0f26] | 504 | |
---|
| 505 | // add non-derived edges to the proof graph |
---|
| 506 | else |
---|
| 507 | abac_graph_add_credential(return_graph, incoming->credential); |
---|
[97a5e13] | 508 | ); |
---|
| 509 | ); |
---|
| 510 | |
---|
[6d5623e] | 511 | abac_list_free(traversal); |
---|
[2fd24c7] | 512 | abac_set_free(on_path); |
---|
[401a054] | 513 | abac_role_free(role); |
---|
[dcc1a8e] | 514 | abac_role_free(prin_role); |
---|
[97a5e13] | 515 | } |
---|
| 516 | |
---|
[401a054] | 517 | abac_graph_t *abac_graph_query(abac_graph_t *graph, char *role, char *principal) { |
---|
[06293d1] | 518 | abac_graph_derive_links(graph); |
---|
[97a5e13] | 519 | |
---|
[06293d1] | 520 | abac_graph_t *return_graph = abac_graph_new(); |
---|
[401a054] | 521 | _query(graph, role, principal, return_graph); |
---|
[06293d1] | 522 | abac_graph_derive_links(return_graph); |
---|
[97a5e13] | 523 | return return_graph; |
---|
| 524 | } |
---|
[be963dc] | 525 | |
---|
[902d079] | 526 | /** |
---|
[401a054] | 527 | * Get all the credentials (attribute/issuer cert pairs) from the graph. |
---|
[902d079] | 528 | */ |
---|
[401a054] | 529 | abac_list_t *abac_graph_credentials(abac_graph_t *graph) { |
---|
| 530 | abac_list_t *credentials = abac_list_new(); |
---|
[902d079] | 531 | |
---|
[06293d1] | 532 | abac_vertex_t *vertex; |
---|
[902d079] | 533 | |
---|
| 534 | for (vertex = graph->vertices; vertex != NULL; vertex = vertex->hh.next) { |
---|
[06293d1] | 535 | abac_edge_t *edge; |
---|
[6d5623e] | 536 | abac_list_foreach(vertex->edges, edge, |
---|
[401a054] | 537 | if (edge->credential != NULL) |
---|
| 538 | abac_list_add(credentials, abac_credential_dup(edge->credential)); |
---|
[902d079] | 539 | ); |
---|
| 540 | } |
---|
| 541 | |
---|
[401a054] | 542 | return credentials; |
---|
[902d079] | 543 | } |
---|
| 544 | |
---|
[06293d1] | 545 | void abac_graph_free(abac_graph_t *graph) { |
---|
| 546 | abac_vertex_t *vertex; |
---|
| 547 | abac_edge_t *edge; |
---|
[be963dc] | 548 | |
---|
| 549 | // kill derived edges |
---|
| 550 | _clear_derived(graph); |
---|
| 551 | |
---|
| 552 | // delete vertices |
---|
| 553 | while ((vertex = graph->vertices) != NULL) { |
---|
| 554 | HASH_DEL(graph->vertices, vertex); |
---|
| 555 | |
---|
[dcc1a8e] | 556 | abac_role_free(vertex->role); |
---|
[186cb75] | 557 | |
---|
[6d5623e] | 558 | abac_list_foreach(vertex->edges, edge, |
---|
[401a054] | 559 | if (edge->credential != NULL) |
---|
| 560 | abac_credential_free(edge->credential); |
---|
[186cb75] | 561 | free(edge); |
---|
| 562 | ); |
---|
[6d5623e] | 563 | abac_list_free(vertex->edges); |
---|
[be963dc] | 564 | free(vertex); |
---|
| 565 | } |
---|
| 566 | |
---|
| 567 | free(graph); |
---|
| 568 | } |
---|
[f46412c] | 569 | |
---|
[06293d1] | 570 | abac_role_t *abac_vertex_role(abac_vertex_t *vertex) { |
---|
[f46412c] | 571 | return vertex->role; |
---|
| 572 | } |
---|