[fc1a6b4] | 1 | |
---|
| 2 | /* abac_graph.c */ |
---|
| 3 | |
---|
[d4cbf71] | 4 | #include <assert.h> |
---|
[379a53f] | 5 | #include <stdlib.h> |
---|
[d4cbf71] | 6 | |
---|
[06293d1] | 7 | #include "abac_graph.h" |
---|
[cb0f2b2] | 8 | |
---|
[2fd24c7] | 9 | #include "abac_set.h" |
---|
[3c251d0] | 10 | #include "abac_util.h" |
---|
[d4cbf71] | 11 | |
---|
[f46412c] | 12 | #include "uthash.h" |
---|
| 13 | |
---|
| 14 | // vertex |
---|
[06293d1] | 15 | struct _abac_vertex_t { |
---|
[1743825] | 16 | abac_role_t *role; |
---|
[f46412c] | 17 | char *name; |
---|
[06ef09c] | 18 | int refcount; |
---|
[f46412c] | 19 | |
---|
[6d5623e] | 20 | abac_list_t *edges; |
---|
[d4b3b52] | 21 | abac_list_t *reverse_edges; |
---|
[f46412c] | 22 | |
---|
[0eb4a8e] | 23 | // only relevant to intersection edges |
---|
| 24 | abac_list_t *prereqs; |
---|
| 25 | |
---|
[f46412c] | 26 | UT_hash_handle hh; |
---|
| 27 | }; |
---|
| 28 | |
---|
[ae72c5d] | 29 | // edge |
---|
[06293d1] | 30 | typedef struct _abac_edge_t { |
---|
[06ef09c] | 31 | int refcount; |
---|
[06293d1] | 32 | abac_vertex_t *vertex; |
---|
[d4b3b52] | 33 | abac_vertex_t *reverse_vertex; |
---|
[401a054] | 34 | abac_credential_t *credential; |
---|
[06293d1] | 35 | } abac_edge_t; |
---|
[ae72c5d] | 36 | |
---|
[f46412c] | 37 | // derived edge |
---|
[06293d1] | 38 | typedef struct _abac_derived_key_t { |
---|
| 39 | abac_vertex_t *head; |
---|
| 40 | abac_edge_t *tail; |
---|
| 41 | } abac_derived_key_t; |
---|
[f46412c] | 42 | |
---|
[06293d1] | 43 | typedef struct _abac_derived_t { |
---|
| 44 | abac_derived_key_t key; |
---|
[f46412c] | 45 | UT_hash_handle hh; |
---|
[06293d1] | 46 | } abac_derived_t; |
---|
[f46412c] | 47 | |
---|
| 48 | // graph |
---|
[06293d1] | 49 | struct _abac_graph_t { |
---|
| 50 | abac_vertex_t *vertices; |
---|
| 51 | abac_derived_t *derived; |
---|
[f46412c] | 52 | int dirty; |
---|
| 53 | }; |
---|
[0ec9e25] | 54 | |
---|
[0eb4a8e] | 55 | // ugghhhghhhghh need this for intersections |
---|
[9a411d7] | 56 | abac_list_t *abac_role_prereqs(abac_role_t *); |
---|
[0eb4a8e] | 57 | |
---|
[f2622ee] | 58 | static abac_vertex_t *_dup_vertex(abac_vertex_t *v); |
---|
[fc1a6b4] | 59 | int abac_graph_add_credential(abac_graph_t *graph, abac_credential_t *cred); |
---|
[f2622ee] | 60 | |
---|
[0ec9e25] | 61 | /** |
---|
| 62 | * Create a new graph. |
---|
| 63 | */ |
---|
[06293d1] | 64 | abac_graph_t *abac_graph_new(void) { |
---|
[3c251d0] | 65 | abac_graph_t *graph = abac_xmalloc(sizeof(abac_graph_t)); |
---|
[82aeefa] | 66 | |
---|
| 67 | graph->vertices = NULL; |
---|
[6188f4e] | 68 | graph->derived = NULL; |
---|
[82aeefa] | 69 | graph->dirty = 0; |
---|
| 70 | |
---|
| 71 | return graph; |
---|
| 72 | } |
---|
[d4cbf71] | 73 | |
---|
[b26942d] | 74 | /** |
---|
| 75 | * Deep copy a graph. |
---|
| 76 | */ |
---|
[06293d1] | 77 | abac_graph_t *abac_graph_dup(abac_graph_t *graph) { |
---|
| 78 | abac_vertex_t *vertex; |
---|
| 79 | abac_edge_t *edge; |
---|
[b26942d] | 80 | |
---|
[06293d1] | 81 | abac_graph_t *clone = abac_graph_new(); |
---|
[b26942d] | 82 | |
---|
| 83 | // copy the vertices edge by edge |
---|
| 84 | for (vertex = graph->vertices; vertex != NULL; vertex = vertex->hh.next) |
---|
[6d5623e] | 85 | abac_list_foreach(vertex->edges, edge, |
---|
[b26942d] | 86 | // only copy non-derived edges |
---|
[401a054] | 87 | if (edge->credential != NULL) |
---|
| 88 | abac_graph_add_credential(clone, edge->credential); |
---|
[b26942d] | 89 | ); |
---|
| 90 | |
---|
| 91 | return clone; |
---|
| 92 | } |
---|
[d4cbf71] | 93 | /** |
---|
[06ef09c] | 94 | * Add a vertex to the graph. Should only be called by |
---|
| 95 | * abac_graph_add_credential. This returns an existing vertex with the refcount |
---|
| 96 | * bumped, or a new vertex with a refcount of 1. Either way it gets and |
---|
| 97 | * references the vertex. |
---|
[d4cbf71] | 98 | */ |
---|
[06293d1] | 99 | static abac_vertex_t *_get_vertex(abac_graph_t *graph, abac_role_t *role) { |
---|
| 100 | abac_vertex_t *vertex; |
---|
[c28bd8b] | 101 | char *string; |
---|
| 102 | |
---|
[cb135e1] | 103 | string =abac_role_string(role); |
---|
[82aeefa] | 104 | HASH_FIND_STR(graph->vertices, string, vertex); |
---|
[c28bd8b] | 105 | |
---|
| 106 | // add the vertex if it doesn't exist |
---|
| 107 | if (vertex == NULL) { |
---|
[3c251d0] | 108 | vertex = abac_xmalloc(sizeof(abac_vertex_t)); |
---|
[f2622ee] | 109 | vertex->refcount = 1; |
---|
[dcc1a8e] | 110 | vertex->role = abac_role_dup(role); |
---|
| 111 | vertex->name = abac_role_string(vertex->role); |
---|
[d4cbf71] | 112 | |
---|
[379a53f] | 113 | // create the list of edges |
---|
[6d5623e] | 114 | vertex->edges = abac_list_new(); |
---|
[d4b3b52] | 115 | vertex->reverse_edges = abac_list_new(); |
---|
[d4cbf71] | 116 | |
---|
[0eb4a8e] | 117 | // for intersections, always NULL on normal vertices |
---|
[9a411d7] | 118 | if (abac_role_is_intersection(role)) { |
---|
| 119 | abac_role_t *prereq; |
---|
| 120 | vertex->prereqs = abac_list_new(); |
---|
| 121 | |
---|
| 122 | // add each prereq to the vertex |
---|
| 123 | abac_list_foreach(abac_role_prereqs(role), prereq, |
---|
| 124 | abac_vertex_t *tail_vertex = _get_vertex(graph, prereq); |
---|
[fc1a6b4] | 125 | /*??? */ |
---|
[4571abc] | 126 | abac_list_add(vertex->prereqs, _dup_vertex(tail_vertex)); |
---|
[9a411d7] | 127 | ); |
---|
| 128 | } |
---|
[0eb4a8e] | 129 | |
---|
[9a411d7] | 130 | // normal edges have no prereqs |
---|
| 131 | else |
---|
| 132 | vertex->prereqs = NULL; |
---|
[0eb4a8e] | 133 | |
---|
[c28bd8b] | 134 | // add it to the vertices |
---|
[82aeefa] | 135 | HASH_ADD_KEYPTR(hh, graph->vertices, vertex->name, strlen(vertex->name), vertex); |
---|
[f2622ee] | 136 | |
---|
| 137 | } else { |
---|
[fc1a6b4] | 138 | return vertex; |
---|
| 139 | /* ??? return _dup_vertex(vertex); */ |
---|
[c28bd8b] | 140 | } |
---|
[d4cbf71] | 141 | |
---|
| 142 | return vertex; |
---|
| 143 | } |
---|
| 144 | |
---|
[06ef09c] | 145 | /* forward decl */ |
---|
| 146 | static void _free_edge(abac_edge_t *edge); |
---|
[fc1a6b4] | 147 | |
---|
[06ef09c] | 148 | /* |
---|
| 149 | * Reduce the vertex reference count and free it if this is the last reference |
---|
| 150 | */ |
---|
| 151 | static void _free_vertex(abac_vertex_t *vertex) { |
---|
| 152 | abac_edge_t *edge=NULL; |
---|
| 153 | abac_vertex_t *pre=NULL; |
---|
| 154 | |
---|
| 155 | --vertex->refcount; |
---|
[fc1a6b4] | 156 | |
---|
[06ef09c] | 157 | if ( vertex->refcount > 0) return; |
---|
| 158 | |
---|
| 159 | abac_role_free(vertex->role); |
---|
| 160 | |
---|
| 161 | abac_list_foreach(vertex->edges, edge, |
---|
| 162 | _free_edge(edge); |
---|
| 163 | ); |
---|
| 164 | abac_list_free(vertex->edges); |
---|
| 165 | |
---|
| 166 | abac_list_foreach(vertex->reverse_edges, edge, |
---|
| 167 | _free_edge(edge); |
---|
| 168 | ); |
---|
| 169 | abac_list_free(vertex->reverse_edges); |
---|
| 170 | |
---|
| 171 | // Free the prereqs |
---|
| 172 | if (vertex->prereqs != NULL) { |
---|
| 173 | abac_list_foreach(vertex->prereqs, pre, |
---|
| 174 | if (pre != NULL) { |
---|
| 175 | _free_vertex(pre); |
---|
| 176 | } |
---|
| 177 | ); |
---|
| 178 | abac_list_free(vertex->prereqs); |
---|
| 179 | } |
---|
| 180 | |
---|
| 181 | free(vertex); |
---|
| 182 | } |
---|
| 183 | |
---|
| 184 | /* |
---|
| 185 | * Increment vertex reference count |
---|
| 186 | */ |
---|
| 187 | static abac_vertex_t *_dup_vertex(abac_vertex_t *v) { |
---|
| 188 | v->refcount++; |
---|
| 189 | return v; |
---|
| 190 | } |
---|
| 191 | |
---|
| 192 | |
---|
| 193 | /* |
---|
| 194 | * create a new edge from the given head, tail and credential |
---|
| 195 | */ |
---|
| 196 | |
---|
| 197 | static abac_edge_t *_get_edge(abac_vertex_t *h, abac_vertex_t *t, |
---|
| 198 | abac_credential_t *c) { |
---|
| 199 | |
---|
| 200 | /* An edge does not own it's vertices. Do not delete them from an edge |
---|
| 201 | * reference. */ |
---|
| 202 | abac_edge_t *edge = abac_xmalloc(sizeof(abac_edge_t)); |
---|
| 203 | edge->refcount = 1; |
---|
| 204 | edge->vertex = t; |
---|
| 205 | edge->reverse_vertex = h; |
---|
| 206 | /* Don't dup a null credential */ |
---|
| 207 | edge->credential = (c) ? abac_credential_dup(c): NULL; |
---|
| 208 | |
---|
| 209 | return edge; |
---|
| 210 | } |
---|
| 211 | |
---|
| 212 | |
---|
| 213 | /** |
---|
| 214 | * Increment the reference count |
---|
| 215 | */ |
---|
| 216 | static abac_edge_t *_dup_edge(abac_edge_t *e) { |
---|
| 217 | e->refcount++; |
---|
| 218 | return e; |
---|
| 219 | } |
---|
| 220 | |
---|
| 221 | /** |
---|
| 222 | * Decerement the refcount and free it if this was the last reference. NB |
---|
| 223 | * edges do not own teh vertices, so they must be deleted elsewhere. |
---|
| 224 | */ |
---|
| 225 | static void _free_edge(abac_edge_t *edge) { |
---|
| 226 | assert(edge && edge->refcount > 0); |
---|
| 227 | if ( --edge->refcount > 0) return; |
---|
| 228 | if (edge->credential) abac_credential_free(edge->credential); |
---|
| 229 | free(edge); |
---|
| 230 | } |
---|
| 231 | |
---|
[d4cbf71] | 232 | /** |
---|
[401a054] | 233 | * Add a credential to the credential graph. |
---|
[d4cbf71] | 234 | */ |
---|
[401a054] | 235 | int abac_graph_add_credential(abac_graph_t *graph, abac_credential_t *cred) { |
---|
[06293d1] | 236 | abac_vertex_t *head_vertex, *tail_vertex; |
---|
[314869f] | 237 | abac_edge_t *edge; |
---|
[d4cbf71] | 238 | |
---|
[401a054] | 239 | assert(cred != NULL); |
---|
[ae72c5d] | 240 | |
---|
[401a054] | 241 | abac_role_t *head = abac_credential_head(cred); |
---|
| 242 | abac_role_t *tail = abac_credential_tail(cred); |
---|
[d4cbf71] | 243 | |
---|
[401a054] | 244 | // a valid credential must have a role for the head |
---|
[dcc1a8e] | 245 | if (!abac_role_is_role(head)) return 0; |
---|
[d4cbf71] | 246 | |
---|
[82aeefa] | 247 | head_vertex = _get_vertex(graph, head); |
---|
[9a411d7] | 248 | tail_vertex = _get_vertex(graph, tail); |
---|
[d4cbf71] | 249 | |
---|
[314869f] | 250 | // make sure we don't insert the same edge twice (ugh) |
---|
| 251 | abac_list_foreach(head_vertex->edges, edge, |
---|
[06ef09c] | 252 | if (edge->vertex == tail_vertex) { |
---|
[fc1a6b4] | 253 | /* |
---|
[06ef09c] | 254 | _free_vertex(head_vertex); |
---|
| 255 | _free_vertex(tail_vertex); |
---|
[fc1a6b4] | 256 | */ |
---|
[314869f] | 257 | return 0; |
---|
[06ef09c] | 258 | } |
---|
[314869f] | 259 | ); |
---|
| 260 | |
---|
[ae72c5d] | 261 | // create the edge and add it |
---|
[06ef09c] | 262 | edge = _get_edge(head_vertex, tail_vertex, cred); |
---|
[ae72c5d] | 263 | |
---|
[6d5623e] | 264 | abac_list_add(head_vertex->edges, edge); |
---|
[06ef09c] | 265 | abac_list_add(tail_vertex->reverse_edges, _dup_edge(edge)); |
---|
[d4cbf71] | 266 | |
---|
[82aeefa] | 267 | // must re-derive edges |
---|
| 268 | graph->dirty = 1; |
---|
| 269 | |
---|
[d4cbf71] | 270 | return 1; |
---|
| 271 | } |
---|
| 272 | |
---|
[ebde9dd] | 273 | // find the principals that have a role |
---|
[06293d1] | 274 | static abac_set_t *_find_principals(abac_graph_t *graph, abac_vertex_t *start_vertex) { |
---|
[2fd24c7] | 275 | abac_set_t *principals = abac_set_new(); |
---|
[d4cbf71] | 276 | |
---|
[06293d1] | 277 | abac_list_t *traversal = abac_graph_postorder(graph, start_vertex->role); |
---|
| 278 | abac_vertex_t *vertex; |
---|
[d4cbf71] | 279 | |
---|
[6d5623e] | 280 | abac_list_foreach(traversal, vertex, |
---|
[9a411d7] | 281 | if (abac_role_is_principal(vertex->role)) |
---|
| 282 | abac_set_add(principals, abac_role_string(vertex->role)); |
---|
[ebde9dd] | 283 | ); |
---|
[d4cbf71] | 284 | |
---|
[6d5623e] | 285 | abac_list_free(traversal); |
---|
[ebde9dd] | 286 | return principals; |
---|
| 287 | } |
---|
[d4cbf71] | 288 | |
---|
[6188f4e] | 289 | // remove any derived edges from the graph |
---|
[06293d1] | 290 | void _clear_derived(abac_graph_t *graph) { |
---|
| 291 | abac_derived_t *current; |
---|
[6188f4e] | 292 | |
---|
| 293 | while (graph->derived) { |
---|
| 294 | current = graph->derived; |
---|
| 295 | |
---|
| 296 | HASH_DEL(graph->derived, current); |
---|
| 297 | |
---|
[06293d1] | 298 | abac_vertex_t *head = current->key.head; |
---|
| 299 | abac_edge_t *tail = current->key.tail; |
---|
[401a054] | 300 | assert(tail->credential == NULL); |
---|
[6188f4e] | 301 | |
---|
| 302 | // this can fail, but we assume the data structures are consistent |
---|
[6d5623e] | 303 | abac_list_remove(head->edges, tail); |
---|
[d4b3b52] | 304 | abac_list_remove(tail->reverse_vertex->edges, tail); |
---|
[6188f4e] | 305 | |
---|
[06ef09c] | 306 | _free_edge(tail); |
---|
[fc1a6b4] | 307 | free(current); |
---|
[6188f4e] | 308 | } |
---|
| 309 | } |
---|
| 310 | |
---|
[704fde7] | 311 | // add a derived edge, returns 1 if added 0 if dup |
---|
| 312 | static int _derived_edge(abac_graph_t *graph, abac_vertex_t *head, abac_vertex_t *tail) { |
---|
| 313 | abac_edge_t *edge; |
---|
| 314 | |
---|
| 315 | // don't add duplicate edges |
---|
| 316 | abac_list_foreach(head->edges, edge, |
---|
| 317 | if (edge->vertex == tail) |
---|
| 318 | return 0; |
---|
| 319 | ); |
---|
| 320 | |
---|
| 321 | debug_printf("derived edge %s <- %s\n", head->name, tail->name); |
---|
| 322 | |
---|
[06ef09c] | 323 | edge = _get_edge(head, tail, NULL); |
---|
[e2a0f26] | 324 | abac_list_add(head->edges, edge); |
---|
[06ef09c] | 325 | abac_list_add(tail->reverse_edges, _dup_edge(edge)); |
---|
[e2a0f26] | 326 | |
---|
| 327 | // add to list of derived edges |
---|
| 328 | abac_derived_t *derived = abac_xmalloc(sizeof(abac_derived_t)); |
---|
| 329 | derived->key.head = head; |
---|
| 330 | derived->key.tail = edge; |
---|
| 331 | HASH_ADD(hh, graph->derived, key, sizeof(abac_derived_key_t), derived); |
---|
[704fde7] | 332 | |
---|
| 333 | return 1; |
---|
[e2a0f26] | 334 | } |
---|
| 335 | |
---|
| 336 | // find a vertex by name |
---|
| 337 | abac_vertex_t *_find_vertex(abac_graph_t *graph, char *name) { |
---|
| 338 | abac_vertex_t *ret = NULL; |
---|
| 339 | HASH_FIND_STR(graph->vertices, name, ret); |
---|
| 340 | return ret; |
---|
| 341 | } |
---|
| 342 | |
---|
[704fde7] | 343 | /** |
---|
| 344 | * Single iteration of deriving new edges. Returns the number of new edges |
---|
| 345 | * added. |
---|
| 346 | */ |
---|
| 347 | static int _derive_links_iter(abac_graph_t *graph) { |
---|
| 348 | int count = 0; |
---|
[06293d1] | 349 | abac_vertex_t *vertex; |
---|
[d4cbf71] | 350 | |
---|
[ebde9dd] | 351 | for (vertex = graph->vertices; vertex != NULL; vertex = vertex->hh.next) { |
---|
[0eb4a8e] | 352 | // intersection |
---|
[9a411d7] | 353 | if (abac_role_is_intersection(vertex->role)) { |
---|
[0eb4a8e] | 354 | // for each prereq edge: |
---|
| 355 | // find principals that have the edge |
---|
| 356 | // find intersection of all sets |
---|
| 357 | // for each principal B in intersection: |
---|
| 358 | // add link |
---|
[e2a0f26] | 359 | |
---|
| 360 | char *name; |
---|
| 361 | abac_vertex_t *prereq; |
---|
| 362 | abac_set_t *principals = NULL; |
---|
| 363 | |
---|
| 364 | abac_list_foreach(vertex->prereqs, prereq, |
---|
| 365 | abac_set_t *cur = _find_principals(graph, prereq); |
---|
| 366 | |
---|
| 367 | if (principals == NULL) |
---|
| 368 | principals = cur; |
---|
| 369 | else { |
---|
| 370 | abac_set_intersect(principals, cur); |
---|
| 371 | abac_set_free(cur); |
---|
| 372 | } |
---|
| 373 | |
---|
| 374 | if (abac_set_size(principals) == 0) |
---|
| 375 | goto isect_done; |
---|
| 376 | ); |
---|
| 377 | |
---|
| 378 | abac_list_t *prin_names = abac_set_elements(principals); |
---|
| 379 | abac_list_foreach(prin_names, name, |
---|
| 380 | abac_vertex_t *principal = _find_vertex(graph, name); |
---|
[704fde7] | 381 | count += _derived_edge(graph, vertex, principal); |
---|
[e2a0f26] | 382 | ); |
---|
| 383 | |
---|
| 384 | abac_list_free(prin_names); |
---|
| 385 | isect_done: |
---|
| 386 | abac_set_free(principals); |
---|
[0eb4a8e] | 387 | } |
---|
| 388 | |
---|
| 389 | // linking role |
---|
| 390 | else if (abac_role_is_linking(vertex->role)) { |
---|
| 391 | // linking roles take the form A.r1.r2 |
---|
| 392 | char *A_r1 = abac_role_linked_role(vertex->role); |
---|
| 393 | char *r2 = abac_role_role_name(vertex->role); |
---|
| 394 | |
---|
| 395 | // find the linked role in the graph |
---|
| 396 | abac_vertex_t *A_r1_vertex; |
---|
| 397 | HASH_FIND_STR(graph->vertices, A_r1, A_r1_vertex); |
---|
| 398 | if (A_r1_vertex == NULL) |
---|
| 399 | continue; |
---|
| 400 | |
---|
| 401 | // find the principals that have A.r1 |
---|
| 402 | abac_set_t *principals = _find_principals(graph, A_r1_vertex); |
---|
| 403 | char *B; |
---|
| 404 | |
---|
| 405 | abac_list_t *elts = abac_set_elements(principals); |
---|
| 406 | |
---|
| 407 | // and add a link for each B.r2 to A.r1.r2 |
---|
| 408 | abac_list_foreach(elts, B, |
---|
| 409 | int B_len = strlen(B); |
---|
| 410 | int r2_len = strlen(r2); |
---|
| 411 | |
---|
| 412 | // create the string B.r2, thx C |
---|
| 413 | char *B_r2 = malloc(B_len + r2_len + 2); |
---|
| 414 | memcpy(B_r2, B, B_len); |
---|
| 415 | B_r2[B_len] = '.'; |
---|
| 416 | memcpy(B_r2 + B_len + 1, r2, r2_len); |
---|
| 417 | B_r2[B_len + r2_len + 1] = 0; |
---|
| 418 | |
---|
| 419 | // add an edge if the principal's granted it to someone |
---|
[e2a0f26] | 420 | abac_vertex_t *B_r2_vertex = _find_vertex(graph, B_r2); |
---|
[0eb4a8e] | 421 | if (B_r2_vertex) { |
---|
| 422 | debug_printf("adding edge from %s to %s\n", B_r2, abac_role_string(vertex->role)); |
---|
[704fde7] | 423 | count += _derived_edge(graph, vertex, B_r2_vertex); |
---|
[0eb4a8e] | 424 | } |
---|
[ebde9dd] | 425 | |
---|
[dbbf777] | 426 | #ifdef DEBUG |
---|
[0eb4a8e] | 427 | debug_printf(" incoming edges for %s\n", abac_role_string(vertex->role)); |
---|
| 428 | abac_edge_t *cur; |
---|
| 429 | abac_list_foreach(vertex->edges, cur, |
---|
| 430 | debug_printf(" %s (%s)\n", abac_role_string(cur->vertex->role), cur->vertex->name); |
---|
| 431 | ); |
---|
[dbbf777] | 432 | #endif |
---|
[d4cbf71] | 433 | |
---|
[0eb4a8e] | 434 | free(B_r2); |
---|
| 435 | ); |
---|
[ebde9dd] | 436 | |
---|
[0eb4a8e] | 437 | abac_list_free(elts); |
---|
| 438 | abac_set_free(principals); |
---|
| 439 | } |
---|
[ebde9dd] | 440 | } |
---|
[6188f4e] | 441 | |
---|
[704fde7] | 442 | return count; |
---|
| 443 | } |
---|
| 444 | |
---|
| 445 | /** |
---|
| 446 | * Derive all implied edges in the graph. These can come from linking roles |
---|
| 447 | * and intersections. |
---|
| 448 | * |
---|
| 449 | * We have to do it iteratively because derived edges can imply new edges. |
---|
| 450 | */ |
---|
| 451 | void abac_graph_derive_links(abac_graph_t *graph) { |
---|
| 452 | if (!graph->dirty) |
---|
| 453 | return; |
---|
| 454 | |
---|
| 455 | // iterate as long as new links are derived |
---|
| 456 | while (_derive_links_iter(graph) > 0) |
---|
| 457 | ; |
---|
| 458 | |
---|
[6188f4e] | 459 | graph->dirty = 0; |
---|
[d4cbf71] | 460 | } |
---|
[cb0f2b2] | 461 | |
---|
[d4b3b52] | 462 | static void _reverse_order_recurse(abac_vertex_t *vertex, abac_set_t *seen, int preorder, abac_list_t *stack) { |
---|
| 463 | abac_edge_t *outgoing; |
---|
| 464 | |
---|
| 465 | // don't revisit nodes |
---|
| 466 | if (!abac_set_add(seen, abac_role_string(vertex->role))) |
---|
| 467 | return; |
---|
| 468 | |
---|
[fc1a6b4] | 469 | if (preorder) { |
---|
[d4b3b52] | 470 | abac_list_add(stack, vertex); |
---|
[fc1a6b4] | 471 | } |
---|
[d4b3b52] | 472 | |
---|
| 473 | // recurse along the incoming vertices |
---|
| 474 | abac_list_foreach(vertex->reverse_edges, outgoing, |
---|
| 475 | _reverse_order_recurse(outgoing->reverse_vertex, seen, preorder, stack); |
---|
| 476 | ); |
---|
| 477 | |
---|
[fc1a6b4] | 478 | if (!preorder) { |
---|
[d4b3b52] | 479 | abac_list_add(stack, vertex); |
---|
[fc1a6b4] | 480 | } |
---|
[d4b3b52] | 481 | } |
---|
| 482 | |
---|
| 483 | static abac_list_t *_reverse_order(abac_graph_t *graph, abac_role_t *start, int preorder) { |
---|
| 484 | debug_printf("%sorder at %s\n", preorder ? "pre" : "post", abac_role_string(start)); |
---|
| 485 | |
---|
[fc1a6b4] | 486 | |
---|
[d4b3b52] | 487 | abac_vertex_t *start_vertex = _get_vertex(graph, start); |
---|
[fc1a6b4] | 488 | |
---|
[d4b3b52] | 489 | abac_set_t *seen = abac_set_new(); |
---|
| 490 | |
---|
| 491 | // create the return list |
---|
| 492 | abac_list_t *stack = abac_list_new(); |
---|
| 493 | |
---|
| 494 | _reverse_order_recurse(start_vertex, seen, preorder, stack); |
---|
| 495 | |
---|
| 496 | abac_set_free(seen); |
---|
| 497 | |
---|
[fc1a6b4] | 498 | |
---|
[d4b3b52] | 499 | return stack; |
---|
| 500 | } |
---|
| 501 | |
---|
[06293d1] | 502 | static void _order_recurse(abac_vertex_t *vertex, abac_set_t *seen, int preorder, abac_list_t *stack) { |
---|
| 503 | abac_edge_t *incoming; |
---|
[cb0f2b2] | 504 | |
---|
| 505 | // don't revisit nodes |
---|
[9a411d7] | 506 | if (!abac_set_add(seen, abac_role_string(vertex->role))) |
---|
[cb0f2b2] | 507 | return; |
---|
| 508 | |
---|
[fc1a6b4] | 509 | if (preorder) { |
---|
[6d5623e] | 510 | abac_list_add(stack, vertex); |
---|
[fc1a6b4] | 511 | } |
---|
[cb0f2b2] | 512 | |
---|
[9536712] | 513 | // recurse along the incoming vertices |
---|
[6d5623e] | 514 | abac_list_foreach(vertex->edges, incoming, |
---|
[ae72c5d] | 515 | _order_recurse(incoming->vertex, seen, preorder, stack); |
---|
[379a53f] | 516 | ); |
---|
[cb0f2b2] | 517 | |
---|
[fc1a6b4] | 518 | if (!preorder) { |
---|
[6d5623e] | 519 | abac_list_add(stack, vertex); |
---|
[fc1a6b4] | 520 | } |
---|
[cb0f2b2] | 521 | } |
---|
| 522 | |
---|
[06293d1] | 523 | static abac_list_t *_order(abac_graph_t *graph, abac_role_t *start, int preorder) { |
---|
[dcc1a8e] | 524 | debug_printf("%sorder at %s\n", preorder ? "pre" : "post", abac_role_string(start)); |
---|
[ebde9dd] | 525 | |
---|
[06293d1] | 526 | abac_vertex_t *start_vertex = _get_vertex(graph, start); |
---|
[fc1a6b4] | 527 | |
---|
[2fd24c7] | 528 | abac_set_t *seen = abac_set_new(); |
---|
[cb0f2b2] | 529 | |
---|
[379a53f] | 530 | // create the return list |
---|
[6d5623e] | 531 | abac_list_t *stack = abac_list_new(); |
---|
[cb0f2b2] | 532 | |
---|
| 533 | _order_recurse(start_vertex, seen, preorder, stack); |
---|
| 534 | |
---|
[2fd24c7] | 535 | abac_set_free(seen); |
---|
[be963dc] | 536 | |
---|
[cb0f2b2] | 537 | return stack; |
---|
| 538 | } |
---|
| 539 | |
---|
[06293d1] | 540 | abac_list_t *abac_graph_postorder(abac_graph_t *graph, abac_role_t *start) { |
---|
[82aeefa] | 541 | return _order(graph, start, 0); |
---|
[cb0f2b2] | 542 | } |
---|
[97a5e13] | 543 | |
---|
[4e426c9] | 544 | /** |
---|
| 545 | * Postorder traverse the graph and return all the credentials within. |
---|
| 546 | */ |
---|
| 547 | abac_list_t *abac_graph_postorder_credentials(abac_graph_t *graph, char *start) { |
---|
| 548 | abac_vertex_t *vertex; |
---|
| 549 | abac_edge_t *incoming; |
---|
| 550 | |
---|
| 551 | // get the postorder of vertices |
---|
| 552 | abac_role_t *role = abac_role_from_string(start); |
---|
| 553 | abac_list_t *order = abac_graph_postorder(graph, role); |
---|
| 554 | |
---|
| 555 | // go through the list and dup all the credentials |
---|
| 556 | abac_list_t *credentials = abac_list_new(); |
---|
| 557 | abac_list_foreach(order, vertex, |
---|
| 558 | abac_list_foreach(vertex->edges, incoming, |
---|
[fc1a6b4] | 559 | if (incoming->credential != NULL) { |
---|
| 560 | /* ??? do we need to duplicate this?? */ |
---|
[4e426c9] | 561 | abac_list_add(credentials, abac_credential_dup(incoming->credential)); |
---|
[fc1a6b4] | 562 | } |
---|
[4e426c9] | 563 | ); |
---|
| 564 | ); |
---|
| 565 | |
---|
| 566 | abac_role_free(role); |
---|
| 567 | abac_list_free(order); |
---|
| 568 | |
---|
| 569 | return credentials; |
---|
| 570 | } |
---|
| 571 | |
---|
[d4b3b52] | 572 | |
---|
| 573 | abac_list_t *abac_graph_postorder_reverse(abac_graph_t *graph, abac_role_t *start) { |
---|
| 574 | return _reverse_order(graph, start, 0); |
---|
| 575 | } |
---|
| 576 | |
---|
| 577 | /** |
---|
| 578 | * Postorder traverse the graph and return all the credentials within. |
---|
| 579 | */ |
---|
| 580 | abac_list_t *abac_graph_postorder_reverse_credentials(abac_graph_t *graph, char *start) { |
---|
| 581 | abac_vertex_t *vertex; |
---|
| 582 | abac_edge_t *outgoing; |
---|
| 583 | |
---|
| 584 | // get the postorder of vertices |
---|
| 585 | abac_role_t *role = abac_role_from_string(start); |
---|
| 586 | abac_list_t *order = abac_graph_postorder_reverse(graph, role); |
---|
| 587 | |
---|
| 588 | // go through the list and dup all the credentials |
---|
| 589 | abac_list_t *credentials = abac_list_new(); |
---|
[fc1a6b4] | 590 | |
---|
[d4b3b52] | 591 | abac_list_foreach(order, vertex, |
---|
| 592 | abac_list_foreach(vertex->reverse_edges, outgoing, |
---|
[fc1a6b4] | 593 | if (outgoing->credential != NULL) { |
---|
[d4b3b52] | 594 | abac_list_add(credentials, abac_credential_dup(outgoing->credential)); |
---|
[fc1a6b4] | 595 | } |
---|
[d4b3b52] | 596 | ); |
---|
| 597 | ); |
---|
| 598 | |
---|
| 599 | abac_role_free(role); |
---|
| 600 | abac_list_free(order); |
---|
| 601 | |
---|
| 602 | return credentials; |
---|
| 603 | } |
---|
| 604 | |
---|
[401a054] | 605 | static void _query(abac_graph_t *graph, char *role_name, char *principal, abac_graph_t *return_graph) { |
---|
[06293d1] | 606 | abac_vertex_t *vertex; |
---|
| 607 | abac_edge_t *incoming; |
---|
[401a054] | 608 | abac_role_t *role = abac_role_from_string(role_name); |
---|
[dcc1a8e] | 609 | abac_role_t *prin_role = abac_role_from_string(principal); |
---|
[97a5e13] | 610 | |
---|
[675cbea] | 611 | // give up on bogus roles |
---|
| 612 | if (role == NULL || prin_role == NULL) { |
---|
[f2622ee] | 613 | abac_role_free(role); |
---|
| 614 | abac_role_free(prin_role); |
---|
[675cbea] | 615 | return; |
---|
| 616 | } |
---|
| 617 | |
---|
[2fd24c7] | 618 | abac_set_t *on_path = abac_set_new(); |
---|
[dcc1a8e] | 619 | abac_set_add(on_path, abac_role_string(prin_role)); |
---|
[97a5e13] | 620 | |
---|
[401a054] | 621 | abac_list_t *traversal = abac_graph_postorder(graph, role); |
---|
[6d5623e] | 622 | abac_list_foreach(traversal, vertex, |
---|
[1743825] | 623 | abac_role_t *role = vertex->role; |
---|
[97a5e13] | 624 | |
---|
[6d5623e] | 625 | abac_list_foreach(vertex->edges, incoming, |
---|
[1743825] | 626 | abac_role_t *incoming_role = incoming->vertex->role; |
---|
[97a5e13] | 627 | |
---|
[9a411d7] | 628 | if (!abac_set_contains(on_path, abac_role_string(incoming_role))) |
---|
[ae72c5d] | 629 | continue; |
---|
[97a5e13] | 630 | |
---|
[9a411d7] | 631 | abac_set_add(on_path, abac_role_string(role)); |
---|
[97a5e13] | 632 | |
---|
[ebe824c] | 633 | // get implying edges for intersection vertices |
---|
[9a411d7] | 634 | if (abac_role_is_intersection(role)) { |
---|
[ebe824c] | 635 | abac_vertex_t *prereq; |
---|
| 636 | abac_list_foreach(vertex->prereqs, prereq, |
---|
| 637 | _query(graph, prereq->name, principal, return_graph); |
---|
| 638 | ); |
---|
[e2a0f26] | 639 | } |
---|
[97a5e13] | 640 | |
---|
| 641 | // recursively find linked roles |
---|
[e2a0f26] | 642 | else if (abac_role_is_linking(role)) { |
---|
[401a054] | 643 | char *linked_role = abac_role_linked_role(role); |
---|
[dcc1a8e] | 644 | char *principal = abac_role_principal(incoming_role); |
---|
[97a5e13] | 645 | |
---|
[401a054] | 646 | _query(graph, linked_role, principal, return_graph); |
---|
[97a5e13] | 647 | } |
---|
[e2a0f26] | 648 | |
---|
| 649 | // add non-derived edges to the proof graph |
---|
| 650 | else |
---|
| 651 | abac_graph_add_credential(return_graph, incoming->credential); |
---|
[97a5e13] | 652 | ); |
---|
| 653 | ); |
---|
| 654 | |
---|
[6d5623e] | 655 | abac_list_free(traversal); |
---|
[2fd24c7] | 656 | abac_set_free(on_path); |
---|
[401a054] | 657 | abac_role_free(role); |
---|
[dcc1a8e] | 658 | abac_role_free(prin_role); |
---|
[97a5e13] | 659 | } |
---|
| 660 | |
---|
[401a054] | 661 | abac_graph_t *abac_graph_query(abac_graph_t *graph, char *role, char *principal) { |
---|
[06293d1] | 662 | abac_graph_derive_links(graph); |
---|
[97a5e13] | 663 | |
---|
[06293d1] | 664 | abac_graph_t *return_graph = abac_graph_new(); |
---|
[401a054] | 665 | _query(graph, role, principal, return_graph); |
---|
[06293d1] | 666 | abac_graph_derive_links(return_graph); |
---|
[97a5e13] | 667 | return return_graph; |
---|
| 668 | } |
---|
[be963dc] | 669 | |
---|
[d4b3b52] | 670 | abac_graph_t *abac_graph_principal_creds(abac_graph_t *graph, char *principal) { |
---|
| 671 | abac_graph_derive_links(graph); |
---|
| 672 | abac_graph_t *result_graph = abac_graph_new(); |
---|
[fc1a6b4] | 673 | |
---|
[d4b3b52] | 674 | abac_list_t *result = abac_graph_postorder_reverse_credentials(graph, |
---|
| 675 | principal); |
---|
[fc1a6b4] | 676 | |
---|
[d4b3b52] | 677 | abac_credential_t *cur = NULL; |
---|
[f6576c4] | 678 | int add_ret; |
---|
[d4b3b52] | 679 | abac_list_foreach(result, cur, |
---|
[f6576c4] | 680 | add_ret=abac_graph_add_credential(result_graph, cur); |
---|
| 681 | assert(add_ret != ABAC_GRAPH_CRED_INVALID); |
---|
| 682 | abac_credential_free(cur); |
---|
[d4b3b52] | 683 | ); |
---|
| 684 | abac_list_free(result); |
---|
| 685 | /* For each terminal role that the principal can reach, roll a proof into |
---|
| 686 | the result_graph. */ |
---|
[fc1a6b4] | 687 | |
---|
[d4b3b52] | 688 | abac_vertex_t *vertex = NULL; |
---|
| 689 | for (vertex = result_graph->vertices; vertex != NULL; |
---|
| 690 | vertex = vertex->hh.next) { |
---|
| 691 | if ( abac_list_size(vertex->reverse_edges) == 0) |
---|
| 692 | _query(graph, vertex->name, principal, result_graph); |
---|
| 693 | } |
---|
| 694 | abac_graph_derive_links(result_graph); |
---|
[fc1a6b4] | 695 | |
---|
[d4b3b52] | 696 | return result_graph; |
---|
| 697 | } |
---|
| 698 | |
---|
| 699 | |
---|
[902d079] | 700 | /** |
---|
[401a054] | 701 | * Get all the credentials (attribute/issuer cert pairs) from the graph. |
---|
[902d079] | 702 | */ |
---|
[401a054] | 703 | abac_list_t *abac_graph_credentials(abac_graph_t *graph) { |
---|
| 704 | abac_list_t *credentials = abac_list_new(); |
---|
[902d079] | 705 | |
---|
[06293d1] | 706 | abac_vertex_t *vertex; |
---|
[902d079] | 707 | |
---|
| 708 | for (vertex = graph->vertices; vertex != NULL; vertex = vertex->hh.next) { |
---|
[06293d1] | 709 | abac_edge_t *edge; |
---|
[6d5623e] | 710 | abac_list_foreach(vertex->edges, edge, |
---|
[401a054] | 711 | if (edge->credential != NULL) |
---|
| 712 | abac_list_add(credentials, abac_credential_dup(edge->credential)); |
---|
[902d079] | 713 | ); |
---|
| 714 | } |
---|
| 715 | |
---|
[401a054] | 716 | return credentials; |
---|
[902d079] | 717 | } |
---|
| 718 | |
---|
[06293d1] | 719 | void abac_graph_free(abac_graph_t *graph) { |
---|
| 720 | abac_vertex_t *vertex; |
---|
| 721 | abac_edge_t *edge; |
---|
[be963dc] | 722 | |
---|
| 723 | // kill derived edges |
---|
| 724 | _clear_derived(graph); |
---|
| 725 | |
---|
| 726 | // delete vertices |
---|
| 727 | while ((vertex = graph->vertices) != NULL) { |
---|
| 728 | HASH_DEL(graph->vertices, vertex); |
---|
[06ef09c] | 729 | _free_vertex(vertex); |
---|
[be963dc] | 730 | } |
---|
| 731 | |
---|
| 732 | free(graph); |
---|
| 733 | } |
---|
[f46412c] | 734 | |
---|
[06293d1] | 735 | abac_role_t *abac_vertex_role(abac_vertex_t *vertex) { |
---|
[f46412c] | 736 | return vertex->role; |
---|
| 737 | } |
---|