Context Navigation

source: libabac/abac_graph.c @ 3613ab8

abac0-leak

Last change on this file since 3613ab8 was 3613ab8, checked in by Ted Faber <faber@…>, 11 years ago
Back out the badly executed memory leak changes
Property mode set to `100644`
File size: 17.9 KB

Line
1	#include <assert.h>
2	#include <stdlib.h>
3
4	#include "abac_graph.h"
5
6	#include "abac_set.h"
7	#include "abac_util.h"
8
9	#include "uthash.h"
10
11	// vertex
12	struct _abac_vertex_t {
13	abac_role_t *role;
14	char *name;
15
16	abac_list_t *edges;
17	abac_list_t *reverse_edges;
18
19	// only relevant to intersection edges
20	abac_list_t *prereqs;
21
22	UT_hash_handle hh;
23	};
24
25	// edge
26	typedef struct _abac_edge_t {
27	abac_vertex_t *vertex;
28	abac_vertex_t *reverse_vertex;
29	abac_credential_t *credential;
30	} abac_edge_t;
31
32	// derived edge
33	typedef struct _abac_derived_key_t {
34	abac_vertex_t *head;
35	abac_edge_t *tail;
36	} abac_derived_key_t;
37
38	typedef struct _abac_derived_t {
39	abac_derived_key_t key;
40	UT_hash_handle hh;
41	} abac_derived_t;
42
43	// graph
44	struct _abac_graph_t {
45	abac_vertex_t *vertices;
46	abac_derived_t *derived;
47	int dirty;
48	};
49
50	// ugghhhghhhghh need this for intersections
51	abac_list_t abac_role_prereqs(abac_role_t );
52
53	/**
54	* Create a new graph.
55	*/
56	abac_graph_t *abac_graph_new(void) {
57	abac_graph_t *graph = abac_xmalloc(sizeof(abac_graph_t));
58
59	graph->vertices = NULL;
60	graph->derived = NULL;
61	graph->dirty = 0;
62
63	return graph;
64	}
65
66	/**
67	* Deep copy a graph.
68	*/
69	abac_graph_t abac_graph_dup(abac_graph_t graph) {
70	abac_vertex_t *vertex;
71	abac_edge_t *edge;
72
73	abac_graph_t *clone = abac_graph_new();
74
75	// copy the vertices edge by edge
76	for (vertex = graph->vertices; vertex != NULL; vertex = vertex->hh.next)
77	abac_list_foreach(vertex->edges, edge,
78	// only copy non-derived edges
79	if (edge->credential != NULL)
80	abac_graph_add_credential(clone, edge->credential);
81	);
82
83	return clone;
84	}
85
86	/**
87	* Add a vertex to the graph. Should only be called by abac_graph_add_credential.
88	*/
89	static abac_vertex_t _get_vertex(abac_graph_t graph, abac_role_t *role) {
90	abac_vertex_t *vertex;
91	char *string;
92
93	string = abac_role_string(role);
94	HASH_FIND_STR(graph->vertices, string, vertex);
95
96	// add the vertex if it doesn't exist
97	if (vertex == NULL) {
98	vertex = abac_xmalloc(sizeof(abac_vertex_t));
99	vertex->role = abac_role_dup(role);
100	vertex->name = abac_role_string(vertex->role);
101
102	// create the list of edges
103	vertex->edges = abac_list_new();
104	vertex->reverse_edges = abac_list_new();
105
106	// for intersections, always NULL on normal vertices
107	if (abac_role_is_intersection(role)) {
108	abac_role_t *prereq;
109	vertex->prereqs = abac_list_new();
110
111	// add each prereq to the vertex
112	abac_list_foreach(abac_role_prereqs(role), prereq,
113	abac_vertex_t *tail_vertex = _get_vertex(graph, prereq);
114	abac_list_add(vertex->prereqs, tail_vertex);
115	);
116	}
117
118	// normal edges have no prereqs
119	else
120	vertex->prereqs = NULL;
121
122	// add it to the vertices
123	HASH_ADD_KEYPTR(hh, graph->vertices, vertex->name, strlen(vertex->name), vertex);
124	}
125
126	return vertex;
127	}
128
129	/**
130	* Add a credential to the credential graph.
131	*/
132	int abac_graph_add_credential(abac_graph_t graph, abac_credential_t cred) {
133	abac_vertex_t head_vertex, tail_vertex;
134	abac_edge_t *edge;
135
136	assert(cred != NULL);
137
138	abac_role_t *head = abac_credential_head(cred);
139	abac_role_t *tail = abac_credential_tail(cred);
140
141	// a valid credential must have a role for the head
142	if (!abac_role_is_role(head)) return 0;
143
144	head_vertex = _get_vertex(graph, head);
145	tail_vertex = _get_vertex(graph, tail);
146
147	// make sure we don't insert the same edge twice (ugh)
148	abac_list_foreach(head_vertex->edges, edge,
149	if (edge->vertex == tail_vertex)
150	return 0;
151	);
152
153	// create the edge and add it
154	edge = abac_xmalloc(sizeof(abac_edge_t));
155	edge->vertex = tail_vertex;
156	edge->reverse_vertex = head_vertex;
157	edge->credential = abac_credential_dup(cred);
158
159	abac_list_add(head_vertex->edges, edge);
160	abac_list_add(tail_vertex->reverse_edges, edge);
161
162	// must re-derive edges
163	graph->dirty = 1;
164
165	return 1;
166	}
167
168	// find the principals that have a role
169	static abac_set_t _find_principals(abac_graph_t graph, abac_vertex_t *start_vertex) {
170	abac_set_t *principals = abac_set_new();
171
172	abac_list_t *traversal = abac_graph_postorder(graph, start_vertex->role);
173	abac_vertex_t *vertex;
174
175	abac_list_foreach(traversal, vertex,
176	if (abac_role_is_principal(vertex->role))
177	abac_set_add(principals, abac_role_string(vertex->role));
178	);
179
180	abac_list_free(traversal);
181	return principals;
182	}
183
184	// remove any derived edges from the graph
185	void _clear_derived(abac_graph_t *graph) {
186	abac_derived_t *current;
187
188	while (graph->derived) {
189	current = graph->derived;
190
191	HASH_DEL(graph->derived, current);
192
193	abac_vertex_t *head = current->key.head;
194	abac_edge_t *tail = current->key.tail;
195	assert(tail->credential == NULL);
196
197	// this can fail, but we assume the data structures are consistent
198	abac_list_remove(head->edges, tail);
199	abac_list_remove(tail->reverse_vertex->edges, tail);
200
201	free(current);
202	free(tail);
203	}
204	}
205
206	// add a derived edge, returns 1 if added 0 if dup
207	static int _derived_edge(abac_graph_t graph, abac_vertex_t head, abac_vertex_t *tail) {
208	abac_edge_t *edge;
209
210	// don't add duplicate edges
211	abac_list_foreach(head->edges, edge,
212	if (edge->vertex == tail)
213	return 0;
214	);
215
216	debug_printf("derived edge %s <- %s\n", head->name, tail->name);
217
218	edge = abac_xmalloc(sizeof(abac_edge_t));
219	edge->vertex = tail;
220	edge->reverse_vertex = head;
221	edge->credential = NULL;
222	abac_list_add(head->edges, edge);
223	abac_list_add(tail->reverse_edges, edge);
224
225	// add to list of derived edges
226	abac_derived_t *derived = abac_xmalloc(sizeof(abac_derived_t));
227	derived->key.head = head;
228	derived->key.tail = edge;
229	HASH_ADD(hh, graph->derived, key, sizeof(abac_derived_key_t), derived);
230
231	return 1;
232	}
233
234	// find a vertex by name
235	abac_vertex_t _find_vertex(abac_graph_t graph, char *name) {
236	abac_vertex_t *ret = NULL;
237	HASH_FIND_STR(graph->vertices, name, ret);
238	return ret;
239	}
240
241	/**
242	* Single iteration of deriving new edges. Returns the number of new edges
243	* added.
244	*/
245	static int _derive_links_iter(abac_graph_t *graph) {
246	int count = 0;
247	abac_vertex_t *vertex;
248
249	for (vertex = graph->vertices; vertex != NULL; vertex = vertex->hh.next) {
250	// intersection
251	if (abac_role_is_intersection(vertex->role)) {
252	// for each prereq edge:
253	// find principals that have the edge
254	// find intersection of all sets
255	// for each principal B in intersection:
256	// add link
257
258	char *name;
259	abac_vertex_t *prereq;
260	abac_set_t *principals = NULL;
261
262	abac_list_foreach(vertex->prereqs, prereq,
263	abac_set_t *cur = _find_principals(graph, prereq);
264
265	if (principals == NULL)
266	principals = cur;
267	else {
268	abac_set_intersect(principals, cur);
269	abac_set_free(cur);
270	}
271
272	if (abac_set_size(principals) == 0)
273	goto isect_done;
274	);
275
276	abac_list_t *prin_names = abac_set_elements(principals);
277	abac_list_foreach(prin_names, name,
278	abac_vertex_t *principal = _find_vertex(graph, name);
279	count += _derived_edge(graph, vertex, principal);
280	);
281
282	abac_list_free(prin_names);
283	isect_done:
284	abac_set_free(principals);
285	}
286
287	// linking role
288	else if (abac_role_is_linking(vertex->role)) {
289	// linking roles take the form A.r1.r2
290	char *A_r1 = abac_role_linked_role(vertex->role);
291	char *r2 = abac_role_role_name(vertex->role);
292
293	// find the linked role in the graph
294	abac_vertex_t *A_r1_vertex;
295	HASH_FIND_STR(graph->vertices, A_r1, A_r1_vertex);
296	if (A_r1_vertex == NULL)
297	continue;
298
299	// find the principals that have A.r1
300	abac_set_t *principals = _find_principals(graph, A_r1_vertex);
301	char *B;
302
303	abac_list_t *elts = abac_set_elements(principals);
304
305	// and add a link for each B.r2 to A.r1.r2
306	abac_list_foreach(elts, B,
307	int B_len = strlen(B);
308	int r2_len = strlen(r2);
309
310	// create the string B.r2, thx C
311	char *B_r2 = malloc(B_len + r2_len + 2);
312	memcpy(B_r2, B, B_len);
313	B_r2[B_len] = '.';
314	memcpy(B_r2 + B_len + 1, r2, r2_len);
315	B_r2[B_len + r2_len + 1] = 0;
316
317	// add an edge if the principal's granted it to someone
318	abac_vertex_t *B_r2_vertex = _find_vertex(graph, B_r2);
319	if (B_r2_vertex) {
320	debug_printf("adding edge from %s to %s\n", B_r2, abac_role_string(vertex->role));
321	count += _derived_edge(graph, vertex, B_r2_vertex);
322	}
323
324	#ifdef DEBUG
325	debug_printf(" incoming edges for %s\n", abac_role_string(vertex->role));
326	abac_edge_t *cur;
327	abac_list_foreach(vertex->edges, cur,
328	debug_printf(" %s (%s)\n", abac_role_string(cur->vertex->role), cur->vertex->name);
329	);
330	#endif
331
332	free(B_r2);
333	);
334
335	abac_list_free(elts);
336	abac_set_free(principals);
337	}
338	}
339
340	return count;
341	}
342
343	/**
344	* Derive all implied edges in the graph. These can come from linking roles
345	* and intersections.
346	*
347	* We have to do it iteratively because derived edges can imply new edges.
348	*/
349	void abac_graph_derive_links(abac_graph_t *graph) {
350	if (!graph->dirty)
351	return;
352
353	// iterate as long as new links are derived
354	while (_derive_links_iter(graph) > 0)
355	;
356
357	graph->dirty = 0;
358	}
359
360	static void _reverse_order_recurse(abac_vertex_t vertex, abac_set_t seen, int preorder, abac_list_t *stack) {
361	abac_edge_t *outgoing;
362
363	// don't revisit nodes
364	if (!abac_set_add(seen, abac_role_string(vertex->role)))
365	return;
366
367	if (preorder)
368	abac_list_add(stack, vertex);
369
370	// recurse along the incoming vertices
371	abac_list_foreach(vertex->reverse_edges, outgoing,
372	_reverse_order_recurse(outgoing->reverse_vertex, seen, preorder, stack);
373	);
374
375	if (!preorder)
376	abac_list_add(stack, vertex);
377	}
378
379	static abac_list_t _reverse_order(abac_graph_t graph, abac_role_t *start, int preorder) {
380	debug_printf("%sorder at %s\n", preorder ? "pre" : "post", abac_role_string(start));
381
382	abac_vertex_t *start_vertex = _get_vertex(graph, start);
383	abac_set_t *seen = abac_set_new();
384
385	// create the return list
386	abac_list_t *stack = abac_list_new();
387
388	_reverse_order_recurse(start_vertex, seen, preorder, stack);
389
390	abac_set_free(seen);
391
392	return stack;
393	}
394
395	static void _order_recurse(abac_vertex_t vertex, abac_set_t seen, int preorder, abac_list_t *stack) {
396	abac_edge_t *incoming;
397
398	// don't revisit nodes
399	if (!abac_set_add(seen, abac_role_string(vertex->role)))
400	return;
401
402	if (preorder)
403	abac_list_add(stack, vertex);
404
405	// recurse along the incoming vertices
406	abac_list_foreach(vertex->edges, incoming,
407	_order_recurse(incoming->vertex, seen, preorder, stack);
408	);
409
410	if (!preorder)
411	abac_list_add(stack, vertex);
412	}
413
414	static abac_list_t _order(abac_graph_t graph, abac_role_t *start, int preorder) {
415	debug_printf("%sorder at %s\n", preorder ? "pre" : "post", abac_role_string(start));
416
417	abac_vertex_t *start_vertex = _get_vertex(graph, start);
418	abac_set_t *seen = abac_set_new();
419
420	// create the return list
421	abac_list_t *stack = abac_list_new();
422
423	_order_recurse(start_vertex, seen, preorder, stack);
424
425	abac_set_free(seen);
426
427	return stack;
428	}
429
430	abac_list_t abac_graph_postorder(abac_graph_t graph, abac_role_t *start) {
431	return _order(graph, start, 0);
432	}
433
434	/**
435	* Postorder traverse the graph and return all the credentials within.
436	*/
437	abac_list_t abac_graph_postorder_credentials(abac_graph_t graph, char *start) {
438	abac_vertex_t *vertex;
439	abac_edge_t *incoming;
440
441	// get the postorder of vertices
442	abac_role_t *role = abac_role_from_string(start);
443	abac_list_t *order = abac_graph_postorder(graph, role);
444
445	// go through the list and dup all the credentials
446	abac_list_t *credentials = abac_list_new();
447	abac_list_foreach(order, vertex,
448	abac_list_foreach(vertex->edges, incoming,
449	if (incoming->credential != NULL)
450	abac_list_add(credentials, abac_credential_dup(incoming->credential));
451	);
452	);
453
454	abac_role_free(role);
455	abac_list_free(order);
456
457	return credentials;
458	}
459
460
461	abac_list_t abac_graph_postorder_reverse(abac_graph_t graph, abac_role_t *start) {
462	return _reverse_order(graph, start, 0);
463	}
464
465	/**
466	* Postorder traverse the graph and return all the credentials within.
467	*/
468	abac_list_t abac_graph_postorder_reverse_credentials(abac_graph_t graph, char *start) {
469	abac_vertex_t *vertex;
470	abac_edge_t *outgoing;
471
472	// get the postorder of vertices
473	abac_role_t *role = abac_role_from_string(start);
474	abac_list_t *order = abac_graph_postorder_reverse(graph, role);
475
476	// go through the list and dup all the credentials
477	abac_list_t *credentials = abac_list_new();
478	abac_list_foreach(order, vertex,
479	abac_list_foreach(vertex->reverse_edges, outgoing,
480	if (outgoing->credential != NULL)
481	abac_list_add(credentials, abac_credential_dup(outgoing->credential));
482	);
483	);
484
485	abac_role_free(role);
486	abac_list_free(order);
487
488	return credentials;
489	}
490
491	static void _query(abac_graph_t graph, char role_name, char principal, abac_graph_t return_graph) {
492	abac_vertex_t *vertex;
493	abac_edge_t *incoming;
494
495	abac_role_t *role = abac_role_from_string(role_name);
496	abac_role_t *prin_role = abac_role_from_string(principal);
497
498	// give up on bogus roles
499	if (role == NULL \|\| prin_role == NULL) {
500	free(role);
501	free(prin_role);
502	return;
503	}
504
505	abac_set_t *on_path = abac_set_new();
506	abac_set_add(on_path, abac_role_string(prin_role));
507
508	abac_list_t *traversal = abac_graph_postorder(graph, role);
509	abac_list_foreach(traversal, vertex,
510	abac_role_t *role = vertex->role;
511
512	abac_list_foreach(vertex->edges, incoming,
513	abac_role_t *incoming_role = incoming->vertex->role;
514
515	if (!abac_set_contains(on_path, abac_role_string(incoming_role)))
516	continue;
517
518	abac_set_add(on_path, abac_role_string(role));
519
520	// get implying edges for intersection vertices
521	if (abac_role_is_intersection(role)) {
522	abac_vertex_t *prereq;
523	abac_list_foreach(vertex->prereqs, prereq,
524	_query(graph, prereq->name, principal, return_graph);
525	);
526	}
527
528	// recursively find linked roles
529	else if (abac_role_is_linking(role)) {
530	char *linked_role = abac_role_linked_role(role);
531	char *principal = abac_role_principal(incoming_role);
532
533	_query(graph, linked_role, principal, return_graph);
534	}
535
536	// add non-derived edges to the proof graph
537	else
538	abac_graph_add_credential(return_graph, incoming->credential);
539	);
540	);
541
542	abac_list_free(traversal);
543	abac_set_free(on_path);
544	abac_role_free(role);
545	abac_role_free(prin_role);
546	}
547
548	abac_graph_t abac_graph_query(abac_graph_t graph, char role, char principal) {
549	abac_graph_derive_links(graph);
550
551	abac_graph_t *return_graph = abac_graph_new();
552	_query(graph, role, principal, return_graph);
553	abac_graph_derive_links(return_graph);
554	return return_graph;
555	}
556
557	abac_graph_t abac_graph_principal_creds(abac_graph_t graph, char *principal) {
558	abac_graph_derive_links(graph);
559	abac_graph_t *result_graph = abac_graph_new();
560	abac_list_t *result = abac_graph_postorder_reverse_credentials(graph,
561	principal);
562	abac_credential_t *cur = NULL;
563	abac_list_foreach(result, cur,
564	abac_graph_add_credential(result_graph, cur);
565	);
566	abac_list_free(result);
567	/* For each terminal role that the principal can reach, roll a proof into
568	the result_graph. */
569	abac_vertex_t *vertex = NULL;
570	for (vertex = result_graph->vertices; vertex != NULL;
571	vertex = vertex->hh.next) {
572	if ( abac_list_size(vertex->reverse_edges) == 0)
573	_query(graph, vertex->name, principal, result_graph);
574	}
575	abac_graph_derive_links(result_graph);
576	return result_graph;
577	}
578
579
580	/**
581	* Get all the credentials (attribute/issuer cert pairs) from the graph.
582	*/
583	abac_list_t abac_graph_credentials(abac_graph_t graph) {
584	abac_list_t *credentials = abac_list_new();
585
586	abac_vertex_t *vertex;
587
588	for (vertex = graph->vertices; vertex != NULL; vertex = vertex->hh.next) {
589	abac_edge_t *edge;
590	abac_list_foreach(vertex->edges, edge,
591	if (edge->credential != NULL)
592	abac_list_add(credentials, abac_credential_dup(edge->credential));
593	);
594	}
595
596	return credentials;
597	}
598
599	void abac_graph_free(abac_graph_t *graph) {
600	abac_vertex_t *vertex;
601	abac_edge_t *edge;
602
603	// kill derived edges
604	_clear_derived(graph);
605
606	// delete vertices
607	while ((vertex = graph->vertices) != NULL) {
608	HASH_DEL(graph->vertices, vertex);
609
610	abac_role_free(vertex->role);
611
612	abac_list_foreach(vertex->edges, edge,
613	if (edge->credential != NULL)
614	abac_credential_free(edge->credential);
615	free(edge);
616	);
617	abac_list_free(vertex->edges);
618
619	// the prereq vertices will be freed by the outer while loop
620	if (vertex->prereqs != NULL)
621	abac_list_free(vertex->prereqs);
622
623	free(vertex);
624	}
625
626	free(graph);
627	}
628
629	abac_role_t abac_vertex_role(abac_vertex_t vertex) {
630	return vertex->role;
631	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: