/* abac.c using prolog */ #include #include #include #include #include "abac.h" #include "abac_pl.h" #include "abac_pl_yap.h" #ifdef DEBUG_IT #include "abac_pl_yap_dbg.h" #endif #include "abac_util.h" #include "abac_verifier.h" static int debug = 1; struct _abac_context_t { abac_pl_t *pl; #ifdef DEBUG_IT /* this is just for debugging */ abac_pl_yap_dbg_t *dpl; #endif }; /** * Init the library. */ void libabac_init(void) { void libabac_deinit(void); static int has_been_init = 0; // called every time a context is created, so only do it once if (!has_been_init) { abac_verifier_init(); atexit(libabac_deinit); has_been_init = 1; } } /** * Deinit the library. */ void libabac_deinit(void) { abac_verifier_deinit(); } /** * Create a new abac context. */ abac_context_t *abac_context_new(void) { libabac_init(); abac_context_t *ctx = abac_xmalloc(sizeof(abac_context_t)); ctx->pl = abac_pl_new(); #ifdef DEBUG_IT if (debug) { ctx->dpl = abac_pl_yap_dbg_new(); } else ctx->dpl = NULL; #endif return ctx; } /** * Free an abac context. */ void abac_context_free(abac_context_t *ctx) { assert(ctx != NULL); abac_pl_free(ctx->pl); #ifdef DEBUG_IT if (ctx->dpl) abac_pl_yap_dbg_free(ctx->dpl); #endif free(ctx); } /** * Load an ID cert from a file. */ int abac_context_load_id_file(abac_context_t *ctx, char *filename) { assert(ctx != NULL); assert(filename != NULL); int ret = abac_verifier_load_id_file(filename); if (ret == ABAC_CERT_SUCCESS) { // add into yap } return ret; } /** * Load an ID cert from a chunk. */ int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert) { assert(ctx != NULL); chunk_t cert_chunk = { cert.ptr, cert.len }; return abac_verifier_load_id_chunk(cert_chunk); } /** * Load an attribute cert from a file. */ int abac_context_load_attribute_file(abac_context_t *ctx, char *filename) { int ret, add_ret; abac_credential_t *cred; assert(ctx != NULL); assert(filename != NULL); ret = abac_verifier_load_attribute_cert_file(filename, &cred); if (ret == ABAC_CERT_SUCCESS) { add_ret = abac_pl_add_credential(ctx->pl, cred); assert(add_ret != ABAC_PL_CRED_INVALID); /* MEI, XXX this is weird.. abac_credential_free(cred); **/ } return ret; } /** * Load an attribute cert from a chunk. */ int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert) { int ret, add_ret; abac_credential_t *cred; assert(ctx != NULL); chunk_t cert_chunk = { cert.ptr, cert.len }; ret = abac_verifier_load_attribute_cert_chunk(cert_chunk, &cred); if (ret == ABAC_CERT_SUCCESS) { add_ret = abac_pl_add_credential(ctx->pl, cred); assert(add_ret != ABAC_PL_CRED_INVALID); abac_credential_free(cred); } return ret; } #define ID_PAT "/*_ID.{der,pem}" #define ATTR_PAT "/*_attr.der" /** * Load a directory full of certs. */ void abac_context_load_directory(abac_context_t *ctx, char *path) { char *glob_pat; glob_t glob_buf; int i, ret; assert(ctx != NULL); assert(path != NULL); int dirlen = strlen(path); glob_pat = abac_xmalloc(dirlen + sizeof(ID_PAT)); memcpy(glob_pat, path, dirlen); // first load ID certs memcpy(glob_pat + dirlen, ID_PAT, sizeof(ID_PAT)); glob(glob_pat, GLOB_BRACE, NULL, &glob_buf); // TODO check for error for (i = 0; i < glob_buf.gl_pathc; ++i) { char *cert_file = glob_buf.gl_pathv[i]; printf("--> ID cert... %s\n", cert_file); ret = abac_context_load_id_file(ctx, cert_file); if (ret != ABAC_CERT_SUCCESS) warnx("Couldn't load ID cert %s", cert_file); } globfree(&glob_buf); // then load attr certs memcpy(glob_pat + dirlen, ATTR_PAT, sizeof(ATTR_PAT)); glob(glob_pat, 0, NULL, &glob_buf); // TODO check for error for (i = 0; i < glob_buf.gl_pathc; ++i) { char *cert_file = glob_buf.gl_pathv[i]; printf("--> attr cert... %s\n", cert_file); ret = abac_context_load_attribute_file(ctx, cert_file); if (ret != ABAC_CERT_SUCCESS) warnx("Couldn't load attribute cert %s", cert_file); } globfree(&glob_buf); free(glob_pat); } /** * Run a query on the data in an abac context. Returns a NULL-terminated array * of abac_credential_t. Success/failure in *success. */ abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success) { abac_credential_t **credentials = NULL, *cur; int i = 0; assert(ctx != NULL); assert(role != NULL); assert(principal != NULL); assert(success != NULL); abac_list_t *result = abac_pl_query(ctx->pl, role, principal); int size = abac_list_size(result); if (size > 0) *success = 1; else { // XXX NOT SURE YET.. // return partial proof } // make the array (leave space to NULL terminate it) // n.b., even if the list is empty, we still return an array that // only contains the NULL terminator credentials = abac_xmalloc(sizeof(abac_credential_t *) * (size + 1)); if(size) { abac_list_foreach(result, cur, credentials[i++] = cur; ); } credentials[i] = NULL; abac_list_free(result); return credentials; } /** * A NULL-terminated array of all the credentials in the context. */ abac_credential_t **abac_context_credentials(abac_context_t *ctx) { assert(ctx != NULL); } /** * Frees a NULL-terminated list of credentials. */ void abac_context_credentials_free(abac_credential_t **credentials) { int i; if (credentials == NULL) return; for (i = 0; credentials[i] != NULL; ++i) abac_credential_free(credentials[i]); free(credentials); } #ifdef DEBUG_IT // for debugging only void abac_context_debug_run(abac_context_t *ctx) { if (ctx) { abac_pl_yap_dbg_run_can(ctx->dpl); } } #endif