| 1 | #ifndef __ABAC_H__ |
|---|
| 2 | #define __ABAC_H__ |
|---|
| 3 | |
|---|
| 4 | #include <abac_common.h> |
|---|
| 5 | #include <abac_list.h> |
|---|
| 6 | #include <abac_stack.h> |
|---|
| 7 | |
|---|
| 8 | typedef struct _abac_context_t abac_context_t; |
|---|
| 9 | typedef struct _abac_credential_t abac_credential_t; |
|---|
| 10 | typedef struct _abac_role_t abac_role_t; |
|---|
| 11 | typedef struct _abac_id_cert_t abac_id_cert_t; |
|---|
| 12 | |
|---|
| 13 | typedef struct _abac_condition_t abac_condition_t; |
|---|
| 14 | typedef struct _abac_param_t abac_param_t; |
|---|
| 15 | typedef struct _abac_param_list_t abac_param_list_t; |
|---|
| 16 | |
|---|
| 17 | /* |
|---|
| 18 | * ABAC functions, operating on an ABAC context. |
|---|
| 19 | */ |
|---|
| 20 | abac_context_t *abac_context_new(void); |
|---|
| 21 | abac_context_t *abac_context_dup(abac_context_t *ctx); |
|---|
| 22 | void abac_context_free(abac_context_t *ctx); |
|---|
| 23 | |
|---|
| 24 | /* see the bottom of the file for possible return codes */ |
|---|
| 25 | int abac_context_load_id_file(abac_context_t *ctx, char *filename); |
|---|
| 26 | int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert); |
|---|
| 27 | int abac_context_load_attribute_file(abac_context_t *ctx, char *filename); |
|---|
| 28 | int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert); |
|---|
| 29 | |
|---|
| 30 | /* load an entire directory full of certs */ |
|---|
| 31 | void abac_context_load_directory(abac_context_t *ctx, char *path); |
|---|
| 32 | |
|---|
| 33 | /* abac query, returns a NULL-terminated array of credentials on success, NULL on fail */ |
|---|
| 34 | abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success); |
|---|
| 35 | |
|---|
| 36 | /* get all the credentials from the context, returns a NULL-terminated array of credentials */ |
|---|
| 37 | abac_credential_t **abac_context_credentials(abac_context_t *ctx); |
|---|
| 38 | |
|---|
| 39 | /* use this to free the results of either of the previous two functions */ |
|---|
| 40 | void abac_context_credentials_free(abac_credential_t **credentials); |
|---|
| 41 | |
|---|
| 42 | /* |
|---|
| 43 | * Operations on credentials |
|---|
| 44 | */ |
|---|
| 45 | abac_role_t *abac_credential_head(abac_credential_t *cred); |
|---|
| 46 | abac_role_t *abac_credential_tail(abac_credential_t *cred); |
|---|
| 47 | abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred); |
|---|
| 48 | abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred); |
|---|
| 49 | abac_credential_t *abac_credential_lookup(char *cred_string); |
|---|
| 50 | char* abac_credential_clause(abac_credential_t *cred); |
|---|
| 51 | |
|---|
| 52 | abac_credential_t *abac_credential_dup(abac_credential_t *cred); |
|---|
| 53 | void abac_credential_free(abac_credential_t *cred); |
|---|
| 54 | |
|---|
| 55 | /* |
|---|
| 56 | * Operations on roles. |
|---|
| 57 | */ |
|---|
| 58 | abac_role_t *abac_role_principal_new(char *principal); |
|---|
| 59 | abac_role_t *abac_role_role_new(char *principal, char *abac_role_name); |
|---|
| 60 | abac_role_t *abac_role_linking_new(char *principal, char *linked_role, char *abac_role_name); |
|---|
| 61 | abac_role_t *abac_role_intersection_new(char *name, abac_list_t *prereqs); |
|---|
| 62 | |
|---|
| 63 | int abac_verify_roletype(char *type); |
|---|
| 64 | void abac_role_free(abac_role_t *role); |
|---|
| 65 | |
|---|
| 66 | abac_role_t *abac_role_from_string(char *string); |
|---|
| 67 | abac_role_t *abac_role_dup(abac_role_t *role); |
|---|
| 68 | |
|---|
| 69 | int abac_role_is_principal(abac_role_t *role); |
|---|
| 70 | int abac_role_is_role(abac_role_t *role); |
|---|
| 71 | int abac_role_is_linking(abac_role_t *role); |
|---|
| 72 | int abac_role_is_intersection(abac_role_t *role); |
|---|
| 73 | |
|---|
| 74 | char *abac_role_string(abac_role_t *role); |
|---|
| 75 | char *abac_role_linked_role(abac_role_t *role); |
|---|
| 76 | char *abac_role_role_name(abac_role_t *role); |
|---|
| 77 | char *abac_role_principal(abac_role_t *role); |
|---|
| 78 | abac_list_t *abac_role_prereqs(abac_role_t *role); |
|---|
| 79 | |
|---|
| 80 | abac_param_list_t *abac_role_linked_role_params(abac_role_t *role); |
|---|
| 81 | abac_param_list_t *abac_role_role_params(abac_role_t *role); |
|---|
| 82 | |
|---|
| 83 | char *abac_role_attr_key(abac_role_t *head_role, abac_role_t *tail_role); |
|---|
| 84 | |
|---|
| 85 | /* |
|---|
| 86 | * Operations on params. |
|---|
| 87 | */ |
|---|
| 88 | abac_param_t *abac_param_new(int type, char *name, char *cond); |
|---|
| 89 | void abac_param_free(abac_param_t *ptr); |
|---|
| 90 | abac_param_list_t *abac_param_list_new(abac_param_t *param); |
|---|
| 91 | abac_param_list_t *abac_param_list_free(abac_param_list_t *ptr); |
|---|
| 92 | abac_param_list_t *abac_param_list_add_param(abac_param_list_t *, abac_param_t *param); |
|---|
| 93 | char* abac_param_list_string(abac_param_list_t *ptr); |
|---|
| 94 | char* abac_param_list_string_with_condition(abac_param_list_t *ptr); |
|---|
| 95 | |
|---|
| 96 | /* |
|---|
| 97 | * Error codes for loading certificates. |
|---|
| 98 | */ |
|---|
| 99 | #define ABAC_CERT_SUCCESS 0 // certificate loaded, all is well |
|---|
| 100 | #define ABAC_CERT_INVALID -1 // invalid format; also file not found |
|---|
| 101 | #define ABAC_CERT_BAD_SIG -2 // invalid signature |
|---|
| 102 | #define ABAC_CERT_MISSING_ISSUER -3 // missing ID cert that issued the attribute cert |
|---|
| 103 | #define ABAC_CERT_BAD_CN -4 // ID cert is not matching CN=principal format |
|---|
| 104 | #define ABAC_CERT_BAD_YAP -5 // failed to insert into prolog engine |
|---|
| 105 | |
|---|
| 106 | #endif /* __ABAC_H__ */ |
|---|
