Context Navigation

source: libabac/abac_pl_gen.c @ 8bd77b5

mei_rt2mei_rt2_fix_1

Last change on this file since 8bd77b5 was 8bd77b5, checked in by Mei <mei@…>, 12 years ago

1) convert parser and libabac to use id cred and attr cred like

creddy (move those 2 files to libabac).

2) fix up abac.hh to work with expanded libabac. can now build

structure from python script

3) redid the credential dump using the internal credential table

instead of depending on a search in db.

Property mode set to 100644

File size: 18.7 KB

Line
1
2
3	/***********************************************************************/
4	/* clause generation called from parser to generate credential clauses */
5	/***********************************************************************/
6	#include <stdio.h>
7	#include <assert.h>
8	#include <stdlib.h>
9
10	#include "abac_internal.h"
11	#include "abac_set.h"
12	#include "abac_util.h"
13
14	#include "uthash.h"
15
16	// index to generate C1,C2..
17	static int cred_count=0;
18
19	static int debug=0;
20
21	extern int using_this;
22
23	extern char* abac_yyfptr_encoded;
24	extern int abac_yy_cnt_yy_id_certs();
25	extern void abac_yy_free_yy_id_certs();
26	extern char *abac_yy_string_yy_id_certs();
27	extern void abac_yy_free_yy_constraints();
28	extern char *abac_yy_string_yy_constraints();
29
30	/***********************************************************************/
31	static char* isX()
32	{
33	static char x_string[2]="X";
34	static char this_string[5]="This";
35	if(using_this)
36	return this_string;
37	else
38	return x_string;
39	}
40
41	static int _get_next_cred_idx()
42	{
43	cred_count++;
44	return cred_count;
45	}
46
47	/* remember to free the returned string */
48	static char *_compose_cred_list()
49	{
50	int i=cred_count;
51	if(cred_count==0) return "";
52
53	char clist=(char )abac_xmalloc(sizeof(char)(cred_count)3);
54	strcpy(clist,"C1");
55	if (cred_count==1) return clist;
56
57	i=1;
58	while(i!=cred_count) {
59	i++;
60	sprintf(clist,"%s,C%d",clist,i);
61	}
62	return clist;
63	}
64
65	/***********************************************************************/
66	/* generate role(p_name, r_name, param..) */
67	/* or oset(p_name, r_name, param..) */
68	static char* generate_pl_head_string(abac_aspect_t *ptr)
69	{
70	char *tmp=NULL;
71	char *principalname=abac_aspect_principal_name(ptr);
72	char *aspectname=abac_aspect_aspect_name(ptr);
73	char *typestring=abac_aspect_type_string(ptr);
74	char *param_string=NULL;
75	int cnt=0;
76
77	/* can not be a linked role */
78	abac_param_list_t *aspect_params=abac_aspect_aspect_params(ptr);
79	if(aspect_params) {
80	param_string=abac_param_list_string(aspect_params);
81	}
82
83	if (param_string != NULL) {
84	cnt=asprintf(&tmp,"%s(%s,%s,%s)",
85	typestring, principalname, aspectname, param_string);
86	free(param_string);
87	} else {
88	cnt=asprintf(&tmp,"%s(%s,%s)",
89	typestring, principalname, aspectname);
90	}
91
92	if(debug && tmp) printf("head_string: (%s)\n",tmp);
93	if(cnt>0)
94	return tmp;
95	else
96	return NULL;
97	}
98
99	/* generate role(p_name, r_name, param..) with isMember call ?? */
100	/* generate oset(p_name, r_name, param..) with isMember call ?? */
101	static char* generate_pl_tail_string(abac_aspect_t *ptr)
102	{
103
104	char *tmp=NULL;
105
106	/* for oset case,
107	A.oset <- B
108	A.oset <- Obj
109	A.oset <- B.oset
110	A.oset <- B.role.oset
111	*/
112	/* o only if it is an oset and object */
113	if(abac_aspect_is_object(ptr)) {
114	char *objectname=abac_aspect_object_name(ptr);
115	tmp=abac_xstrdup(objectname);
116	if(debug && tmp) printf("tail_string1: (%s)\n",tmp);
117	return tmp;
118	} else {
119	char *principalname=abac_aspect_principal_name(ptr);
120	char *aspectname=abac_aspect_aspect_name(ptr);
121	char *linkedname=abac_aspect_linked_role_name(ptr);
122	char *typestring=abac_aspect_type_string(ptr);
123
124	char *param_string=NULL;
125	char *linked_param_string=NULL;
126	int cnt=0;
127
128	abac_param_list_t *aspect_params=abac_aspect_aspect_params(ptr);
129	if(aspect_params) {
130	param_string=abac_param_list_string(aspect_params);
131	}
132
133	abac_param_list_t *linked_role_params=abac_aspect_linked_role_params(ptr);
134	if(linked_role_params) {
135	linked_param_string=abac_param_list_string(linked_role_params);
136	}
137
138	/* b.r.r */
139	if(linkedname!=NULL && aspectname!=NULL && principalname!=NULL ) {
140	int fst=_get_next_cred_idx();
141	int snd=_get_next_cred_idx();
142	if(linked_param_string !=NULL) {
143	if (param_string != NULL) {
144	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(%s,%s(Y,%s,%s),C%d)",
145	principalname,
146	linkedname,linked_param_string,fst,
147	isX(), typestring,
148	aspectname,param_string,snd);
149	free(param_string);
150	} else {
151	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(%s,%s(Y,%s),C%d)",
152	principalname,
153	linkedname,linked_param_string,fst,
154	isX(), typestring,
155	aspectname,snd);
156	}
157	free(linked_param_string);
158	} else {
159	if (aspect_params != NULL) {
160	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(%s,%s(Y,%s,%s),C%d)",
161	principalname,
162	linkedname,fst,
163	isX(),typestring,
164	aspectname,param_string,snd);
165	free(param_string);
166	} else {
167	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(%s,%s(Y,%s),C%d)",
168	principalname,
169	linkedname,fst,
170	isX(),typestring,
171	aspectname,snd);
172	}
173	}
174	if(debug && tmp) printf("tail_string1: (%s)\n",tmp);
175	if(cnt>0)
176	return tmp;
177	else
178	return NULL;
179	}
180	/* b.r */
181	if(linkedname==NULL && aspectname!=NULL && principalname!=NULL ) {
182	int fst=_get_next_cred_idx();
183	if(param_string != NULL) {
184	cnt=asprintf(&tmp,"isMember(%s,%s(%s,%s,%s),C%d)",
185	isX(),typestring,
186	principalname, aspectname, param_string, fst);
187	free(param_string);
188	} else {
189	cnt=asprintf(&tmp,"isMember(%s,%s(%s,%s),C%d)",
190	isX(), typestring,
191	principalname, aspectname, fst);
192	}
193	if(debug && tmp) printf("tail_string2: (%s)\n",tmp);
194	if(cnt>0)
195	return tmp;
196	else
197	return NULL;
198	}
199	/* b */
200	if(linkedname==NULL && aspectname==NULL && principalname!=NULL ) {
201	tmp=abac_xstrdup(principalname);
202	if(debug && tmp) printf("tail_string3: (%s)\n",tmp);
203	return tmp;
204	}
205
206	if(debug && tmp) printf("tail_string4: (%s)\n",tmp);
207	return tmp;
208	}
209	return tmp;
210	}
211
212
213	/********************************************************************************/
214
215	static char _build_constraint_rule_clause(char head_string, char *tail_string)
216	{
217	/only, A.R <- B /
218	char *tmp;
219	int idx=_get_next_cred_idx();
220	asprintf(&tmp, "isMember(%s,%s,C%d)", tail_string,head_string,idx);
221	return tmp;
222	}
223
224	static char _build_rule_clause(char aspectname, char *head_string,
225	char tail_string, char id_string, char *constraint_string)
226	{
227	char *tmp=NULL;
228
229	if(aspectname == NULL) {
230	/* A.R <- B */
231	if(id_string == NULL && constraint_string == NULL) {
232	asprintf(&tmp, "isMember(%s,%s,['%s'])",
233	tail_string,head_string,abac_yyfptr_encoded);
234	} else {
235	if(id_string == NULL) {
236	asprintf(&tmp, "isMember(%s,%s,['%s']) :- %s",
237	tail_string,head_string,abac_yyfptr_encoded,
238	constraint_string);
239	} else if(constraint_string == NULL) {
240	asprintf(&tmp, "isMember(%s,%s,['%s']) :- %s",
241	tail_string,head_string,abac_yyfptr_encoded,
242	id_string);
243	} else { asprintf(&tmp, "isMember(%s,%s,['%s']) :- %s,%s",
244	tail_string,head_string,abac_yyfptr_encoded,
245	id_string, constraint_string);
246	}
247	}
248	} else {
249	/* A.R <- B.R */
250	/* A.R <- B.R.R */
251	if (cred_count==0) {
252	if(id_string == NULL && constraint_string == NULL) {
253	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s",
254	isX(),
255	head_string, abac_yyfptr_encoded, tail_string);
256	} else {
257	if(id_string == NULL) {
258	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s,%s",
259	isX(),
260	head_string, abac_yyfptr_encoded, tail_string,
261	constraint_string);
262	} else if(constraint_string == NULL) {
263	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s,%s",
264	isX(),
265	head_string, abac_yyfptr_encoded, id_string,
266	tail_string);
267	} else {
268	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s,%s,%s",
269	isX(),
270	head_string, abac_yyfptr_encoded, id_string,
271	tail_string, constraint_string);
272	}
273	}
274	} else {
275	char *tmp_cred_list=_compose_cred_list();
276	if(id_string == NULL && constraint_string == NULL) {
277	asprintf(&tmp,"isMember(%s,%s,L):-%s, appendL([['%s'],%s],L)",
278	isX(),
279	head_string, tail_string,
280	abac_yyfptr_encoded, tmp_cred_list);
281	} else {
282	if(id_string == NULL) {
283	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
284	isX(),
285	head_string, tail_string, constraint_string,
286	abac_yyfptr_encoded, tmp_cred_list);
287	} else if(constraint_string == NULL) {
288	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
289	isX(),
290	head_string, id_string, tail_string,
291	abac_yyfptr_encoded, tmp_cred_list);
292	} else {
293	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, %s, appendL([['%s'],%s],L)",
294	isX(),
295	head_string, id_string, tail_string,
296	constraint_string,
297	abac_yyfptr_encoded, tmp_cred_list);
298	}
299	}
300	free(tmp_cred_list);
301	cred_count=0;
302	}
303	}
304	return tmp;
305	}
306
307
308	static char generate_pl_rule_clause(char head_rule_string,
309	abac_aspect_t tail_rule, char id_string, char *constraint_string)
310	{
311	char *aspectname=abac_aspect_aspect_name(tail_rule);
312	char *tail_rule_string=generate_pl_tail_string(tail_rule);
313	if(aspectname == NULL && tail_rule_string == NULL)
314	goto error;
315	char *tmp=_build_rule_clause(aspectname,head_rule_string, tail_rule_string,
316	id_string, constraint_string);
317	if(tail_rule_string) free(tail_rule_string);
318	return tmp;
319
320	error:
321	if(tail_rule_string) free(tail_rule_string);
322	return NULL;
323	}
324
325	static char _add_string(char dstr, char *nstr)
326	{
327	if(strlen(dstr)==0) {
328	dstr=abac_xstrdup(nstr);
329	return dstr;
330	} else {
331	int len = strlen(dstr)+strlen(nstr)+2;
332	char tmp=abac_xmalloc(lensizeof(char));
333	sprintf(tmp,"%s,%s", dstr,nstr);
334	free(dstr);
335	return tmp;
336	}
337	return NULL;
338	}
339
340	static char _build_intersecting_clause(char head_role_string,
341	char tail_role_string, char id_string, char* constraint_string)
342	{
343	char *tmp;
344
345	if (cred_count==0) {
346	if(id_string == NULL && constraint_string == NULL) {
347	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s",
348	isX(),
349	head_role_string, abac_yyfptr_encoded, tail_role_string);
350	} else {
351	if(id_string == NULL) {
352	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s, %s",
353	isX(),
354	head_role_string, abac_yyfptr_encoded,
355	tail_role_string, constraint_string);
356	} else if(constraint_string == NULL) {
357	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s, %s",
358	isX(),
359	head_role_string, abac_yyfptr_encoded,
360	id_string, tail_role_string);
361	} else {
362	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s, %s, %s",
363	isX(),
364	head_role_string, abac_yyfptr_encoded,
365	id_string, tail_role_string, constraint_string);
366	}
367	}
368	} else {
369	char *tmp_cred_list=_compose_cred_list();
370	if(id_string == NULL && constraint_string == NULL) {
371	asprintf(&tmp,"isMember(%s,%s,L):-%s, appendL([['%s'],%s],L)",
372	isX(),
373	head_role_string, tail_role_string,
374	abac_yyfptr_encoded, tmp_cred_list);
375	} else {
376	if(id_string == NULL) {
377	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
378	isX(),
379	head_role_string, tail_role_string, constraint_string,
380	abac_yyfptr_encoded, tmp_cred_list);
381	} else if(constraint_string == NULL) {
382	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
383	isX(),
384	head_role_string, id_string, tail_role_string,
385	abac_yyfptr_encoded, tmp_cred_list);
386	} else {
387	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, %s, appendL([['%s'],%s],L)",
388	isX(),
389	head_role_string, id_string, tail_role_string, constraint_string,
390	abac_yyfptr_encoded, tmp_cred_list);
391	}
392	}
393	free(tmp_cred_list);
394	cred_count=0;
395	}
396	return tmp;
397	}
398
399	static char generate_pl_intersecting_clause(char head_role_string,
400	abac_aspect_t tail_role, char id_string, char* constraint_string)
401	{
402	char *tmp=NULL;
403	char* tail_role_string=NULL;
404	abac_list_t *list=abac_aspect_prereqs(tail_role);
405	/* A.R <- B.R & C.R.R */
406	/* A.O <- B.O & C.R.O */
407
408	if (list != NULL) {
409	abac_aspect_t *cur;
410	abac_list_foreach(list, cur,
411	char *ntmp=generate_pl_tail_string(cur);
412	if(debug) printf(" intersecting tail: (%s)\n",ntmp);
413	if(tail_role_string==NULL) {
414	tail_role_string=abac_xstrdup(ntmp);
415	} else {
416	tmp=tail_role_string;
417	tail_role_string=NULL;
418	asprintf(&tail_role_string,"%s, %s",tmp,ntmp);
419	free(tmp);
420	}
421	free(ntmp);
422	);
423	}
424
425	if(debug) printf(" final intersecting tail: (%s)\n",tail_role_string);
426	tmp=_build_intersecting_clause(head_role_string, tail_role_string, id_string,constraint_string);
427	if(tail_role_string) free(tail_role_string);
428	return tmp;
429	}
430
431	/* generate the yap isMember rule clause for the credential stmt */
432	abac_list_t generate_pl_clauses(abac_aspect_t head_aspect, abac_aspect_t *tail_aspect)
433	{
434	char *tmp=NULL;
435	char *id_clauses_string=NULL;
436	char *constraint_clauses_string=NULL;
437	abac_list_t *clauses=abac_list_new();
438
439	int cnt=abac_yy_cnt_yy_id_certs();
440	if(cnt > 0) { /* string it up */
441	id_clauses_string=abac_yy_string_yy_id_certs();
442	abac_yy_free_yy_id_certs();
443	}
444
445	/* make a loop here */
446	cnt=abac_yy_cnt_yy_constraints();
447	if(cnt > 0) {
448	constraint_clauses_string=abac_yy_string_yy_constraints();
449	abac_yy_free_yy_constraints();
450	}
451
452	/* generate head's string */
453	char *head_string=generate_pl_head_string(head_aspect);
454	if(head_string == NULL)
455	goto error;
456
457	/* tail side */
458	if(abac_aspect_is_intersection(tail_aspect)) {
459	tmp=generate_pl_intersecting_clause(head_string, tail_aspect,
460	id_clauses_string, constraint_clauses_string);
461	} else {
462	tmp=generate_pl_rule_clause(head_string, tail_aspect,
463	id_clauses_string, constraint_clauses_string);
464	}
465	if(tmp==NULL)
466	goto error;
467
468	abac_list_add(clauses,tmp);
469	return clauses;
470
471	error:
472	if(head_string) free(head_string);
473	if(id_clauses_string) free(id_clauses_string);
474	if(constraint_clauses_string) free(constraint_clauses_string);
475	return clauses;
476	}
477
478	/* should be just 1 */
479	char generate_pl_constraint_clause(abac_aspect_t head_aspect, char *tail_string)
480	{
481	/* generate head's role or oset string */
482	char *head_string=generate_pl_head_string(head_aspect);
483	if(head_string == NULL)
484	goto error;
485
486	/* tail side */
487	char *tmp=_build_constraint_rule_clause(head_string, tail_string);
488	if(tmp==NULL)
489	goto error;
490
491	return tmp;
492
493	error:
494	if(head_string) free(head_string);
495	return NULL;
496	}
497
498	/* integer(X)<10 */
499	/* X='abc' */
500	char generate_pl_range_constraint(char typestr,char var,char val,char *op)
501	{
502	char *tmp=NULL;
503	if(typestr)
504	asprintf(&tmp,"%s(%s)%s%s",typestr,var,op,val);
505	else
506	asprintf(&tmp,"%s%s%s",var,op,val);
507	return tmp;
508	}
509
510	/* compare(op,var,val) */
511	char generate_pl_range_time_constraint(char var,char val,char op)
512	{
513	char *tmp=NULL;
514	asprintf(&tmp,"compare(%s,%s,%s)",op,var,val);
515	return tmp;
516	}
517
518	/* generate the yap isType rule clause for the type,
519	isType(Acme, keyid); */
520	char generate_pl_type_clause(char principalname, int type)
521	{
522	char *tmp=NULL;
523	char *typeid= abac_idtype_string(type);
524	if(typeid==NULL \|\| strcmp(typeid,"NULL")==0)
525	panic("generate_pl_type_clause: can not have null typeid");
526	int cnt=asprintf(&tmp,"isType(%s,%s)",
527	principalname, typeid);
528	return tmp;
529	}
530

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: libabac/abac_pl_gen.c @ 8bd77b5

Download in other formats: