Context Navigation

source: libabac/abac_pl_gen.c @ d037f54

mei_rt2mei_rt2_fix_1

Last change on this file since d037f54 was d037f54, checked in by Mei <mei@…>, 12 years ago

1) able to programmatially build structure, bake attribute credential

write it out to a .der file and use prover to bring it back and
process just like other .der files.
-- tested with rt1 like policy without constraint.

2) changed abac_term structure alittle to ready it for 2 pass code

gen.

Property mode set to 100644

File size: 19.3 KB

Line
1
2	/***********************************************************************/
3	/* clause generation called to generate credential clauses with a */
4	/* given credential syntax structure (made from parser or from a */
5	/* pre-existing structure */
6	/* There are 2 passes, */
7	/* first pass, process named cred id, and constraint range/role/oset */
8	/* 2nd pass, process rule left / right */
9	/***********************************************************************/
10	#include <stdio.h>
11	#include <assert.h>
12	#include <stdlib.h>
13
14	#include "abac_internal.h"
15	#include "abac_set.h"
16	#include "abac_util.h"
17
18	#include "uthash.h"
19
20	// index to generate C1,C2..
21	static int cred_count=0;
22
23	static int debug=0;
24	int ABAC_IN_PROLOG=0;
25
26	extern int using_this;
27
28
29	extern char* abac_yyfptr_encoded;
30	extern int abac_yy_cnt_yy_id_certs();
31	extern void abac_yy_free_yy_id_certs();
32	extern char *abac_yy_string_yy_id_certs();
33	extern void abac_yy_free_yy_constraints();
34	extern char *abac_yy_string_yy_constraints();
35
36	/***********************************************************************/
37	char prologIt(char str)
38	{
39	char *tmp=NULL;
40	asprintf(&tmp,"p%s",str);
41	return tmp;
42	}
43
44	static char* isX()
45	{
46	static char x_string[2]="X";
47	static char this_string[5]="This";
48	if(using_this)
49	return this_string;
50	else
51	return x_string;
52	}
53
54	static int _get_next_cred_idx()
55	{
56	cred_count++;
57	return cred_count;
58	}
59
60	/* remember to free the returned string */
61	static char *_compose_cred_list()
62	{
63	int i=cred_count;
64	if(cred_count==0) return "";
65
66	char clist=(char )abac_xmalloc(sizeof(char)(cred_count)3);
67	strcpy(clist,"C1");
68	if (cred_count==1) return clist;
69
70	i=1;
71	while(i!=cred_count) {
72	i++;
73	sprintf(clist,"%s,C%d",clist,i);
74	}
75	return clist;
76	}
77
78	/***********************************************************************/
79	/* generate role(p_name, r_name, param..) */
80	/* or oset(p_name, r_name, param..) */
81	static char* generate_pl_head_string(abac_aspect_t *ptr)
82	{
83	char *tmp=NULL;
84	char *principalname;
85	PROLOG(principalname=abac_aspect_principal_name(ptr););
86	char *aspectname=abac_aspect_aspect_name(ptr);
87	char *typestring=abac_aspect_type_string(ptr);
88	char *param_string=NULL;
89	int cnt=0;
90
91	/* can not be a linked role */
92	abac_param_list_t *aspect_params=abac_aspect_aspect_params(ptr);
93	if(aspect_params) {
94	PROLOG(param_string=abac_param_list_string(aspect_params););
95	}
96
97	if (param_string != NULL) {
98	cnt=asprintf(&tmp,"%s(%s,%s,%s)",
99	typestring, principalname, aspectname, param_string);
100	free(param_string);
101	} else {
102	cnt=asprintf(&tmp,"%s(%s,%s)",
103	typestring, principalname, aspectname);
104	}
105
106	if(debug && tmp) printf("head_string: (%s)\n",tmp);
107	if(cnt>0)
108	return tmp;
109	else
110	return NULL;
111	}
112
113	/* generate role(p_name, r_name, param..) with isMember call ?? */
114	/* generate oset(p_name, r_name, param..) with isMember call ?? */
115	static char* generate_pl_tail_string(abac_aspect_t *ptr)
116	{
117
118	char *tmp=NULL;
119
120	/* for oset case,
121	A.oset <- B
122	A.oset <- Obj
123	A.oset <- B.oset
124	A.oset <- B.role.oset
125	*/
126	/* o only if it is an oset and object */
127	if(abac_aspect_is_object(ptr)) {
128	char *objectname=abac_aspect_object_name(ptr);
129	tmp=abac_xstrdup(objectname);
130	if(debug && tmp) printf("tail_string1: (%s)\n",tmp);
131	return tmp;
132	} else {
133	char *principalname;
134	PROLOG(principalname=abac_aspect_principal_name(ptr););
135	char *aspectname=abac_aspect_aspect_name(ptr);
136	char *linkedname=abac_aspect_linked_role_name(ptr);
137	char *typestring=abac_aspect_type_string(ptr);
138
139	char *param_string=NULL;
140	char *linked_param_string=NULL;
141	int cnt=0;
142
143	abac_param_list_t *aspect_params=abac_aspect_aspect_params(ptr);
144	if(aspect_params) {
145	PROLOG(param_string=abac_param_list_string(aspect_params););
146	}
147
148	abac_param_list_t *linked_role_params=abac_aspect_linked_role_params(ptr);
149	if(linked_role_params) {
150	PROLOG(linked_param_string=abac_param_list_string(linked_role_params););
151	}
152
153	/* b.r.r */
154	if(linkedname!=NULL && aspectname!=NULL && principalname!=NULL ) {
155	int fst=_get_next_cred_idx();
156	int snd=_get_next_cred_idx();
157	if(linked_param_string !=NULL) {
158	if (param_string != NULL) {
159	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(%s,%s(Y,%s,%s),C%d)",
160	principalname,
161	linkedname,linked_param_string,fst,
162	isX(), typestring,
163	aspectname,param_string,snd);
164	free(param_string);
165	} else {
166	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(%s,%s(Y,%s),C%d)",
167	principalname,
168	linkedname,linked_param_string,fst,
169	isX(), typestring,
170	aspectname,snd);
171	}
172	free(linked_param_string);
173	} else {
174	if (aspect_params != NULL) {
175	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(%s,%s(Y,%s,%s),C%d)",
176	principalname,
177	linkedname,fst,
178	isX(),typestring,
179	aspectname,param_string,snd);
180	free(param_string);
181	} else {
182	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(%s,%s(Y,%s),C%d)",
183	principalname,
184	linkedname,fst,
185	isX(),typestring,
186	aspectname,snd);
187	}
188	}
189	if(debug && tmp) printf("tail_string1: (%s)\n",tmp);
190	if(cnt>0)
191	return tmp;
192	else
193	return NULL;
194	}
195	/* b.r */
196	if(linkedname==NULL && aspectname!=NULL && principalname!=NULL ) {
197	int fst=_get_next_cred_idx();
198	if(param_string != NULL) {
199	cnt=asprintf(&tmp,"isMember(%s,%s(%s,%s,%s),C%d)",
200	isX(),typestring,
201	principalname, aspectname, param_string, fst);
202	free(param_string);
203	} else {
204	cnt=asprintf(&tmp,"isMember(%s,%s(%s,%s),C%d)",
205	isX(), typestring,
206	principalname, aspectname, fst);
207	}
208	if(debug && tmp) printf("tail_string2: (%s)\n",tmp);
209	if(cnt>0)
210	return tmp;
211	else
212	return NULL;
213	}
214	/* b */
215	if(linkedname==NULL && aspectname==NULL && principalname!=NULL ) {
216	tmp=abac_xstrdup(principalname);
217	if(debug && tmp) printf("tail_string3: (%s)\n",tmp);
218	return tmp;
219	}
220
221	if(debug && tmp) printf("tail_string4: (%s)\n",tmp);
222	return tmp;
223	}
224	return tmp;
225	}
226
227
228	/********************************************************************************/
229
230	static char _build_constraint_rule_clause(char head_string, char *tail_string)
231	{
232	/only, A.R <- B /
233	char *tmp;
234	int idx=_get_next_cred_idx();
235	asprintf(&tmp, "isMember(%s,%s,C%d)", tail_string,head_string,idx);
236	return tmp;
237	}
238
239	static char _build_rule_clause(char aspectname, char *head_string,
240	char tail_string, char id_string, char *constraint_string)
241	{
242	char *tmp=NULL;
243
244	if(aspectname == NULL) {
245	/* A.R <- B */
246	if(id_string == NULL && constraint_string == NULL) {
247	asprintf(&tmp, "isMember(%s,%s,['%s'])",
248	tail_string,head_string,abac_yyfptr_encoded);
249	} else {
250	if(id_string == NULL) {
251	asprintf(&tmp, "isMember(%s,%s,['%s']) :- %s",
252	tail_string,head_string,abac_yyfptr_encoded,
253	constraint_string);
254	} else if(constraint_string == NULL) {
255	asprintf(&tmp, "isMember(%s,%s,['%s']) :- %s",
256	tail_string,head_string,abac_yyfptr_encoded,
257	id_string);
258	} else { asprintf(&tmp, "isMember(%s,%s,['%s']) :- %s,%s",
259	tail_string,head_string,abac_yyfptr_encoded,
260	id_string, constraint_string);
261	}
262	}
263	} else {
264	/* A.R <- B.R */
265	/* A.R <- B.R.R */
266	if (cred_count==0) {
267	if(id_string == NULL && constraint_string == NULL) {
268	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s",
269	isX(),
270	head_string, abac_yyfptr_encoded, tail_string);
271	} else {
272	if(id_string == NULL) {
273	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s,%s",
274	isX(),
275	head_string, abac_yyfptr_encoded, tail_string,
276	constraint_string);
277	} else if(constraint_string == NULL) {
278	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s,%s",
279	isX(),
280	head_string, abac_yyfptr_encoded, id_string,
281	tail_string);
282	} else {
283	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s,%s,%s",
284	isX(),
285	head_string, abac_yyfptr_encoded, id_string,
286	tail_string, constraint_string);
287	}
288	}
289	} else {
290	char *tmp_cred_list=_compose_cred_list();
291	if(id_string == NULL && constraint_string == NULL) {
292	asprintf(&tmp,"isMember(%s,%s,L):-%s, appendL([['%s'],%s],L)",
293	isX(),
294	head_string, tail_string,
295	abac_yyfptr_encoded, tmp_cred_list);
296	} else {
297	if(id_string == NULL) {
298	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
299	isX(),
300	head_string, tail_string, constraint_string,
301	abac_yyfptr_encoded, tmp_cred_list);
302	} else if(constraint_string == NULL) {
303	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
304	isX(),
305	head_string, id_string, tail_string,
306	abac_yyfptr_encoded, tmp_cred_list);
307	} else {
308	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, %s, appendL([['%s'],%s],L)",
309	isX(),
310	head_string, id_string, tail_string,
311	constraint_string,
312	abac_yyfptr_encoded, tmp_cred_list);
313	}
314	}
315	free(tmp_cred_list);
316	cred_count=0;
317	}
318	}
319	return tmp;
320	}
321
322
323	static char generate_pl_rule_clause(char head_rule_string,
324	abac_aspect_t tail_rule, char id_string, char *constraint_string)
325	{
326	char *aspectname=abac_aspect_aspect_name(tail_rule);
327	char *tail_rule_string=generate_pl_tail_string(tail_rule);
328	if(aspectname == NULL && tail_rule_string == NULL)
329	goto error;
330	char *tmp=_build_rule_clause(aspectname,head_rule_string, tail_rule_string,
331	id_string, constraint_string);
332	if(tail_rule_string) free(tail_rule_string);
333	return tmp;
334
335	error:
336	if(tail_rule_string) free(tail_rule_string);
337	return NULL;
338	}
339
340	static char _add_string(char dstr, char *nstr)
341	{
342	if(strlen(dstr)==0) {
343	dstr=abac_xstrdup(nstr);
344	return dstr;
345	} else {
346	int len = strlen(dstr)+strlen(nstr)+2;
347	char tmp=abac_xmalloc(lensizeof(char));
348	sprintf(tmp,"%s,%s", dstr,nstr);
349	free(dstr);
350	return tmp;
351	}
352	return NULL;
353	}
354
355	static char _build_intersecting_clause(char head_role_string,
356	char tail_role_string, char id_string, char* constraint_string)
357	{
358	char *tmp;
359
360	if (cred_count==0) {
361	if(id_string == NULL && constraint_string == NULL) {
362	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s",
363	isX(),
364	head_role_string, abac_yyfptr_encoded, tail_role_string);
365	} else {
366	if(id_string == NULL) {
367	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s, %s",
368	isX(),
369	head_role_string, abac_yyfptr_encoded,
370	tail_role_string, constraint_string);
371	} else if(constraint_string == NULL) {
372	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s, %s",
373	isX(),
374	head_role_string, abac_yyfptr_encoded,
375	id_string, tail_role_string);
376	} else {
377	asprintf(&tmp,"isMember(%s,%s,['%s']):-%s, %s, %s",
378	isX(),
379	head_role_string, abac_yyfptr_encoded,
380	id_string, tail_role_string, constraint_string);
381	}
382	}
383	} else {
384	char *tmp_cred_list=_compose_cred_list();
385	if(id_string == NULL && constraint_string == NULL) {
386	asprintf(&tmp,"isMember(%s,%s,L):-%s, appendL([['%s'],%s],L)",
387	isX(),
388	head_role_string, tail_role_string,
389	abac_yyfptr_encoded, tmp_cred_list);
390	} else {
391	if(id_string == NULL) {
392	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
393	isX(),
394	head_role_string, tail_role_string, constraint_string,
395	abac_yyfptr_encoded, tmp_cred_list);
396	} else if(constraint_string == NULL) {
397	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
398	isX(),
399	head_role_string, id_string, tail_role_string,
400	abac_yyfptr_encoded, tmp_cred_list);
401	} else {
402	asprintf(&tmp,"isMember(%s,%s,L):-%s, %s, %s, appendL([['%s'],%s],L)",
403	isX(),
404	head_role_string, id_string, tail_role_string, constraint_string,
405	abac_yyfptr_encoded, tmp_cred_list);
406	}
407	}
408	free(tmp_cred_list);
409	cred_count=0;
410	}
411	return tmp;
412	}
413
414	static char generate_pl_intersecting_clause(char head_role_string,
415	abac_aspect_t tail_role, char id_string, char* constraint_string)
416	{
417	char *tmp=NULL;
418	char* tail_role_string=NULL;
419	abac_list_t *list=abac_aspect_prereqs(tail_role);
420	/* A.R <- B.R & C.R.R */
421	/* A.O <- B.O & C.R.O */
422
423	if (list != NULL) {
424	abac_aspect_t *cur;
425	abac_list_foreach(list, cur,
426	char *ntmp=generate_pl_tail_string(cur);
427	if(debug) printf(" intersecting tail: (%s)\n",ntmp);
428	if(tail_role_string==NULL) {
429	tail_role_string=abac_xstrdup(ntmp);
430	} else {
431	tmp=tail_role_string;
432	tail_role_string=NULL;
433	asprintf(&tail_role_string,"%s, %s",tmp,ntmp);
434	free(tmp);
435	}
436	free(ntmp);
437	);
438	}
439
440	if(debug) printf(" final intersecting tail: (%s)\n",tail_role_string);
441	tmp=_build_intersecting_clause(head_role_string, tail_role_string, id_string,constraint_string);
442	if(tail_role_string) free(tail_role_string);
443	return tmp;
444	}
445
446	/* generate the yap isMember rule clause for the credential stmt */
447	abac_list_t generate_pl_clauses(abac_aspect_t head_aspect, abac_aspect_t *tail_aspect)
448	{
449	char *tmp=NULL;
450	char *id_clauses_string=NULL;
451	char *constraint_clauses_string=NULL;
452	abac_list_t *clauses=abac_list_new();
453
454	int cnt=abac_yy_cnt_yy_id_certs();
455	if(cnt > 0) { /* string it up */
456	id_clauses_string=abac_yy_string_yy_id_certs();
457	abac_yy_free_yy_id_certs();
458	}
459
460	/* make a loop here */
461	cnt=abac_yy_cnt_yy_constraints();
462	if(cnt > 0) {
463	constraint_clauses_string=abac_yy_string_yy_constraints();
464	abac_yy_free_yy_constraints();
465	}
466
467	/* generate head's string */
468	char *head_string=generate_pl_head_string(head_aspect);
469	if(head_string == NULL)
470	goto error;
471
472	/* tail side */
473	if(abac_aspect_is_intersection(tail_aspect)) {
474	tmp=generate_pl_intersecting_clause(head_string, tail_aspect,
475	id_clauses_string, constraint_clauses_string);
476	} else {
477	tmp=generate_pl_rule_clause(head_string, tail_aspect,
478	id_clauses_string, constraint_clauses_string);
479	}
480	if(tmp==NULL)
481	goto error;
482
483	abac_list_add(clauses,tmp);
484	return clauses;
485
486	error:
487	if(head_string) free(head_string);
488	if(id_clauses_string) free(id_clauses_string);
489	if(constraint_clauses_string) free(constraint_clauses_string);
490	return clauses;
491	}
492
493	/* should be just 1 */
494	char generate_pl_constraint_clause(abac_aspect_t head_aspect, char *tail_string)
495	{
496	/* generate head's role or oset string */
497	char *head_string=generate_pl_head_string(head_aspect);
498	if(head_string == NULL)
499	goto error;
500
501	/* tail side */
502	char *tmp=_build_constraint_rule_clause(head_string, tail_string);
503	if(tmp==NULL)
504	goto error;
505
506	return tmp;
507
508	error:
509	if(head_string) free(head_string);
510	return NULL;
511	}
512
513	/* integer(X)<10 */
514	/* X='abc' */
515	char generate_pl_range_constraint(char typestr,char var,char val,char *op)
516	{
517	char *tmp=NULL;
518	if(typestr)
519	asprintf(&tmp,"%s(%s)%s%s",typestr,var,op,val);
520	else
521	asprintf(&tmp,"%s%s%s",var,op,val);
522	return tmp;
523	}
524
525	/* compare(op,var,val) */
526	char generate_pl_range_time_constraint(char var,char val,char op)
527	{
528	char *tmp=NULL;
529	asprintf(&tmp,"compare(%s,%s,%s)",op,var,val);
530	return tmp;
531	}
532
533	/* generate the yap isType rule clause for the type,
534	isType(Acme, keyid); */
535	char generate_pl_type_clause(char principalname, int type)
536	{
537	char *tmp=NULL;
538	char *typeid= abac_idtype_string(type);
539	if(typeid==NULL \|\| strcmp(typeid,"NULL")==0)
540	panic("generate_pl_type_clause: can not have null typeid");
541	int cnt=asprintf(&tmp,"isType(%s,%s)",
542	principalname, typeid);
543	return tmp;
544	}
545

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: libabac/abac_pl_gen.c @ d037f54

Download in other formats: