Context Navigation

source: libabac/abac_pl_gen.c @ d0efdec

mei_rt2

Last change on this file since d0efdec was 2e9455f, checked in by Mei <mei@…>, 11 years ago
1) added namespace 2) tweak ?This, 3) allowing linking role/oset as constraining conditions 4) adding access_tests regression testing that uses GENI's access policy 5) added couple multi contexts regression tests 6) add compression/uncompression calls to abac_encode_string/abac_decode_string (libstrongwan only allows 512 char for attribute rule storage) 7) add attribute_now option to creddy that takes a whole char string for attribute rule
Property mode set to `100644`
File size: 24.6 KB

Line
1
2	/***********************************************************************/
3	/* clause generation called to generate credential clauses with a */
4	/* given credential syntax structure (made from parser or from a */
5	/* pre-existing structure */
6	/* There are 2 passes, */
7	/* first pass, process named cred id, and constraint range/role/oset */
8	/* 2nd pass, process rule left / right */
9	/***********************************************************************/
10	#include <stdio.h>
11	#include <assert.h>
12	#include <stdlib.h>
13
14	#include "abac_pl_gen.h"
15	#include "abac_internal.h"
16	#include "abac_list.h"
17	#include "abac_util.h"
18	#include "abac_context.h"
19	#include "abac_aspect.h"
20	#include "abac_term.h"
21	#include "abac_verifier.h"
22
23	#include "uthash.h"
24
25	// index to generate C1,C2..
26	static int cred_count=0;
27
28	static int debug=0;
29	int ABAC_IN_PROLOG=0;
30
31	abac_list_t *abac_pl_constraints=NULL;
32
33	/* to track id certs within a rule clause */
34	typedef struct _abac_id_cert_t {
35	char *principalname;
36	int type; /* keyidtype */
37	} abac_id_cert_t;
38	abac_list_t *abac_pl_id_certs = NULL;
39
40	static int gg_using_this=0;
41	char* yyfptr_encode=NULL;
42
43
44	/* local */
45	char generate_pl_type_clause(abac_context_t ,char *, int);
46	/***********************************************************************/
47	/* this is called by creddy as a shortcut */
48	int generate_pl_clauses_dump(abac_context_t ctxt, abac_aspect_t head_aspect,
49	abac_aspect_t tail_aspect, char attr_string, char *encoded_attr_string,
50	char *filename, int using_this)
51	{
52	FILE *out;
53	abac_list_t *clauses = generate_pl_clauses(ctxt,head_aspect, tail_aspect, encoded_attr_string,using_this);
54
55	int cnt=abac_list_size(clauses);
56	out = fopen(filename, "a+");
57	char *cur=NULL;
58	fprintf(out,"##########################################\n");
59	fprintf(out,"## %s <- %s\n", abac_aspect_string_with_condition(head_aspect),
60	abac_aspect_string_with_condition(tail_aspect));
61	fprintf(out,"## %s\n",attr_string);
62	abac_list_foreach(clauses, cur,
63	fprintf(out,"##\n%s\n",cur);
64	if(cur) free(cur);
65	);
66	fprintf(out,"\n");
67	fclose(out);
68	abac_list_free(clauses);
69	return cnt;
70	}
71
72	/***********************************************************************/
73	static void _set_yyfptr_encode(char *string)
74	{
75	yyfptr_encode=abac_xstrdup(string);
76	}
77
78	/***********************************************************************/
79	static char* isX()
80	{
81	static char x_string[2]="X";
82	static char this_string[5]="This";
83	if(gg_using_this)
84	return this_string;
85	else
86	return x_string;
87	}
88
89	static int _get_next_cred_idx()
90	{
91	cred_count++;
92	return cred_count;
93	}
94
95	/* remember to free the returned string */
96	static char *_compose_cred_list()
97	{
98	int i=cred_count;
99	if(cred_count==0) return "";
100
101	char clist=(char )abac_xmalloc(sizeof(char)(cred_count)3);
102	strcpy(clist,"C1");
103	if (cred_count==1) return clist;
104
105	i=1;
106	while(i!=cred_count) {
107	i++;
108	sprintf(clist,"%s,C%d",clist,i);
109	}
110	return clist;
111	}
112
113
114	/************************************************************************/
115	/* this is for tracking prolog constraints */
116	void abac_pl_init_constraints()
117	{
118	abac_pl_constraints = abac_list_new();
119	}
120
121	void abac_pl_free_constraints()
122	{
123	char *cur;
124	abac_list_foreach(abac_pl_constraints, cur,
125	if(cur)
126	free(cur);
127	);
128	abac_list_free(abac_pl_constraints);
129	abac_pl_constraints=NULL;
130	}
131
132	int abac_pl_cnt_constraints()
133	{
134	return abac_list_size(abac_pl_constraints);
135	}
136
137	char *abac_pl_string_constraints()
138	{
139	int first=1;
140	char *tmp=NULL;
141	char *final=NULL;
142	char* cur;
143	abac_list_foreach(abac_pl_constraints, cur,
144	if(cur)
145	if(first) {
146	final=abac_xstrdup(cur);
147	first=0;
148	} else {
149	tmp=final;
150	final=NULL;
151	int cnt=asprintf(&final,"%s,%s", tmp, cur);
152	}
153	);
154	return final;
155	}
156
157	void abac_pl_add_constraints(char *constraint)
158	{
159	if(abac_pl_constraints == NULL)
160	abac_pl_init_constraints();
161	char* nptr=abac_xstrdup(constraint);
162	abac_list_add(abac_pl_constraints, nptr);
163	}
164
165
166	/************************************************************************/
167	void abac_pl_init_id_certs()
168	{
169	abac_pl_id_certs = abac_list_new();
170	}
171
172	void abac_pl_free_id_certs()
173	{
174	if(abac_pl_id_certs==NULL)
175	return;
176
177	abac_id_cert_t *id;
178	abac_list_foreach(abac_pl_id_certs, id,
179	if(id)
180	free(id->principalname);
181	free(id);
182	);
183	abac_list_free(abac_pl_id_certs);
184	abac_pl_id_certs = NULL;
185	}
186
187	int abac_pl_cnt_id_certs()
188	{
189	return abac_list_size(abac_pl_id_certs);
190	}
191
192	char abac_pl_string_id_certs(abac_context_t ctxt)
193	{
194	char *tmp=NULL;
195	abac_id_cert_t *cur;
196	abac_list_foreach(abac_pl_id_certs, cur,
197	if(cur)
198	if(tmp==NULL) {
199	tmp=generate_pl_type_clause(ctxt,cur->principalname,cur->type);
200	} else {
201	asprintf(&tmp,"%s,%s", tmp,
202	generate_pl_type_clause(ctxt,cur->principalname,cur->type));
203	}
204	);
205	return tmp;
206	}
207
208	void abac_pl_add_id_certs(char *principalname, int type)
209	{
210	abac_id_cert_t *id_cert=NULL;
211	int found=0;
212	abac_id_cert_t *cur;
213
214	if(debug) {
215	fprintf(stderr,"add_id_certs: adding --> (%s)\n", principalname);
216	}
217
218	if(abac_pl_id_certs == NULL) {
219	abac_pl_init_id_certs();
220	} else {
221	abac_list_foreach(abac_pl_id_certs, cur,
222	if(cur)
223	if(strcmp(cur->principalname,principalname)==0) {
224	found=1;
225	break;
226	}
227	);
228	}
229
230	if (found) {
231	return;
232	} else {
233	id_cert=abac_xmalloc(sizeof(abac_id_cert_t));
234	id_cert->principalname=abac_xstrdup(principalname);
235	id_cert->type=type;
236	abac_list_add(abac_pl_id_certs, id_cert);
237	}
238	}
239
240	/***********************************************************************/
241	/* generate role(p_name, r_name, param..) */
242	/* or oset(p_name, r_name, param..) */
243	/* mainly for aspect that is if A.R <- B format */
244	static char* generate_pl_head_string(abac_aspect_t *ptr)
245	{
246	char *tmp=NULL;
247	char *principalname;
248	PROLOG(principalname=abac_aspect_principal_name(ptr););
249	char *aspectname=abac_aspect_aspect_name(ptr);
250	char *typestring=abac_aspect_type_string(ptr);
251	char *param_string=NULL;
252	int cnt=0;
253
254	/* can not be a linked role */
255	abac_param_list_t *aspect_params=abac_aspect_aspect_params(ptr);
256	if(aspect_params) {
257	PROLOG(param_string=abac_param_list_string(aspect_params););
258	}
259
260	if (param_string != NULL) {
261	cnt=asprintf(&tmp,"%s(%s,%s,%s)",
262	typestring, principalname, aspectname, param_string);
263	free(param_string);
264	} else {
265	cnt=asprintf(&tmp,"%s(%s,%s)",
266	typestring, principalname, aspectname);
267	}
268
269	if(debug && tmp) fprintf(stderr,"generate_pl_head_string: (%s)\n",tmp);
270	if(cnt>0)
271	return tmp;
272	else
273	return NULL;
274	}
275
276	/* generate role(p_name, r_name, param..) with isMember call ?? */
277	/* generate oset(p_name, r_name, param..) with isMember call ?? */
278	/* for aspect that could also be with linked role */
279	static char* generate_pl_tail_string(abac_context_t ctxt,abac_aspect_t ptr, char *varX)
280	{
281	char *tmp=NULL;
282	char *namespace=abac_context_namespace(ctxt);
283
284	/* for oset case,
285	A.oset <- B
286	A.oset <- Obj
287	A.oset <- B.oset
288	A.oset <- B.role.oset
289	*/
290	/* o only if it is an oset and object */
291	if(abac_aspect_is_object(ptr)) {
292	char *objectname=abac_aspect_object_name(ptr);
293	tmp=abac_xstrdup(objectname);
294	return tmp;
295	} else {
296	char *principalname;
297	PROLOG(principalname=abac_aspect_principal_name(ptr););
298	char *aspectname=abac_aspect_aspect_name(ptr);
299	char *linkedname=abac_aspect_linked_role_name(ptr);
300	char *typestring=abac_aspect_type_string(ptr);
301
302	char *param_string=NULL;
303	char *linked_param_string=NULL;
304	int cnt=0;
305
306	abac_param_list_t *aspect_params=abac_aspect_aspect_params(ptr);
307	if(aspect_params) {
308	PROLOG(param_string=abac_param_list_string(aspect_params););
309	}
310
311	abac_param_list_t *linked_role_params=abac_aspect_linked_role_params(ptr);
312	if(linked_role_params) {
313	PROLOG(linked_param_string=abac_param_list_string(linked_role_params););
314	}
315
316	/* b.r.r */
317	if(linkedname!=NULL && aspectname!=NULL && principalname!=NULL ) {
318	int fst=_get_next_cred_idx();
319	int snd=_get_next_cred_idx();
320	if(linked_param_string !=NULL) {
321	if (param_string != NULL) {
322	cnt=asprintf(&tmp,"isMember(%s,Y,role(%s,%s,%s),C%d),isMember(%s,%s,%s(Y,%s,%s),C%d)",
323	namespace, principalname, linkedname,linked_param_string,fst,
324	namespace,varX, typestring, aspectname,param_string,snd);
325	free(param_string);
326	} else {
327	cnt=asprintf(&tmp,"isMember(%s,Y,role(%s,%s,%s),C%d),isMember(%s,%s,%s(Y,%s),C%d)",
328	namespace, principalname, linkedname,linked_param_string,fst,
329	namespace, varX, typestring, aspectname,snd);
330	}
331	free(linked_param_string);
332	} else {
333	if (aspect_params != NULL) {
334	cnt=asprintf(&tmp,"isMember(%s,Y,role(%s,%s),C%d),isMember(%s,%s,%s(Y,%s,%s),C%d)",
335	namespace, principalname,linkedname,fst,
336	namespace, varX,typestring, aspectname,param_string,snd);
337	free(param_string);
338	} else {
339	cnt=asprintf(&tmp,"isMember(%s,Y,role(%s,%s),C%d),isMember(%s,%s,%s(Y,%s),C%d)",
340	namespace, principalname, linkedname,fst,
341	namespace, varX,typestring, aspectname,snd);
342	}
343	}
344	if(cnt>0)
345	return tmp;
346	else
347	return NULL;
348	}
349	/* b.r */
350	if(linkedname==NULL && aspectname!=NULL && principalname!=NULL ) {
351	int fst=_get_next_cred_idx();
352	if(param_string != NULL) {
353	cnt=asprintf(&tmp,"isMember(%s,%s,%s(%s,%s,%s),C%d)",
354	namespace,varX,typestring,
355	principalname, aspectname, param_string, fst);
356	free(param_string);
357	} else {
358	cnt=asprintf(&tmp,"isMember(%s,%s,%s(%s,%s),C%d)",
359	namespace,varX, typestring,
360	principalname, aspectname, fst);
361	}
362	if(cnt>0)
363	return tmp;
364	else
365	return NULL;
366	}
367	/* b */
368	if(linkedname==NULL && aspectname==NULL && principalname!=NULL ) {
369	tmp=abac_xstrdup(principalname);
370	return tmp;
371	}
372
373	return tmp;
374	}
375	return tmp;
376	}
377
378
379	/********************************************************************************/
380
381	static char _build_constraint_rule_clause(abac_context_t ctxt,char head_string, char tail_string)
382	{
383	/for A.R <- B /
384	if(debug)
385	fprintf(stderr,"calling _build_constraint_rule_clause (%s)(%s)\n", head_string, tail_string);
386	char *tmp;
387	int idx=_get_next_cred_idx();
388	asprintf(&tmp, "isMember(%s,%s,%s,C%d)",
389	abac_context_namespace(ctxt),tail_string,head_string,idx);
390	return tmp;
391	}
392
393	static char _build_rule_clause(abac_context_t ctxt, char aspectname, char head_string,
394	char tail_string, char id_string, char constraint_string, char varX)
395	{
396	char *tmp=NULL;
397	char *namespace=abac_context_namespace(ctxt);
398
399	if(aspectname == NULL) {
400	/* A.R <- B */
401	if(id_string == NULL && constraint_string == NULL) {
402	asprintf(&tmp, "isMember(%s,%s,%s,['%s'])",
403	namespace, tail_string,head_string,yyfptr_encode);
404	} else {
405	if(id_string == NULL) {
406	asprintf(&tmp, "isMember(%s,%s,%s,['%s']) :- %s",
407	namespace, tail_string,head_string,yyfptr_encode,
408	constraint_string);
409	} else if(constraint_string == NULL) {
410	asprintf(&tmp, "isMember(%s,%s,%s,['%s']) :- %s",
411	namespace, tail_string,head_string,yyfptr_encode,
412	id_string);
413	} else { asprintf(&tmp, "isMember(%s,%s,%s,['%s']) :- %s,%s",
414	namespace, tail_string,head_string,yyfptr_encode,
415	id_string, constraint_string);
416	}
417	}
418	} else {
419	/* A.R <- B.R */
420	/* A.R <- B.R.R */
421	if (cred_count==0) {
422	if(id_string == NULL && constraint_string == NULL) {
423	asprintf(&tmp,"isMember(%s,%s,%s,['%s']):-%s",
424	namespace,varX,
425	head_string, yyfptr_encode, tail_string);
426	} else {
427	if(id_string == NULL) {
428	asprintf(&tmp,"isMember(%s,%s,%s,['%s']):-%s,%s",
429	namespace,varX,
430	head_string, yyfptr_encode, tail_string,
431	constraint_string);
432	} else if(constraint_string == NULL) {
433	asprintf(&tmp,"isMember(%s,%s,%s,['%s']):-%s,%s",
434	namespace,varX,
435	head_string, yyfptr_encode, id_string,
436	tail_string);
437	} else {
438	asprintf(&tmp,"isMember(%s,%s,%s,['%s']):-%s,%s,%s",
439	namespace,varX,
440	head_string, yyfptr_encode, id_string,
441	tail_string, constraint_string);
442	}
443	}
444	} else {
445	char *tmp_cred_list=_compose_cred_list();
446	if(id_string == NULL && constraint_string == NULL) {
447	asprintf(&tmp,"isMember(%s,%s,%s,L):-%s, appendL([['%s'],%s],L)",
448	namespace,varX,
449	head_string, tail_string,
450	yyfptr_encode, tmp_cred_list);
451	} else {
452	if(id_string == NULL) {
453	asprintf(&tmp,"isMember(%s,%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
454	namespace,varX,
455	head_string, tail_string, constraint_string,
456	yyfptr_encode, tmp_cred_list);
457	} else if(constraint_string == NULL) {
458	asprintf(&tmp,"isMember(%s,%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
459	namespace,varX,
460	head_string, id_string, tail_string,
461	yyfptr_encode, tmp_cred_list);
462	} else {
463	asprintf(&tmp,"isMember(%s,%s,%s,L):-%s, %s, %s, appendL([['%s'],%s],L)",
464	namespace,varX,
465	head_string, id_string, tail_string,
466	constraint_string,
467	yyfptr_encode, tmp_cred_list);
468	}
469	}
470	free(tmp_cred_list);
471	cred_count=0;
472	}
473	}
474	return tmp;
475	}
476
477
478	static char generate_pl_rule_clause(abac_context_t ctxt,char *head_rule_string,
479	abac_aspect_t tail_rule, char id_string, char constraint_string, char varX)
480	{
481	char *aspectname=abac_aspect_aspect_name(tail_rule);
482	char *tail_rule_string=generate_pl_tail_string(ctxt,tail_rule,varX);
483	if(aspectname == NULL && tail_rule_string == NULL)
484	goto error;
485	char *tmp=_build_rule_clause(ctxt,aspectname,
486	head_rule_string, tail_rule_string, id_string, constraint_string, varX);
487	if(tail_rule_string) free(tail_rule_string);
488	return tmp;
489
490	error:
491	if(tail_rule_string) free(tail_rule_string);
492	return NULL;
493	}
494
495	static char _add_string(char dstr, char *nstr)
496	{
497	if(strlen(dstr)==0) {
498	dstr=abac_xstrdup(nstr);
499	return dstr;
500	} else {
501	int len = strlen(dstr)+strlen(nstr)+2;
502	char tmp=abac_xmalloc(lensizeof(char));
503	sprintf(tmp,"%s,%s", dstr,nstr);
504	free(dstr);
505	return tmp;
506	}
507	return NULL;
508	}
509
510	static char _build_intersecting_clause(abac_context_t ctxt,
511	char head_role_string, char tail_role_string, char* id_string,
512	char* constraint_string,char *varX)
513	{
514	char *tmp;
515	char *namespace=abac_context_namespace(ctxt);
516
517	if (cred_count==0) {
518	if(id_string == NULL && constraint_string == NULL) {
519	asprintf(&tmp,"isMember(%s,%s,%s,['%s']):-%s",
520	namespace,varX,
521	head_role_string, yyfptr_encode, tail_role_string);
522	} else {
523	if(id_string == NULL) {
524	asprintf(&tmp,"isMember(%s,%s,%s,['%s']):-%s, %s",
525	namespace,varX,
526	head_role_string, yyfptr_encode,
527	tail_role_string, constraint_string);
528	} else if(constraint_string == NULL) {
529	asprintf(&tmp,"isMember(%s,%s,%s,['%s']):-%s, %s",
530	namespace,varX,
531	head_role_string, yyfptr_encode,
532	id_string, tail_role_string);
533	} else {
534	asprintf(&tmp,"isMember(%s,%s,%s,['%s']):-%s, %s, %s",
535	namespace,varX,
536	head_role_string, yyfptr_encode,
537	id_string, tail_role_string, constraint_string);
538	}
539	}
540	} else {
541	char *tmp_cred_list=_compose_cred_list();
542	if(id_string == NULL && constraint_string == NULL) {
543	asprintf(&tmp,"isMember(%s,%s,%s,L):-%s, appendL([['%s'],%s],L)",
544	namespace,varX,
545	head_role_string, tail_role_string,
546	yyfptr_encode, tmp_cred_list);
547	} else {
548	if(id_string == NULL) {
549	asprintf(&tmp,"isMember(%s,%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
550	namespace,varX,
551	head_role_string, tail_role_string, constraint_string,
552	yyfptr_encode, tmp_cred_list);
553	} else if(constraint_string == NULL) {
554	asprintf(&tmp,"isMember(%s,%s,%s,L):-%s, %s, appendL([['%s'],%s],L)",
555	namespace,varX,
556	head_role_string, id_string, tail_role_string,
557	yyfptr_encode, tmp_cred_list);
558	} else {
559	asprintf(&tmp,"isMember(%s,%s,%s,L):-%s, %s, %s, appendL([['%s'],%s],L)",
560	namespace,varX,
561	head_role_string, id_string, tail_role_string, constraint_string,
562	yyfptr_encode, tmp_cred_list);
563	}
564	}
565	free(tmp_cred_list);
566	cred_count=0;
567	}
568	return tmp;
569	}
570
571	static char generate_pl_intersecting_clause(abac_context_t ctxt,
572	char head_role_string, abac_aspect_t tail_role, char* id_string,
573	char* constraint_string, char *varX)
574	{
575	char *tmp=NULL;
576	char* tail_role_string=NULL;
577	abac_list_t *list=abac_aspect_prereqs(tail_role);
578	/* A.R <- B.R & C.R.R */
579	/* A.O <- B.O & C.R.O */
580
581	if (list != NULL) {
582	abac_aspect_t *cur;
583	abac_list_foreach(list, cur,
584	char *ntmp=generate_pl_tail_string(ctxt,cur,varX);
585	if(debug) fprintf(stderr," intersecting tail: (%s)\n",ntmp);
586	if(tail_role_string==NULL) {
587	tail_role_string=abac_xstrdup(ntmp);
588	} else {
589	tmp=tail_role_string;
590	tail_role_string=NULL;
591	asprintf(&tail_role_string,"%s, %s",tmp,ntmp);
592	free(tmp);
593	}
594	free(ntmp);
595	);
596	}
597
598	if(debug) fprintf(stderr," final intersecting tail: (%s)\n",tail_role_string);
599	tmp=_build_intersecting_clause(ctxt,head_role_string, tail_role_string,
600	id_string,constraint_string, varX);
601	if(tail_role_string) free(tail_role_string);
602	return tmp;
603	}
604
605	/** THIS NEEDS TO BE LOCKED ***/
606	/* XXXX */
607	/* generate the prolog isMember rule clause for the credential stmt */
608	abac_list_t generate_pl_clauses(abac_context_t ctxt,abac_aspect_t *head_aspect,
609	abac_aspect_t tail_aspect,char encoded_attr_string, int using_this)
610	{
611	char *tmp=NULL;
612	char *id_clauses_string=NULL;
613	char *constraint_clauses_string=NULL;
614	abac_list_t *clauses=abac_list_new();
615
616	gg_using_this=using_this;
617
618	if(encoded_attr_string!=NULL)
619	_set_yyfptr_encode(encoded_attr_string);
620
621	/* preprocess both sides first */
622	preprocess_pl_head(ctxt,head_aspect);
623	preprocess_pl_tail(ctxt,tail_aspect);
624
625	int cnt=abac_pl_cnt_id_certs();
626	if(cnt > 0) { /* string it up */
627	id_clauses_string=abac_pl_string_id_certs(ctxt);
628	abac_pl_free_id_certs();
629	}
630
631	/* make a loop here */
632	cnt=abac_pl_cnt_constraints();
633	if(cnt > 0) {
634	constraint_clauses_string=abac_pl_string_constraints();
635	abac_pl_free_constraints();
636	}
637
638	/* generate head's string */
639	char *head_string=generate_pl_head_string(head_aspect);
640	if(head_string == NULL)
641	goto error;
642
643	/* tail side */
644	if(abac_aspect_is_intersection(tail_aspect)) {
645	tmp=generate_pl_intersecting_clause(ctxt,head_string, tail_aspect,
646	id_clauses_string, constraint_clauses_string, isX());
647	} else {
648	tmp=generate_pl_rule_clause(ctxt,head_string, tail_aspect,
649	id_clauses_string, constraint_clauses_string, isX());
650	}
651	if(tmp==NULL)
652	goto error;
653
654	abac_list_add(clauses,tmp);
655	return clauses;
656
657	error:
658	if(head_string) free(head_string);
659	if(id_clauses_string) free(id_clauses_string);
660	if(constraint_clauses_string) free(constraint_clauses_string);
661	return clauses;
662	}
663
664	char generate_pl_constraint_clause(abac_context_t ctxt,abac_aspect_t head_aspect, char tail_string)
665	{
666	char *tmp=NULL;
667	char *head_string=NULL;
668
669	if(abac_aspect_is_linking(head_aspect)) { /* leverage on its b.r.r gen code */
670	tmp= generate_pl_tail_string(ctxt,head_aspect,tail_string);
671	} else {
672	/* generate head's role or oset string */
673	char *head_string=generate_pl_head_string(head_aspect);
674	if(head_string == NULL)
675	goto error;
676
677	/* tail side */
678	tmp=_build_constraint_rule_clause(ctxt,head_string, tail_string);
679	if(tmp==NULL) goto error;
680	if(head_string) free(head_string);
681	}
682
683	error:
684	if(head_string) free(head_string);
685	return tmp;
686	}
687
688	/* integer(X)<10 */
689	/* X='abc' */
690	char generate_pl_range_constraint(char typestr,char var,char val,char *op)
691	{
692	char *tmp=NULL;
693	if(typestr)
694	asprintf(&tmp,"%s(%s)%s%s",typestr,var,op,val);
695	else
696	asprintf(&tmp,"%s%s%s",var,op,val);
697	return tmp;
698	}
699
700	/* compare(op,var,val) */
701	char generate_pl_range_time_constraint(char var,char val,char op)
702	{
703	char *tmp=NULL;
704	asprintf(&tmp,"compare(%s,%s,%s)",op,var,val);
705	return tmp;
706	}
707
708	/* generate the prolog isType rule clause for the type,
709	isType(namespace,Acme, keyid); */
710	char generate_pl_type_clause(abac_context_t ctxt,char *principalname, int type)
711	{
712	char *tmp=NULL;
713	char *typeid= abac_idtype_string(type);
714	if(typeid==NULL \|\| strcmp(typeid,"NULL")==0)
715	panic("generate_pl_type_clause: can not have null typeid");
716	if(debug)
717	fprintf(stderr,"generate type clause, (%s)\n", principalname);
718	int cnt=asprintf(&tmp,"isType(%s,%s,%s)",
719	abac_context_namespace(ctxt),principalname, typeid);
720	return tmp;
721	}
722

Note: See TracBrowser for help on using the repository browser.

Download in other formats: