Context Navigation

source: libabac/abac_pl_gen.c @ da5afdf

mei_rt2mei_rt2_fix_1meiyap-rt1rt2

Last change on this file since da5afdf was da5afdf, checked in by Mei <mei@…>, 12 years ago

1) add static contraint

(limited to integer at this time)

Property mode set to 100644

File size: 19.6 KB

Line
1
2
3	/***********************************************************************/
4	/* clause generation called from parser to generate credential clauses */
5	/***********************************************************************/
6	#include <stdio.h>
7	#include <assert.h>
8	#include <stdlib.h>
9
10	#include "abac_set.h"
11	#include "abac_util.h"
12	#include "abac_pl.h"
13
14	#include "uthash.h"
15
16	// index to generate C1,C2..
17	static int cred_count=0;
18	extern char* abac_yyfptr_encoded;
19	extern int abac_cnt_yy_id_certs();
20	extern void abac_free_yy_id_certs();
21	extern char *abac_string_yy_id_certs();
22	char *abac_addon_clauses=NULL;
23
24	/***********************************************************************/
25	static int _get_next_cred_idx()
26	{
27	cred_count++;
28	return cred_count;
29	}
30
31	/* remember to free the returned string */
32	static char *_compose_cred_list()
33	{
34	int i=cred_count;
35	if(cred_count==0) return "";
36
37	char clist=(char )abac_xmalloc(sizeof(char)(cred_count)3);
38	strcpy(clist,"C1");
39	if (cred_count==1) return clist;
40
41	i=1;
42	while(i!=cred_count) {
43	i++;
44	sprintf(clist,"%s,C%d",clist,i);
45	}
46	return clist;
47	}
48
49	/* generate role(p_name, r_name, param..) */
50	static char* generate_pl_head_role_string(abac_role_t *role)
51	{
52	char *tmp=NULL;
53	char *principalname=abac_role_principal_cn(role);
54	char *rolename=abac_role_role_name(role);
55	char *param_string=NULL;
56	int cnt=0;
57
58	/* can not be a linked role */
59	abac_param_list_t *role_params=abac_role_role_params(role);
60	if(role_params) {
61	param_string=abac_param_list_string(role_params);
62	}
63
64	if (param_string != NULL) {
65	cnt=asprintf(&tmp,"role(%s,%s,%s)", principalname, rolename, param_string);
66	free(param_string);
67	} else {
68	cnt=asprintf(&tmp,"role(%s,%s)", principalname, rolename);
69	}
70	if(cnt>0)
71	return tmp;
72	else
73	return NULL;
74	}
75
76	/* generate role(p_name, r_name, param..) with isMember call ?? */
77	static char* generate_pl_tail_role_string(abac_role_t *role)
78	{
79	char *tmp;
80	char *principalname=abac_role_principal_cn(role);
81	char *rolename=abac_role_role_name(role);
82	char *linkedname=abac_role_linked_role(role);
83
84	char *param_string=NULL;
85	char *linked_param_string=NULL;
86	int cnt=0;
87
88	abac_param_list_t *role_params=abac_role_role_params(role);
89	if(role_params) {
90	param_string=abac_param_list_string(role_params);
91	}
92
93	abac_param_list_t *linked_role_params=abac_role_linked_role_params(role);
94	if(linked_role_params) {
95	linked_param_string=abac_param_list_string(linked_role_params);
96	}
97
98	/* b.r.r */
99	if(linkedname!=NULL && rolename!=NULL && principalname!=NULL ) {
100	int fst=_get_next_cred_idx();
101	int snd=_get_next_cred_idx();
102	if(linked_param_string !=NULL) {
103	if (param_string != NULL) {
104	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(X,role(Y,%s,%s),C%d)",
105	principalname,
106	linkedname,linked_param_string,fst,
107	rolename,param_string,snd);
108	free(param_string);
109	} else {
110	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(X,role(Y,%s),C%d)",
111	principalname,
112	linkedname,linked_param_string,fst,
113	rolename,snd);
114	}
115	free(linked_param_string);
116	} else {
117	if (role_params != NULL) {
118	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(X,role(Y,%s,%s),C%d)",
119	principalname,
120	linkedname,fst,
121	rolename,param_string,snd);
122	free(param_string);
123	} else {
124	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(X,role(Y,%s),C%d)",
125	principalname,
126	linkedname,fst,
127	rolename,snd);
128	}
129	}
130	if(cnt>0)
131	return tmp;
132	else
133	return NULL;
134	}
135	/* b.r */
136	if(linkedname==NULL && rolename!=NULL && principalname!=NULL ) {
137	int fst=_get_next_cred_idx();
138	if(param_string != NULL) {
139	cnt=asprintf(&tmp,"isMember(X,role(%s,%s,%s),C%d)",
140	principalname, rolename, param_string, fst);
141	free(param_string);
142	} else {
143	cnt=asprintf(&tmp,"isMember(X,role(%s,%s),C%d)",
144	principalname, rolename, fst);
145	}
146	if(cnt>0)
147	return tmp;
148	else
149	return NULL;
150	}
151	/* b */
152	if(linkedname==NULL && rolename==NULL && principalname!=NULL ) {
153	tmp=abac_xstrdup(principalname);
154	return tmp;
155	}
156
157	return tmp;
158	}
159
160
161	/* generate oset(p_name, r_name, param..) */
162	static char* generate_pl_head_oset_string(abac_oset_t *oset)
163	{
164	char *tmp=NULL;
165	char *principalname=abac_oset_principal_cn(oset);
166	char *osetname=abac_oset_oset_name(oset);
167	char *param_string=NULL;
168	int cnt=0;
169
170	/* can not be a linked role */
171	abac_param_list_t *oset_params=abac_oset_oset_params(oset);
172	if(oset_params) {
173	param_string=abac_param_list_string(oset_params);
174	}
175
176	if (param_string != NULL) {
177	cnt=asprintf(&tmp,"oset(%s,%s,%s)", principalname, osetname, param_string);
178	free(param_string);
179	} else {
180	cnt=asprintf(&tmp,"oset(%s,%s)", principalname, osetname);
181	}
182	if(cnt>0)
183	return tmp;
184	else
185	return NULL;
186	}
187
188	/* generate oset(p_name, r_name, param..) with isMember call ?? */
189	static char* generate_pl_tail_oset_string(abac_oset_t *oset)
190	{
191	char *tmp;
192	/*
193	A.oset <- B
194	A.oset <- Obj
195	A.oset <- B.oset
196	A.oset <- B.role.oset
197	*/
198	/* o */
199	if(abac_oset_is_object(oset)) {
200	char *objectname=abac_oset_object_cn(oset);
201	tmp=abac_xstrdup(objectname);
202	return tmp;
203	} else {
204	char *principalname=abac_oset_principal_cn(oset);
205	char *osetname=abac_oset_oset_name(oset);
206	char *linkedname=abac_oset_linked_role(oset);
207
208	char *param_string=NULL;
209	char *linked_param_string=NULL;
210	int cnt=0;
211
212	abac_param_list_t *oset_params=abac_oset_oset_params(oset);
213	if(oset_params) {
214	param_string=abac_param_list_string(oset_params);
215	}
216
217	abac_param_list_t *linked_role_params=abac_oset_linked_role_params(oset);
218	if(linked_role_params) {
219	linked_param_string=abac_param_list_string(linked_role_params);
220	}
221
222	/* b.r.r */
223	if(linkedname!=NULL && osetname!=NULL && principalname!=NULL ) {
224	int fst=_get_next_cred_idx();
225	int snd=_get_next_cred_idx();
226	if(linked_param_string !=NULL) {
227	if (param_string != NULL) {
228	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(X,oset(Y,%s,%s),C%d)",
229	principalname,
230	linkedname,linked_param_string,fst,
231	osetname,param_string,snd);
232	free(param_string);
233	} else {
234	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(X,oset(Y,%s),C%d)",
235	principalname,
236	linkedname,linked_param_string,fst,
237	osetname,snd);
238	}
239	free(linked_param_string);
240	} else {
241	if (oset_params != NULL) {
242	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(X,oset(Y,%s,%s),C%d)",
243	principalname,
244	linkedname,fst,
245	osetname,param_string,snd);
246	free(param_string);
247	} else {
248	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(X,oset(Y,%s),C%d)",
249	principalname,
250	linkedname,fst,
251	osetname,snd);
252	}
253	}
254	if(cnt>0)
255	return tmp;
256	else
257	return NULL;
258	}
259	/* b.r */
260	if(linkedname==NULL && osetname!=NULL && principalname!=NULL ) {
261	int fst=_get_next_cred_idx();
262	if(param_string != NULL) {
263	cnt=asprintf(&tmp,"isMember(X,oset(%s,%s,%s),C%d)",
264	principalname, osetname, param_string, fst);
265	free(param_string);
266	} else {
267	cnt=asprintf(&tmp,"isMember(X,oset(%s,%s),C%d)",
268	principalname, osetname, fst);
269	}
270	if(cnt>0)
271	return tmp;
272	else
273	return NULL;
274	}
275	/* b */
276	if(linkedname==NULL && osetname==NULL && principalname!=NULL ) {
277	tmp=abac_xstrdup(principalname);
278	return tmp;
279	}
280
281	}
282	return tmp;
283	}
284
285
286	/********************************************************************************/
287
288	static char _build_constraint_rule_clause(char head_string, char *tail_string)
289	{
290	/only, A.R <- B /
291	char *tmp;
292	int idx=_get_next_cred_idx();
293	asprintf(&tmp, "isMember(%s,%s,C%d)", tail_string,head_string,idx);
294	return tmp;
295	}
296
297	static char _build_rule_clause(char rolename, char head_string, char tail_string)
298	{
299	char *tmp=NULL;
300
301	if(rolename == NULL) {
302	/* A.R <- B */
303	if(abac_addon_clauses==NULL) {
304	asprintf(&tmp, "isMember(%s,%s,['%s'])",
305	tail_string,head_string,abac_yyfptr_encoded);
306	} else {
307	asprintf(&tmp, "isMember(%s,%s,['%s']) :- %s",
308	tail_string,head_string,abac_yyfptr_encoded,
309	abac_addon_clauses);
310	free(abac_addon_clauses);
311	abac_addon_clauses=NULL;
312	}
313	} else {
314	/* A.R <- B.R */
315	/* A.R <- B.R.R */
316	if (cred_count==0) {
317	if(abac_addon_clauses==NULL) {
318	asprintf(&tmp,"isMember(X,%s,['%s']):-%s",
319	head_string, abac_yyfptr_encoded, tail_string);
320	} else {
321	asprintf(&tmp,"isMember(X,%s,['%s']):-%s, %s",
322	head_string, abac_yyfptr_encoded,
323	tail_string,abac_addon_clauses);
324	free(abac_addon_clauses);
325	abac_addon_clauses=NULL;
326	}
327	} else {
328	char *tmp_cred_list=_compose_cred_list();
329	if(abac_addon_clauses == NULL) {
330	asprintf(&tmp,"isMember(X,%s,L):-%s, appendL([['%s'],%s],L)",
331	head_string, tail_string,
332	abac_yyfptr_encoded, tmp_cred_list);
333	} else {
334	asprintf(&tmp,"isMember(X,%s,L):-%s, %s, appendL([['%s'],%s],L)",
335	head_string, tail_string, abac_addon_clauses,
336	abac_yyfptr_encoded, tmp_cred_list);
337	free(abac_addon_clauses);
338	abac_addon_clauses=NULL;
339	}
340	free(tmp_cred_list);
341	cred_count=0;
342	}
343	}
344	return tmp;
345	}
346
347
348	static char generate_pl_rule_role_clause(char head_role_string, abac_role_t *tail_role)
349	{
350	char *rolename=abac_role_role_name(tail_role);
351	char *tail_role_string=generate_pl_tail_role_string(tail_role);
352	if(rolename == NULL && tail_role_string == NULL)
353	goto error;
354	char *tmp=_build_rule_clause(rolename,head_role_string, tail_role_string);
355	if(tail_role_string) free(tail_role_string);
356	return tmp;
357
358	error:
359	if(tail_role_string) free(tail_role_string);
360	return NULL;
361	}
362
363	static char generate_pl_rule_oset_clause(char head_oset_string, abac_oset_t *tail_oset)
364	{
365	char *osetname=abac_oset_oset_name(tail_oset);
366	char *tail_oset_string=generate_pl_tail_oset_string(tail_oset);
367	if(osetname == NULL && tail_oset_string == NULL)
368	goto error;
369	char *tmp=_build_rule_clause(osetname,head_oset_string, tail_oset_string);
370	if(tail_oset_string) free(tail_oset_string);
371	return tmp;
372
373	error:
374	if(tail_oset_string) free(tail_oset_string);
375	return NULL;
376	}
377
378
379	static char _add_string(char dstr, char *nstr)
380	{
381	if(strlen(dstr)==0) {
382	dstr=abac_xstrdup(nstr);
383	return dstr;
384	} else {
385	int len = strlen(dstr)+strlen(nstr)+2;
386	char tmp=abac_xmalloc(lensizeof(char));
387	sprintf(tmp,"%s,%s", dstr,nstr);
388	free(dstr);
389	return tmp;
390	}
391	return NULL;
392	}
393
394	static char _build_intersecting_clause(char head_role_string, char *tail_role_string)
395	{
396	char *tmp;
397
398	if (cred_count==0) {
399	if(abac_addon_clauses ==NULL) {
400	asprintf(&tmp,"isMember(X,%s,['%s']):-%s",
401	head_role_string, abac_yyfptr_encoded, tail_role_string);
402	} else {
403	asprintf(&tmp,"isMember(X,%s,['%s']):-%s, %s",
404	head_role_string, abac_yyfptr_encoded, tail_role_string,
405	abac_addon_clauses);
406	free(abac_addon_clauses);
407	abac_addon_clauses=NULL;
408	}
409	} else {
410	char *tmp_cred_list=_compose_cred_list();
411	if(abac_addon_clauses ==NULL) {
412	asprintf(&tmp,"isMember(X,%s,L):-%s, appendL([['%s'],%s],L)",
413	head_role_string, tail_role_string,
414	abac_yyfptr_encoded, tmp_cred_list);
415	} else {
416	asprintf(&tmp,"isMember(X,%s,L):-%s, appendL([['%s'],%s],L), %s",
417	head_role_string, tail_role_string,
418	abac_yyfptr_encoded, tmp_cred_list,abac_addon_clauses);
419	free(abac_addon_clauses);
420	abac_addon_clauses=NULL;
421	}
422	free(tmp_cred_list);
423	cred_count=0;
424	}
425	return tmp;
426	}
427
428	static char generate_pl_intersecting_role_clause(char head_role_string, abac_role_t *tail_role)
429	{
430	char *tmp=NULL;
431	char* tail_role_string=NULL;
432	abac_list_t *list=abac_role_prereqs(tail_role);
433	/* A.R <- B.R & C.R.R */
434
435	if (list != NULL) {
436	abac_role_t *cur;
437	abac_list_foreach(list, cur,
438	char *ntmp=generate_pl_tail_role_string(cur);
439	if(tail_role_string==NULL)
440	asprintf(&tail_role_string,"%s",ntmp);
441	else
442	asprintf(&tail_role_string,"%s, %s",tail_role_string,ntmp);
443	free(ntmp);
444	);
445	}
446
447	tmp=_build_intersecting_clause(head_role_string, tail_role_string);
448	if(tail_role_string) free(tail_role_string);
449	return tmp;
450	}
451
452	static char generate_pl_intersecting_oset_clause(char head_oset_string, abac_oset_t *tail_oset)
453	{
454	char *tmp=NULL;
455	char* tail_oset_string=NULL;
456	abac_list_t *list=abac_oset_prereqs(tail_oset);
457	/* A.O <- B.O & C.R.O */
458
459	if (list != NULL) {
460	abac_oset_t *cur;
461	abac_list_foreach(list, cur,
462	char *ntmp=generate_pl_tail_oset_string(cur);
463	if(tail_oset_string==NULL)
464	asprintf(&tail_oset_string,"%s",ntmp);
465	else
466	asprintf(&tail_oset_string,"%s, %s",tail_oset_string,ntmp);
467	free(ntmp);
468	);
469	}
470
471	tmp=_build_intersecting_clause(head_oset_string, tail_oset_string);
472	if(tail_oset_string) free(tail_oset_string);
473	return tmp;
474	}
475
476	/* generate the yap isMember rule clause for the credential stmt */
477	abac_list_t generate_pl_role_clauses(abac_role_t head_role, abac_role_t *tail_role)
478	{
479	char *tmp=NULL;
480	abac_list_t *clauses=abac_list_new();
481
482	int cnt=abac_cnt_yy_id_certs();
483	if(cnt > 0) { /* string it up */
484	//abac_addon_clauses=abac_string_yy_id_certs();
485	tmp=abac_string_yy_id_certs();
486	abac_free_yy_id_certs();
487	}
488
489	cnt=abac_cnt_yy_constraints();
490	if(cnt > 0) {
491	char *ntmp=abac_string_yy_constraints();
492	abac_free_yy_constraints();
493	if(tmp)
494	asprintf(&tmp,"%s,%s",tmp,ntmp);
495	else tmp=ntmp;
496	}
497	abac_addon_clauses=tmp;
498
499	/* generate head's role string */
500	char *head_role_string=generate_pl_head_role_string(head_role);
501	if(head_role_string == NULL)
502	goto error;
503
504	/* tail side */
505	if(abac_role_is_intersection(tail_role)) {
506	tmp=generate_pl_intersecting_role_clause(head_role_string, tail_role);
507	} else {
508	tmp=generate_pl_rule_role_clause(head_role_string, tail_role);
509	}
510	if(tmp==NULL)
511	goto error;
512
513	abac_list_add(clauses,tmp);
514	return clauses;
515
516	error:
517	if(head_role_string) free(head_role_string);
518	return clauses;
519	}
520
521	abac_list_t generate_pl_oset_clauses(abac_oset_t head_oset, abac_oset_t *tail_oset)
522	{
523	char *tmp=NULL;
524	abac_list_t *clauses=abac_list_new();
525
526	int cnt=abac_cnt_yy_id_certs();
527	if(cnt > 0) { /* string it up */
528	tmp=abac_string_yy_id_certs();
529	abac_free_yy_id_certs();
530	}
531
532	cnt=abac_cnt_yy_constraints();
533	if(cnt > 0) {
534	char *ntmp=abac_string_yy_constraints();
535	abac_free_yy_constraints();
536	if(tmp)
537	asprintf(&tmp,"%s,%s",tmp,ntmp);
538	else tmp=ntmp;
539	}
540	abac_addon_clauses=tmp;
541
542	/* generate head's oset string */
543	char *head_oset_string=generate_pl_head_oset_string(head_oset);
544	if(head_oset_string == NULL)
545	goto error;
546
547	/* tail side */
548	if(abac_oset_is_intersection(tail_oset)) {
549	tmp=generate_pl_intersecting_oset_clause(head_oset_string, tail_oset);
550	} else {
551	tmp=generate_pl_rule_oset_clause(head_oset_string, tail_oset);
552	}
553	if(tmp==NULL)
554	goto error;
555
556	abac_list_add(clauses,tmp);
557	return clauses;
558
559	error:
560	if(head_oset_string) free(head_oset_string);
561	return clauses;
562	}
563
564	/* should be just 1 */
565	char generate_pl_role_constraint_clause(abac_role_t head_role, char *tail_string)
566	{
567	/* generate head's role string */
568	char *head_role_string=generate_pl_head_role_string(head_role);
569	if(head_role_string == NULL)
570	goto error;
571
572	/* tail side */
573	char *tmp=_build_constraint_rule_clause(head_role_string, tail_string);
574	if(tmp==NULL)
575	goto error;
576
577	return tmp;
578
579	error:
580	if(head_role_string) free(head_role_string);
581	return NULL;
582	}
583
584
585
586	/* so far, for integer type only */
587	char generate_pl_range_constraint_clause(char typestr,char var,char val,char *op)
588	{
589	char *tmp=NULL;
590	asprintf(&tmp,"%s(%s)%s%s",typestr,var,op,val);
591	return tmp;
592	}
593
594	/* should just be 1 clause */
595	char generate_pl_oset_constraint_clause(abac_oset_t head_oset,
596	char *tail_string)
597	{
598	/* generate head's oset string */
599	char *head_oset_string=generate_pl_head_oset_string(head_oset);
600	if(head_oset_string == NULL)
601	goto error;
602
603	/* tail side */
604	char *tmp=_build_constraint_rule_clause(head_oset_string, tail_string);
605	if(tmp==NULL)
606	goto error;
607
608	return tmp;
609	error:
610	if(head_oset_string) free(head_oset_string);
611	return NULL;
612	}
613
614
615	/* generate the yap isType rule clause for the type,
616	isType(Acme, keyid); */
617	char generate_pl_type_clause(char principalname, int type)
618	{
619	char *tmp=NULL;
620	char *typeid= abac_keyid_type(type);
621	int cnt=asprintf(&tmp,"isType(%s,%s)",
622	principalname, typeid);
623	return tmp;
624	}
625

Note: See TracBrowser for help on using the repository browser.

Download in other formats: