Context Navigation

source: libabac/abac_pl_gen.c @ e88c95b

mei_rt2mei_rt2_fix_1meiyap-rt1rt2

Last change on this file since e88c95b was e88c95b, checked in by Mei <mei@…>, 12 years ago

1) switch the order of terms within the rule clause.

carl said more specific should be at the earlier part of rule so
it won't backtrack to death.

2) unset some debug flag in creddy

Property mode set to 100644

File size: 19.6 KB

Line
1
2
3	/***********************************************************************/
4	/* clause generation called from parser to generate credential clauses */
5	/***********************************************************************/
6	#include <stdio.h>
7	#include <assert.h>
8	#include <stdlib.h>
9
10	#include "abac_set.h"
11	#include "abac_util.h"
12	#include "abac_pl.h"
13
14	#include "uthash.h"
15
16	// index to generate C1,C2..
17	static int cred_count=0;
18	extern char* abac_yyfptr_encoded;
19	extern int abac_cnt_yy_id_certs();
20	extern void abac_free_yy_id_certs();
21	extern char *abac_string_yy_id_certs();
22	char *abac_addon_clauses=NULL;
23
24	/***********************************************************************/
25	static int _get_next_cred_idx()
26	{
27	cred_count++;
28	return cred_count;
29	}
30
31	/* remember to free the returned string */
32	static char *_compose_cred_list()
33	{
34	int i=cred_count;
35	if(cred_count==0) return "";
36
37	char clist=(char )abac_xmalloc(sizeof(char)(cred_count)3);
38	strcpy(clist,"C1");
39	if (cred_count==1) return clist;
40
41	i=1;
42	while(i!=cred_count) {
43	i++;
44	sprintf(clist,"%s,C%d",clist,i);
45	}
46	return clist;
47	}
48
49	/* generate role(p_name, r_name, param..) */
50	static char* generate_pl_head_role_string(abac_role_t *role)
51	{
52	char *tmp=NULL;
53	char *principalname=abac_role_principal_cn(role);
54	char *rolename=abac_role_role_name(role);
55	char *param_string=NULL;
56	int cnt=0;
57
58	/* can not be a linked role */
59	abac_param_list_t *role_params=abac_role_role_params(role);
60	if(role_params) {
61	param_string=abac_param_list_string(role_params);
62	}
63
64	if (param_string != NULL) {
65	cnt=asprintf(&tmp,"role(%s,%s,%s)", principalname, rolename, param_string);
66	free(param_string);
67	} else {
68	cnt=asprintf(&tmp,"role(%s,%s)", principalname, rolename);
69	}
70	if(cnt>0)
71	return tmp;
72	else
73	return NULL;
74	}
75
76	/* generate role(p_name, r_name, param..) with isMember call ?? */
77	static char* generate_pl_tail_role_string(abac_role_t *role)
78	{
79	char *tmp;
80	char *principalname=abac_role_principal_cn(role);
81	char *rolename=abac_role_role_name(role);
82	char *linkedname=abac_role_linked_role(role);
83
84	char *param_string=NULL;
85	char *linked_param_string=NULL;
86	int cnt=0;
87
88	abac_param_list_t *role_params=abac_role_role_params(role);
89	if(role_params) {
90	param_string=abac_param_list_string(role_params);
91	}
92
93	abac_param_list_t *linked_role_params=abac_role_linked_role_params(role);
94	if(linked_role_params) {
95	linked_param_string=abac_param_list_string(linked_role_params);
96	}
97
98	/* b.r.r */
99	if(linkedname!=NULL && rolename!=NULL && principalname!=NULL ) {
100	int fst=_get_next_cred_idx();
101	int snd=_get_next_cred_idx();
102	if(linked_param_string !=NULL) {
103	if (param_string != NULL) {
104	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(X,role(Y,%s,%s),C%d)",
105	principalname,
106	linkedname,linked_param_string,fst,
107	rolename,param_string,snd);
108	free(param_string);
109	} else {
110	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(X,role(Y,%s),C%d)",
111	principalname,
112	linkedname,linked_param_string,fst,
113	rolename,snd);
114	}
115	free(linked_param_string);
116	} else {
117	if (role_params != NULL) {
118	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(X,role(Y,%s,%s),C%d)",
119	principalname,
120	linkedname,fst,
121	rolename,param_string,snd);
122	free(param_string);
123	} else {
124	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(X,role(Y,%s),C%d)",
125	principalname,
126	linkedname,fst,
127	rolename,snd);
128	}
129	}
130	if(cnt>0)
131	return tmp;
132	else
133	return NULL;
134	}
135	/* b.r */
136	if(linkedname==NULL && rolename!=NULL && principalname!=NULL ) {
137	int fst=_get_next_cred_idx();
138	if(param_string != NULL) {
139	cnt=asprintf(&tmp,"isMember(X,role(%s,%s,%s),C%d)",
140	principalname, rolename, param_string, fst);
141	free(param_string);
142	} else {
143	cnt=asprintf(&tmp,"isMember(X,role(%s,%s),C%d)",
144	principalname, rolename, fst);
145	}
146	if(cnt>0)
147	return tmp;
148	else
149	return NULL;
150	}
151	/* b */
152	if(linkedname==NULL && rolename==NULL && principalname!=NULL ) {
153	tmp=abac_xstrdup(principalname);
154	return tmp;
155	}
156
157	return tmp;
158	}
159
160
161	/* generate oset(p_name, r_name, param..) */
162	static char* generate_pl_head_oset_string(abac_oset_t *oset)
163	{
164	char *tmp=NULL;
165	char *principalname=abac_oset_principal_cn(oset);
166	char *osetname=abac_oset_oset_name(oset);
167	char *param_string=NULL;
168	int cnt=0;
169
170	/* can not be a linked role */
171	abac_param_list_t *oset_params=abac_oset_oset_params(oset);
172	if(oset_params) {
173	param_string=abac_param_list_string(oset_params);
174	}
175
176	if (param_string != NULL) {
177	cnt=asprintf(&tmp,"oset(%s,%s,%s)", principalname, osetname, param_string);
178	free(param_string);
179	} else {
180	cnt=asprintf(&tmp,"oset(%s,%s)", principalname, osetname);
181	}
182	if(cnt>0)
183	return tmp;
184	else
185	return NULL;
186	}
187
188	/* generate oset(p_name, r_name, param..) with isMember call ?? */
189	static char* generate_pl_tail_oset_string(abac_oset_t *oset)
190	{
191	char *tmp;
192	/*
193	A.oset <- B
194	A.oset <- Obj
195	A.oset <- B.oset
196	A.oset <- B.role.oset
197	*/
198	/* o */
199	if(abac_oset_is_object(oset)) {
200	char *objectname=abac_oset_object_cn(oset);
201	tmp=abac_xstrdup(objectname);
202	return tmp;
203	} else {
204	char *principalname=abac_oset_principal_cn(oset);
205	char *osetname=abac_oset_oset_name(oset);
206	char *linkedname=abac_oset_linked_role(oset);
207
208	char *param_string=NULL;
209	char *linked_param_string=NULL;
210	int cnt=0;
211
212	abac_param_list_t *oset_params=abac_oset_oset_params(oset);
213	if(oset_params) {
214	param_string=abac_param_list_string(oset_params);
215	}
216
217	abac_param_list_t *linked_role_params=abac_oset_linked_role_params(oset);
218	if(linked_role_params) {
219	linked_param_string=abac_param_list_string(linked_role_params);
220	}
221
222	/* b.r.r */
223	if(linkedname!=NULL && osetname!=NULL && principalname!=NULL ) {
224	int fst=_get_next_cred_idx();
225	int snd=_get_next_cred_idx();
226	if(linked_param_string !=NULL) {
227	if (param_string != NULL) {
228	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(X,oset(Y,%s,%s),C%d)",
229	principalname,
230	linkedname,linked_param_string,fst,
231	osetname,param_string,snd);
232	free(param_string);
233	} else {
234	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s,%s),C%d),isMember(X,oset(Y,%s),C%d)",
235	principalname,
236	linkedname,linked_param_string,fst,
237	osetname,snd);
238	}
239	free(linked_param_string);
240	} else {
241	if (oset_params != NULL) {
242	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(X,oset(Y,%s,%s),C%d)",
243	principalname,
244	linkedname,fst,
245	osetname,param_string,snd);
246	free(param_string);
247	} else {
248	cnt=asprintf(&tmp,"isMember(Y,role(%s,%s),C%d),isMember(X,oset(Y,%s),C%d)",
249	principalname,
250	linkedname,fst,
251	osetname,snd);
252	}
253	}
254	if(cnt>0)
255	return tmp;
256	else
257	return NULL;
258	}
259	/* b.r */
260	if(linkedname==NULL && osetname!=NULL && principalname!=NULL ) {
261	int fst=_get_next_cred_idx();
262	if(param_string != NULL) {
263	cnt=asprintf(&tmp,"isMember(X,oset(%s,%s,%s),C%d)",
264	principalname, osetname, param_string, fst);
265	free(param_string);
266	} else {
267	cnt=asprintf(&tmp,"isMember(X,oset(%s,%s),C%d)",
268	principalname, osetname, fst);
269	}
270	if(cnt>0)
271	return tmp;
272	else
273	return NULL;
274	}
275	/* b */
276	if(linkedname==NULL && osetname==NULL && principalname!=NULL ) {
277	tmp=abac_xstrdup(principalname);
278	return tmp;
279	}
280
281	}
282	return tmp;
283	}
284
285
286	/********************************************************************************/
287
288	static char _build_constraint_rule_clause(char head_string, char *tail_string)
289	{
290	/only, A.R <- B /
291	char *tmp;
292	int idx=_get_next_cred_idx();
293	asprintf(&tmp, "isMember(%s,%s,C%d)", tail_string,head_string,idx);
294	return tmp;
295	}
296
297	static char _build_rule_clause(char rolename, char head_string, char tail_string)
298	{
299	char *tmp=NULL;
300
301	if(rolename == NULL) {
302	/* A.R <- B */
303	if(abac_addon_clauses==NULL) {
304	asprintf(&tmp, "isMember(%s,%s,['%s'])",
305	tail_string,head_string,abac_yyfptr_encoded);
306	} else {
307	asprintf(&tmp, "isMember(%s,%s,['%s']) :- %s",
308	tail_string,head_string,abac_yyfptr_encoded,
309	abac_addon_clauses);
310	free(abac_addon_clauses);
311	abac_addon_clauses=NULL;
312	}
313	} else {
314	/* A.R <- B.R */
315	/* A.R <- B.R.R */
316	if (cred_count==0) {
317	if(abac_addon_clauses==NULL) {
318	asprintf(&tmp,"isMember(X,%s,['%s']):-%s",
319	head_string, abac_yyfptr_encoded, tail_string);
320	} else {
321	asprintf(&tmp,"isMember(X,%s,['%s']):-%s, %s",
322	head_string, abac_yyfptr_encoded,
323	tail_string,abac_addon_clauses);
324	free(abac_addon_clauses);
325	abac_addon_clauses=NULL;
326	}
327	} else {
328	char *tmp_cred_list=_compose_cred_list();
329	if(abac_addon_clauses == NULL) {
330	asprintf(&tmp,"isMember(X,%s,L):-%s, appendL([['%s'],%s],L)",
331	head_string, tail_string,
332	abac_yyfptr_encoded, tmp_cred_list);
333	} else {
334	asprintf(&tmp,"isMember(X,%s,L):-%s, %s, appendL([['%s'],%s],L)",
335	head_string, tail_string, abac_addon_clauses,
336	abac_yyfptr_encoded, tmp_cred_list);
337	free(abac_addon_clauses);
338	abac_addon_clauses=NULL;
339	}
340	free(tmp_cred_list);
341	cred_count=0;
342	}
343	}
344	return tmp;
345	}
346
347
348	static char generate_pl_rule_role_clause(char head_role_string, abac_role_t *tail_role)
349	{
350	char *rolename=abac_role_role_name(tail_role);
351	char *tail_role_string=generate_pl_tail_role_string(tail_role);
352	if(rolename == NULL && tail_role_string == NULL)
353	goto error;
354	char *tmp=_build_rule_clause(rolename,head_role_string, tail_role_string);
355	if(tail_role_string) free(tail_role_string);
356	return tmp;
357
358	error:
359	if(tail_role_string) free(tail_role_string);
360	return NULL;
361	}
362
363	static char generate_pl_rule_oset_clause(char head_oset_string, abac_oset_t *tail_oset)
364	{
365	char *osetname=abac_oset_oset_name(tail_oset);
366	char *tail_oset_string=generate_pl_tail_oset_string(tail_oset);
367	if(osetname == NULL && tail_oset_string == NULL)
368	goto error;
369	char *tmp=_build_rule_clause(osetname,head_oset_string, tail_oset_string);
370	if(tail_oset_string) free(tail_oset_string);
371	return tmp;
372
373	error:
374	if(tail_oset_string) free(tail_oset_string);
375	return NULL;
376	}
377
378
379	static char _add_string(char dstr, char *nstr)
380	{
381	if(strlen(dstr)==0) {
382	dstr=abac_xstrdup(nstr);
383	return dstr;
384	} else {
385	int len = strlen(dstr)+strlen(nstr)+2;
386	char tmp=abac_xmalloc(lensizeof(char));
387	sprintf(tmp,"%s,%s", dstr,nstr);
388	free(dstr);
389	return tmp;
390	}
391	return NULL;
392	}
393
394	static char _build_intersecting_clause(char head_role_string, char *tail_role_string)
395	{
396	char *tmp;
397
398	if (cred_count==0) {
399	if(abac_addon_clauses ==NULL) {
400	asprintf(&tmp,"isMember(X,%s,['%s']):-%s",
401	head_role_string, abac_yyfptr_encoded, tail_role_string);
402	} else {
403	asprintf(&tmp,"isMember(X,%s,['%s']):-%s, %s",
404	head_role_string, abac_yyfptr_encoded,
405	tail_role_string, abac_addon_clauses);
406	free(abac_addon_clauses);
407	abac_addon_clauses=NULL;
408	}
409	} else {
410	char *tmp_cred_list=_compose_cred_list();
411	if(abac_addon_clauses ==NULL) {
412	asprintf(&tmp,"isMember(X,%s,L):-%s, appendL([['%s'],%s],L)",
413	head_role_string, tail_role_string,
414	abac_yyfptr_encoded, tmp_cred_list);
415	} else {
416	asprintf(&tmp,"isMember(X,%s,L):-%s, %s, appendL([['%s'],%s],L)",
417	head_role_string, tail_role_string, abac_addon_clauses,
418	abac_yyfptr_encoded, tmp_cred_list);
419	free(abac_addon_clauses);
420	abac_addon_clauses=NULL;
421	}
422	free(tmp_cred_list);
423	cred_count=0;
424	}
425	return tmp;
426	}
427
428	static char generate_pl_intersecting_role_clause(char head_role_string, abac_role_t *tail_role)
429	{
430	char *tmp=NULL;
431	char* tail_role_string=NULL;
432	abac_list_t *list=abac_role_prereqs(tail_role);
433	/* A.R <- B.R & C.R.R */
434
435	if (list != NULL) {
436	abac_role_t *cur;
437	abac_list_foreach(list, cur,
438	char *ntmp=generate_pl_tail_role_string(cur);
439	if(tail_role_string==NULL)
440	asprintf(&tail_role_string,"%s",ntmp);
441	else
442	asprintf(&tail_role_string,"%s, %s",tail_role_string,ntmp);
443	free(ntmp);
444	);
445	}
446
447	tmp=_build_intersecting_clause(head_role_string, tail_role_string);
448	if(tail_role_string) free(tail_role_string);
449	return tmp;
450	}
451
452	static char generate_pl_intersecting_oset_clause(char head_oset_string, abac_oset_t *tail_oset)
453	{
454	char *tmp=NULL;
455	char* tail_oset_string=NULL;
456	abac_list_t *list=abac_oset_prereqs(tail_oset);
457	/* A.O <- B.O & C.R.O */
458
459	if (list != NULL) {
460	abac_oset_t *cur;
461	abac_list_foreach(list, cur,
462	char *ntmp=generate_pl_tail_oset_string(cur);
463	if(tail_oset_string==NULL)
464	asprintf(&tail_oset_string,"%s",ntmp);
465	else
466	asprintf(&tail_oset_string,"%s, %s",tail_oset_string,ntmp);
467	free(ntmp);
468	);
469	}
470
471	tmp=_build_intersecting_clause(head_oset_string, tail_oset_string);
472	if(tail_oset_string) free(tail_oset_string);
473	return tmp;
474	}
475
476	/* generate the yap isMember rule clause for the credential stmt */
477	abac_list_t generate_pl_role_clauses(abac_role_t head_role, abac_role_t *tail_role)
478	{
479	char *tmp=NULL;
480	abac_list_t *clauses=abac_list_new();
481
482	int cnt=abac_cnt_yy_id_certs();
483	if(cnt > 0) { /* string it up */
484	//abac_addon_clauses=abac_string_yy_id_certs();
485	tmp=abac_string_yy_id_certs();
486	abac_free_yy_id_certs();
487	}
488
489	cnt=abac_cnt_yy_constraints();
490	if(cnt > 0) {
491	char *ntmp=abac_string_yy_constraints();
492	abac_free_yy_constraints();
493	if(tmp)
494	asprintf(&tmp,"%s,%s",tmp,ntmp);
495	else tmp=ntmp;
496	}
497	abac_addon_clauses=tmp;
498
499	/* generate head's role string */
500	char *head_role_string=generate_pl_head_role_string(head_role);
501	if(head_role_string == NULL)
502	goto error;
503
504	/* tail side */
505	if(abac_role_is_intersection(tail_role)) {
506	tmp=generate_pl_intersecting_role_clause(head_role_string, tail_role);
507	} else {
508	tmp=generate_pl_rule_role_clause(head_role_string, tail_role);
509	}
510	if(tmp==NULL)
511	goto error;
512
513	abac_list_add(clauses,tmp);
514	return clauses;
515
516	error:
517	if(head_role_string) free(head_role_string);
518	return clauses;
519	}
520
521	abac_list_t generate_pl_oset_clauses(abac_oset_t head_oset, abac_oset_t *tail_oset)
522	{
523	char *tmp=NULL;
524	abac_list_t *clauses=abac_list_new();
525
526	int cnt=abac_cnt_yy_id_certs();
527	if(cnt > 0) { /* string it up */
528	tmp=abac_string_yy_id_certs();
529	abac_free_yy_id_certs();
530	}
531
532	cnt=abac_cnt_yy_constraints();
533	if(cnt > 0) {
534	char *ntmp=abac_string_yy_constraints();
535	abac_free_yy_constraints();
536	if(tmp)
537	asprintf(&tmp,"%s,%s",tmp,ntmp);
538	else tmp=ntmp;
539	}
540	abac_addon_clauses=tmp;
541
542	/* generate head's oset string */
543	char *head_oset_string=generate_pl_head_oset_string(head_oset);
544	if(head_oset_string == NULL)
545	goto error;
546
547	/* tail side */
548	if(abac_oset_is_intersection(tail_oset)) {
549	tmp=generate_pl_intersecting_oset_clause(head_oset_string, tail_oset);
550	} else {
551	tmp=generate_pl_rule_oset_clause(head_oset_string, tail_oset);
552	}
553	if(tmp==NULL)
554	goto error;
555
556	abac_list_add(clauses,tmp);
557	return clauses;
558
559	error:
560	if(head_oset_string) free(head_oset_string);
561	return clauses;
562	}
563
564	/* should be just 1 */
565	char generate_pl_role_constraint_clause(abac_role_t head_role, char *tail_string)
566	{
567	/* generate head's role string */
568	char *head_role_string=generate_pl_head_role_string(head_role);
569	if(head_role_string == NULL)
570	goto error;
571
572	/* tail side */
573	char *tmp=_build_constraint_rule_clause(head_role_string, tail_string);
574	if(tmp==NULL)
575	goto error;
576
577	return tmp;
578
579	error:
580	if(head_role_string) free(head_role_string);
581	return NULL;
582	}
583
584
585
586	/* so far, for integer type only */
587	char generate_pl_range_constraint_clause(char typestr,char var,char val,char *op)
588	{
589	char *tmp=NULL;
590	asprintf(&tmp,"%s(%s)%s%s",typestr,var,op,val);
591	return tmp;
592	}
593
594	/* should just be 1 clause */
595	char generate_pl_oset_constraint_clause(abac_oset_t head_oset,
596	char *tail_string)
597	{
598	/* generate head's oset string */
599	char *head_oset_string=generate_pl_head_oset_string(head_oset);
600	if(head_oset_string == NULL)
601	goto error;
602
603	/* tail side */
604	char *tmp=_build_constraint_rule_clause(head_oset_string, tail_string);
605	if(tmp==NULL)
606	goto error;
607
608	return tmp;
609	error:
610	if(head_oset_string) free(head_oset_string);
611	return NULL;
612	}
613
614
615	/* generate the yap isType rule clause for the type,
616	isType(Acme, keyid); */
617	char generate_pl_type_clause(char principalname, int type)
618	{
619	char *tmp=NULL;
620	char *typeid= abac_keyid_type(type);
621	int cnt=asprintf(&tmp,"isType(%s,%s)",
622	principalname, typeid);
623	return tmp;
624	}
625

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: libabac/abac_pl_gen.c @ e88c95b

Download in other formats: