Context Navigation

source: libabac/abac_pl_pre.c @ d0efdec

mei_rt2

Last change on this file since d0efdec was 2e9455f, checked in by Mei <mei@…>, 11 years ago
1) added namespace 2) tweak ?This, 3) allowing linking role/oset as constraining conditions 4) adding access_tests regression testing that uses GENI's access policy 5) added couple multi contexts regression tests 6) add compression/uncompression calls to abac_encode_string/abac_decode_string (libstrongwan only allows 512 char for attribute rule storage) 7) add attribute_now option to creddy that takes a whole char string for attribute rule
Property mode set to `100644`
File size: 9.0 KB

Line
1
2	/***********************************************************************/
3	/* abac_pl_pre.c */
4	/* clause preprocesing called to make partial prolog clause generations*/
5	/* -> process named cred id, and constraint range/role/oset */
6	/***********************************************************************/
7	#include <stdio.h>
8	#include <assert.h>
9	#include <stdlib.h>
10
11	#include "abac_util.h"
12
13	#include "abac_pl_pre.h"
14	#include "abac_term.h"
15	#include "abac_aspect.h"
16	#include "abac_list.h"
17	#include "abac_pl_gen.h"
18	#include "abac_pl_yap.h"
19
20	static int debug=0;
21
22	/****************************************************************/
23	/* add the range condition to constraint list */
24	/* this is for integer and float only */
25	static void _preprocess_range_numeric_constraint(abac_term_t *ptr)
26	{
27	assert(abac_term_constraint(ptr));
28	char *var=abac_term_name(ptr);
29	char *typestr=abac_term_type_name(ptr);
30	abac_condition_t *cond=abac_term_constraint(ptr);
31
32	char *tmplist=NULL;
33	char *tmp=NULL;
34	int as_range=1; /* either , or ; */
35
36	abac_condition_set_range_string(cond);
37
38	abac_list_t *rlist=abac_condition_range_list(cond);
39	abac_item_t *cur;
40	abac_list_foreach(rlist, cur,
41	int type=abac_item_type(cur);
42	char *val=abac_item_val(cur);
43	switch(type) {
44	case e_ITEM_MIN:
45	tmp=generate_pl_range_constraint(typestr,var,val,">=");
46	break;
47	case e_ITEM_MAX:
48	tmp=generate_pl_range_constraint(typestr,var,val,"=<");
49	break;
50	case e_ITEM_TARGET:
51	tmp=generate_pl_range_constraint(NULL,var,val,"=");
52	as_range=0;
53	break;
54	}
55	/* ; is prolog's disjunction built in predicate */
56	if(tmplist) {
57	if(as_range)
58	asprintf(&tmplist,"%s,%s",tmplist,tmp);
59	else
60	asprintf(&tmplist,"%s;%s",tmplist,tmp);
61	} else {
62	tmplist=tmp;
63	}
64	tmp=NULL;
65	);
66	asprintf(&tmplist,"(%s)",tmplist);
67	abac_pl_add_constraints(tmplist);
68	}
69
70	/****************************************************************/
71	/* this is for time only */
72	static void _preprocess_range_time_constraint(abac_term_t *ptr)
73	{
74	assert(abac_term_constraint(ptr));
75	char *var=abac_term_name(ptr);
76	char *typestr=abac_term_type_name(ptr);
77	abac_condition_t *cond=abac_term_constraint(ptr);
78	abac_list_t *rlist=abac_condition_range_list(cond);
79	assert(rlist);
80
81	char *tmplist=NULL;
82	char *tmp=NULL;
83	char *ttmp=NULL;
84	char *tlist=NULL;
85	int as_range=1; /* either , or ; */
86
87	abac_condition_set_range_string(cond);
88
89	abac_item_t *cur;
90	/* a list of values -- in chars */
91	abac_list_foreach(rlist, cur,
92	int type=abac_item_type(cur);
93	char *tval=abac_item_val(cur);
94	char *val=abac_term_to_time(tval);
95	switch(type) {
96	case e_ITEM_MIN:
97	ttmp=generate_pl_range_time_constraint(var,val,">");
98	tmp=generate_pl_range_time_constraint(var,val,"=");
99	asprintf(&tlist,"(%s;%s)",ttmp,tmp);
100	tmp=tlist;
101	break;
102	case e_ITEM_MAX:
103	ttmp=generate_pl_range_time_constraint(var,val,"=");
104	tmp=generate_pl_range_time_constraint(var,val,"<");
105	asprintf(&tlist,"(%s;%s)",ttmp,tmp);
106	tmp=tlist;
107	break;
108	case e_ITEM_TARGET:
109	tmp=generate_pl_range_time_constraint(var,val,"=");
110	as_range=0;
111	break;
112	}
113	free(val);
114	/* ; is prolog's disjunction built in predicate */
115	if(tmplist) {
116	if(as_range)
117	asprintf(&tmplist,"%s,%s",tmplist,tmp);
118	else
119	asprintf(&tmplist,"%s;%s",tmplist,tmp);
120	} else {
121	tmplist=tmp;
122	}
123	tmp=NULL;
124	);
125
126	asprintf(&tmplist,"(%s)",tmplist);
127
128	/* generate a clause with above and add into db */
129	tmp=abac_pl_add_range_constraint_clause(var,tmplist);
130	abac_pl_add_constraints(tmp);
131	}
132
133	/****************************************************************/
134	/* this is for string and urn only */
135	static void _preprocess_range_string_constraint(abac_term_t *ptr)
136	{
137	assert(abac_term_constraint(ptr));
138	char *var=abac_term_name(ptr);
139	char *typestr=abac_term_type_name(ptr);
140	abac_condition_t *cond=abac_term_constraint(ptr);
141	abac_list_t *rlist=abac_condition_range_list(cond);
142	assert(rlist);
143
144	char *tmplist=NULL;
145	char *tmp=NULL;
146
147	abac_condition_set_range_string(cond);
148	abac_item_t *cur;
149
150	/* a list of values -- in chars */
151	abac_list_foreach(rlist, cur,
152	int type=abac_item_type(cur);
153	char *val=abac_item_val(cur);
154	switch(type) {
155	case e_ITEM_MIN:
156	panic("_preprocess_range_string_constraint, invalid range type - min");
157	break;
158	case e_ITEM_MAX:
159	/* invalid range type */
160	panic("_preprocess_range_string_constraint, invalid range type - max");
161	break;
162	case e_ITEM_TARGET:
163	tmp=generate_pl_range_constraint(NULL,var,val,"=");
164	break;
165	}
166	/* ; is prolog's disjunction built in predicate */
167	if(tmplist)
168	asprintf(&tmplist,"%s;%s",tmplist,tmp);
169	else tmplist=tmp;
170	tmp=NULL;
171	);
172	asprintf(&tmplist,"(%s)",tmplist);
173	/* generate a clause with above and add into db */
174	tmp=abac_pl_add_range_constraint_clause(var,tmplist);
175	abac_pl_add_constraints(tmp);
176	}
177
178
179	/***********************************************************************/
180	void preprocess_pl_term(abac_context_t ctxt,abac_term_t ptr)
181	{
182	/* add id */
183	char *name=abac_term_name(ptr);
184	char *type=abac_term_type_name(ptr);
185
186	if(abac_term_type(ptr) == e_TERM_PRINCIPAL && abac_term_isnamed(ptr)) {
187	int type=e_KEYID;
188	abac_pl_add_id_certs(name,type);
189	if(debug) fprintf(stderr,"preprocess_pl_term: adding %s to id_certs\n",name);
190	}
191
192	abac_condition_t *cond=abac_term_constraint(ptr);
193	if(cond != NULL) {
194	if(abac_condition_is_range(cond)) {
195	if(abac_term_is_numeric(ptr)) {
196	_preprocess_range_numeric_constraint(ptr);
197	} else if (abac_term_is_alpha(ptr)) {
198	_preprocess_range_string_constraint(ptr);
199	} else if (abac_term_is_time(ptr)) {
200	_preprocess_range_time_constraint(ptr);
201	}
202	} else {
203	/* special handling of role/oset constraining condition */
204	if(debug) fprintf(stderr,"expecting either oset/role constraint with %s\n",name);
205	abac_aspect_t *cptr=abac_condition_of_aspect(cond);
206	preprocess_pl_head(ctxt,cptr);
207
208	/* generate the prolog clause */
209	char *tmp=generate_pl_constraint_clause(ctxt,cptr,name);
210	abac_condition_set_aspect_string(cond,tmp);
211	abac_pl_add_constraints(tmp);
212	}
213	}
214	}
215
216	void preprocess_pl_params(abac_context_t ctxt,abac_param_list_t ptr)
217	{
218	abac_list_t *list=abac_param_list(ptr);
219	assert(list);
220	abac_term_t *cur;
221	abac_list_foreach(list, cur,
222	preprocess_pl_term(ctxt,cur);
223	);
224	}
225
226	void preprocess_pl_head(abac_context_t ctxt,abac_aspect_t ptr)
227	{
228	char *principalname;
229	PROLOG(principalname=abac_aspect_principal_name(ptr););
230	int idtype=abac_aspect_get_issuer_idtype(ptr);
231	abac_pl_add_id_certs(principalname,idtype);
232	if(debug)
233	fprintf(stderr,"preprocess_pl_head: adding %s to id_certs\n",principalname);
234
235	abac_param_list_t *aspect_params=abac_aspect_aspect_params(ptr);
236	if(aspect_params) {
237	preprocess_pl_params(ctxt,aspect_params);
238	}
239	abac_param_list_t *linked_role_params=abac_aspect_linked_role_params(ptr);
240	if(linked_role_params) {
241	preprocess_pl_params(ctxt,linked_role_params);
242	}
243
244	}
245
246	void preprocess_pl_tail(abac_context_t ctxt,abac_aspect_t ptr)
247	{
248	/* if it is an intersection, preprocess each one */
249
250	abac_list_t *list=abac_aspect_prereqs(ptr);
251	if(list != 0) {
252	abac_aspect_t *cur;
253	abac_list_foreach(list, cur,
254	if(cur)
255	preprocess_pl_tail(ctxt,cur);
256	);
257	return;
258	}
259
260	/* for oset case,
261	A.oset <- B
262	A.oset <- Obj
263	A.oset <- B.oset
264	A.oset <- B.role.oset
265	*/
266	/* if it is an oset and object */
267	if(abac_aspect_is_object(ptr)) {
268	abac_term_t *tptr=abac_aspect_object_term(ptr);
269	if(tptr)
270	preprocess_pl_term(ctxt,tptr);
271	} else {
272	char *principalname;
273	PROLOG(principalname=abac_aspect_principal_name(ptr););
274	int idtype=abac_aspect_get_issuer_idtype(ptr);
275	abac_pl_add_id_certs(principalname,idtype);
276	if(debug)
277	fprintf(stderr,"preprocess_pl_tail: adding %s to id_certs\n",principalname);
278	abac_param_list_t *aspect_params=abac_aspect_aspect_params(ptr);
279	if(aspect_params) {
280	preprocess_pl_params(ctxt,aspect_params);
281	}
282
283	abac_param_list_t *linked_role_params=abac_aspect_linked_role_params(ptr);
284	if(linked_role_params) {
285	preprocess_pl_params(ctxt,linked_role_params);
286	}
287	}
288	}
289
290
291

Note: See TracBrowser for help on using the repository browser.

Download in other formats: