Context Navigation

source: libabac/abac_pl_yy.c @ da5afdf

mei_rt2mei_rt2_fix_1meiyap-rt1rt2

Last change on this file since da5afdf was da5afdf, checked in by Mei <mei@…>, 12 years ago

1) add static contraint

(limited to integer at this time)

Property mode set to 100644

File size: 36.7 KB

Line
1
2	/* C declarations */
3	#include <stdio.h>
4	#include <string.h>
5	#include <stdlib.h>
6	#include <assert.h>
7
8	#include "abac_util.h"
9	#include "abac_pl_yy.h"
10
11	static int debug=0;
12
13	extern abac_list_t generate_pl_role_clauses(abac_role_t , abac_role_t *);
14	extern abac_list_t generate_pl_oset_clauses(abac_oset_t , abac_oset_t *);
15	extern void panic(char*);
16	extern char generate_pl_type_clause(char , int);
17	void _add_yy_id_certs(char *, int);
18	static void _free_yy_oset(abac_yy_oset_t *ptr);
19	static void _free_yy_term_data(abac_yy_term_data_t *ptr);
20	abac_role_t validate_head_role(abac_yy_expression_t expr);
21
22	abac_list_t *abac_yap_clauses=NULL;
23	/* this is to track individual id credentials */
24	abac_stack_t *abac_yap_id_clauses=NULL;
25
26	int abac_yap_is_oset=0;
27	abac_role_t *abac_yap_head_role=NULL;
28	abac_role_t *abac_yap_tail_role=NULL;
29
30	abac_oset_t *abac_yap_head_oset=NULL;
31	abac_oset_t *abac_yap_tail_oset=NULL;
32
33	/* to track id certs within a rule clause */
34	typedef struct _abac_yy_id_cert_t {
35	char *principalname;
36	int type; /* keyidtype */
37	char *clause;
38	} abac_yy_id_cert_t;
39	abac_list_t *abac_yy_id_certs = NULL;
40
41	/* structure to hold the range information
42	within a static constraints on few types of
43	oset types
44	[a..b], [a..], [..b], [a],[a,b],[many a]
45	e_yy_RANGE_MIN=1;
46	e_yy_RANGE_MAX=2;
47	e_yy_RANGE_TARGET=3;
48	*/
49	typedef struct _abac_yy_range_t {
50	int type;
51	char *val;
52	} abac_yy_range_t;
53
54	/* to track role/oset constraint clauses used within a rule clause,
55	collect them up in one place */
56	typedef struct _abac_yy_constraint_t {
57	char *clause;
58	} abac_yy_constraint_t;
59	abac_list_t *abac_yy_constraints = NULL;
60
61	/* local principal structure [keyid:USC] */
62	struct _abac_yy_principal_t {
63	int type;
64	char *sha; // sha is null when this is of object type
65	char *cn;
66	};
67
68	/* [principal:?Z]:..., must match a principal name */
69	struct _abac_yy_term_principal_t {
70	int type; /* this needs to be implicitly determined */
71	char *name;
72	char *condition;
73	void *cptr; // ptr to a saved abac_role_t
74	abac_yy_expression_t *cond_head_expr;
75	};
76
77	/* if has condition, then it is a variable,
78	ie,
79	[int:?Year]:<1930..1932>,
80	if no condition, then it is a constant,
81	ie,
82	[int:10]
83	*/
84	struct _abac_yy_term_data_t {
85	int is_variable;
86	int type;
87	char *name;
88	char *condition;
89	void *cptr; // ptr to a saved abac_oset_t
90	abac_list_t *cond_range;
91	abac_yy_expression_t *cond_head_expr; // parking stub
92	};
93
94	/* local term structure, will distinguish it in the future */
95	/* e_yy_DTERM_DATA, all other types
96	e_yy_DTERM_NAMED, keyid:bob
97	e_yy_DTERM_PRINCIPAL, principal:?P
98	e_yy_DTERM_ANONYMOUS ? */
99	struct _abac_yy_term_t {
100	union {
101	abac_yy_principal_t *n_ptr;
102	abac_yy_term_principal_t *p_ptr;
103	abac_yy_term_data_t *d_ptr;
104	} term;
105	int type;
106	struct _abac_yy_term_t *next;
107	int bcnt; /* this is to track number of terms in this linked up list */
108	};
109
110	/* local role structure */
111	struct _abac_yy_role_t {
112	int type;
113	char *name;
114	abac_yy_term_t *terms;
115	struct _abac_yy_role_t *next;
116	int bcnt; /* this is to track number of roles in this linked up list */
117	};
118
119	/* local oset structure */
120	struct _abac_yy_oset_t {
121	int type;
122	char *name;
123	abac_yy_term_t *terms;
124	struct _abac_yy_oset_t *next;
125	int bcnt; /* this is to track number of oset in this linked up list */
126	};
127
128	/* A, A.r, A.r.r */
129	/* type: e_yy_EXPR_NAMED,e_yy_EXPR_ROLE,e_yy_EXPR_LINKED */
130	/* A/obj, A.o, A.r.o */
131	/* type: e_yy_EXPR_NAMED, e_yy_EXPR_OBJECT, e_yy_EXPR_OSET,e_yy_EXPR_LINKED */
132	struct _abac_yy_expression_t {
133	int type;
134	union {
135	abac_yy_principal_t *principal;
136	abac_yy_term_data_t *object;
137	};
138	abac_yy_role_t *linked_role;
139	union {
140	abac_yy_role_t *role;
141	abac_yy_oset_t *oset;
142	};
143	struct _abac_yy_expression_t *next;
144	int bcnt;
145	};
146	static void _free_yy_term(abac_yy_term_t *ptr);
147
148	/************************************************************************/
149	static void _free_yy_range(abac_list_t *ptr)
150	{
151	if (ptr != NULL) {
152	abac_yy_range_t *cur;
153	abac_list_foreach(ptr, cur,
154	if(cur && cur->val) free(cur->val);
155	free(cur);
156	);
157	abac_list_free(ptr);
158	}
159	}
160
161	char string_yy_cond_range(abac_list_t ptr)
162	{
163	assert(ptr);
164	char *tmp=NULL;
165	char *min=NULL;
166	char *max=NULL;
167	char *val=NULL;
168	int type;
169
170	abac_yy_range_t *cur;
171	abac_list_foreach(ptr, cur,
172	type=cur->type;
173	val=cur->val;
174	switch (type) {
175	case e_yy_RANGE_MIN:
176	min=strdup(cur->val);
177	break;
178	case e_yy_RANGE_MAX:
179	max=strdup(cur->val);
180	break;
181	case e_yy_RANGE_TARGET:
182	if(val)
183	asprintf(&val,"%s,%s",val,cur->val);
184	else val=strdup(cur->val);
185	break;
186	}
187	);
188	if(max && min) {
189	asprintf(&tmp,"[%s..%s]",min,max);
190	free(max);
191	free(min);
192	return tmp;
193	}
194	if(max) {
195	asprintf(&tmp,"[..%s]",max);
196	free(max);
197	return tmp;
198	}
199	if(min) {
200	asprintf(&tmp,"[%s..]",min);
201	free(min);
202	return tmp;
203	}
204	if(val) {
205	asprintf(&tmp,"[%s]",val);
206	free(val);
207	return tmp;
208	}
209	return NULL;
210	}
211
212	abac_list_t addto_yy_val_range(abac_list_t ptr, char * val)
213	{
214	abac_yy_range_t *range=
215	(abac_yy_range_t *) abac_xmalloc(sizeof(abac_yy_range_t));
216	range->type=e_yy_RANGE_TARGET;
217	range->val=strdup(val);
218	abac_list_add(ptr, range);
219	return ptr;
220	}
221
222	static abac_list_t _addto_yy_range(abac_list_t ptr, int type, char * val)
223	{
224	abac_yy_range_t *range=
225	(abac_yy_range_t *) abac_xmalloc(sizeof(abac_yy_range_t));
226	range->type=type;
227	range->val=strdup(val);
228	abac_list_add(ptr, range);
229	return ptr;
230	}
231
232	abac_list_t make_yy_val_range(char val)
233	{
234	abac_list_t *ptr=abac_list_new();
235	addto_yy_val_range(ptr,val);
236	return ptr;
237	}
238
239	abac_list_t make_yy_minmax_range(char min, char *max)
240	{
241	abac_list_t *ptr=abac_list_new();
242	_addto_yy_range(ptr, e_yy_RANGE_MIN, min);
243	_addto_yy_range(ptr, e_yy_RANGE_MAX, max);
244	return ptr;
245	}
246
247	abac_list_t make_yy_min_range(char min)
248	{
249	abac_list_t *ptr=abac_list_new();
250	_addto_yy_range(ptr, e_yy_RANGE_MIN, min);
251	return ptr;
252	}
253
254	abac_list_t make_yy_max_range(char max)
255	{
256	abac_list_t *ptr=abac_list_new();
257	_addto_yy_range(ptr, e_yy_RANGE_MAX, max);
258	return ptr;
259	}
260
261	/************************************************************************/
262	abac_stack_t *abac_get_yap_id_clauses()
263	{
264	return abac_yap_id_clauses;
265	}
266
267	abac_stack_t *abac_init_yap_id_clauses()
268	{
269	abac_yap_id_clauses=abac_stack_new();
270	return abac_yap_id_clauses;
271	}
272
273	void abac_free_yap_id_clauses()
274	{
275	if (abac_yap_id_clauses != NULL)
276	abac_stack_free(abac_yap_id_clauses);
277	}
278
279	void set_yap_clauses(abac_list_t *clauses)
280	{
281	abac_yap_clauses=clauses;
282	if(debug) {
283	printf("printing out abac_yap_clauses:\n");
284	abac_print_clauses(abac_yap_clauses,NULL);
285	}
286	}
287
288	abac_list_t *abac_get_yap_clauses()
289	{
290	return abac_yap_clauses;
291	}
292
293	void abac_free_yap_clauses()
294	{
295	if (abac_yap_clauses != NULL) {
296	char *cur;
297	abac_list_foreach(abac_yy_id_certs, cur,
298	if(cur) free(cur);
299	);
300	abac_list_free(abac_yap_clauses);
301	}
302	}
303
304	int abac_get_yap_is_oset()
305	{
306	return abac_yap_is_oset;
307	}
308
309	abac_role_t *abac_get_yap_head_role()
310	{
311	return abac_yap_head_role;
312	}
313
314	abac_role_t *abac_get_yap_tail_role()
315	{
316	return abac_yap_tail_role;
317	}
318
319	abac_oset_t *abac_get_yap_head_oset()
320	{
321	return abac_yap_head_oset;
322	}
323
324	abac_oset_t *abac_get_yap_tail_oset()
325	{
326	return abac_yap_tail_oset;
327	}
328
329	/*******************************************************************/
330	void abac_init_yy_id_certs()
331	{
332	abac_yy_id_certs = abac_list_new();
333	}
334
335	void abac_free_yy_id_certs()
336	{
337	abac_yy_id_cert_t *id;
338	abac_list_foreach(abac_yy_id_certs, id,
339	if(id)
340	free(id->principalname);
341	free(id->clause);
342	free(id);
343	);
344	abac_list_free(abac_yy_id_certs);
345	abac_yy_id_certs = NULL;
346	}
347
348	int abac_cnt_yy_id_certs()
349	{
350	return abac_list_size(abac_yy_id_certs);
351	}
352
353	char *abac_string_yy_id_certs()
354	{
355	int first=1;
356	char *tmp=NULL;
357	abac_yy_id_cert_t *cur;
358	abac_list_foreach(abac_yy_id_certs, cur,
359	if(cur)
360	if(first) {
361	tmp=abac_xstrdup(cur->clause);
362	first=0;
363	} else {
364	int cnt=asprintf(&tmp,"%s,%s", tmp, cur->clause);
365	}
366	);
367	return tmp;
368	}
369
370	void _add_yy_id_certs(char *principalname, int type)
371	{
372	abac_yy_id_cert_t *id_cert=NULL;
373
374	int found=0;
375	abac_yy_id_cert_t *cur;
376	abac_list_foreach(abac_yy_id_certs, cur,
377	if(cur)
378	if(strcmp(cur->principalname,principalname)==0) {
379	found=1;
380	break;
381	}
382	);
383
384	if (found) {
385	return;
386	} else {
387	id_cert=abac_xmalloc(sizeof(abac_yy_id_cert_t));
388	id_cert->principalname=abac_xstrdup(principalname);
389	id_cert->type=type;
390	id_cert->clause=generate_pl_type_clause(principalname,type);
391	abac_list_add(abac_yy_id_certs, id_cert);
392	}
393	}
394
395	/****************************************************************************/
396	void abac_init_yy_constraints()
397	{
398	abac_yy_constraints = abac_list_new();
399	}
400
401	void abac_free_yy_constraints()
402	{
403	abac_yy_constraint_t *cur;
404	abac_list_foreach(abac_yy_constraints, cur,
405	if(cur && cur->clause)
406	free(cur->clause);
407	free(cur);
408	);
409	abac_list_free(abac_yy_constraints);
410	abac_yy_constraints=NULL;
411	}
412
413	int abac_cnt_yy_constraints()
414	{
415	return abac_list_size(abac_yy_constraints);
416	}
417
418	char *abac_string_yy_constraints()
419	{
420	int first=1;
421	char *tmp=NULL;
422	abac_yy_constraint_t *cur;
423	abac_list_foreach(abac_yy_constraints, cur,
424	if(cur && cur->clause)
425	if(first) {
426	tmp=abac_xstrdup(cur->clause);
427	first=0;
428	} else {
429	int cnt=asprintf(&tmp,"%s,%s", tmp, cur->clause);
430	}
431	);
432	return tmp;
433	}
434
435	abac_yy_constraint_t abac_add_yy_constraints(char constraint)
436	{
437	abac_yy_constraint_t *ptr=
438	(abac_yy_constraint_t *) abac_xmalloc(sizeof(abac_yy_constraint_t));
439	ptr->clause=strdup(constraint);
440	abac_list_add(abac_yy_constraints, ptr);
441	return ptr;
442	}
443
444	/****************************************************************************/
445	abac_yy_principal_t make_yy_principal(char sha, char *cn, int type)
446	{
447	abac_yy_principal_t *ptr=
448	(abac_yy_principal_t*)abac_xmalloc(sizeof(abac_yy_principal_t));
449	ptr->sha=abac_xstrdup(sha);
450	ptr->cn=abac_xstrdup(cn);
451	ptr->type=type;
452	return ptr;
453	}
454
455	static void _free_yy_principal(abac_yy_principal_t *ptr)
456	{
457	free(ptr->sha);
458	if(ptr->cn)
459	free(ptr->cn);
460	free(ptr);
461	}
462
463	int get_yy_principal_type(abac_yy_principal_t *ptr)
464	{
465	return ptr->type;
466	}
467
468	char get_yy_principal_principalname(abac_yy_principal_t ptr)
469	{
470	if(ptr->sha == NULL)
471	return ptr->cn;
472	return ptr->sha;
473	}
474
475	abac_yy_role_t make_yy_role(char name, abac_yy_term_t *terms)
476	{
477	abac_yy_role_t ptr=(abac_yy_role_t)abac_xmalloc(sizeof(abac_yy_role_t));
478	ptr->name=abac_xstrdup(name);
479	ptr->terms=terms;
480	ptr->next=NULL;
481	ptr->bcnt=1;
482	return ptr;
483	}
484
485	static void _free_yy_role(abac_yy_role_t *ptr)
486	{
487	free(ptr->name);
488	if(ptr->terms)
489	_free_yy_term(ptr->terms);
490	if(ptr->next)
491	_free_yy_role(ptr->next);
492	free(ptr);
493	}
494
495	/* type: e_yy_EXPR_NAMED, e_yy_EXPR_OBJECT, e_yy_EXPR_OSET,e_yy_EXPR_LINKED */
496
497	abac_yy_expression_t make_yy_expression(int type,void pptr, void optr, abac_yy_role_t linked_role)
498	{
499	abac_yy_expression_t *ptr=
500	(abac_yy_expression_t*)abac_xmalloc(sizeof(abac_yy_expression_t));
501	ptr->type = type;
502	if(type == e_yy_EXPR_OBJECT) {
503	ptr->object=(abac_yy_term_data_t *)pptr;
504	} else {
505	ptr->principal = (abac_yy_principal_t *)pptr;
506	}
507	if(type == e_yy_EXPR_OSET)
508	ptr->oset = (abac_yy_oset_t *) optr;
509	else
510	ptr->role = (abac_yy_role_t *) optr;
511	ptr->linked_role=linked_role;
512	ptr->next=NULL;
513
514	return ptr;
515	}
516
517	abac_yy_term_data_t get_yy_expression_object(abac_yy_expression_t ptr)
518	{
519	if(ptr->type == e_yy_EXPR_OBJECT)
520	return ptr->object;
521	return NULL;
522	}
523
524	abac_yy_expression_t add_yy_expression(abac_yy_expression_t nexpr,
525	abac_yy_expression_t *exprs)
526	{
527	int i=exprs->bcnt;
528	nexpr->next=exprs;
529	nexpr->bcnt=i+1;
530	return nexpr;
531	}
532
533	static void _free_yy_expression(abac_yy_expression_t *ptr)
534	{
535	if(ptr->type == e_yy_EXPR_OBJECT) {
536	if(ptr->object)
537	_free_yy_term_data(ptr->object);
538	} else {
539	if(ptr->principal)
540	_free_yy_principal(ptr->principal);
541	}
542	if(ptr->type == e_yy_EXPR_OSET) {
543	if(ptr->oset)
544	_free_yy_oset(ptr->oset);
545	} else {
546	if(ptr->role)
547	_free_yy_role(ptr->role);
548	}
549	if(ptr->linked_role)
550	_free_yy_role(ptr->linked_role);
551	if(ptr->next)
552	_free_yy_expression(ptr->next);
553
554	free(ptr);
555	}
556
557	abac_yy_oset_t make_yy_oset(char name, abac_yy_term_t *terms)
558	{
559	abac_yy_oset_t ptr=(abac_yy_oset_t)abac_xmalloc(sizeof(abac_yy_oset_t));
560	ptr->name=abac_xstrdup(name);
561	ptr->terms=terms;
562	ptr->next=NULL;
563	ptr->bcnt=1;
564	return ptr;
565	}
566
567	static void _free_yy_oset(abac_yy_oset_t *ptr)
568	{
569	free(ptr->name);
570	if(ptr->terms)
571	_free_yy_term(ptr->terms);
572	if(ptr->next)
573	_free_yy_oset(ptr->next);
574	free(ptr);
575	}
576
577	/**********************************************************************/
578	static void _oset_add_terms(int linked, abac_oset_t *oset,
579	abac_yy_term_t *terms)
580	{
581	abac_yy_term_t *curr = terms;
582	int type;
583	char *name=NULL;
584	char *cond=NULL;
585	void *ptr=NULL;
586	while (curr) {
587	switch (curr->type) {
588	case e_yy_DTERM_DATA:
589	{
590	abac_yy_term_data_t *ptr=curr->term.d_ptr;
591	type=ptr->type;
592	name=abac_xstrdup(ptr->name);
593	cond=abac_xstrdup(ptr->condition);
594	ptr=ptr->cptr;
595	break;
596	}
597	case e_yy_DTERM_PRINCIPAL:
598	{
599	abac_yy_term_principal_t *ptr=curr->term.p_ptr;
600	type=abac_verify_term_type("principal");
601	name=abac_xstrdup(ptr->name);
602	cond=abac_xstrdup(ptr->condition);
603	ptr=ptr->cptr;
604	break;
605	}
606	case e_yy_DTERM_NAMED:
607	{
608	abac_yy_principal_t *ptr=curr->term.n_ptr;
609	type=ptr->type;
610	/* XXX should be switching to sha in the future */
611	name=abac_xstrdup(ptr->cn);
612	cond=NULL;
613	ptr=NULL;
614	break;
615	}
616	case e_yy_DTERM_ANONYMOUS:
617	{
618	type=0;
619	name=abac_xstrdup("_");
620	cond=NULL;
621	ptr=NULL;
622	break;
623	}
624	}
625
626	abac_term_t *param=abac_term_new(type,name,cond,ptr);
627	if (linked)
628	abac_oset_oset_add_linked_param(oset, param);
629	else
630	abac_oset_oset_add_param(oset, param);
631	curr=curr->next;
632	}
633	}
634
635	static void _oset_add_linked_terms(abac_oset_t oset, abac_yy_term_t terms)
636	{
637	int linked=1;
638	_oset_add_terms(linked, oset, terms);
639	}
640
641	static void _oset_add_oset_terms(abac_oset_t oset, abac_yy_term_t terms)
642	{
643	int linked=0;
644	_oset_add_terms(linked, oset, terms);
645	}
646
647
648	abac_oset_t validate_intersected_tail_oset(abac_oset_t oset)
649	{
650	abac_oset_t *ret_oset=NULL;
651	abac_list_t *prereqs = abac_list_new();
652	abac_list_add(prereqs, oset);
653	ret_oset = abac_oset_intersection_new("intersectingOSET", prereqs);
654	return ret_oset;
655	}
656
657	/* A.oset */
658	abac_oset_t validate_head_oset(abac_yy_expression_t expr)
659	{
660	abac_yy_principal_t *principal=expr->principal;
661	abac_yy_oset_t *oset=expr->oset;
662
663	char *principalname=get_yy_principal_principalname(principal);
664	char *osetname=oset->name;
665	abac_yy_term_t *terms=oset->terms;
666
667	abac_oset_t *ret_oset=abac_oset_oset_new(principalname, osetname);
668	if (ret_oset==NULL) {
669	set_error_code(ABAC_RT_ROLE_INVALID);
670	goto error;
671	}
672	if (!abac_oset_is_oset(ret_oset)) {
673	set_error_code(ABAC_RT_CERT_INVALID);
674	goto error;
675	}
676	// insert the params for the oset
677	if(terms) {
678	_oset_add_oset_terms(ret_oset, terms);
679	}
680	_add_yy_id_certs(principal->cn,principal->type);
681
682	return ret_oset;
683
684	error:
685	return NULL;
686	}
687
688	/* B */
689	abac_oset_t validate_named_tail_oset(abac_yy_expression_t expr)
690	{
691	abac_yy_principal_t *principal=expr->principal;
692	char *principalname=principal->sha;
693	abac_oset_t *ret_oset=NULL;
694
695	ret_oset = abac_oset_principal_new(principalname);
696
697	_add_yy_id_certs(principal->cn,principal->type);
698
699	if (ret_oset==NULL)
700	goto error;
701	return ret_oset;
702
703	error:
704	panic("can not generate a simple named tail oset");
705	return NULL;
706	}
707
708
709	/* [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA'] */
710	abac_oset_t validate_object_tail_oset(abac_yy_expression_t expr)
711	{
712	abac_yy_term_data_t *object=get_yy_expression_object(expr);
713	assert(object != NULL);
714
715	char *name=object->name;
716	int type=object->type;
717	char *cond=object->condition;
718	void *ptr=object->cptr;
719	abac_term_t *term=abac_term_new(type,name,cond,ptr);
720	abac_oset_t *ret_oset=abac_oset_object_new(term);
721
722	if(get_yy_term_data_is_variable(object))
723	_add_yy_id_certs(name,type);
724
725	if (ret_oset==NULL)
726	goto error;
727	return ret_oset;
728
729	error:
730	panic("can not generate a simple object tail oset");
731	return NULL;
732	}
733
734
735	/* B.oset */
736	abac_oset_t validate_oset_tail_oset(abac_yy_expression_t expr)
737	{
738	abac_yy_principal_t *principal=expr->principal;
739	abac_yy_oset_t *oset=expr->oset;
740
741	char *principalname=principal->sha;
742
743	char *osetname=oset->name;
744	abac_yy_term_t *terms=oset->terms;
745
746	int ret;
747	abac_oset_t *ret_oset=NULL;
748
749	ret_oset = abac_oset_oset_new(principalname, osetname);
750	if (ret_oset==NULL)
751	goto error;
752
753	if(terms) {
754	_oset_add_oset_terms(ret_oset, terms);
755	}
756
757	_add_yy_id_certs(principal->cn,principal->type);
758
759	return ret_oset;
760
761	error:
762	panic("can not generate a simple tail oset");
763	return NULL;
764	}
765
766	/* B.role.oset */
767	abac_oset_t validate_linked_tail_oset(abac_yy_expression_t expr)
768	{
769	abac_yy_principal_t *principal=expr->principal;
770	abac_yy_oset_t *oset=expr->oset;
771	abac_yy_role_t *linked_role=expr->linked_role;
772
773	char *principalname=principal->sha;
774
775	char *osetname=oset->name;
776	abac_yy_term_t *terms=oset->terms;
777
778	char *linkedrolename=linked_role->name;
779	abac_yy_term_t *linked_terms=linked_role->terms;
780
781	int ret;
782	abac_oset_t *ret_oset=abac_oset_linking_new(principalname,
783	linkedrolename, osetname);
784	if (ret_oset==NULL)
785	goto error;
786
787	if(linked_terms) {
788	_oset_add_linked_terms(ret_oset, linked_terms);
789	}
790	if(terms) {
791	_oset_add_oset_terms(ret_oset, terms);
792	}
793
794	_add_yy_id_certs(principal->cn,principal->type);
795
796	return ret_oset;
797
798	error:
799	panic("can not generate linked tail oset");
800	return NULL;
801	}
802
803
804
805	abac_list_t make_oset_statement(abac_yy_expression_t headexpr,
806	abac_yy_expression_t *tailexpr)
807	{
808	abac_oset_t *head_oset=NULL;
809	abac_oset_t *tail_oset=NULL;
810
811	/* build up left side's abac oset structure */
812	head_oset=validate_head_oset(headexpr);
813	if(head_oset == NULL)
814	goto error;
815
816	/* build up the right side's abac oset structure */
817	abac_yy_expression_t *curr_tail = tailexpr;
818	int intersecting=(tailexpr->next != NULL)? 1:0;
819	abac_oset_t *curr_oset = NULL;
820	while (curr_tail) {
821	switch(curr_tail->type) {
822	case e_yy_EXPR_OBJECT:
823	curr_oset=validate_object_tail_oset(curr_tail);
824	break;
825	case e_yy_EXPR_NAMED:
826	curr_oset=validate_named_tail_oset(curr_tail);
827	break;
828	case e_yy_EXPR_OSET:
829	curr_oset=validate_oset_tail_oset(curr_tail);
830	break;
831	case e_yy_EXPR_LINKED:
832	curr_oset=validate_linked_tail_oset(curr_tail);
833	break;
834	}
835	if(curr_oset==NULL)
836	goto error;
837
838	/* check if first one */
839	if(tail_oset==NULL) {
840	if(intersecting)
841	tail_oset=validate_intersected_tail_oset(curr_oset);
842	else
843	tail_oset=curr_oset;
844	} else {
845	abac_oset_add_intersecting_oset(tail_oset,curr_oset);
846	}
847	curr_tail=curr_tail->next;
848	} /* while */
849
850	/* XXX collect up type clauses, constraint clauses and
851	generate rule clauses */
852	abac_list_t *tmp=generate_pl_oset_clauses(head_oset,tail_oset);
853	if(tmp == NULL)
854	goto error;
855
856	if(debug) {
857	abac_print_oset_string_with_condition(head_oset,NULL);
858	abac_print_oset_string_with_condition(tail_oset,NULL);
859	}
860
861	_free_yy_expression(headexpr);
862	_free_yy_expression(tailexpr);
863	abac_yap_head_oset=head_oset;
864	abac_yap_tail_oset=tail_oset;
865	abac_yap_is_oset=1;
866	return tmp;
867
868	error:
869	_free_yy_expression(headexpr);
870	_free_yy_expression(tailexpr);
871	if(head_oset)
872	abac_oset_free(head_oset);
873	if(tail_oset)
874	abac_oset_free(tail_oset);
875	return NULL;
876	}
877
878	/***********************************************************************/
879	/*
880	struct _abac_yy_term_data_t {
881	int is_variable;
882	int type;
883	char *name;
884	char *condition;
885	void *cptr; // ptr to a saved abac_oset_t
886	abac_list_t *cond_range;
887	abac_yy_expression_t *cond_head_expr;
888	};
889	*/
890
891	abac_yy_term_data_t make_yy_term_data(char name)
892	{
893	abac_yy_term_data_t *ptr=
894	(abac_yy_term_data_t*)abac_xmalloc(sizeof(abac_yy_term_data_t));
895	ptr->name=abac_xstrdup(name);
896	ptr->type=0;
897	ptr->is_variable=0;
898	ptr->condition=NULL;
899	ptr->cond_head_expr=NULL;
900	ptr->cptr=NULL;
901	ptr->cond_range=NULL;
902	return ptr;
903	}
904
905	abac_list_t get_yy_term_data_cond_range(abac_yy_term_data_t ptr)
906	{
907	return ptr->cond_range;
908	}
909
910	char get_yy_term_data_name(abac_yy_term_data_t ptr)
911	{
912	return ptr->name;
913	}
914
915	int is_yy_term_data_has_constraint(abac_yy_term_data_t *ptr)
916	{
917	if(ptr->cond_head_expr != NULL)
918	return 1;
919	/* only select few */
920	if( ptr->cond_range != NULL && abac_term_is_integer_type(ptr->type))
921	return 1;
922	return 0;
923	}
924
925	void set_yy_term_data_cond_range(abac_yy_term_data_t *ptr,
926	abac_list_t *range)
927	{
928	ptr->cond_range=range;
929	}
930
931	void set_yy_term_data_cond_head_expr(abac_yy_term_data_t *ptr,
932	abac_yy_expression_t *expr)
933	{
934	ptr->cond_head_expr=expr;
935	}
936
937	abac_yy_expression_t get_yy_term_data_cond_head_expr(abac_yy_term_data_t ptr)
938	{
939	return ptr->cond_head_expr;
940	}
941
942	void set_yy_term_data_type(abac_yy_term_data_t ptr, char typestr)
943	{
944	int type=abac_verify_term_type(typestr);
945	ptr->type=type;
946	}
947
948	void set_yy_term_data_cptr(abac_yy_term_data_t ptr, void vptr)
949	{
950	ptr->cptr=vptr;
951	}
952
953	void set_yy_term_data_condition(abac_yy_term_data_t ptr, char cond)
954	{
955	ptr->condition=strdup(cond);
956	}
957
958	void set_yy_term_data_is_variable(abac_yy_term_data_t *ptr)
959	{
960	ptr->is_variable=1;
961	}
962
963	int get_yy_term_data_is_variable(abac_yy_term_data_t *ptr)
964	{
965	return ptr->is_variable;
966	}
967
968	static void _free_yy_term_data(abac_yy_term_data_t *ptr)
969	{
970	free(ptr->name);
971	if(ptr->condition)
972	free(ptr->condition);
973	if(ptr->cond_head_expr)
974	_free_yy_expression(ptr->cond_head_expr);
975	if(ptr->cond_range);
976	_free_yy_range(ptr->cond_range);
977	free(ptr);
978	}
979
980	abac_yy_term_principal_t make_yy_term_principal(char name)
981	{
982	abac_yy_term_principal_t *ptr=
983	(abac_yy_term_principal_t*)abac_xmalloc(sizeof(abac_yy_term_principal_t));
984	ptr->name=abac_xstrdup(name);
985	ptr->condition=NULL;
986	ptr->cond_head_expr=NULL;
987	return ptr;
988	}
989
990	void set_yy_term_principal_cptr(abac_yy_term_principal_t ptr, void vptr)
991	{
992	ptr->cptr=vptr;
993	}
994
995	void set_yy_term_principal_condition(abac_yy_term_principal_t ptr, char cond)
996	{
997	ptr->condition=abac_xstrdup(cond);
998	}
999
1000	abac_yy_expression_t get_yy_term_principal_cond_head_expr(abac_yy_term_principal_t ptr)
1001	{
1002	return ptr->cond_head_expr;
1003	}
1004
1005	void set_yy_term_principal_cond_head_expr(abac_yy_term_principal_t *ptr,
1006	abac_yy_expression_t *expr)
1007	{
1008	ptr->cond_head_expr=expr;
1009	}
1010
1011	static void _free_yy_term_principal(abac_yy_term_principal_t *ptr)
1012	{
1013	free(ptr->name);
1014	if(ptr->condition)
1015	free(ptr->condition);
1016	if(ptr->cond_head_expr)
1017	_free_yy_expression(ptr->cond_head_expr);
1018	free(ptr);
1019	}
1020
1021	abac_yy_term_t *make_yy_term_dterm_anonymous()
1022	{
1023	abac_yy_term_t ptr=(abac_yy_term_t)abac_xmalloc(sizeof(abac_yy_term_t));
1024	ptr->type = e_yy_DTERM_ANONYMOUS;
1025	ptr->next=NULL;
1026	ptr->bcnt=1;
1027	return ptr;
1028	}
1029
1030	abac_yy_term_t make_yy_term_dterm_principal(abac_yy_term_principal_t pptr)
1031	{
1032	abac_yy_term_t ptr=(abac_yy_term_t)abac_xmalloc(sizeof(abac_yy_term_t));
1033	ptr->type = e_yy_DTERM_PRINCIPAL;
1034	ptr->term.p_ptr=pptr;
1035	ptr->next=NULL;
1036	ptr->bcnt=1;
1037	return ptr;
1038	}
1039
1040	abac_yy_term_t make_yy_term_dterm_named(abac_yy_principal_t nptr)
1041	{
1042	abac_yy_term_t ptr=(abac_yy_term_t)abac_xmalloc(sizeof(abac_yy_term_t));
1043	ptr->type = e_yy_DTERM_NAMED;
1044	ptr->term.n_ptr=nptr;
1045	ptr->next=NULL;
1046	ptr->bcnt=1;
1047	return ptr;
1048	}
1049
1050	abac_yy_term_t make_yy_term_dterm_data(abac_yy_term_data_t dptr)
1051	{
1052	abac_yy_term_t ptr=(abac_yy_term_t)abac_xmalloc(sizeof(abac_yy_term_t));
1053	ptr->type = e_yy_DTERM_DATA;
1054	ptr->term.d_ptr=dptr;
1055	ptr->next=NULL;
1056	ptr->bcnt=1;
1057	return ptr;
1058	}
1059
1060	abac_yy_term_t add_yy_term(abac_yy_term_t nterm, abac_yy_term_t *terms)
1061	{
1062	int i=terms->bcnt;
1063	nterm->next=terms;
1064	nterm->bcnt=i+1;
1065	return nterm;
1066	}
1067
1068	static void _free_yy_term(abac_yy_term_t *ptr)
1069	{
1070	switch (ptr->type) {
1071	case e_yy_DTERM_DATA:
1072	_free_yy_term_data(ptr->term.d_ptr);
1073	break;
1074	case e_yy_DTERM_NAMED:
1075	_free_yy_principal(ptr->term.n_ptr);
1076	break;
1077	case e_yy_DTERM_PRINCIPAL:
1078	_free_yy_term_principal(ptr->term.p_ptr);
1079	break;
1080	case e_yy_DTERM_ANONYMOUS:
1081	break;
1082	}
1083	if(ptr->next)
1084	_free_yy_term(ptr->next);
1085	free(ptr);
1086	}
1087
1088	/****************************************************************/
1089	/* add the condition to constraint list */
1090	char make_yy_oset_constraint(abac_yy_term_data_t ptr, char *tail_string)
1091	{
1092	abac_yy_expression_t *head_expr=get_yy_term_data_cond_head_expr(ptr);
1093	if(head_expr) {
1094	abac_oset_t *head_oset=validate_head_oset(head_expr);
1095	if(head_oset == NULL)
1096	goto error;
1097
1098	char *tmp=generate_pl_oset_constraint_clause(head_oset,tail_string);
1099	set_yy_term_data_condition(ptr,tmp);
1100	set_yy_term_data_cptr(ptr,head_oset);
1101	abac_add_yy_constraints(tmp);
1102	return tmp;
1103	}
1104	return NULL;
1105	error:
1106	return NULL;
1107	}
1108	/****************************************************************/
1109	/* add the range condition to constraint list */
1110
1111	void make_yy_range_constraint(abac_yy_term_data_t ptr, char var)
1112	{
1113	char *typestr=abac_term_type(ptr->type);
1114	abac_list_t *rlist=get_yy_term_data_cond_range(ptr);
1115	char *tmplist=NULL;
1116	char *tmp=NULL;
1117	int is_range=1; /* either , or \| */
1118	if(rlist) {
1119	char *rstring=string_yy_cond_range(rlist);
1120	set_yy_term_data_condition(ptr,rstring);
1121	abac_yy_range_t *cur;
1122
1123	abac_list_foreach(rlist, cur,
1124	int type=cur->type;
1125	char *val=cur->val;
1126	switch(type) {
1127	case e_yy_RANGE_MIN:
1128	tmp=generate_pl_range_constraint_clause(typestr,var,val,">");
1129	break;
1130	case e_yy_RANGE_MAX:
1131	tmp=generate_pl_range_constraint_clause(typestr,var,val,"<");
1132	break;
1133	case e_yy_RANGE_TARGET:
1134	tmp=generate_pl_range_constraint_clause(typestr,var,val,"=");
1135	int is_range=0;
1136	break;
1137	}
1138	if(tmplist) {
1139	if(is_range)
1140	asprintf(&tmplist,"%s,%s",tmplist,tmp);
1141	else
1142	asprintf(&tmplist,"%s;%s",tmplist,tmp);
1143	} else {
1144	tmplist=tmp;
1145	}
1146	tmp=NULL;
1147	);
1148	asprintf(&tmplist,"(%s)",tmplist);
1149	abac_add_yy_constraints(tmplist);
1150	}
1151	}
1152
1153	char make_yy_role_constraint(abac_yy_term_principal_t ptr, char *tail_string)
1154	{
1155	char *tmp=NULL;
1156	abac_role_t *head_role=NULL;
1157
1158	abac_yy_expression_t *head_expr=get_yy_term_principal_cond_head_expr(ptr);
1159	/* build up left side's abac role constraint structure */
1160	head_role=validate_head_role(head_expr);
1161	if(head_role == NULL)
1162	goto error;
1163
1164	tmp=generate_pl_role_constraint_clause(head_role,tail_string);
1165	set_yy_term_principal_condition(ptr,tmp);
1166	set_yy_term_principal_cptr(ptr,head_role);
1167	abac_add_yy_constraints(tmp);
1168	return tmp;
1169
1170	error:
1171	return NULL;
1172	}
1173
1174	/****************************************************************/
1175	static void _role_add_terms(int linked, abac_role_t *role,
1176	abac_yy_term_t *terms)
1177	{
1178	abac_yy_term_t *curr = terms;
1179	int type;
1180	char *name=NULL;
1181	char *cond=NULL;
1182	void *ptr=NULL;
1183	while (curr) {
1184	switch (curr->type) {
1185	case e_yy_DTERM_DATA:
1186	{
1187	abac_yy_term_data_t *ptr=curr->term.d_ptr;
1188	type=ptr->type;
1189	name=abac_xstrdup(ptr->name);
1190	cond=abac_xstrdup(ptr->condition);
1191	ptr=ptr->cptr;
1192	break;
1193	}
1194	case e_yy_DTERM_PRINCIPAL:
1195	{
1196	abac_yy_term_principal_t *ptr=curr->term.p_ptr;
1197	type=abac_verify_term_type("principal");
1198	name=abac_xstrdup(ptr->name);
1199	cond=abac_xstrdup(ptr->condition);
1200	ptr=ptr->cptr;
1201	break;
1202	}
1203	case e_yy_DTERM_NAMED:
1204	{
1205	abac_yy_principal_t *ptr=curr->term.n_ptr;
1206	type=ptr->type;
1207	/* XXX should be switching to sha in the future */
1208	name=abac_xstrdup(ptr->cn);
1209	cond=NULL;
1210	ptr=NULL;
1211	break;
1212	}
1213	case e_yy_DTERM_ANONYMOUS:
1214	{
1215	type=0;
1216	name=abac_xstrdup("_");
1217	cond=NULL;
1218	ptr=NULL;
1219	break;
1220	}
1221	}
1222	abac_term_t *param=abac_term_new(type,name,cond,ptr);
1223	if (linked)
1224	abac_role_role_add_linked_param(role, param);
1225	else
1226	abac_role_role_add_param(role, param);
1227	curr=curr->next;
1228	}
1229	}
1230
1231	static void _role_add_linked_terms(abac_role_t role, abac_yy_term_t terms)
1232	{
1233	int linked=1;
1234	_role_add_terms(linked, role, terms);
1235	}
1236
1237	static void _role_add_role_terms(abac_role_t role, abac_yy_term_t terms)
1238	{
1239	int linked=0;
1240	_role_add_terms(linked, role, terms);
1241	}
1242
1243
1244	abac_role_t validate_intersected_tail_role(abac_role_t role)
1245	{
1246	abac_role_t *ret_role=NULL;
1247	abac_list_t *prereqs = abac_list_new();
1248	abac_list_add(prereqs, role);
1249	ret_role = abac_role_intersection_new("intersectingROLE", prereqs);
1250	return ret_role;
1251	}
1252
1253	abac_role_t validate_head_role(abac_yy_expression_t expr)
1254	{
1255	abac_yy_principal_t *principal=expr->principal;
1256	abac_yy_role_t *role=expr->role;
1257
1258	char *principalname=get_yy_principal_principalname(principal);
1259	char *rolename=role->name;
1260	abac_yy_term_t *terms=role->terms;
1261	abac_role_t *ret_role=NULL;
1262
1263	ret_role=abac_role_role_new(principalname, rolename);
1264	if (ret_role==NULL) {
1265	set_error_code(ABAC_RT_ROLE_INVALID);
1266	goto error;
1267	}
1268	if (!abac_role_is_role(ret_role)) {
1269	set_error_code(ABAC_RT_CERT_INVALID);
1270	goto error;
1271	}
1272	// insert the params for the role
1273	if(terms) {
1274	_role_add_role_terms(ret_role, terms);
1275	}
1276
1277	_add_yy_id_certs(principal->cn,principal->type);
1278
1279	return ret_role;
1280
1281	error:
1282	return NULL;
1283	}
1284
1285	abac_role_t validate_named_tail_role(abac_yy_expression_t expr)
1286	{
1287	abac_yy_principal_t *principal=expr->principal;
1288	char *principalname=get_yy_principal_principalname(principal);
1289	abac_role_t *ret_role=NULL;
1290
1291	ret_role = abac_role_principal_new(principalname);
1292	_add_yy_id_certs(principal->cn,principal->type);
1293
1294	if (ret_role==NULL)
1295	goto error;
1296	return ret_role;
1297
1298	error:
1299	panic("can not generate a simple named tail role");
1300	return NULL;
1301	}
1302
1303	abac_role_t validate_role_tail_role(abac_yy_expression_t expr)
1304	{
1305	abac_yy_principal_t *principal=expr->principal;
1306	abac_yy_role_t *role=expr->role;
1307
1308	char *principalname=get_yy_principal_principalname(principal);
1309
1310	char *rolename=role->name;
1311	abac_yy_term_t *terms=role->terms;
1312
1313	int ret;
1314	abac_role_t *ret_role=NULL;
1315
1316	ret_role = abac_role_role_new(principalname, rolename);
1317	if (ret_role==NULL)
1318	goto error;
1319
1320	if(terms) {
1321	_role_add_role_terms(ret_role, terms);
1322	}
1323
1324	_add_yy_id_certs(principal->cn,principal->type);
1325
1326	return ret_role;
1327
1328	error:
1329	panic("can not generate a simple tail role");
1330	return NULL;
1331	}
1332	/* need to validate/generate a linked role out of this */
1333	abac_role_t validate_linked_tail_role(abac_yy_expression_t expr)
1334	{
1335	abac_yy_principal_t *principal=expr->principal;
1336	abac_yy_role_t *role=expr->role;
1337	abac_yy_role_t *linked_role=expr->linked_role;
1338
1339	char *principalname=get_yy_principal_principalname(principal);
1340
1341	char *rolename=role->name;
1342	abac_yy_term_t *terms=role->terms;
1343
1344	char *linkedrolename=linked_role->name;
1345	abac_yy_term_t *linked_terms=linked_role->terms;
1346
1347	int ret;
1348	abac_role_t *ret_role=NULL;
1349
1350	ret_role = abac_role_linking_new(principalname, linkedrolename, rolename);
1351	if (ret_role==NULL)
1352	goto error;
1353
1354	if(linked_terms) {
1355	_role_add_linked_terms(ret_role, linked_terms);
1356	}
1357	if(terms) {
1358	_role_add_role_terms(ret_role, terms);
1359	}
1360
1361	_add_yy_id_certs(principal->cn,principal->type);
1362
1363	return ret_role;
1364
1365	error:
1366	panic("can not generate linked tail role");
1367	return NULL;
1368	}
1369
1370
1371	/* build up the abac structure and also create the yap clause
1372	and insert it into db */
1373	abac_list_t make_role_statement(abac_yy_expression_t headexpr,
1374	abac_yy_expression_t *tailexpr)
1375	{
1376	abac_role_t *head_role=NULL;
1377	abac_role_t *tail_role=NULL;
1378
1379	/* build up left side's abac role structure */
1380	head_role=validate_head_role(headexpr);
1381	if(head_role == NULL)
1382	goto error;
1383
1384	/* build up the right side's abac role structure */
1385	abac_yy_expression_t *curr_tail = tailexpr;
1386	int intersecting=(tailexpr->next != NULL)? 1:0;
1387	abac_role_t *curr_role = NULL;
1388	while (curr_tail) {
1389	switch(curr_tail->type) {
1390	case e_yy_EXPR_NAMED:
1391	curr_role=validate_named_tail_role(curr_tail);
1392	break;
1393	case e_yy_EXPR_ROLE:
1394	curr_role=validate_role_tail_role(curr_tail);
1395	break;
1396	case e_yy_EXPR_LINKED:
1397	curr_role=validate_linked_tail_role(curr_tail);
1398	break;
1399	}
1400	if(curr_role==NULL)
1401	goto error;
1402
1403	/* check if first one */
1404	if(tail_role==NULL) {
1405	if(intersecting)
1406	tail_role=validate_intersected_tail_role(curr_role);
1407	else
1408	tail_role=curr_role;
1409	} else {
1410	abac_role_add_intersecting_role(tail_role,curr_role);
1411	}
1412	curr_tail=curr_tail->next;
1413	} /* while */
1414
1415	/* collect up type clauses, constraint clases and
1416	generate the final rule clauses */
1417	abac_list_t *tmp=generate_pl_role_clauses(head_role,tail_role);
1418	if(tmp == NULL)
1419	goto error;
1420
1421	if(debug) {
1422	abac_print_role_string_with_condition(head_role,NULL);
1423	abac_print_role_string_with_condition(tail_role,NULL);
1424	}
1425
1426	_free_yy_expression(headexpr);
1427	_free_yy_expression(tailexpr);
1428	abac_yap_head_role=head_role;
1429	abac_yap_tail_role=tail_role;
1430	abac_yap_is_oset=0;
1431	return tmp;
1432
1433	error:
1434	_free_yy_expression(headexpr);
1435	_free_yy_expression(tailexpr);
1436	if(head_role)
1437	abac_role_free(head_role);
1438	if(tail_role)
1439	abac_role_free(tail_role);
1440	return NULL;
1441	}
1442
1443

Note: See TracBrowser for help on using the repository browser.

Download in other formats: