Context Navigation

source: libabac/abac_verifier.c @ 9806e76

mei_rt2mei_rt2_fix_1meiyap-rt1rt2

Last change on this file since 9806e76 was 7b548fa, checked in by Mei <mei@…>, 12 years ago

1) add time static constraint
2) add example balltime_rt2_typed
3) change the way that time is being kept

from 20120228T080000 to time(2012,2,28,8,0,0) and
the constraint check is via compare(op,time1,time2)

Property mode set to 100644

File size: 17.7 KB

Rev	Line
[53e540d]	1
	2	// include the GNU extension of asprintf
	3	#define _GNU_SOURCE
	4
[186cb75]	5	#include <assert.h>
[202a7f9]	6	#include <stdio.h>
[186cb75]	7
[5450aeb]	8	#include <library.h>
	9	#include <credentials/certificates/certificate.h>
	10	#include <credentials/certificates/x509.h>
	11	#include <credentials/certificates/ac.h>
	12
[43e3b71]	13	#include "abac_verifier.h"
[5450aeb]	14
[342e28f]	15	#include "abac_list.h"
[3c251d0]	16	#include "abac_util.h"
[202a7f9]	17	#include "abac_rt.h"
[5450aeb]	18
[b5a3da4]	19	extern abac_role_t *abac_yy_get_rule_head_role();
	20	extern abac_role_t *abac_yy_get_rule_tail_role();
	21	extern abac_oset_t *abac_yy_get_rule_head_oset();
	22	extern abac_oset_t *abac_yy_get_rule_tail_oset();
	23	extern int abac_yy_get_rule_is_oset();
	24	extern abac_list_t *abac_yy_get_rule_clauses();
[da5afdf]	25	extern char* abac_decode_string(char *);
[b5a3da4]	26	extern void abac_yy_free_rule_clauses();
[0d0c3a9]	27	extern char generate_pl_type_clause(char , int);
	28
[202a7f9]	29
	30	/* keeping this a fixed enum is to have tighter control of
	31	what are acceptabletypes of keyid are we allowing */
[0d0c3a9]	32	typedef enum _keyidtype_t {
	33	e_KEYID = 1,
	34	} keyidtype_t;
	35
[202a7f9]	36	/* keyidname[keyidtype] */
[da5afdf]	37	static char * const keyidname[] =
[202a7f9]	38	{
	39	"badidtype", "keyid", 0
	40	};
	41
[0d0c3a9]	42	typedef enum _credtype_t {
[da5afdf]	43	e_CREDTYPE_ROLE =1,
[0d0c3a9]	44	e_CREDTYPE_OSET =2,
	45	} credtype_t;
[da5afdf]	46
	47	static int keyidname_cnt=1;
[202a7f9]	48
	49	struct _abac_id_cert_t {
[5450aeb]	50	char *keyid;
[53e540d]	51	char *cn;
[202a7f9]	52	int type; /* keyidtype */
[5450aeb]	53	certificate_t *cert;
[202a7f9]	54	char *clause;
[5450aeb]	55
	56	UT_hash_handle hh;
[202a7f9]	57	};
[5450aeb]	58
[da5afdf]	59	/* can store either role or oset */
[401a054]	60	struct _abac_credential_t {
[da5afdf]	61	int type;
	62	void *head;
	63	void *tail;
[5f99fbc]	64	certificate_t *cert;
	65	certificate_t *issuer;
[202a7f9]	66	abac_list_t *clauses;
[fbb591e]	67
	68	int refcount;
[5f99fbc]	69	};
	70
[53e540d]	71	typedef struct _abac_str_cred_t {
	72	char *strid;
	73	abac_credential_t *cred;
	74
	75	UT_hash_handle hh;
	76	} abac_str_cred_t;
	77
[43e3b71]	78	abac_id_cert_t *id_certs = NULL;
[53e540d]	79	abac_str_cred_t *str_creds = NULL;
[5450aeb]	80
[202a7f9]	81	static int debug=0;
	82	static void check_id_cert(abac_id_cert_t *id_cert);
[da5afdf]	83	extern void abac_print_role_string_with_condition(abac_role_t role, FILE);
[202a7f9]	84
	85	//
[da5afdf]	86	void abac_print_cred_info(abac_credential_t cred, FILE fp)
[202a7f9]	87	{
[da5afdf]	88	if(fp == NULL)
	89	fp=stdout;
	90
[202a7f9]	91	if(debug) {
[da5afdf]	92	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
[202a7f9]	93	if(cred->head) {
[da5afdf]	94	fprintf(fp," head cred(%d):\n",(int)cred->head);
	95	if(cred->type == e_CREDTYPE_ROLE)
	96	abac_print_role_string_with_condition((abac_role_t*)cred->head,fp);
	97	else
	98	abac_print_oset_string_with_condition((abac_oset_t*)cred->head,fp);
[202a7f9]	99	}
	100	if(cred->tail) {
[da5afdf]	101	fprintf(fp,"\n tail cred(%d):\n",(int)cred->tail);
	102	if(cred->type == e_CREDTYPE_ROLE)
	103	abac_print_role_string_with_condition((abac_role_t*)cred->tail,fp);
	104	else
	105	abac_print_oset_string_with_condition((abac_oset_t*)cred->tail,fp);
[202a7f9]	106	}
	107
	108	abac_list_t *clauses=cred->clauses;
	109	if (clauses != NULL) {
	110	char *cur=NULL;
	111	abac_list_foreach(clauses, cur,
[da5afdf]	112	fprintf(fp,"\n a clause(%d):\n",(int)cur);
[202a7f9]	113	if(cur)
[da5afdf]	114	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
[202a7f9]	115	);
	116	}
	117	} else {
[da5afdf]	118	fprintf(fp," ");
	119	if(cred->type == e_CREDTYPE_ROLE)
	120	abac_print_role_string_with_condition((abac_role_t *)cred->head,fp);
	121	else abac_print_oset_string_with_condition((abac_oset_t *)cred->head,fp);
	122	fprintf(fp," <- ");
	123	if(cred->type == e_CREDTYPE_ROLE)
	124	abac_print_role_string_with_condition((abac_role_t *)cred->tail,fp);
	125	else abac_print_oset_string_with_condition((abac_oset_t *)cred->tail,fp);
	126	fprintf(fp,"\n");
[202a7f9]	127	}
	128	}
	129
	130	//
	131	int abac_verify_keyid_type(char *type) {
	132	int i;
	133
	134	if (type == NULL)
	135	return 0;
	136
	137	for (i = 1; i <= keyidname_cnt ; i++)
	138	if(strcmp(type,keyidname[i])==0)
	139	return i;
	140	return 0;
	141	}
	142
	143	char *abac_keyid_type(int i)
	144	{
	145	return keyidname[i];
	146	}
	147
[5450aeb]	148	// convert a chunk to a lowercase binary string
	149	// malloc's the string
	150	static char *_chunk_to_string(chunk_t chunk) {
	151	int i;
	152
[3c251d0]	153	char ret = abac_xmalloc(chunk.len 2 + 1);
[5450aeb]	154
	155	for (i = 0; i < chunk.len; ++i)
	156	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
	157
	158	return ret;
	159	}
	160
	161	// verify that cert was issued by issuer
	162	// cert and issuer can be the same, in which case the self-sig is validated
[0779c99]	163	static int _verify_signature(certificate_t issuer, certificate_t cert) {
[5450aeb]	164	if (cert->issued_by(cert, issuer))
	165	if (cert->get_validity(cert, NULL, NULL, NULL))
	166	return 1;
	167	return 0;
	168	}
	169
	170	/**
	171	* Init the verifier subsystem.
	172	*/
[43e3b71]	173	void abac_verifier_init(void) {
[1324a63]	174	// silence all debugging
	175
[5450aeb]	176	if (!library_init(NULL))
	177	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
	178
	179	if (!lib->plugins->load(lib->plugins, NULL,
	180	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
	181	exit(SS_RC_INITIALIZATION_FAILED);
	182	}
	183
[186cb75]	184	/**
	185	* Uninitialize the system, free up any allocated memory.
	186	*/
[43e3b71]	187	void abac_verifier_deinit(void) {
	188	abac_id_cert_t *id;
[186cb75]	189	while ((id = id_certs) != NULL) {
	190	HASH_DEL(id_certs, id);
	191
	192	free(id->keyid);
[53e540d]	193	free(id->cn);
[186cb75]	194	id->cert->destroy(id->cert);
	195	free(id);
	196	}
[55c272b]	197
[53e540d]	198	abac_str_cred_t *id2;
	199	while ((id2 = str_creds) != NULL) {
	200	HASH_DEL(str_creds, id2);
	201
	202	free(id2->strid);
	203	free(id2);
	204	}
	205
[55c272b]	206	library_deinit();
[186cb75]	207	}
	208
[5450aeb]	209	/**
	210	* Load an ID certificate.
	211	*/
[202a7f9]	212	static int _load_id(certificate_t cert, abac_id_cert_t *id_cert_ret) {
[327e808]	213	abac_id_cert_t *id_cert = NULL;
[5450aeb]	214	char *keyid = NULL;
	215	chunk_t id;
	216	int ret;
[2ef48fa]	217	x509_t x509 = (x509_t )cert;
[5450aeb]	218
[e898049]	219	assert(cert != NULL);
[5450aeb]	220
[2ef48fa]	221	// get the key ID
	222	id = x509->get_subjectKeyIdentifier(x509);
[327e808]	223	keyid = _chunk_to_string(id);
	224
[0d0c3a9]	225	/* Mike said this is the way it is */
[53e540d]	226	char *str;
	227	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
	228
[36b100a]	229	/* add p to cn name here */
[202a7f9]	230	char cn=(char )abac_xmalloc(strlen(str)+2);
[53e540d]	231	cn[0]='p';
	232	int n=sscanf(str,"CN=%s", &(cn[1]));
	233	if ( n!=1 ) {
	234	ret = ABAC_CERT_BAD_CN;
	235	goto error;
	236	}
	237
[202a7f9]	238	if(debug) {
	239	printf ("DEBUG:keyid %s \n", keyid);
	240	printf( "DEBUG:issuer '%s' \n", str);
	241	printf ("DEBUG:cn %s \n", cn);
	242	}
[53e540d]	243	free(str);
	244
[327e808]	245	// if we already have this cert 'error' with success
	246	HASH_FIND_STR(id_certs, keyid, id_cert);
	247	if (id_cert != NULL) {
	248	ret = ABAC_CERT_SUCCESS;
	249	goto error;
	250	}
	251
[5450aeb]	252	// validate sig
[0779c99]	253	ret = _verify_signature(cert, cert);
	254	if (!ret) {
	255	ret = ABAC_CERT_BAD_SIG;
	256	goto error;
	257	}
[5450aeb]	258
	259	// success, add the key to the map of certificates
[327e808]	260	id_cert = abac_xmalloc(sizeof(abac_id_cert_t));
[5450aeb]	261	id_cert->keyid = keyid;
	262	id_cert->cert = cert;
[53e540d]	263	id_cert->cn = cn;
[da5afdf]	264	id_cert->type = e_KEYID;
[202a7f9]	265	id_cert->clause = generate_pl_type_clause(cn, id_cert->type);
	266
[5450aeb]	267	HASH_ADD_KEYPTR(hh, id_certs, id_cert->keyid, strlen(id_cert->keyid), id_cert);
	268
[202a7f9]	269	*id_cert_ret=id_cert;
	270
[0779c99]	271	return ABAC_CERT_SUCCESS;
[5450aeb]	272
	273	error:
[327e808]	274	if (keyid != NULL) free(keyid);
[53e540d]	275	if (cn != NULL) free(cn);
[5450aeb]	276
[0779c99]	277	return ret;
[5450aeb]	278	}
	279
[202a7f9]	280	static void check_id_cert(abac_id_cert_t *id_cert)
	281	{
	282	if(id_cert) {
	283	printf("checking on this id_cert %d\n", (int)id_cert);
	284	printf(" --> sha is (%s)\n", id_cert->keyid);
	285	printf(" --> cn is (%s)\n", id_cert->cn);
	286	}
	287	}
	288
	289	/**
	290	* Load an attribute cert as string.
	291	* have minimum syntax & validity check
	292	*/
	293	static int _load_attribute_string(char* attr_string) {
	294	printf("NOT implemented yet!!!");
	295	return ABAC_CERT_INVALID;
	296	}
	297
[e898049]	298	/**
	299	* Load an ID cert from a file.
	300	*/
[202a7f9]	301	int abac_verifier_load_id_file(char filename, abac_id_cert_t *id_cert_ret) {
[61278ec]	302	if (lib == NULL)
	303	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	304
[e898049]	305	// load the cert
	306	certificate_t *cert = lib->creds->create(
	307	lib->creds, CRED_CERTIFICATE, CERT_X509,
	308	BUILD_FROM_FILE, filename,
	309	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	310	BUILD_END
	311	);
	312	if (cert == NULL)
[0779c99]	313	return ABAC_CERT_INVALID;
[202a7f9]	314	return _load_id(cert,id_cert_ret);
[e898049]	315	}
	316
	317	/**
	318	* Load an ID cert from a chunk.
	319	*/
[202a7f9]	320	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_cert_t **id_cert_ret) {
[e898049]	321	// load the cert
	322	certificate_t *cert = lib->creds->create(
	323	lib->creds, CRED_CERTIFICATE, CERT_X509,
	324	BUILD_BLOB_ASN1_DER, chunk,
	325	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	326	BUILD_END
	327	);
	328	if (cert == NULL)
[0779c99]	329	return ABAC_CERT_INVALID;
[202a7f9]	330	return _load_id(cert,id_cert_ret);
[e898049]	331	}
	332
[53e540d]	333
[da5afdf]	334	void abac_print_clauses(abac_list_t clauses, FILE fp)
[202a7f9]	335	{
	336	if (clauses != NULL) {
	337	char *cur;
[7b548fa]	338	printf("total-- %d clauses\n", abac_list_size(clauses));
[202a7f9]	339	abac_list_foreach(clauses, cur,
[da5afdf]	340	if(cur) {
	341	if(fp)
	342	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
	343	else printf ("a clause, %d(%s)\n", (int)cur,cur);
	344	}
[202a7f9]	345	);
	346	}
	347	}
	348
[da5afdf]	349	static int _verify_valid_role_credential(certificate_t *cert,
	350	abac_credential_t *cred_ret, char encoded_attr_string)
	351	{
[53e540d]	352	abac_role_t *head_role = NULL;
	353	abac_role_t *tail_role = NULL;
[202a7f9]	354	abac_list_t *clauses=NULL;
[53e540d]	355	abac_id_cert_t *issuer;
	356	int ret, i;
	357
	358	// get the attr
[b5a3da4]	359	head_role = abac_yy_get_rule_head_role();
	360	tail_role = abac_yy_get_rule_tail_role();
	361	clauses = abac_yy_get_rule_clauses();
[53e540d]	362
[da5afdf]	363	// get the issuer based on keyid
	364	char *principalname = abac_role_principal(head_role);
	365	HASH_FIND_STR(id_certs, principalname, issuer);
	366	if (issuer == NULL) {
	367	ret = ABAC_CERT_MISSING_ISSUER;
[53e540d]	368	goto error;
	369	}
	370
[da5afdf]	371	// make sure the issuer's signed it
	372	ret = _verify_signature(issuer->cert, cert);
	373	if (!ret) {
[b5a3da4]	374	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
[53e540d]	375	goto error;
	376	}
[da5afdf]	377
	378	// at this point we know we have a good attribute cert
	379	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
	380	cred->type= e_CREDTYPE_ROLE;
	381	cred->head = head_role;
	382	cred->tail = tail_role;
	383	cred->cert = cert;
	384	cred->issuer = issuer->cert->get_ref(issuer->cert);
	385	cred->clauses = clauses;
	386	cred->refcount = 1;
	387	*cred_ret = cred;
	388
	389	// success, add the key to the map of certificates
	390	abac_str_cred_t *str_cred;
	391	str_cred=abac_xmalloc(sizeof(abac_str_cred_t));
	392	str_cred->strid=strdup(encoded_attr_string);
	393	str_cred->cred=cred;
	394	HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred);
	395
	396	return ABAC_CERT_SUCCESS;
	397
	398	error:
	399	if (head_role) abac_role_free(head_role);
	400	if (tail_role) abac_role_free(tail_role);
[b5a3da4]	401	abac_yy_free_rule_clauses();
[da5afdf]	402
	403	return ret;
	404	}
	405
	406	static int _verify_valid_oset_credential(certificate_t *cert,
	407	abac_credential_t *cred_ret, char encoded_attr_string)
	408	{
	409	abac_oset_t *head_oset = NULL;
	410	abac_oset_t *tail_oset = NULL;
	411	abac_list_t *clauses=NULL;
	412	abac_id_cert_t *issuer;
	413	int ret, i;
	414
	415	// get the attr
[b5a3da4]	416	head_oset = abac_yy_get_rule_head_oset();
	417	tail_oset = abac_yy_get_rule_tail_oset();
	418	clauses = abac_yy_get_rule_clauses();
[53e540d]	419
	420	// get the issuer based on keyid
[da5afdf]	421	char *principalname = abac_oset_principal(head_oset);
[202a7f9]	422	HASH_FIND_STR(id_certs, principalname, issuer);
[53e540d]	423	if (issuer == NULL) {
	424	ret = ABAC_CERT_MISSING_ISSUER;
	425	goto error;
	426	}
	427
	428	// make sure the issuer's signed it
	429	ret = _verify_signature(issuer->cert, cert);
	430	if (!ret) {
[b5a3da4]	431	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
[53e540d]	432	goto error;
	433	}
	434
	435	// at this point we know we have a good attribute cert
	436	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
[da5afdf]	437	cred->type= e_CREDTYPE_OSET;
	438	cred->head = head_oset;
	439	cred->tail = tail_oset;
[53e540d]	440	cred->cert = cert;
	441	cred->issuer = issuer->cert->get_ref(issuer->cert);
[202a7f9]	442	cred->clauses = clauses;
[53e540d]	443	cred->refcount = 1;
	444	*cred_ret = cred;
	445
	446	// success, add the key to the map of certificates
	447	abac_str_cred_t *str_cred;
	448	str_cred=abac_xmalloc(sizeof(abac_str_cred_t));
[da5afdf]	449	str_cred->strid=strdup(encoded_attr_string);
[53e540d]	450	str_cred->cred=cred;
	451	HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred);
	452
[da5afdf]	453	return ABAC_CERT_SUCCESS;
	454
	455	error:
	456	if (head_oset) abac_oset_free(head_oset);
	457	if (tail_oset) abac_oset_free(tail_oset);
[b5a3da4]	458	abac_yy_free_rule_clauses();
[da5afdf]	459
	460	return ret;
	461	}
	462	/**
	463	* Load an attribute cert.
	464	* Returns true only if the certificate is valid and is issued by the proper
	465	* authority.
	466	*/
	467	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
	468	ietf_attributes_t *attr_cert = NULL;
	469	abac_id_cert_t *issuer;
	470	int ret, i;
	471
	472	// get the attr
	473	ac_t ac = (ac_t )cert;
	474	attr_cert = ac->get_groups(ac);
	475	if (attr_cert == NULL) {
	476	ret = ABAC_CERT_INVALID;
	477	goto error;
	478	}
	479
	480	char *encoded_attr_string=attr_cert->get_string(attr_cert);
	481	char *attr_string = abac_decode_string(encoded_attr_string);
	482	if(debug)
	483	printf("string to be yyparse..(%s)\n",attr_string);
	484
	485	if (attr_string == NULL) {
	486	ret = ABAC_CERT_INVALID;
	487	goto error;
	488	}
	489
	490	/* call into yacc parser */
	491	abac_reset_yyfptr(attr_string);
[b5a3da4]	492	abac_yy_init();
[da5afdf]	493	int rc=yyparse();
	494	if (rc) {
	495	ret = ABAC_CERT_INVALID;
	496	goto error;
	497	}
	498
[b5a3da4]	499	if(abac_yy_get_rule_is_oset()) {
[da5afdf]	500	ret=_verify_valid_oset_credential(cert,cred_ret,encoded_attr_string);
	501	} else {
	502	ret=_verify_valid_role_credential(cert,cred_ret,encoded_attr_string);
	503	}
	504
[53e540d]	505	// free up some crap
	506	attr_cert->destroy(attr_cert);
	507
	508	return ABAC_CERT_SUCCESS;
	509
	510	error:
[202a7f9]	511	if (cert) cert->destroy(cert);
	512	if (attr_cert) attr_cert->destroy(attr_cert);
[0779c99]	513	return ret;
[5450aeb]	514	}
[5f99fbc]	515
[e898049]	516	/**
	517	* Load an attribute cert from a file.
	518	*/
[0779c99]	519	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
[e898049]	520	// load the cert
	521	certificate_t *cert = lib->creds->create(
	522	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	523	BUILD_FROM_FILE, filename,
	524	BUILD_END
	525	);
	526	if (cert == NULL)
[0779c99]	527	return ABAC_CERT_INVALID;
	528	return _load_attribute_cert(cert, cred);
[e898049]	529	}
	530
[202a7f9]	531	/**
	532	* Load attribute cert rules from a file. (this should only be used to test)
	533	*/
	534	int abac_verifier_load_certs_file(char *filename) {
	535	size_t nbytes=0;
	536	char *input=NULL;
	537	FILE *fp;
	538	int ret;
	539
	540	fp=fopen(filename, "r");
	541
	542	if(fp == NULL)
	543	return ABAC_CERT_INVALID;
	544
	545	while( (ret=getline(&input, &nbytes, fp)) != -1 ) {
	546	ret=_load_attribute_string(input);
	547	free(input);
	548	if(ret != ABAC_CERT_SUCCESS )
	549	fclose(fp);
	550	return ret;
	551	}
	552	fclose(fp);
	553	return ABAC_CERT_SUCCESS;
	554	}
	555
	556
[e898049]	557	/**
	558	* Load an attribute cert from a chunk.
	559	*/
[0779c99]	560	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
[e898049]	561	// load the cert
	562	certificate_t *cert = lib->creds->create(
	563	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	564	BUILD_BLOB_ASN1_DER, chunk,
	565	BUILD_END
	566	);
	567	if (cert == NULL)
[0779c99]	568	return ABAC_CERT_INVALID;
	569	return _load_attribute_cert(cert, cred);
[e898049]	570	}
	571
[85cdf53]	572	/**
	573	* Return the encoding of the attribute cert.
	574	*/
[401a054]	575	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
	576	chunk_t encoding = cred->cert->get_encoding(cred->cert);
[9efbfbf]	577	abac_chunk_t ret = { encoding.ptr, encoding.len };
	578	return ret;
[85cdf53]	579	}
	580
	581	/**
	582	* Return the encoding of the issuer cert.
	583	*/
[401a054]	584	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
	585	chunk_t encoding = cred->issuer->get_encoding(cred->issuer);
[9efbfbf]	586	abac_chunk_t ret = { encoding.ptr, encoding.len };
	587	return ret;
[85cdf53]	588	}
[186cb75]	589
[53e540d]	590	/**
	591	* Return the clause of the cert
	592	*/
[202a7f9]	593	abac_list_t abac_credential_clauses(abac_credential_t cred) {
	594	return cred->clauses;
[53e540d]	595	}
	596
[202a7f9]	597
[186cb75]	598	/**
[fbb591e]	599	* Increase the ref count of a credential.
[186cb75]	600	*/
[401a054]	601	abac_credential_t abac_credential_dup(abac_credential_t cred) {
	602	assert(cred != NULL);
[186cb75]	603
[fbb591e]	604	++cred->refcount;
	605	return cred;
[186cb75]	606	}
	607
[53e540d]	608	/**
	609	* lookup for a credential.
	610	*/
[202a7f9]	611	abac_credential_t abac_credential_lookup(char cred_string)
	612	{
	613	if(debug)
	614	printf("DEBUG:doing abac_crendential_lookup ... (%s)\n", cred_string);
[53e540d]	615	abac_str_cred_t *str_cred;
	616	HASH_FIND_STR(str_creds, cred_string, str_cred);
	617	if (str_cred == NULL) {
[202a7f9]	618	if(debug) printf("DEBUG:NOT FOUND..\n");
[53e540d]	619	return NULL;
	620	}
[202a7f9]	621	if(debug) printf("DEBUG:FOUND..(%d)\n", (int) str_cred->cred);
[53e540d]	622	return str_cred->cred;
	623	}
	624
[186cb75]	625	/**
[fbb591e]	626	* Decrease the reference count of a credential, freeing it when it reaches 0.
[186cb75]	627	*/
[202a7f9]	628	void abac_credential_free(abac_credential_t *cred)
	629	{
	630	if(debug)
	631	printf("DEBUG:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->clauses);
	632
[401a054]	633	if (cred == NULL)
[186cb75]	634	return;
	635
[fbb591e]	636	--cred->refcount;
	637	if (cred->refcount > 0)
	638	return;
	639
[da5afdf]	640	if(cred->type == e_CREDTYPE_ROLE) {
	641	abac_role_free((abac_role_t *)cred->head);
	642	abac_role_free((abac_role_t *)cred->tail);
	643	} else {
	644	abac_oset_free((abac_oset_t *)cred->head);
	645	abac_oset_free((abac_oset_t *)cred->tail);
	646	}
[401a054]	647	cred->cert->destroy(cred->cert);
	648	cred->issuer->destroy(cred->issuer); // reference counted
[b5a3da4]	649	/* no need to freeyap_clauses here */
[401a054]	650	free(cred);
[186cb75]	651	}
[53e540d]	652
[202a7f9]	653	char abac_id_clause(abac_id_cert_t id_cert)
	654	{
	655	if(id_cert)
	656	return id_cert->clause;
	657	return NULL;
	658	}
	659
[53e540d]	660	/* retrieve the cn that is associated with this sha_string */
	661	char abac_cn_with_sha(char sha_string) {
	662
	663	// get the issuer based on keyid
	664	abac_id_cert_t *id_cert;
	665	HASH_FIND_STR(id_certs, sha_string, id_cert);
	666	if (id_cert == NULL) {
	667	return NULL;
	668	}
[202a7f9]	669	if(debug)
	670	check_id_cert(id_cert);
[53e540d]	671	return id_cert->cn;
	672	}
	673
	674	/* retrieve the cn that is associated with the principal of this role */
[202a7f9]	675	char abac_cn_with_role(abac_role_t role) {
[53e540d]	676
[202a7f9]	677	char *principal = abac_role_principal(role);
[53e540d]	678	return abac_cn_with_sha(principal);
	679	}
	680
[da5afdf]	681	/* retrieve the cn that is associated with the principal of this oset */
	682	char abac_cn_with_oset(abac_oset_t oset) {
	683	char *principal = abac_oset_principal(oset);
	684	return abac_cn_with_sha(principal);
	685	}
	686

Note: See TracBrowser for help on using the repository browser.

Download in other formats: