Context Navigation

source: libabac/rt2.y @ 2e9455f

mei_rt2

Last change on this file since 2e9455f was 2e9455f, checked in by Mei <mei@…>, 11 years ago
1) added namespace 2) tweak ?This, 3) allowing linking role/oset as constraining conditions 4) adding access_tests regression testing that uses GENI's access policy 5) added couple multi contexts regression tests 6) add compression/uncompression calls to abac_encode_string/abac_decode_string (libstrongwan only allows 512 char for attribute rule storage) 7) add attribute_now option to creddy that takes a whole char string for attribute rule
Property mode set to `100644`
File size: 14.3 KB

Line
1
2	/* bison grammar rules for process new rt2 statements */
3
4	%{
5	// include the GNU extension of asprintf
6	#define _GNU_SOURCE
7
8	/* C declarations */
9	#include <stdio.h>
10	#include <string.h>
11
12	#include "abac_pl_yy.h"
13	#include "abac_verifier.h"
14	#include "rt2.h"
15
16	/* lex tie-ins flag */
17	int yyerror (char *s);
18	static int debug=0;
19
20	FILE *abac_yyout = NULL;
21	char *abac_yyfptr = NULL;
22	void *abac_yyctxt=NULL;
23
24	#define USE(evalue) ((getenv(evalue)!=NULL)?1:0)
25	#define OUT(msg) { if(debug) fprintf(abac_yyout,"\n===%s\n",msg); }
26
27	void panic(char *msg);
28
29	%}
30	/* Bison declarations */
31	%union {
32	struct _abac_yy_principal_t *pstruct;
33	struct _abac_yy_term_principal_t *ppstruct;
34	struct _abac_yy_term_data_t *pdstruct;
35	struct _abac_yy_roleoset_t *rostruct;
36	struct _abac_yy_term_t *dstruct;
37	struct _abac_yy_expression_t *estruct;
38	struct _abac_list_t *lstruct;
39	char string; / For returning char strings */
40	int intval; /* for returning some value */
41	}
42
43	%start input
44
45	%type <intval> stmt
46	%type <rostruct> rolepart
47	%type <estruct> roleleft
48	%type <estruct> roleright
49	%type <estruct> roleterm
50	%type <rostruct> osetpart
51	%type <estruct> osetleft
52	%type <estruct> osetright
53	%type <estruct> osetterm
54	%type <pstruct> keypart
55	%type <dstruct> terms
56	%type <dstruct> term
57	%type <pdstruct> typedpart
58	%type <pdstruct> otypetail
59	%type <ppstruct> principalpart
60	%type <lstruct> rangetype
61	%type <lstruct> values
62
63	%token <string> IDEN /* keyname or rolename or osetname */
64	%token <string> CAPIDEN /* variable name */
65	%token <string> ROLE /* the word, role */
66	%token <string> OSET /* the word, oset */
67	%token <string> PRINCIPAL /* the word, principal */
68	%token <string> THIS /* the word, this */
69	%token <string> OTYPE /* integer,boolean,urn,time,string,float */
70	%token <string> OTYPE_CONSTANT
71	%token <string> VARIABLE_CONSTANT /* constant for ?AAA */
72	%token <string> KEYTYPE /* keyid \| or something else */
73	%token <string> KEYID_CONSTANT /* keyid \| or something else */
74	%token <string> VALUE /* range value in static constraint */
75
76	%token <operator> DERIVE "<-"
77	%token <operator> DOT "."
78	%token <operator> AND "&"
79	%token <operator> LPAREN "("
80	%token <operator> RPAREN ")"
81	%token <operator> LSQUARE "["
82	%token <operator> RSQUARE "]"
83	%token <operator> LANGLE "<"
84	%token <operator> RANGLE ">"
85	%token <operator> COLON ":"
86	%token <operator> COMMA ","
87	%token <operator> QMARK "?"
88	%token <operator> DOTDOT ".."
89
90	%%
91	/* Grammar rules */
92
93	input: /* empty */
94	{ }
95	\| stmt
96	{
97	/* SUCCESS */
98	}
99	;
100
101	/* generate/concate prolog credentials clauses */
102	stmt : roleleft DERIVE roleright
103	{
104	abac_yy_expression_t *headexpr=$1;
105	abac_yy_expression_t *tailexpr=$3;
106	int rc=make_role_statement(headexpr, tailexpr);
107	if(rc) {
108	panic("unable to parse the role rule statment");
109	YYERROR;
110	} else {
111	$$=rc;
112	}
113	}
114	\| osetleft DERIVE osetright
115	{
116	abac_yy_expression_t *headexpr=$1;
117	abac_yy_expression_t *tailexpr=$3;
118	int rc=make_oset_statement(headexpr, tailexpr);
119	if(rc) {
120	panic("unable to parse the oset rule statment");
121	YYERROR;
122	} else {
123	$$=rc;
124	}
125	}
126	;
127	/*
128	[keyid:isi].role:modifyBy([keyid:mike])
129	[keyid:acme].role:preferred
130	*/
131	roleleft : keypart DOT rolepart
132	{
133	abac_yy_principal_t *keypart=$1;
134	abac_yy_roleoset_t *rolepart=$3;
135	abac_yy_expression_t *expr=
136	make_yy_expression(e_yy_EXPR_ROLE,keypart,rolepart,NULL);
137	$$=expr;
138	}
139	;
140
141	/* [keyid:mike] */
142	keypart : LSQUARE KEYTYPE COLON
143	{ abac_ll_push_keyid_yystate(); }
144	KEYID_CONSTANT
145	{ abac_ll_pop_yystate(); }
146	RSQUARE
147	{
148	int idtype=abac_verify_idtype_type($2);
149	char *tmp=NULL;
150	asprintf(&tmp,"%s",$5);
151	$$=make_yy_principal(tmp, tmp, idtype);
152	char *cn=abac_cn_with_sha(tmp);
153	if(cn && idtype) {
154	$$=make_yy_principal(tmp, cn, idtype);
155	} else {
156	if((USE("ABAC_CN")) && (cn==NULL)) {
157	if(debug)
158	asprintf(&tmp,"encountered an invalid SHA id(%s)",$5);
159	else asprintf(&tmp,"encountered an invalid SHA id");
160	panic(tmp);
161	free(tmp);
162	YYERROR;
163	}
164	$$=make_yy_principal(tmp, NULL, idtype);
165	}
166	}
167	;
168	/*
169	role:modifyBy([keyid:mike],[keyid:ted])
170	role:modifyBy([keyid:mike])
171	role:preferred
172	*/
173	rolepart : ROLE COLON IDEN LPAREN terms RPAREN
174	{
175	$$=make_yy_roleoset_role($3,$5);
176	}
177	\| ROLE COLON IDEN
178	{
179	$$=make_yy_roleoset_role($3,NULL);
180	}
181	;
182
183	/*
184	[keyid:mike],[keyid:ted]
185	[keyid:mike]
186	[principal:?Z]
187	[int:99]
188	[int:?Z]
189	[?this], this could be any of type...
190	[?]
191	*/
192	terms : term COMMA terms
193	{
194	abac_yy_term_t *nterm=$1;
195	abac_yy_term_t *terms=$3;
196	$$=add_yy_term(nterm, terms);
197	}
198	\| term
199	{
200	$$=$1;
201	}
202	;
203
204	term : LSQUARE QMARK THIS RSQUARE
205	{ $$= make_yy_term_dterm_this(); }
206	\| LSQUARE QMARK RSQUARE
207	{ $$= make_yy_term_dterm_anonymous(); }
208	\| keypart
209	{ $$= make_yy_term_dterm_named($1); }
210	\| principalpart
211	{ $$= make_yy_term_dterm_principal($1); }
212	\| typedpart
213	{ $$= make_yy_term_dterm_data($1); }
214	;
215
216	values : VALUE COMMA values
217	{ $$=add_yy_val_range($3, $1); }
218	\| VALUE
219	{ $$=make_yy_val_range($1); }
220	;
221
222
223	rangetype : LSQUARE VALUE DOTDOT VALUE RSQUARE
224	{ $$=make_yy_minmax_range($2,$4); }
225	\| LSQUARE DOTDOT VALUE RSQUARE
226	{ $$=make_yy_max_range($3); }
227	\| LSQUARE VALUE DOTDOT RSQUARE
228	{ $$=make_yy_min_range($2); }
229	\| LSQUARE values RSQUARE
230	{ $$=$2; }
231	;
232
233	/* [otype:?Z{oset-constraint}] */
234	/* [int:?I:[10 .. 20] */
235	/* [float:?F:[0.5 .. 2.5] */
236	/* [string:?S:["abc",'efg',"hij"] -only listed range */
237	/* urn same as string */
238	/* time like int but with quoted string values */
239	/* XXX would have to extend this if want the linked oset in the
240	constraints..
241	[otype:?Z{linked oset-constraint}]
242	*/
243	otypetail : VARIABLE_CONSTANT COLON
244	{
245	abac_ll_pop_yystate();
246	abac_ll_push_range_yystate();
247	}
248	rangetype
249	{
250	abac_ll_pop_yystate();
251	abac_yy_term_data_t *ptr=make_yy_term_data();
252	set_yy_term_data_name(ptr,$1);
253	set_yy_term_data_is_variable(ptr);
254	set_yy_term_data_cond_range(ptr,$4);
255	$$=ptr;
256	OUT("otypetail_1");
257	}
258	\| VARIABLE_CONSTANT
259	{ abac_ll_pop_yystate(); }
260	osetterm
261	{
262	abac_yy_term_data_t *ptr=make_yy_term_data();
263	set_yy_term_data_name(ptr,$1);
264	set_yy_term_data_is_variable(ptr);
265	set_yy_term_data_cond_head_expr(ptr,$3);
266	$$=ptr;
267	OUT("otypetail_2");
268	}
269	\| VARIABLE_CONSTANT
270	{
271	abac_ll_pop_yystate();
272	abac_yy_term_data_t *ptr=make_yy_term_data();
273	set_yy_term_data_name(ptr,$1);
274	set_yy_term_data_is_variable(ptr);
275	$$=ptr;
276	OUT("otypetail_3");
277	}
278	\| OTYPE_CONSTANT
279	{
280	abac_ll_pop_yystate();
281	abac_yy_term_data_t *ptr=make_yy_term_data();
282	set_yy_term_data_name(ptr,$1);
283	$$=ptr;
284	OUT("otypetail_4");
285	}
286	\| QMARK
287	{
288	abac_ll_pop_yystate();
289	abac_yy_term_data_t *ptr=make_yy_term_data();
290	set_yy_term_data_is_anonymous(ptr);
291	$$= ptr;
292	}
293	;
294
295	typedpart : LSQUARE OTYPE COLON
296	{ abac_ll_push_yystate($2); }
297	otypetail RSQUARE
298	{
299	abac_yy_term_data_t *ptr=$5;
300	set_yy_term_data_type(ptr,$2);
301	if(is_yy_term_data_has_constraint(ptr)) {
302	char *tail_string=get_yy_term_data_name(ptr);
303	make_yy_range_constraint(ptr);
304	make_yy_oset_constraint(ptr,tail_string);
305	}
306	$$=$5;
307	}
308	;
309
310
311
312	/* [principal:?] */
313	/* [principal:?Z] */
314	/* [principal:?This] */
315	/* [principal:?Z{role-constraint}] */
316	/* XXX if want to allow linked role constraint need to swap roleleft
317	into roleterm.. but make sure the tree is right
318	3/21/13, [principal:?Z[keyid:A].role:roleA.role:roleB([string:?P])]
319	*/
320	principalpart : LSQUARE PRINCIPAL COLON QMARK IDEN roleterm RSQUARE
321	{
322	abac_yy_expression_t *expr=$6;
323	char *tail_string=$5;
324	abac_yy_term_principal_t *ptr=make_yy_term_principal();
325	set_yy_term_principal_name(ptr,tail_string);
326	set_yy_term_principal_cond_head_expr(ptr,expr);
327	make_yy_role_constraint(ptr,tail_string);
328	$$=ptr;
329	OUT("principalpart_1");
330	}
331	\| LSQUARE PRINCIPAL COLON QMARK IDEN RSQUARE
332	{
333	abac_yy_term_principal_t *ptr=make_yy_term_principal();
334	set_yy_term_principal_name(ptr,$5);
335	$$ = ptr;
336	OUT("principalpart_2");
337	}
338	\| LSQUARE PRINCIPAL COLON QMARK RSQUARE
339	{
340	abac_yy_term_principal_t *ptr=make_yy_term_principal();
341	set_yy_term_principal_is_anonymous(ptr);
342	$$ = ptr;
343	OUT("principalpart_3");
344	}
345	;
346
347	roleright : roleterm AND roleright
348	{
349	abac_yy_expression_t *nexpr=$1;
350	abac_yy_expression_t *exprs=$3;
351	$$=add_yy_expression(nexpr,exprs);
352	}
353	\| roleterm
354	{ $$=$1; }
355	;
356
357	/* role at tail/right side
358	[keyid:usc].role:employee.role:friend
359	[keyid:usc].role:worker
360	[keyid:mike]
361	*/
362	roleterm : keypart DOT rolepart DOT rolepart
363	{
364	abac_yy_principal_t *keypart=$1;
365	abac_yy_roleoset_t *linked_rolepart=$3;
366	abac_yy_roleoset_t *rolepart=$5;
367	abac_yy_expression_t *expr=
368	make_yy_expression(e_yy_EXPR_LINKED,keypart,rolepart,linked_rolepart);
369	$$=expr;
370	OUT("roleterm_1");
371	}
372	\| keypart DOT rolepart
373	{
374	abac_yy_principal_t *keypart=$1;
375	abac_yy_roleoset_t *rolepart=$3;
376	abac_yy_expression_t *expr=
377	make_yy_expression(e_yy_EXPR_ROLE,keypart,rolepart,NULL);
378	$$=expr;
379	OUT("roleterm_2");
380	}
381	\| keypart
382	{
383	abac_yy_principal_t *keypart=$1;
384	abac_yy_expression_t *expr=
385	make_yy_expression(e_yy_EXPR_NAMED,keypart,NULL,NULL);
386	$$=expr;
387	OUT("roleterm_3");
388	}
389	;
390
391	osetterm : keypart DOT rolepart DOT osetpart
392	{
393	abac_yy_principal_t *keypart=$1;
394	abac_yy_roleoset_t *linked_rolepart=$3;
395	abac_yy_roleoset_t *osetpart=$5;
396	abac_yy_expression_t *expr=
397	make_yy_expression(e_yy_EXPR_LINKED,keypart,osetpart,linked_rolepart);
398	$$=expr;
399	OUT("osetterm_1");
400	}
401	\| keypart DOT osetpart
402	{
403	abac_yy_principal_t *keypart=$1;
404	abac_yy_roleoset_t *osetpart=$3;
405	abac_yy_expression_t *expr=
406	make_yy_expression(e_yy_EXPR_OSET,keypart,osetpart,NULL);
407	$$=expr;
408	OUT("osetterm_2");
409	}
410	\| keypart
411	{
412	abac_yy_principal_t *keypart=$1;
413	abac_yy_expression_t *expr=
414	make_yy_expression(e_yy_EXPR_NAMED,keypart,NULL,NULL);
415	$$=expr;
416	OUT("osetterm_3");
417	}
418	\| typedpart
419	{
420	abac_yy_term_data_t *objpart=$1;
421	abac_yy_expression_t *expr=
422	make_yy_expression(e_yy_EXPR_OBJECT,objpart,NULL,NULL);
423	$$=expr;
424	OUT("osetterm_4");
425	}
426	;
427
428	/*
429	oset:access([urn:'fileA'])
430	*/
431	osetpart : OSET COLON IDEN LPAREN terms RPAREN
432	{
433	$$=make_yy_roleoset_oset($3,$5);
434	}
435	\| OSET COLON IDEN
436	{
437	$$=make_yy_roleoset_oset($3,NULL);
438	}
439	;
440
441
442	osetleft : keypart DOT osetpart
443	{
444	abac_yy_principal_t *keypart=$1;
445	abac_yy_roleoset_t *osetpart=$3;
446	abac_yy_expression_t *expr=
447	make_yy_expression(e_yy_EXPR_OSET,keypart,osetpart,NULL);
448	$$=expr;
449	OUT("osetleft");
450	}
451	;
452
453	osetright : osetterm AND osetright
454	{
455	abac_yy_expression_t *nexpr=$1;
456	abac_yy_expression_t *exprs=$3;
457	$$=add_yy_expression(nexpr,exprs);
458	OUT("osetright_1");
459	}
460	\| osetterm
461	{
462	$$=$1;
463	OUT("osetright_2");
464	}
465	;
466	%%
467
468
469	/* Additional C code */
470	int yywrap()
471	{
472	/* exit when done lexing the current input */
473	return 1;
474	}
475
476	int yyerror (char *s)
477	{
478	fprintf (abac_yyout,"yyerror: %s\n", s);
479	}
480
481	/* setting defaults */
482	void abac_yyinit()
483	{
484	abac_yyout=abac_ll_get_yyout();
485	abac_yyfptr = abac_ll_get_yyfptr();
486	OUT("======================================");
487	}
488
489	void panic(char *msg)
490	{
491	OUT("panic, EEEEKKKKKK...");
492	yyerror(msg);
493	}
494

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format