Akenti Policy Engine C++ API
C++ library interface
The Akenti Engine class provides two methods to perfom a checkAccess operation.
Both methods have only two inputs: the name of the resource and the DN/CADN of the
user. They return true if a capabilty certificate was generated or was found in
the cache. The capability certificate contains a list of actions. Some actions may
have conditions attached to them. Critical conditions must all evaluate to true
otherwise the user should be denied access.
The Akenti library must be intialized once before any checkAccess call is
made. The initialization process reads a number of parameters from a
configuration file.
static bool AkentiInit::init(const string& confFile, string& status);
confFile
| in
| Name of an Akenti configuration file
|
status
| out
| A message describing the intialization proceeded
|
returnValue
| true
| if it was successful
|
| false
| otherwise
|
bool AkentiEngine::checkAccess(const string& resource,
const AkentiPrincipal& user,
CapabilityCertificate& capabilityCert,
AkentiMessage& mesg) const;
where:
resource
| in
| Name of the resource requested by the user.
|
user
| in
| Distinguished name of the user (and its CA) requesting access
|
capabilityCert
| out
| Contains the resource, the user's DN, his actions, and possibly conditions
on those actions.
|
mesg
| out
| Contains a numeric error code and a descriptive message.
|
returnValue
| true
| if a capability certificate was generated or found in the cache.
|
| false
| otherwise
|
bool AkentiEngine::checkAccess(const string& resource,
const AkentiPrincipal& user,
PolicyContext& policyContext,
AkentiMessage& mesg) const;
where:
resource
| in
| name of resource as requested by the user
|
user
| in
| Distinguished name of the user (and its CA) requesting access
|
policyContext
| out
| Contains resource, principal, possibly a list of policy, use-conditions,
and attribute certificates, and the capability certificate if any.
|
mesg
| out
| Contains a numeric error code and a descriptive message.
|
returnValue
| true
| if a capability certificate was generated or found in the cache.
|
| false
| otherwise
|
Examples
// Includes and namespaces
#include <string>
#include <vector>
#include <set>
#include <iostream>
#include "AkentiEngine.hpp"
#include "AkentiInit.hpp"
#include "AkentiPrincipal.hpp"
#include "CapabilityCertificate.hpp"
#include "AkentiMessage.hpp"
#include "Exception.hpp"
#include "Error.hpp"
using namespace Akenti;
using namespace std;
Example 1
This simple example assumes that the checkAccess call will not result in a capabality
certificate containing conditional actions. That is only AKENTI and X509 attributes are
used in the use-conditions.
void example1() {
try {
string resource = "microscope";
string userDN = "/C=US/..../CN=Abdelilah Essiari";
string caDN = "/C=US/..../CN=DOE Grid CA";
string confFileName = "./akentiConf";
AkentiPrincipal user(userDN, caDN);
// Initialization can be done once during the lifetime of a program.
string status;
if (!AkentiInit::init(confFileName,status)) {
cout << status << endl;
return;
}
AkentiEngine eng;
CapabilityCertificate capCert;
AkentiMessage msg;
if (!eng.checkAccess(resource, user, capCert, msg)) {
cout << msg.toString() << ", ";
return;
}
const vector<string>& actions = capCert->getUnConditionalActions();
for (int i = 0; i < actions.size(); ++i) {
cout << actions[i] << ", ";
}
} catch(Exception& ex) {
// SHOULD NEVER HAPPEN
} catch(Error& err) {
// SHOULD NEVER HAPPEN
} catch(...) {
// SHOULD NEVER HAPPEN
}
}
Example 2
This example shows the use of an evaluator to deal with conditional actions. This impllies EXT_AUTH and SYSTEM attributes are used in the use-conditions.
this.
#include "ConditionalActions.hpp"
#include "AttributeInfo.hpp"
#include "ExpressionEvaluator.hpp"
#include "Expression.hpp"
#include "TokenType.hpp"
/**
* A sample evaluator to handle SYSTEM/EXT_AUTH attributes.
*/
class MyEvaluator : public ExpressionEvaluator {
public:
MyEvaluator(ConditionalActions condActions)
: idx(0), condActions(condActions) {
}
int evaluate() {
Expression expr = Expression(condActions.getConstraint());
return expr.evaluate(*this);
}
bool evaluate(TokenType op, const string& attr, const string& value) {
const vector<AttributeInfo>& attrInfos = condActions.getAttributeInfos();
const AttributeInfo& info = attrInfos[idx++];
if (info.getType() == AttributeInfo::SYSTEM) {
bool ok = ...; // here we evaluate attr op value
return ok;
} else { // info.getType() = EXT_AUTH
bool ok = ...; // here we evaluate attr op value
// by contacting the apprpriate external authority.
return ok;
}
}
private:
ConditionalActions& condActions;
int idx;
};
void example2() {
try {
string resource = "microscope";
string userDN = "/C=US/..../CN=Abdelilah Essiari";
string caDN = "/C=US/..../CN=DOE Grid CA";
string confFileName = "./akentiConf";
AkentiPrincipal user(userDN, caDN);
// This needs to be done only once during the lifetime of a program.
string status;
if (!AkentiInit::init(confFileName,status)) {
return;
}
AkentiEngine eng;
CapabilityCertificate capCert;
AkentiMessage msg;
if (!eng.checkAccess(resource, user, capCert, msg)) {
return; // DENY ACCESS
}
// used to hold granted actions
set<string> bag;
// HANDLE CONDITIONAL ACTIONS
const vector<ConditionalActions>& condActionsList = capCert->getConditionalActions();
for (int i = 0; i < condActionsList.size(); ++i) {
MyEvaluator evaluator(condActionsList[i]);
bool ok = evaluator.evaluate();
if (!ok && condActionsList[i].isCritical()) {
return; // DENY ACCESS
}
const vector<string>& actions = condActions[i].getActions();
for (int i = 0; i < actions.size(); ++i) {
bag.insert(actions[i]);
}
}
// ADD UNCONDITIONAL ACTIONS
const vector<string>& actions = capCert->getUnConditionalActions();
for (int i = 0; i < actions.size(); ++i) {
bag.insert(actions[i]);
}
if (!bag.size()) {
return; // NO ACTIONS
}
// At this point the bag contains granted actions.
} catch(Exception& ex) {
// SHOULD NEVER HAPPEN
} catch(Error& err) {
// SHOULD NEVER HAPPEN
} catch(...) {
// SHOULD NEVER HAPPEN
}
}
Last modified: Fri Oct 10 01:33:45 PDT 2003