Akenti Policy Engine C++ API
C++ library interface
The Akenti Engine class provides two methods to perfom a checkAccess operation.
Both methods have only two inputs: the name of the resource and the DN/CADN
of the user. They return true if a capabilty certificate was generated or
was found in the cache. The capability certificate contains a list of actions.
Some actions may have conditions attached to them. Critical conditions must
all evaluate to true otherwise the user should be denied access.
The Akenti library must be intialized once before any checkAccess call
is made. The initialization process reads a number of parameters from
a configuration file.
static bool AkentiInit::init(const string& confFile, string& status);
confFile |
in |
Name of an Akenti configuration file |
status |
out |
A message describing the intialization proceeded |
returnValue |
true |
if it was successful |
|
false |
otherwise |
bool AkentiEngine::checkAccess(const string& resource,
const AkentiPrincipal& user,
CapabilityCertificate& capabilityCert,
AkentiMessage& mesg) const;
where:
resource |
in |
Name of the resource requested by the user. |
user |
in |
Distinguished name of the user (and its CA) requesting access
|
capabilityCert |
out |
Contains the resource, the user's DN, his actions, and possibly
conditions on those actions. |
mesg |
out |
Contains a numeric error code and a descriptive message. |
returnValue |
true |
if a capability certificate was generated or found in the
cache. |
|
false |
otherwise |
bool AkentiEngine::checkAccess(const string& resource,
const AkentiPrincipal& user,
PolicyContext& policyContext,
AkentiMessage& mesg) const;
where:
resource |
in |
name of resource as requested by the user |
user |
in |
Distinguished name of the user (and its CA) requesting access
|
policyContext |
out |
Contains resource, principal, possibly a list of policy, use-conditions,
and attribute certificates, and the capability certificate if any.
|
mesg |
out |
Contains a numeric error code and a descriptive message. |
returnValue |
true |
if a capability certificate was generated or found in the
cache. |
|
false |
otherwise
|
void setDesiredActions(const set<string>& desiredActions);
where:
desiredActions
|
in
|
list of string actions that match some of the
actions granted by the UseConditons for the resource
|
void setRestrictedAttributes(const multimap&
restrictedAttributes);
where:
restrictedAttributes
|
in |
list of string attribute/value pairs that that will
be assumed for the user on subsequent calls to checkAccess |
Examples
// Includes and namespaces
#include <string>
#include <vector>
#include <set>
#include <iostream>
#include "AkentiEngine.hpp"
#include "AkentiInit.hpp"
#include "AkentiPrincipal.hpp"
#include "CapabilityCertificate.hpp"
#include "AkentiMessage.hpp"
#include "Exception.hpp"
#include "Error.hpp"
using namespace Akenti;
using namespace std;
Example 1
This simple example assumes that the checkAccess call will not result
in a capabality certificate containing conditional actions. That is only
AKENTI and X509 attributes are used in the use-conditions.
void example1() {
try {
string resource = "microscope";
string userDN = "/C=US/..../CN=Abdelilah Essiari";
string caDN = "/C=US/..../CN=DOE Grid CA";
string confFileName = "./akentiConf";
AkentiPrincipal user(userDN, caDN);
// Initialization can be done once during the lifetime of a program.
string status;
if (!AkentiInit::init(confFileName,status)) {
cout << status << endl;
return;
}
AkentiEngine eng;
CapabilityCertificate capCert;
AkentiMessage msg;
if (!eng.checkAccess(resource, user, capCert, msg)) {
cout << msg.toString() << ", ";
return;
}
const vector<string>& actions = capCert->getUnConditionalActions();
for (int i = 0; i < actions.size(); ++i) {
cout << actions[i] << ", ";
}
} catch(Exception& ex) {
// SHOULD NEVER HAPPEN
} catch(Error& err) {
// SHOULD NEVER HAPPEN
} catch(...) {
// SHOULD NEVER HAPPEN
}
}
Example 2
This example shows the use of an evaluator to deal with conditional
actions. This impllies EXT_AUTH and SYSTEM attributes are used in the use-conditions.
this.
#include "ConditionalActions.hpp"
#include "AttributeInfo.hpp"
#include "ExpressionEvaluator.hpp"
#include "Expression.hpp"
#include "TokenType.hpp"
/**
* A sample evaluator to handle SYSTEM/EXT_AUTH attributes.
*/
class MyEvaluator : public ExpressionEvaluator {
public:
MyEvaluator(ConditionalActions condActions)
: idx(0), condActions(condActions) {
}
int evaluate() {
Expression expr = Expression(condActions.getConstraint());
return expr.evaluate(*this);
}
bool evaluate(TokenType op, const string& attr, const string& value) {
const vector<AttributeInfo>& attrInfos = condActions.getAttributeInfos();
const AttributeInfo& info = attrInfos[idx++];
if (info.getType() == AttributeInfo::SYSTEM) {
bool ok = ...; // here we evaluate attr op value
return ok;
} else { // info.getType() = EXT_AUTH
bool ok = ...; // here we evaluate attr op value
// by contacting the apprpriate external authority.
return ok;
}
}
private:
ConditionalActions& condActions;
int idx;
};
void example2() {
try {
string resource = "microscope";
string userDN = "/C=US/..../CN=Abdelilah Essiari";
string caDN = "/C=US/..../CN=DOE Grid CA";
string confFileName = "./akentiConf";
AkentiPrincipal user(userDN, caDN);
// This needs to be done only once during the lifetime of a program.
string status;
if (!AkentiInit::init(confFileName,status)) {
return;
}
AkentiEngine eng;
CapabilityCertificate capCert;
AkentiMessage msg;
if (!eng.checkAccess(resource, user, capCert, msg)) {
return; // DENY ACCESS
}
// used to hold granted actions
set<string> bag;
// HANDLE CONDITIONAL ACTIONS
const vector<ConditionalActions>& condActionsList = capCert->getConditionalActions();
for (int i = 0; i < condActionsList.size(); ++i) {
MyEvaluator evaluator(condActionsList[i]);
bool ok = evaluator.evaluate();
if (!ok && condActionsList[i].isCritical()) {
return; // DENY ACCESS
}
const vector<string>& actions = condActions[i].getActions();
for (int i = 0; i < actions.size(); ++i) {
bag.insert(actions[i]);
}
}
// ADD UNCONDITIONAL ACTIONS
const vector<string>& actions = capCert->getUnConditionalActions();
for (int i = 0; i < actions.size(); ++i) {
bag.insert(actions[i]);
}
if (!bag.size()) {
return; // NO ACTIONS
}
// At this point the bag contains granted actions.
} catch(Exception& ex) {
// SHOULD NEVER HAPPEN
} catch(Error& err) {
// SHOULD NEVER HAPPEN
} catch(...) {
// SHOULD NEVER HAPPEN
}
}
Last modified: Fri Oct 10 01:33:45 PDT 2003