namespace Akenti class CertificateCache
A PolicyCollector verifies the Policy and
proceeds to collect the UseCondition certificates
-
Policy(bool isLeaf, const AkentiCertificate& policyCert)
-
Constructs this object
-
~Policy()
-
Destroys this object
-
bool isLeaf() const
-
Returns true if this Policy applies to a leaf resource
-
const string& getResource() const
-
Returns the name of the resource that this policy applies to
-
string hashCode() const
-
Returns the hashCode of the policy certificate contained in this
Policy
-
long getCacheTime() const
-
Returns the cacheTime in seconds
-
const AkentiPrincipal& getGuarantor() const
-
Returns the AkentiPrincipal that issued the policy certificate
contained in this Policy
-
const AkentiCertificate& getPolicyCertificate() const
-
Returns the policy certificate contained in this
Policy
-
bool isRootPolicy() const
-
Returns true if the policy certificate contained in
this Policy applies to a root resource
-
const vector <CertificateAuthorityInfo> & getCertificateAuthorityInfos() const
-
Returns the CertificateAuthorityInfos trusted
by this root Policy
-
vector <Certificate> getCACerts() const
-
Returns the CA Certificates trusted by this
root Policy
-
const vector & getIdentityDirectories() const
-
Returns the directories used to fetch x509 identity certificates
-
const vector & getAttributeDirectories() const
-
Returns the directories used to fetch attribute certificates
-
int numOfUseCondIssuerGroups() const
-
Returns the number of the UseCondIssuerGroups
that are allowed to issue UseCondition certificates
for this resource
-
const UseCondIssuerGroup& getUseCondIssuerGroup(int groupIndex) const
-
Returns the UseCondIssuerGroup at index groupIndex
-
void addUCCertificate(const AkentiCertificate& ucCert)
-
Adds a UseCondition certificate specified by ucCert to
this Policy
-
const vector & getUCCerts() const
-
Returns the UseCondition certificates that apply
to this Policy
-
string paramString() const
-
Returns a string for debugging purposes
-
PolicyAuthorizer(CertificateCache& cache, Verifier& verifier, const PolicyContext& context)
-
Constructs this object
-
bool authorize(set& actions)
-
Determines the allowable actions
-
~PolicyAuthorizer()
-
bool authorize(const Policy& policy, set& actions)
-
Helper function
Documentation
A PolicyCollector verifies the Policy and
proceeds to collect the UseCondition certificates.
Policy(bool isLeaf, const AkentiCertificate& policyCert)
-
Constructs this object. The policy certificate specified by
policyCert must be of type RootPolicy or Policy.
- Throws:
- Error if policyCert is not initialized or of the wrong type
- Parameters:
- isLeaf - bool true if this policy applies to a leaf resource
policyCert - AkentiCertificate policy certificate
- See Also:
- AkentiCertificate
getType()
~Policy()
-
Destroys this object
bool isLeaf() const
-
Returns true if this Policy applies to a leaf resource.
- Returns:
- true if the resource is a leaf, false otherwise
const string& getResource() const
-
Returns the name of the resource that this policy applies to.
This call is redirected to the policy certificate contained in
this Policy.
- Returns:
- the name of the resource
- See Also:
- getResource()
string hashCode() const
-
Returns the hashCode of the policy certificate contained in this
Policy.
- Returns:
- the hashCode of the policy certificate
- See Also:
- hashCode()
long getCacheTime() const
-
Returns the cacheTime in seconds. This call is redirected to the
policy certificate contained in this policy.
- Returns:
- the cache time in seconds
- See Also:
- getCacheTime()
const AkentiPrincipal& getGuarantor() const
-
Returns the AkentiPrincipal that issued the policy certificate
contained in this Policy.
- Returns:
- the issuer of the policy certificate
- See Also:
- getGuarantor()
AkentiPrincipal
const AkentiCertificate& getPolicyCertificate() const
-
Returns the policy certificate contained in this
Policy.
- Returns:
- the policy certificate
- See Also:
- AkentiCertificate
bool isRootPolicy() const
-
Returns true if the policy certificate contained in
this Policy applies to a root resource.
- Returns:
- true if the resource is root, false otherwise
const vector <CertificateAuthorityInfo> & getCertificateAuthorityInfos() const
-
Returns the CertificateAuthorityInfos trusted
by this root Policy.
- Throws:
- Error if this is not a root resource.
- Returns:
- the CertificateAuthorityInfos trusted by this root resource
- See Also:
- getCertificateAuthorityInfos()
CertificateAuthorityInfo
vector <Certificate> getCACerts() const
-
Returns the CA Certificates trusted by this
root Policy.
- Throws:
- Error if this is not a root resource.
- Returns:
- the certificates of the CAs trusted by this root resource.
- See Also:
- getCertificateAuthorityInfos()
getCertificate()
Certificate
const vector & getIdentityDirectories() const
-
Returns the directories used to fetch x509 identity certificates.
- Returns:
- the x509 certificate directories
- See Also:
- getIdentityDirectories()
Policy
const vector & getAttributeDirectories() const
-
Returns the directories used to fetch attribute certificates.
- Returns:
- the attribute certificate directories
- See Also:
- getAttributeDirectories()
Directory
int numOfUseCondIssuerGroups() const
-
Returns the number of the UseCondIssuerGroups
that are allowed to issue UseCondition certificates
for this resource.
- Returns:
- the number of UseCondIssuerGroups
- See Also:
- getUseCondIssuerGroups()
const UseCondIssuerGroup& getUseCondIssuerGroup(int groupIndex) const
-
Returns the UseCondIssuerGroup at index groupIndex.
- Throws:
- Error if groupIndex is out of range
- Parameters:
- groupIndex - int the index of the UC group
- See Also:
- getUseCondIssuerGroups()
void addUCCertificate(const AkentiCertificate& ucCert)
-
Adds a UseCondition certificate specified by ucCert to
this Policy.
- Throws:
- Error if ucCert is not of type UseCondition
- See Also:
- UseConditionCertificateImpl
getType()
const vector & getUCCerts() const
-
Returns the UseCondition certificates that apply
to this Policy.
- Returns:
- the UseCondition certificates
- See Also:
- UseConditionCertificateImpl
AkentiCertificate
string paramString() const
-
Returns a string for debugging purposes
PolicyAuthorizer(CertificateCache& cache, Verifier& verifier, const PolicyContext& context)
-
Constructs this object.
The CertificateVerifier is used to verify the Attribute Certificates
that are used in the decision loop.
The CertificateCache is queried for Attribute certificates.
If these certificates are not found in the cache, this
PolicyAuthorizer collects them and puts them in the cache.
The PolicyContext contains the name of the resource,
the AkentiPrincipal that is accessing the resource, and
all the policy certificates that apply to that resource.
The PolicyAuthorizer assumes that all the certificates,
policy and UseCondition, have already been found to be trusted.
bool authorize(set& actions)
-
Determines the allowable actions.
Algorithm to determine these actions:
  For each policy:
    Evaluate the UseCondition certificates.
    For each UseCondition:
      If a UseCondition certificate evaluates to false
      and enable is true, access is denied.
      If a UseCondition certificate evaluates to true,
      we just add the actions specified by that UseCondition.
      Otherwise we do nothing.
Algorithm to evaluate a UseCondition:
  The boolean expression specified in the UseCondition
  is evaluated using short-circuit evaluation. Therefore not
  all attribute/value pairs are considered.
  For each attribute/value pair, we have two cases:
  a) X509:
    First we check if the CA of the AkentiPrincipal
    is one of the CAs that can attest to this attribute/value pair.
    Second we check if the DistinguishedName contains the
    attribute/value pair.
  b) GENERIC:
    This involves using attribute certificates.
    The collection of attribute certificates is essentially the
    same as the collection of X509 identity certificates. See
    CertificateVerifier. The verification has an additional test
    which makes sure that the issuer of the attribute certificate
    is one of the issuers for this attribute/value pair.
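The decision loop and the two attribute/value cases described above, modeled as an added example that is not Akenti's own code. AttrTest, UseCond, Principal and runSample are hypothetical stand-ins; the boolean expression is simplified to an OR of AND-groups, and emptying the action set on denial is an assumption.

```cpp
#include <set>
#include <string>
#include <utility>
#include <vector>
using namespace std;

// Hypothetical stand-ins for the page's types; these are not Akenti's classes.
// AttrTest: one attribute/value pair; attesters are the CAs (X509) or issuers (GENERIC).
struct AttrTest { bool x509; string av; set<string> attesters; };
// UseCond: expression simplified to an OR of AND-groups; enable turns a false result into a denial.
struct UseCond { vector<vector<AttrTest>> anyOf; bool enable; set<string> actions; };
// Principal: issuing CA, DN pairs, and (issuer, pair) entries from verified attribute certs.
struct Principal { string ca; set<string> dnPairs; set<pair<string, string>> attrCerts; };
// Cases a) and b): the attester must be accepted for the pair and the pair must be present.
bool holds(const AttrTest& t, const Principal& p) {
    if (t.x509) return t.attesters.count(p.ca) && p.dnPairs.count(t.av);
    for (const auto& c : p.attrCerts)
        if (c.second == t.av && t.attesters.count(c.first)) return true;
    return false;
}
// Short-circuit: stop at the first failed AND term and at the first satisfied OR group.
bool evaluate(const UseCond& uc, const Principal& p) {
    for (const auto& group : uc.anyOf) {
        bool all = true;
        for (const auto& t : group)
            if (!holds(t, p)) { all = false; break; }
        if (all) return true;
    }
    return false;
}
// Decision loop from the page. Assumption: a denial empties the set and returns false.
bool authorize(const vector<vector<UseCond>>& policies, const Principal& p, set<string>& actions) {
    for (const auto& policy : policies)
        for (const auto& uc : policy) {
            if (evaluate(uc, p)) actions.insert(uc.actions.begin(), uc.actions.end());
            else if (uc.enable) { actions.clear(); return false; }
        }
    return true;
}
// Constructed sample: a root policy grants "read" on o=LBL, a leaf policy grants "write" on group=admin.
set<string> runSample(bool leafEnable, const string& acIssuer) {
    Principal p{"LabCA", {"o=LBL"}, {{acIssuer, "group=admin"}}};
    UseCond root{{{{true, "o=LBL", {"LabCA"}}}}, true, {"read"}};
    UseCond leaf{{{{false, "group=admin", {"GroupIssuer"}}}}, leafEnable, {"write"}};
    set<string> actions;
    authorize({{root}, {leaf}}, p, actions);
    return actions;
}
int main() { return runSample(true, "GroupIssuer").size() == 2 ? 0 : 1; }
```

An attribute certificate from an issuer that is not listed for the pair fails the GENERIC test, so with enable set it denies access even though the root policy had already granted "read".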
~PolicyAuthorizer()
- Author:
- Abdelilah Essiari
Srilekha Mudumbai
- Version:
- 1.1 00/05/01
- See Also:
- Policy
CertificateVerifier
CertificateCache
CacheCertHolder
this page has been generated automatically by doc++
(c)opyright by Malte Zöckler, Roland Wunderling
contact: doc++@zib.de