/*
* Creates a XACML Request containing a XACML Subject with the given subjectid, a XACML Resource
* with the given resourceid and a XACML Action with the given actionid.
*
* @param [in/out] request address of the pointer to the XACML request object
* @param [in] subjectid, a X.509 DN, attribute value of the XACML Request/Subject element
* @param [in] resourceid attribute value of the XACML Request/Resource element
* @param [in] actionid attribute value of the XACML Request/Action element
* @return 0 on success or error code on failure.
*/
static int create_xacml_request(xacml_request_t ** request,const char * subjectid, const char * resourceid, const char * actionid)
{
xacml_subject_t * subject;
xacml_attribute_t * subject_attr_id;
xacml_resource_t * resource;
xacml_attribute_t * resource_attr_id;
xacml_action_t * action;
xacml_attribute_t * action_attr_id;
/* XACML Subject with subjectid Attribute value */
subject= xacml_subject_create();
if (subject == NULL) {
fprintf(stderr,"can not create XACML Subject\n");
return 1;
}
subject_attr_id= xacml_attribute_create(XACML_SUBJECT_ID);
if (subject_attr_id == NULL) {
fprintf(stderr,"can not create XACML Subject/Attribute:%s\n",XACML_SUBJECT_ID);
xacml_subject_delete(subject);
return 1;
}
// set X.509 DN value
xacml_attribute_addvalue(subject_attr_id,subjectid);
// set attribute datatype for X.509 DN
xacml_attribute_setdatatype(subject_attr_id,XACML_DATATYPE_X500NAME);
xacml_subject_addattribute(subject,subject_attr_id);
/* XACML Resource with resourceid Attribute value */
resource= xacml_resource_create();
if (resource == NULL) {
fprintf(stderr,"can not create XACML Resource\n");
xacml_subject_delete(subject);
return 2;
}
resource_attr_id= xacml_attribute_create(XACML_RESOURCE_ID);
if (resource_attr_id == NULL) {
fprintf(stderr,"can not create XACML Resource/Attribute:%s\n",XACML_RESOURCE_ID);
xacml_subject_delete(subject);
xacml_resource_delete(resource);
return 2;
}
xacml_attribute_addvalue(resource_attr_id,resourceid);
xacml_resource_addattribute(resource,resource_attr_id);
/* XACML Action with actionid Attribute value */
action= xacml_action_create();
if (action == NULL) {
fprintf(stderr,"can not create XACML Action\n");
xacml_subject_delete(subject);
xacml_resource_delete(resource);
return 3;
}
action_attr_id= xacml_attribute_create(XACML_ACTION_ID);
if (action_attr_id == NULL) {
fprintf(stderr,"can not create XACML Action/Attribute:%s\n",XACML_ACTION_ID);
xacml_subject_delete(subject);
xacml_resource_delete(resource);
xacml_action_delete(action);
return 3;
}
xacml_attribute_addvalue(action_attr_id,actionid);
xacml_action_addattribute(action,action_attr_id);
/* XACML Request with all elements */
*request= xacml_request_create();
if (*request == NULL) {
fprintf(stderr,"can not create XACML Request\n");
xacml_subject_delete(subject);
xacml_resource_delete(resource);
xacml_action_delete(action);
return 4;
}
xacml_request_addsubject(*request,subject);
xacml_request_addresource(*request,resource);
xacml_request_setaction(*request,action);
return 0;
}
/*
* Creates a new Subject/Attribute XACML_SUBJECT_KEY_INFO based on the
* XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN.
* Creates new Subject/Attributes XACML_GRIDWN_ATTRIBUTE_FQAN and
* XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY based on XACML_AUTHZINTEROP_SUBJECT_VOMS_FQAN and
* XACML_AUTHZINTEROP_SUBJECT_VOMS_PRIMARY_FQAN.
* Adds the XACML_GRIDWN_ATTRIBUTE_PROFILE_ID in the Environment if not already present.
*/
static int authzinterop2gridwn_pip_process(xacml_request_t ** request) {
int i, j, profile_id_present;
size_t subjects_l= xacml_request_subjects_length(*request);
xacml_environment_t * environment;
size_t environment_attrs_l;
for (i= 0; i<subjects_l; i++) {
xacml_subject_t * subject= xacml_request_getsubject(*request,i);
size_t subject_attrs_l= xacml_subject_attributes_length(subject);
for(j= 0; j<subject_attrs_l; j++) {
xacml_attribute_t * attr= xacml_subject_getattribute(subject,j);
const char * attr_id= xacml_attribute_getid(attr);
if (strncmp(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN,attr_id,strlen(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN)) == 0) {
xacml_attribute_t * keyinfo= xacml_attribute_clone(attr);
pep_log_debug("%s: clone subject[%d].attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j,attr_id);
if (keyinfo!=NULL) {
pep_log_debug("%s: set cloned attribute id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_SUBJECT_KEY_INFO);
xacml_attribute_setid(keyinfo,XACML_SUBJECT_KEY_INFO);
pep_log_debug("%s: set cloned attribute datatype= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_DATATYPE_STRING);
xacml_attribute_setdatatype(keyinfo,XACML_DATATYPE_STRING);
if (xacml_subject_addattribute(subject,keyinfo) != PEP_XACML_OK) {
pep_log_error("%s: failed to add new attribute{%s} to subject[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_SUBJECT_KEY_INFO,i);
xacml_attribute_delete(keyinfo);
}
}
else {
pep_log_warn("%s: failed to clone subject[%d].attribute[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j);
}
}
else if (strncmp(XACML_AUTHZINTEROP_SUBJECT_VOMS_PRIMARY_FQAN,attr_id,strlen(XACML_AUTHZINTEROP_SUBJECT_VOMS_PRIMARY_FQAN))==0) {
xacml_attribute_t * fqan_primary= xacml_attribute_clone(attr);
pep_log_debug("%s: clone subject[%d].attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j,attr_id);
if (fqan_primary!=NULL) {
pep_log_debug("%s: set cloned attribute id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY);
xacml_attribute_setid(fqan_primary,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY);
pep_log_debug("%s: set cloned attribute datatype= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_DATATYPE_FQAN);
xacml_attribute_setdatatype(fqan_primary,XACML_GRIDWN_DATATYPE_FQAN);
if (xacml_subject_addattribute(subject,fqan_primary) != PEP_XACML_OK) {
pep_log_error("%s: failed to add new attribute{%s} to subject[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY,i);
xacml_attribute_delete(fqan_primary);
}
}
else {
pep_log_warn("%s: failed to clone subject[%d].attribute[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j);
}
}
else if (strncmp(XACML_AUTHZINTEROP_SUBJECT_VOMS_FQAN,attr_id,strlen(XACML_AUTHZINTEROP_SUBJECT_VOMS_FQAN))==0) {
xacml_attribute_t * fqans= xacml_attribute_clone(attr);
pep_log_debug("%s: clone subject[%d].attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j,attr_id);
if (fqans!=NULL) {
pep_log_debug("%s: set cloned attribute id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY);
xacml_attribute_setid(fqans,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY);
pep_log_debug("%s: set cloned attribute datatype= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_DATATYPE_FQAN);
xacml_attribute_setdatatype(fqans,XACML_GRIDWN_DATATYPE_FQAN);
if (xacml_subject_addattribute(subject,fqans) != PEP_XACML_OK) {
pep_log_error("%s: failed to add new attribute{%s} to subject[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_FQAN_PRIMARY,i);
xacml_attribute_delete(fqans);
}
}
else {
pep_log_warn("%s: failed to clone subject[%d].attribute[%d]",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID, i,j);
}
}
}
}
/* check environment for Grid WN AuthZ Profile ID, if not present add it */
environment= xacml_request_getenvironment(*request);
/* create environment if not already existing */
if (environment==NULL) {
environment= xacml_environment_create();
if (environment!=NULL) {
xacml_request_setenvironment(*request,environment);
}
else {
pep_log_warn("%s: failed to create XACML Environment",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID);
}
}
environment_attrs_l= xacml_environment_attributes_length(environment);
profile_id_present= 0;
for (i= 0; i<environment_attrs_l; i++) {
xacml_attribute_t * attr= xacml_environment_getattribute(environment,i);
const char * attr_id= xacml_attribute_getid(attr);
if (strncmp(XACML_GRIDWN_ATTRIBUTE_PROFILE_ID,attr_id,strlen(XACML_GRIDWN_ATTRIBUTE_PROFILE_ID))==0) {
pep_log_debug("%s: found environment.attribute[%d].id= %s",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,i,attr_id);
profile_id_present= 1;
}
}
/* profile id is not present, then add it */
if (!profile_id_present && environment) {
/* create env attribute */
xacml_attribute_t * env_attr= xacml_attribute_create(XACML_GRIDWN_ATTRIBUTE_PROFILE_ID);
if (env_attr!=NULL) {
xacml_attribute_setdatatype(env_attr,XACML_DATATYPE_ANYURI);
xacml_attribute_addvalue(env_attr,XACML_GRIDWN_PROFILE_VERSION);
xacml_environment_addattribute(environment,env_attr);
}
else {
pep_log_warn("%s: failed to create XACML Environment/Attribute{%s}",AUTHZINTEROP_TO_GRIDWN_ADAPTER_ID,XACML_GRIDWN_ATTRIBUTE_PROFILE_ID);
}
}
return 0;
}
/*
* MAIN
*
* usage: ./test-pep <URL>
*/
int main(int argc, char **argv) {
PEP * pep;
pep_error_t pep_rc;
char * url= "http://localhost:8080/PEPd/authz?random";
if (argc == 2) {
url= argv[1];
info("%s: using endpoint URL: %s",argv[0], url);
}
info("initialize PEP...");
pep= pep_initialize();
if (pep == NULL) {
error("test_pep: pep_initialize() failed");
return -1;
}
info("set LOG options...");
pep_setoption(pep,PEP_OPTION_LOG_STDERR,stderr);
pep_setoption(pep,PEP_OPTION_LOG_LEVEL,PEP_LOGLEVEL_DEBUG); // DEBUG, INFO, WARN and ERROR
pep_setoption(pep,PEP_OPTION_LOG_HANDLER,log_handler_pep); // will override stderr log handler
info("create PIP");
pep_pip_t * pip= pip_create("PIPRequestDumper",pip_init,pip_process,pip_destroy);
if (pip == NULL) {
error("test_pep: pip_create(...) failed");
pep_destroy(pep);
return -1;
}
info("install PIP: %s",pip->id);
pep_rc= pep_addpip(pep,pip);
if (pep_rc != PEP_OK) {
error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc));
pep_destroy(pep);
return -1;
}
info("install PIP: %s",authzinterop2gridwn_adapter_pip->id);
pep_rc= pep_addpip(pip,authzinterop2gridwn_adapter_pip);
if (pep_rc != PEP_OK) {
error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc));
pep_destroy(pep);
return -1;
}
info("install PIP: %s",pip->id);
pep_rc= pep_addpip(pep,pip);
if (pep_rc != PEP_OK) {
error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc));
pep_destroy(pep);
return -1;
}
info("create OH and add to PEP...");
pep_obligationhandler_t * oh= oh_create("OHResponseDumper",oh_init,oh_process,oh_destroy);
if (oh == NULL) {
error("test_pep: oh_create(...) failed");
pep_destroy(pep);
return -1;
}
pep_rc= pep_addobligationhandler(pep,oh);
if (pep_rc != PEP_OK) {
error("test_pep: pep_addobligationhandler() failed: %s",pep_strerror(pep_rc));
pep_destroy(pep);
return -1;
}
// create a XACML request
info("create XACML request...");
xacml_request_t * request= xacml_request_create();
assert(request);
info("add XACML subject(cert-chain)...");
xacml_subject_t * subject= xacml_subject_create();
assert(subject);
xacml_attribute_t * certchain= xacml_attribute_create(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN);
assert(certchain);
xacml_attribute_addvalue(certchain,"PEM_ENCODE_PROXY_CERTCHAIN...");
xacml_attribute_setdatatype(certchain,XACML_DATATYPE_BASE64BINARY);
xacml_subject_addattribute(subject,certchain);
xacml_request_addsubject(request,subject);
info("add XACML resource(resource-id)...");
xacml_resource_t * resource= xacml_resource_create();
assert(resource);
xacml_attribute_t * resource_id= xacml_attribute_create(XACML_RESOURCE_ID);
assert(resource_id);
xacml_attribute_addvalue(resource_id,"http://authz-interop.org/xacml/resource/resource-type/wn");
xacml_resource_addattribute(resource,resource_id);
xacml_request_addresource(request,resource);
info("set XACML action(action-id)...");
xacml_action_t * action= xacml_action_create();
assert(action);
xacml_attribute_t * action_id= xacml_attribute_create(XACML_ACTION_ID);
assert(action_id);
xacml_attribute_addvalue(action_id,"http://authz-interop.org/xacml/action/action-type/execute-now");
xacml_action_addattribute(action,action_id);
xacml_request_setaction(request,action);
info("set XACML environment(path)...");
xacml_environment_t * environment= xacml_environment_create();
assert(environment);
xacml_attribute_t * path= xacml_attribute_create("x-urn:authz:env:path");
assert(path);
xacml_attribute_addvalue(path,"/usr/bin");
xacml_attribute_addvalue(path,"/opt/glite/bin");
xacml_attribute_addvalue(path,"/home/johndoe/bin");
xacml_environment_addattribute(environment,path);
xacml_request_setenvironment(request,environment);
// add many PEPd endpoints for failover testing
info("set PEPd endpoint: %s", url);
pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, url);
info("set PEPd endpoint: %s", "http://www.google.com");
pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://www.google.com");
info("set PEPd endpoint: %s", "http://localhost:8080/PEPd/authz?s7");
pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080/PEPd/authz?s7");
info("set PEPd endpoint: %s", "http://nasjflkasdjflj.com");
pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://nasjflkasdjflj.com");
info("set PEPd endpoint: %s", "http://localhost:8080/PEPd/authz?s3");
pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080/PEPd/authz?s3");
info("set PEPd endpoint: %s", "http://hestia.switch.ch/PEPd/authz?s8");
pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://hestia.switch.ch/PEPd/authz?s8");
info("set PEPd endpoint: %s", "http://localhost:8080"); // respond OK 200
pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080");
// send authz request and process
if (pep_rc != PEP_OK) {
error("test_pep: pep_setoption(PEP_OPTION_ENDPOINT_URL,%s) failed: %s",url,pep_strerror(pep_rc));
pep_destroy();
return -1;
}
info("send XACML request to PEPd");
xacml_response_t * response= NULL;
pep_rc= pep_authorize(&request,&response);
if (pep_rc != PEP_OK) {
error("test_pep: pep_authorize(request,response) failed: %s",pep_strerror(pep_rc));
xacml_request_delete(request);
xacml_response_delete(response);
pep_destroy();
pip_delete(pip);
oh_delete(oh);
return -1;
}
info("delete XACML request and response...");
xacml_request_delete(request);
xacml_response_delete(response);
info("destroy PEP...");
pep_rc= pep_destroy();
if (pep_rc != PEP_OK) {
error("test_pep: pep_destroy() failed: %s",pep_strerror(pep_rc));
pip_delete(pip);
oh_delete(oh);
return pep_rc;
}
// WARNING: call these only AFTER pep_destroy()...
info("delete PIP and OH structs...");
pip_delete(pip);
oh_delete(oh);
info("done.");
return 0;
}
