/* * Creates a XACML Request containing a XACML Subject with the given subjectid, a XACML Resource * with the given resourceid and a XACML Action with the given actionid. * * @param [in/out] request address of the pointer to the XACML request object * @param [in] subjectid, a X.509 DN, attribute value of the XACML Request/Subject element * @param [in] resourceid attribute value of the XACML Request/Resource element * @param [in] actionid attribute value of the XACML Request/Action element * @return 0 on success or error code on failure. */ static int create_xacml_request(xacml_request_t ** request,const char * subjectid, const char * resourceid, const char * actionid) { xacml_subject_t * subject; xacml_attribute_t * subject_attr_id; xacml_resource_t * resource; xacml_attribute_t * resource_attr_id; xacml_action_t * action; xacml_attribute_t * action_attr_id; /* XACML Subject with subjectid Attribute value */ subject= xacml_subject_create(); if (subject == NULL) { fprintf(stderr,"can not create XACML Subject\n"); return 1; } subject_attr_id= xacml_attribute_create(XACML_SUBJECT_ID); if (subject_attr_id == NULL) { fprintf(stderr,"can not create XACML Subject/Attribute:%s\n",XACML_SUBJECT_ID); xacml_subject_delete(subject); return 1; } // set X.509 DN value xacml_attribute_addvalue(subject_attr_id,subjectid); // set attribute datatype for X.509 DN xacml_attribute_setdatatype(subject_attr_id,XACML_DATATYPE_X500NAME); xacml_subject_addattribute(subject,subject_attr_id); /* XACML Resource with resourceid Attribute value */ resource= xacml_resource_create(); if (resource == NULL) { fprintf(stderr,"can not create XACML Resource\n"); xacml_subject_delete(subject); return 2; } resource_attr_id= xacml_attribute_create(XACML_RESOURCE_ID); if (resource_attr_id == NULL) { fprintf(stderr,"can not create XACML Resource/Attribute:%s\n",XACML_RESOURCE_ID); xacml_subject_delete(subject); xacml_resource_delete(resource); return 2; } xacml_attribute_addvalue(resource_attr_id,resourceid); xacml_resource_addattribute(resource,resource_attr_id); /* XACML Action with actionid Attribute value */ action= xacml_action_create(); if (action == NULL) { fprintf(stderr,"can not create XACML Action\n"); xacml_subject_delete(subject); xacml_resource_delete(resource); return 3; } action_attr_id= xacml_attribute_create(XACML_ACTION_ID); if (action_attr_id == NULL) { fprintf(stderr,"can not create XACML Action/Attribute:%s\n",XACML_ACTION_ID); xacml_subject_delete(subject); xacml_resource_delete(resource); xacml_action_delete(action); return 3; } xacml_attribute_addvalue(action_attr_id,actionid); xacml_action_addattribute(action,action_attr_id); /* XACML Request with all elements */ *request= xacml_request_create(); if (*request == NULL) { fprintf(stderr,"can not create XACML Request\n"); xacml_subject_delete(subject); xacml_resource_delete(resource); xacml_action_delete(action); return 4; } xacml_request_addsubject(*request,subject); xacml_request_addresource(*request,resource); xacml_request_setaction(*request,action); return 0; }
static int xacml_resource_unmarshal(xacml_resource_t ** res, const hessian_object_t * h_resource) { const char * map_type; xacml_resource_t * resource; size_t map_l; int i, j; if (hessian_gettype(h_resource) != HESSIAN_MAP) { log_error("xacml_resource_unmarshal: wrong Hessian type: %d (%s).", hessian_gettype(h_resource), hessian_getclassname(h_resource)); return PEP_IO_ERROR; } map_type= hessian_map_gettype(h_resource); if (map_type == NULL) { log_error("xacml_resource_unmarshal: NULL Hessian map type."); return PEP_IO_ERROR; } if (strcmp(XACML_HESSIAN_RESOURCE_CLASSNAME,map_type) != 0) { log_error("xacml_resource_unmarshal: wrong Hessian map type: %s.",map_type); return PEP_IO_ERROR; } resource= xacml_resource_create(); if (resource == NULL) { log_error("xacml_resource_unmarshal: can't create XACML resource."); return PEP_IO_ERROR; } /* parse all map pair<key>s */ map_l= hessian_map_length(h_resource); for(i= 0; i<map_l; i++) { hessian_object_t * h_map_key= hessian_map_getkey(h_resource,i); const char * key; if (hessian_gettype(h_map_key) != HESSIAN_STRING) { log_error("xacml_resource_unmarshal: Hessian map<key> is not an Hessian string at: %d.",i); xacml_resource_delete(resource); return PEP_IO_ERROR; } key= hessian_string_getstring(h_map_key); if (key == NULL) { log_error("xacml_resource_unmarshal: Hessian map<key>: NULL string at: %d.",i); xacml_resource_delete(resource); return PEP_IO_ERROR; } /* content (can be null) */ if (strcmp(XACML_HESSIAN_RESOURCE_CONTENT,key) == 0) { hessian_object_t * h_string= hessian_map_getvalue(h_resource,i); hessian_t h_string_type= hessian_gettype(h_string); const char * content; if ( h_string_type != HESSIAN_STRING && h_string_type != HESSIAN_NULL) { log_error("xacml_resource_unmarshal: Hessian map<'%s',value> is not a Hessian string or null at: %d.",key,i); xacml_resource_delete(resource); return PEP_IO_ERROR; } content= NULL; if (h_string_type == HESSIAN_STRING) { content= hessian_string_getstring(h_string); } if (xacml_resource_setcontent(resource,content) != PEP_XACML_OK) { log_error("xacml_resource_unmarshal: can't set content: %s to XACML resource.",content); xacml_resource_delete(resource); return PEP_IO_ERROR; } } /* attributes list */ else if (strcmp(XACML_HESSIAN_RESOURCE_ATTRIBUTES,key) == 0) { hessian_object_t * h_attributes= hessian_map_getvalue(h_resource,i); size_t h_attributes_l; if (hessian_gettype(h_attributes) != HESSIAN_LIST) { log_error("xacml_resource_unmarshal: Hessian map<'%s',value> is not a Hessian list at: %d.",key, i); xacml_resource_delete(resource); return PEP_IO_ERROR; } h_attributes_l= hessian_list_length(h_attributes); for(j= 0; j<h_attributes_l; j++) { hessian_object_t * h_attr= hessian_list_get(h_attributes,j); xacml_attribute_t * attribute= NULL; if (xacml_attribute_unmarshal(&attribute,h_attr) != PEP_IO_OK) { log_error("xacml_resource_unmarshal: can't unmarshal XACML attribute at: %d.",j); xacml_resource_delete(resource); return PEP_IO_ERROR; } if (xacml_resource_addattribute(resource,attribute) != PEP_XACML_OK) { log_error("xacml_resource_unmarshal: can't add XACML attribute to XACML resource at: %d",j); xacml_resource_delete(resource); xacml_attribute_delete(attribute); return PEP_IO_ERROR; } } } else { /* unkown key ??? */ log_warn("xacml_resource_unmarshal: unknown Hessian map<key>: %s at: %d.",key,i); } } *res= resource; return PEP_IO_OK; }
/* * MAIN * * usage: ./test-pep <URL> */ int main(int argc, char **argv) { PEP * pep; pep_error_t pep_rc; char * url= "http://localhost:8080/PEPd/authz?random"; if (argc == 2) { url= argv[1]; info("%s: using endpoint URL: %s",argv[0], url); } info("initialize PEP..."); pep= pep_initialize(); if (pep == NULL) { error("test_pep: pep_initialize() failed"); return -1; } info("set LOG options..."); pep_setoption(pep,PEP_OPTION_LOG_STDERR,stderr); pep_setoption(pep,PEP_OPTION_LOG_LEVEL,PEP_LOGLEVEL_DEBUG); // DEBUG, INFO, WARN and ERROR pep_setoption(pep,PEP_OPTION_LOG_HANDLER,log_handler_pep); // will override stderr log handler info("create PIP"); pep_pip_t * pip= pip_create("PIPRequestDumper",pip_init,pip_process,pip_destroy); if (pip == NULL) { error("test_pep: pip_create(...) failed"); pep_destroy(pep); return -1; } info("install PIP: %s",pip->id); pep_rc= pep_addpip(pep,pip); if (pep_rc != PEP_OK) { error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } info("install PIP: %s",authzinterop2gridwn_adapter_pip->id); pep_rc= pep_addpip(pip,authzinterop2gridwn_adapter_pip); if (pep_rc != PEP_OK) { error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } info("install PIP: %s",pip->id); pep_rc= pep_addpip(pep,pip); if (pep_rc != PEP_OK) { error("test_pep: pep_addpip() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } info("create OH and add to PEP..."); pep_obligationhandler_t * oh= oh_create("OHResponseDumper",oh_init,oh_process,oh_destroy); if (oh == NULL) { error("test_pep: oh_create(...) failed"); pep_destroy(pep); return -1; } pep_rc= pep_addobligationhandler(pep,oh); if (pep_rc != PEP_OK) { error("test_pep: pep_addobligationhandler() failed: %s",pep_strerror(pep_rc)); pep_destroy(pep); return -1; } // create a XACML request info("create XACML request..."); xacml_request_t * request= xacml_request_create(); assert(request); info("add XACML subject(cert-chain)..."); xacml_subject_t * subject= xacml_subject_create(); assert(subject); xacml_attribute_t * certchain= xacml_attribute_create(XACML_AUTHZINTEROP_SUBJECT_CERTCHAIN); assert(certchain); xacml_attribute_addvalue(certchain,"PEM_ENCODE_PROXY_CERTCHAIN..."); xacml_attribute_setdatatype(certchain,XACML_DATATYPE_BASE64BINARY); xacml_subject_addattribute(subject,certchain); xacml_request_addsubject(request,subject); info("add XACML resource(resource-id)..."); xacml_resource_t * resource= xacml_resource_create(); assert(resource); xacml_attribute_t * resource_id= xacml_attribute_create(XACML_RESOURCE_ID); assert(resource_id); xacml_attribute_addvalue(resource_id,"http://authz-interop.org/xacml/resource/resource-type/wn"); xacml_resource_addattribute(resource,resource_id); xacml_request_addresource(request,resource); info("set XACML action(action-id)..."); xacml_action_t * action= xacml_action_create(); assert(action); xacml_attribute_t * action_id= xacml_attribute_create(XACML_ACTION_ID); assert(action_id); xacml_attribute_addvalue(action_id,"http://authz-interop.org/xacml/action/action-type/execute-now"); xacml_action_addattribute(action,action_id); xacml_request_setaction(request,action); info("set XACML environment(path)..."); xacml_environment_t * environment= xacml_environment_create(); assert(environment); xacml_attribute_t * path= xacml_attribute_create("x-urn:authz:env:path"); assert(path); xacml_attribute_addvalue(path,"/usr/bin"); xacml_attribute_addvalue(path,"/opt/glite/bin"); xacml_attribute_addvalue(path,"/home/johndoe/bin"); xacml_environment_addattribute(environment,path); xacml_request_setenvironment(request,environment); // add many PEPd endpoints for failover testing info("set PEPd endpoint: %s", url); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, url); info("set PEPd endpoint: %s", "http://www.google.com"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://www.google.com"); info("set PEPd endpoint: %s", "http://localhost:8080/PEPd/authz?s7"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080/PEPd/authz?s7"); info("set PEPd endpoint: %s", "http://nasjflkasdjflj.com"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://nasjflkasdjflj.com"); info("set PEPd endpoint: %s", "http://localhost:8080/PEPd/authz?s3"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080/PEPd/authz?s3"); info("set PEPd endpoint: %s", "http://hestia.switch.ch/PEPd/authz?s8"); pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://hestia.switch.ch/PEPd/authz?s8"); info("set PEPd endpoint: %s", "http://localhost:8080"); // respond OK 200 pep_rc= pep_setoption(PEP_OPTION_ENDPOINT_URL, "http://localhost:8080"); // send authz request and process if (pep_rc != PEP_OK) { error("test_pep: pep_setoption(PEP_OPTION_ENDPOINT_URL,%s) failed: %s",url,pep_strerror(pep_rc)); pep_destroy(); return -1; } info("send XACML request to PEPd"); xacml_response_t * response= NULL; pep_rc= pep_authorize(&request,&response); if (pep_rc != PEP_OK) { error("test_pep: pep_authorize(request,response) failed: %s",pep_strerror(pep_rc)); xacml_request_delete(request); xacml_response_delete(response); pep_destroy(); pip_delete(pip); oh_delete(oh); return -1; } info("delete XACML request and response..."); xacml_request_delete(request); xacml_response_delete(response); info("destroy PEP..."); pep_rc= pep_destroy(); if (pep_rc != PEP_OK) { error("test_pep: pep_destroy() failed: %s",pep_strerror(pep_rc)); pip_delete(pip); oh_delete(oh); return pep_rc; } // WARNING: call these only AFTER pep_destroy()... info("delete PIP and OH structs..."); pip_delete(pip); oh_delete(oh); info("done."); return 0; }