
nordugrid-arc-nox  1.1.0~rc6
ArcRule.cpp File Reference
#include <string>
#include <fstream>
#include <iostream>
#include <list>
#include <arc/security/ArcPDP/attr/AttributeValue.h>
#include <arc/security/ArcPDP/attr/BooleanAttribute.h>
#include <arc/security/ArcPDP/fn/EqualFunction.h>
#include <arc/security/ArcPDP/fn/MatchFunction.h>
#include <arc/security/ArcPDP/fn/InRangeFunction.h>
#include "ArcEvaluationCtx.h"
#include "ArcRule.h"



#define DEFAULT_ATTRIBUTE_TYPE   "string"


static ArcSec::MatchResult itemMatch (ArcSec::OrList items, std::list< ArcSec::RequestAttribute * > req, Id_MatchResult &idmatched)

Define Documentation

// Fallback attribute type name. Presumably applied to a policy <Attribute>
// that carries no explicit Type; the use site is not part of this rendering,
// so confirm against ArcRule.cpp before relying on that reading.
#define DEFAULT_ATTRIBUTE_TYPE   "string"

Definition at line 24 of file ArcRule.cpp.

Function Documentation

static ArcSec::MatchResult itemMatch ( ArcSec::OrList  items,
std::list< ArcSec::RequestAttribute * >  req,
Id_MatchResult idmatched 
) [static]

Definition at line 193 of file ArcRule.cpp.


  // itemMatch: decide whether one policy item list (an OrList of AndLists,
  // e.g. the <Subject> elements under <Subjects>) is satisfied by the
  // request attributes `req`. Returns MATCH / NO_MATCH / INDETERMINATE and
  // reports through `idmatched` whether the attribute ids lined up.
  // Both parameters are taken by value (see the signature above), so every
  // call copies both lists.
  //
  // NOTE(review): this Doxygen rendering has dropped lines of the original
  // body — the opening brace, the `try {` that must precede the evaluate()
  // call, the condition guarding `one_req_matched = true`, and several
  // closing braces. The comments below describe what is visible; check the
  // dropped parts against the real ArcRule.cpp before acting on them.
  ArcSec::OrList::iterator orit;
  ArcSec::AndList::iterator andit;
  std::list<ArcSec::RequestAttribute*>::iterator reqit;

  // Starts pessimistic: only cleared below when some item has every id
  // matched but not every value. If no item ever reaches that state the
  // function answers INDETERMINATE rather than NO_MATCH.
  bool indeterminate = true;

  idmatched = ID_NO_MATCH;

  // Go through each <Subject> <Resource> <Action> or <Context> under
  // <Subjects> <Resources> <Actions> or <Contexts>.
  // For example, go through each <Subject> element under <Subjects> in a rule;
  // once one <Subject> element is satisfied, return immediately (OR semantics).
  for( orit = items.begin(); orit != items.end(); orit++ ){
    // Per-item counters: how many of this item's policy attributes found a
    // value match / an id match somewhere in the request.
    int all_fraction_matched = 0;
    int all_id_matched = 0;
    // For example, go through each <Attribute> element in one <Subject>;
    // all of the <Attribute> elements should be satisfied (AND semantics).
    for(andit = (*orit).begin(); andit != (*orit).end(); andit++){
      bool one_req_matched = false;
      bool one_id_matched = false;

      // Go through each <Attribute> element in one <Subject> in Request.xml;
      // a single request attribute satisfying the policy attribute is enough.
      for(reqit = req.begin(); reqit != req.end(); reqit++){
        // Evaluate two "AttributeValue*" based on the "Function" definition in
        // the "Rule" (andit->second is the function, andit->first the policy
        // value). The result is an owning raw pointer released below.
        AttributeValue* res = NULL;
          res = ((*andit).second)->evaluate((*andit).first, (*reqit)->getAttributeValue());
        // Any std::exception from the evaluator is swallowed silently, leaving
        // `res` NULL. Assuming the dropped condition below tests `res`, an
        // evaluator failure is treated as "no match" (fail-closed) but is
        // never logged — a malformed attribute value in a request or policy
        // becomes indistinguishable from a genuine mismatch. Worth logging.
        } catch(std::exception&) { };
        BooleanAttribute bool_attr(true);
        // NOTE(review): as rendered, this assignment is unconditional, which
        // would mark every policy attribute as value-matched. The original
        // presumably guards it with a comparison of `res` against `bool_attr`
        // — confirm in the source; if it really were unconditional the rule
        // would match any request carrying the right attribute ids.
          one_req_matched = true;
        // `res` is an owning raw pointer; a std::unique_ptr would make the
        // release exception-safe if the (dropped) comparison can throw.
        if(res) delete res;

        // Distinguish whether the "id" of the two <Attribute>s (from request and
        // policy) are matched. Three situations are distinguished in principle:
        // 1. All the <Attribute> ids under one <Subject> (or other type) on the
        //    policy side are matched by <Attribute> ids under one <Subject> on
        //    the request side;
        // 2. Part of the ids are matched;
        // 3. None of the ids are matched at all.
        // Note the id check is independent of the value check above: the
        // value match and the id match for this policy attribute may come
        // from different request attributes, unless evaluate() itself
        // constrains ids — confirm against the function implementations.
        if( ((*andit).first)->getId() == ((*reqit)->getAttributeValue())->getId() )
          one_id_matched = true;
      // If any of the <Attribute>s in one Request's <Subject> matches one of the
      // Rule.Subjects.Subject.Attribute, count the match. Later, if all of the
      // <Attribute>s under Rule.Subjects.Subject are matched, then the
      // Rule.Subjects.Subject is matched.
      if(one_req_matched) all_fraction_matched +=1;

      // Similar to above, except only the "id" is considered, not the "value"
      // of the <Attribute>.
      if(one_id_matched) all_id_matched +=1;
    // One Rule.Subjects.Subject is satisfied (all of the Attribute values are
    // matched) by the RequestTuple.Subject.
    // NOTE(review): MATCH is returned here without requiring
    // all_id_matched == size, yet idmatched is set to ID_MATCH regardless.
    // Also, an item with no attributes satisfies this check trivially
    // (0 == 0) and matches every request; if the policy parser can produce an
    // empty <Subject>/<Resource>/<Action>/<Context>, either reject it there
    // or guard this branch with `!(*orit).empty()`.
    if(all_fraction_matched == int((*orit).size())){
      idmatched = ID_MATCH;
      return MATCH;
    // All ids lined up but some value did not: a definite NO_MATCH for this
    // item. Keep scanning — a later item may still MATCH (break left out on
    // purpose).
    else if(all_id_matched == int((*orit).size())) { idmatched = ID_MATCH; indeterminate = false; /*break;*/ }
    //else if(all_id_matched > 0) { idmatched = ID_PARTIAL_MATCH; }
  // No item matched. If none of them even had all ids present in the request,
  // the question could not be decided; otherwise it is a real NO_MATCH.
  if(indeterminate) return INDETERMINATE;
  return NO_MATCH;
