nordugrid-arc-nox  1.1.0~rc6
ArcSec Namespace Reference

ArcRequest, Parsing the specified Arc request format. More...

Classes

class  LocalMapDirect
class  LocalMapPool
class  LocalMapList
class  LocalMap
class  IdentityMap
 Apply Tests message against list of PDPs. More...
class  FileLock
class  SimpleMap
class  SecHandler
 Base class for simple security handling plugins. More...
class  SecHandlerPluginArgument
class  SecHandlerConfig
 Helper class to create Security Handler configuration. More...
class  AlgFactory
 Interface for algorithm factory class. More...
class  CombiningAlg
 Interface for combining algorithm. More...
class  DenyOverridesCombiningAlg
 Implement the "Deny-Overrides" algorithm. More...
class  OrderedCombiningAlg
class  PermitOverridesCombiningAlg
 Implement the "Permit-Overrides" algorithm. More...
class  AnyURIAttribute
class  AttributeFactory
 Base attribute factory class. More...
class  AttributeProxy
 Interface for creating the AttributeValue object, it will be used by AttributeFactory. More...
class  AttributeValue
 Interface for containing different types of <Attribute> node for both policy and request. More...
class  BooleanAttribute
class  DateTimeAttribute
 Format: YYYYMMDDHHMMSSZ Day Month DD HH:MM:SS YYYY YYYY-MM-DD HH:MM:SS YYYY-MM-DDTHH:MM:SS+HH:MM YYYY-MM-DDTHH:MM:SSZ. More...
class  TimeAttribute
 Format: HHMMSSZ HH:MM:SS HH:MM:SS+HH:MM HH:MM:SSZ. More...
class  DateAttribute
class  DurationAttribute
 Format: *P??Y??M??DT??H??M??S. More...
struct  ArcPeriod
class  PeriodAttribute
 Format: *datetime"/"duration *datetime"/"datetime *duration"/"datetime. More...
class  GenericAttribute
class  RequestAttribute
 Wrapper which includes the AttributeValue object generated according to the data type of one specific node in Request.xml. More...
class  StringAttribute
class  X500NameAttribute
class  RequestTuple
class  EvaluationCtx
 EvaluationCtx, in charge of storing some context information for. More...
class  Evaluator
 Interface for policy evaluation. Execute the policy evaluation, based on the request and policy. More...
class  EvaluatorContext
 Context for evaluator. It includes the factories which will be used to create related objects. More...
class  EvaluatorLoader
 EvaluatorLoader is implemented as a helper class for loading different Evaluator objects, like ArcEvaluator. More...
class  EqualFunction
 Evaluate whether the two values are equal. More...
class  FnFactory
 Interface for function factory class. More...
class  Function
 Interface for function, which is in charge of evaluating two AttributeValue. More...
class  InRangeFunction
class  MatchFunction
 Evaluate whether arg1 (value in regular expression) matches arg0 (label in regular expression). More...
class  Policy
 Interface for containing and processing different types of policy. More...
class  PolicyParser
 An interface which isolates the policy object from the actual policy storage (files, URLs, database). More...
class  PolicyStore
 Storage place for policy objects. More...
struct  Attr
 Attr contains a tuple of attribute type and value. More...
class  Attrs
 Attrs is a container for one or more Attr. More...
class  Request
 Base class/Interface for request, includes a container for RequestItems and some operations. More...
class  RequestItem
 Interface for request item container, <subjects, actions, objects, ctxs> tuple. More...
class  ResponseItem
 Evaluation result concerning one RequestTuple. More...
class  ResponseList
class  Response
 Container for the evaluation results. More...
struct  EvalResult
 Struct to record the xml node and effect, which will be used by Evaluator to get the information about which rule/policy(in xmlnode) is satisfied. More...
class  Source
 Acquires and parses XML document from specified source. More...
class  SourceFile
 Convenience class for obtaining XML document from file. More...
class  SourceURL
 Convenience class for obtaining XML document from remote URL. More...
struct  AuthzRequestSection
 These structures are based on the request schema for the PDP; so far they apply to the ArcPDP's request schema, see src/hed/pdc/Request.xsd and src/hed/pdc/Request.xml. More...
struct  AuthzRequest
class  PDPConfigContext
class  PDP
 Base class for Policy Decision Point plugins. More...
class  PDPPluginArgument
class  Security
 Common stuff used by security related classes. More...
class  DelegationCollector
class  DelegationSecAttr
class  DelegationMultiSecAttr
class  AllowPDP
 This PDP always returns true (allow). More...
class  ArcAuthZ
 Tests message against list of PDPs. More...
class  ArcAlgFactory
 Algorithm factory class for Arc. More...
class  ArcAttributeFactory
 Attribute factory class for Arc specified attributes. More...
class  ArcAttributeProxy
 Arc specific AttributeProxy class. More...
class  ArcRequestTuple
 RequestTuple, container which includes the. More...
class  ArcEvaluationCtx
 EvaluationCtx, in charge of storing some context information for evaluation, including Request, current time, etc. More...
class  ArcEvaluator
 Execute the policy evaluation, based on the request and policy. More...
class  ArcFnFactory
 Function factory class for Arc specified attributes. More...
class  ArcPDPContext
class  ArcPDP
 ArcPDP - PDP which can handle the Arc specific request and policy schema. More...
class  ArcPolicy
 ArcPolicy class to parse and operate Arc specific <Policy> node. More...
class  ArcRequest
class  ArcRequestItem
 Container, <Subjects, Actions, Objects, Contexts> tuple. More...
class  ArcRule
 ArcRule class to parse Arc specific <Rule> node. More...
class  DelegationPDP
 DelegationPDP - PDP which can handle the Arc specific request and policy provided as identity delegation policy. More...
class  DelegationContext
class  DelegationSH
class  DenyPDP
 This PDP always returns false (deny) More...
class  GACLEvaluator
class  GACLPDPContext
class  GACLPDP
class  GACLPolicy
class  GACLRequest
class  PDPServiceInvoker
 PDPServiceInvoker - client which will invoke pdpservice. More...
class  SAML2SSO_AssertionConsumerSH
 Implement the functionality of the Service Provider in the SAML2 SSO profile. More...
class  SAMLAssertionSecAttr
class  SAMLTokenSH
 Adds WS-Security SAML Token into SOAP Header. More...
class  SimpleListPDP
 Tests X509 subject against list of subjects in file. More...
class  UsernameTokenSH
 Adds WS-Security Username Token into SOAP Header. More...
class  X509TokenSH
 Adds WS-Security X509 Token into SOAP Header. More...
class  AttributeDesignator
class  AttributeSelector
class  XACMLAlgFactory
 Algorithm factory class for XACML. More...
class  XACMLApply
class  XACMLAttributeFactory
 Attribute factory class for XACML specified attributes. More...
class  XACMLAttributeProxy
 XACML specific AttributeProxy class. More...
class  XACMLCondition
 XACMLCondition class to parse and operate XACML specific <Condition> node. More...
class  XACMLEvaluationCtx
 EvaluationCtx, in charge of storing some context information for evaluation, including Request, current time, etc. More...
class  XACMLEvaluator
 Execute the policy evaluation, based on the request and policy. More...
class  XACMLFnFactory
 Function factory class for XACML specified attributes. More...
class  XACMLPDPContext
class  XACMLPDP
 XACMLPDP - PDP which can handle the XACML specific request and policy schema. More...
class  XACMLPolicy
 XACMLPolicy class to parse and operate XACML specific <Policy> node. More...
class  XACMLRequest
class  XACMLRule
 XACMLRule class to parse XACML specific <Rule> node. More...
class  XACMLTargetMatch
class  XACMLTargetMatchGroup
class  XACMLTargetSection
class  XACMLTarget
 XACMLTarget class to parse and operate XACML specific <Target> node. More...
class  Charon
 A Service which includes the ArcPDP functionality; it can be deployed as an independent service to provide request evaluation functionality for the other remote services. More...
class  Service_Delegation
 A Service which launches the proxy certificate request; it accepts the request from. More...
class  Service_AA
 A Service which includes the AttributeAuthority functionality; it accepts a <samlp:AttributeQuery> which includes the <Subject> of the principal from the request and the <Attribute> which the request asks for; it accesses some local attribute database and returns a <samlp:Assertion> which includes the <Attribute>. More...
class  Service_SLCS
 A Service which signs short-lived certificates; it accepts a certificate signing request (CSR) from the client side through SOAP, signs a short-lived certificate and sends it back through SOAP. This service is supposed to be deployed together with the SPService and the saml2sso.serviceprovider handler, in order to sign certificates based on the authentication result from the saml2sso profile. The SAML attributes (inside the SAML assertion from the saml2sso profile) will also be put into the signed short-lived certificate. By deploying this service together with SPService and the saml2sso.serviceprovider handler, we get the conversion from username/password ------> X.509 certificate. More...

Typedefs

typedef std::map< std::string, CombiningAlg * > AlgMap
typedef std::map< std::string, AttributeProxy * > AttrProxyMap
typedef std::map< std::string, Function * > FnMap
typedef std::list< RequestItem * > ReqItemList
 Following are some general structures and classes for storing the request information. In principle, the request structure should be in XML format, and can also include a few items.
typedef std::list< RequestAttribute * > Subject
 Attribute containers, which include a few RequestAttribute objects.
typedef std::list< RequestAttribute * > Resource
typedef std::list< RequestAttribute * > Action
typedef std::list< RequestAttribute * > Context
typedef std::list< Subject > SubList
 Containers, which include a few Subject, Resource, Action or Context objects.
typedef std::list< Resource > ResList
typedef std::list< Action > ActList
typedef std::list< Context > CtxList
typedef std::list< Policy * > Policies
typedef std::pair< AttributeValue *, Function * > Match
 The pair Match includes the AttributeValue object in <Rule> and the Function used to handle the AttributeValue. The default function is "Equal"; if some other function is used, it must be specified explicitly, e.g. <Subject type="string" function="Match">/vo.knowarc/usergroupA</Subject>
typedef std::list< Match > AndList
 "And" relationship means the request must satisfy all of the items: <Subject> <SubFraction type="X500DN">/O=Grid/OU=KnowARC/CN=XYZ</SubFraction> <SubFraction type="ShibName">urn:mace:shibboleth:examples</SubFraction> </Subject>
typedef std::list< AndList > OrList
 OrList - includes the items inside one <Subjects> (or <Resources> <Actions> <Conditions>)

Enumerations

enum  EvaluatorCombiningAlg { EvaluatorFailsOnDeny, EvaluatorStopsOnDeny, EvaluatorStopsOnPermit, EvaluatorStopsNever }
enum  Result { DECISION_PERMIT = 0, DECISION_DENY = 1, DECISION_INDETERMINATE = 2, DECISION_NOT_APPLICABLE = 3 }
 Evaluation result. More...
enum  MatchResult { MATCH = 0, NO_MATCH = 1, INDETERMINATE = 2 }
 Match result. More...
enum  Id_MatchResult { ID_MATCH = 0, ID_PARTIAL_MATCH = 1, ID_NO_MATCH = 2 }

Functions

static std::string get_val (std::string &str)
static LocalMap * MakeLocalMap (Arc::XMLNode pdp)
 ORDERED_ALG_CLASS (PermitDenyIndeterminateNotApplicableCombiningAlg)
 ORDERED_ALG_CLASS (PermitDenyNotApplicableIndeterminateCombiningAlg)
 ORDERED_ALG_CLASS (PermitIndeterminateDenyNotApplicableCombiningAlg)
 ORDERED_ALG_CLASS (PermitIndeterminateNotApplicableDenyCombiningAlg)
 ORDERED_ALG_CLASS (PermitNotApplicableDenyIndeterminateCombiningAlg)
 ORDERED_ALG_CLASS (PermitNotApplicableIndeterminateDenyCombiningAlg)
 ORDERED_ALG_CLASS (DenyPermitIndeterminateNotApplicableCombiningAlg)
 ORDERED_ALG_CLASS (DenyPermitNotApplicableIndeterminateCombiningAlg)
 ORDERED_ALG_CLASS (DenyIndeterminatePermitNotApplicableCombiningAlg)
 ORDERED_ALG_CLASS (DenyIndeterminateNotApplicablePermitCombiningAlg)
 ORDERED_ALG_CLASS (DenyNotApplicablePermitIndeterminateCombiningAlg)
 ORDERED_ALG_CLASS (DenyNotApplicableIndeterminatePermitCombiningAlg)
 ORDERED_ALG_CLASS (IndeterminatePermitDenyNotApplicableCombiningAlg)
 ORDERED_ALG_CLASS (IndeterminatePermitNotApplicableDenyCombiningAlg)
 ORDERED_ALG_CLASS (IndeterminateDenyPermitNotApplicableCombiningAlg)
 ORDERED_ALG_CLASS (IndeterminateDenyNotApplicablePermitCombiningAlg)
 ORDERED_ALG_CLASS (IndeterminateNotApplicablePermitDenyCombiningAlg)
 ORDERED_ALG_CLASS (IndeterminateNotApplicableDenyPermitCombiningAlg)
 ORDERED_ALG_CLASS (NotApplicablePermitDenyIndeterminateCombiningAlg)
 ORDERED_ALG_CLASS (NotApplicablePermitIndeterminateDenyCombiningAlg)
 ORDERED_ALG_CLASS (NotApplicableDenyPermitIndeterminateCombiningAlg)
 ORDERED_ALG_CLASS (NotApplicableDenyIndeterminatePermitCombiningAlg)
 ORDERED_ALG_CLASS (NotApplicableIndeterminatePermitDenyCombiningAlg)
 ORDERED_ALG_CLASS (NotApplicableIndeterminateDenyPermitCombiningAlg)
std::ostream & operator<< (std::ostream &o, Result r)
static Arc::Logger logger (Arc::Logger::getRootLogger(),"DelegationCollector")
static bool get_proxy_policy (X509 *cert, DelegationMultiSecAttr *sattr)
Arc::Plugin * get_arcpdp_alg_factory (Arc::PluginArgument *)
Arc::Plugin * get_arcpdp_attr_factory (Arc::PluginArgument *)
Arc::Plugin * get_arcpdp_fn_factory (Arc::PluginArgument *)
static unsigned long string_hash (const std::string &value)
static void add_subject_attribute (XMLNode item, const std::string &subject, const char *id)
Arc::Plugin * get_xacmlpdp_alg_factory (Arc::PluginArgument *)
Arc::Plugin * get_xacmlpdp_attr_factory (Arc::PluginArgument *)
Arc::Plugin * get_xacmlpdp_fn_factory (Arc::PluginArgument *)
static Arc::Plugin * get_service (Arc::PluginArgument *arg)
static std::string get_cert_str (const std::string &cert)
static Arc::LogStream logcerr (std::cerr)

Variables

Arc::XMLNode arc_evaluator_cfg_nd ("\ <ArcConfig\ xmlns=\"http://www.nordugrid.org/schemas/ArcConfig/2007\"\ xmlns:pdp=\"http://www.nordugrid.org/schemas/pdp/Config\">\ <ModuleManager>\ <Path></Path>\ </ModuleManager>\ <Plugins Name='arcshc'>\ <Plugin Name='__arc_attrfactory_modules__'>attrfactory</Plugin>\ <Plugin Name='__arc_fnfactory_modules__'>fnfactory</Plugin>\ <Plugin Name='__arc_algfactory_modules__'>algfactory</Plugin>\ <Plugin Name='__arc_evaluator_modules__'>evaluator</Plugin>\ <Plugin Name='__arc_request_modules__'>request</Plugin>\ <Plugin Name='__arc_policy_modules__'>policy</Plugin>\ </Plugins>\ <pdp:PDPConfig>\ <pdp:AttributeFactory name='arc.attrfactory' />\ <pdp:CombingAlgorithmFactory name='arc.algfactory' />\ <pdp:FunctionFactory name='arc.fnfactory' />\ <pdp:Evaluator name='arc.evaluator' />\ <pdp:Request name='arc.request' />\ <pdp:Policy name='arc.policy' />\ </pdp:PDPConfig>\ </ArcConfig>")
Arc::XMLNode xacml_evaluator_cfg_nd ("\ <ArcConfig\ xmlns=\"http://www.nordugrid.org/schemas/ArcConfig/2007\"\ xmlns:pdp=\"http://www.nordugrid.org/schemas/pdp/Config\">\ <ModuleManager>\ <Path></Path>\ </ModuleManager>\ <Plugins Name='arcshc'>\ <Plugin Name='__arc_attrfactory_modules__'>attrfactory</Plugin>\ <Plugin Name='__arc_fnfactory_modules__'>fnfactory</Plugin>\ <Plugin Name='__arc_algfactory_modules__'>algfactory</Plugin>\ <Plugin Name='__arc_evaluator_modules__'>evaluator</Plugin>\ <Plugin Name='__arc_request_modules__'>request</Plugin>\ <Plugin Name='__arc_policy_modules__'>policy</Plugin>\ </Plugins>\ <pdp:PDPConfig>\ <pdp:AttributeFactory name='xacml.attrfactory' />\ <pdp:CombingAlgorithmFactory name='xacml.algfactory' />\ <pdp:FunctionFactory name='xacml.fnfactory' />\ <pdp:Evaluator name='xacml.evaluator' />\ <pdp:Request name='xacml.request' />\ <pdp:Policy name='xacml.policy' />\ </pdp:PDPConfig>\ </ArcConfig>")
static Arc::LogStream logcerr (std::cerr)

Detailed Description

ArcRequest, Parsing the specified Arc request format.

XACMLRequest, Parsing the xacml request format.


Class Documentation

struct ArcSec::ArcPeriod

Definition at line 115 of file DateTimeAttribute.h.

Class Members
Period duration
Time endtime
Time starttime
struct ArcSec::Attr

Attr contains a tuple of attribute type and value.

Definition at line 21 of file Request.h.

Class Members
string type
string value
struct ArcSec::EvalResult

Struct to record the xml node and effect, which will be used by Evaluator to get the information about which rule/policy(in xmlnode) is satisfied.

Definition at line 38 of file Result.h.

Class Members
string effect
XMLNode node
struct ArcSec::AuthzRequestSection

These structures are based on the request schema for the PDP; so far they apply to the ArcPDP's request schema, see src/hed/pdc/Request.xsd and src/hed/pdc/Request.xml.

They could also apply to the XACMLPDP's request schema, since the difference is minor.

The alternative approach is for the service to compose/marshal the XML structure directly, but then the service would need different code to compose for the ArcPDP's request schema and for the XACMLPDP's schema, which is not so good.

Definition at line 19 of file PDP.h.

Class Members
string id
string issuer
string type
string value
struct ArcSec::AuthzRequest

Definition at line 25 of file PDP.h.

Class Members
list< AuthzRequestSection > action
list< AuthzRequestSection > context
list< AuthzRequestSection > resource
list< AuthzRequestSection > subject

Typedef Documentation

typedef std::list<RequestAttribute*> ArcSec::Action

Definition at line 93 of file RequestItem.h.

typedef std::list<Action> ArcSec::ActList

Definition at line 98 of file RequestItem.h.

typedef std::map<std::string, CombiningAlg*> ArcSec::AlgMap

Definition at line 11 of file AlgFactory.h.

typedef std::list<Match> ArcSec::AndList

"And" relationship means the request must satisfy all of the items:

  <Subject>
    <SubFraction type="X500DN">/O=Grid/OU=KnowARC/CN=XYZ</SubFraction>
    <SubFraction type="ShibName">urn:mace:shibboleth:examples</SubFraction>
  </Subject>

"Or" relationship means the request must satisfy any of the items:

  <Subjects>
    <Subject type="X500DN">/O=Grid/OU=KnowARC/CN=ABC</Subject>
    <Subject type="VOMSAttribute">/vo.knowarc/usergroupA</Subject>
    <Subject>
      <SubFraction type="X500DN">/O=Grid/OU=KnowARC/CN=XYZ</SubFraction>
      <SubFraction type="ShibName">urn:mace:shibboleth:examples</SubFraction>
    </Subject>
    <GroupIdRef location="./subjectgroup.xml">subgrpexample1</GroupIdRef>
  </Subjects>

AndList - includes the items inside one <Subject> (or <Resource> <Action> <Condition>)

Definition at line 51 of file ArcRule.h.

typedef std::map<std::string, AttributeProxy*> ArcSec::AttrProxyMap

Definition at line 13 of file AttributeFactory.h.

typedef std::list<RequestAttribute*> ArcSec::Context

Definition at line 93 of file RequestItem.h.

typedef std::list<Context> ArcSec::CtxList

Definition at line 99 of file RequestItem.h.

typedef std::map<std::string, Function*> ArcSec::FnMap

Definition at line 11 of file FnFactory.h.

typedef std::pair<AttributeValue*, Function*> ArcSec::Match

The pair Match includes the AttributeValue object in <Rule> and the Function used to handle the AttributeValue. The default function is "Equal"; if some other function is used, it must be specified explicitly, e.g. <Subject type="string" function="Match">/vo.knowarc/usergroupA</Subject>

<Subjects> example inside <Rule>:

  <Subjects>
    <Subject type="X500Name">/O=NorduGrid/OU=UIO/CN=test</Subject>
    <Subject type="string">/vo.knowarc/usergroupA</Subject>
    <Subject>
      <SubFraction type="string">/O=Grid/OU=KnowARC/CN=XYZ</SubFraction>
      <SubFraction type="string">urn:mace:shibboleth:examples</SubFraction>
    </Subject>
    <GroupIdRef location="./subjectgroup.xml">subgrpexample1</GroupIdRef>
  </Subjects>

Definition at line 20 of file ArcRule.h.

typedef std::list<AndList> ArcSec::OrList

OrList - include items inside one <Subjects> (or <Resources> <Actions> <Conditions>)

Definition at line 54 of file ArcRule.h.

typedef std::list<Policy*> ArcSec::Policies

Definition at line 12 of file Response.h.

typedef std::list<RequestItem*> ArcSec::ReqItemList

Following are some general structures and classes for storing the request information. In principle, the request structure should be in XML format, and can also include a few items.

ReqItemList is a container for RequestItem objects

Definition at line 18 of file Request.h.

typedef std::list<Resource> ArcSec::ResList

Definition at line 97 of file RequestItem.h.

typedef std::list<RequestAttribute*> ArcSec::Resource

Definition at line 93 of file RequestItem.h.

typedef std::list<RequestAttribute*> ArcSec::Subject

Attribute containers, which include a few RequestAttribute objects.

Why do we need such containers? A Subject node could look like the one below, including a few attributes at the same time:

  <Subject>
    <Attribute attributeid="urn:arc:subject:voms-attribute" type="xsd:string">administrator</Attribute>
    <Attribute attributeid="urn:arc:subject:voms-attribute" type="X500DN">/O=NorduGrid/OU=UIO/CN=admin</Attribute>
  </Subject>

Or it could include only one attribute:

  <Subject attributeid="urn:arc:subject:dn" type="X500DN">/O=NorduGrid/OU=UIO/CN=test</Subject>

Or include a few attributes of the same type at the same time:

  <Subject type="xsd:string">
    <Attribute attributeid="urn:arc:subject:voms-attribute">administrator</Attribute>
    <Attribute attributeid="urn:arc:subject:voms-attribute">/O=NorduGrid/OU=UIO/CN=admin</Attribute>
  </Subject>

Note: a <Subject> (or other) node with more than one <Attribute> means the <Subject> owns all the included attributes at the same time, e.g. a person with email: abc, DN: /O=XYZ/OU=ABC/CN=theguy and role: administrator. However, parallel <Subject>s inside one SubList (see below for the definition of the ***List types) does not mean there is any relationship between these <Subject>s.

So, given the following examples of <Subject>:

Subject1:
  <Subject>
    <Attribute attributeid="urn:arc:subject:voms-attribute" type="xsd:string">administrator</Attribute>
    <Attribute attributeid="urn:arc:subject:voms-attribute" type="X500DN">/O=NorduGrid/OU=UIO/CN=admin</Attribute>
  </Subject>

Subject2:
  <Subject attributeid="urn:arc:subject:voms-attribute" type="X500DN">/O=NorduGrid/OU=UIO/CN=test</Subject>

Subject3:
  <Subject attributeid="urn:arc:subject:voms-attribute" type="xsd:string">administrator</Subject>

the former will be interpreted as one <Subject1, Action, Resource, Context> request tuple holding two attributes at the same time, while the latter two will be interpreted as two independent tuples, <Subject2, Action, Resource, Context> and <Subject3, Action, Resource, Context>, each holding one attribute. Considering the policy side, with a policy snippet like this:

  <Rule>
    <Subjects>
      <Subject type="X500DN">/O=NorduGrid/OU=UIO/CN=admin</Subject>
      <Subject type="xsd:string">administrator</Subject>
    </Subjects>
    <Resources>......</Resources>
    <Actions>......</Actions>
    <Conditions>......</Conditions>
  </Rule>

all of Subject1, Subject2 and Subject3 will satisfy the <Subjects> in the policy. But if the policy snippet is like this:

  <Rule>
    <Subjects>
      <Subject>
        <SubFraction type="X500DN">/O=NorduGrid/OU=UIO/CN=admin</SubFraction>
        <SubFraction type="xsd:string">administrator</SubFraction>
      </Subject>
    </Subjects>
    <Resources>......</Resources>
    <Actions>......</Actions>
    <Conditions>......</Conditions>
  </Rule>

then only Subject1 can satisfy the <Subjects> in the policy.

A complete request item could look like:

  <RequestItem>
    <Subject attributeid="urn:arc:subject:dn" type="string">/O=NorduGrid/OU=UIO/CN=test</Subject>
    <Subject attributeid="urn:arc:subject:voms-attribute" type="xsd:string">administrator</Subject>
    <Subject>
      <Attribute attributeid="urn:arc:subject:voms-attribute" type="xsd:string">guest</Attribute>
      <Attribute attributeid="urn:arc:subject:voms-attribute" type="X500DN">/O=NorduGrid/OU=UIO/CN=anonymous</Attribute>
    </Subject>
    <Resource attributeid="urn:arc:resource:file" type="string">file://home/test</Resource>
    <Action attributeid="urn:arc:action:file-action" type="string">read</Action>
    <Action attributeid="urn:arc:action:file-action" type="string">copy</Action>
    <Context attributeid="urn:arc:context:date" type="period">2007-09-10T20:30:20/P1Y1M</Context>
  </RequestItem>

Here, putting a few <Subject>s, <Resource>s, <Action>s or <Context>s together (inside one RequestItem) is only for convenience of expression (there is no logical relationship between them). For more than one <<Subject>, <Resource>, <Action>, <Context>> tuple, if only one element (e.g. <Subject>) differs between them, you can merge these tuples into one <<Subject1>, <Subject2>, <Resource>, <Action>, <Context>> tuple instead of writing several tuples.

Definition at line 93 of file RequestItem.h.
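The matching semantics described above, as an added illustration that is not ArcSec code: a hypothetical model in which a request <Subject> is the set of attributes it owns, a policy <Subject> is an AND-list of fractions, <Subjects> is an OR-list, and only the default "Equal" function is used. Subject2's DN is taken to be the admin DN named in the policy so that the documented outcome (all three satisfy policy A, only Subject1 satisfies policy B) can be checked, and a constructed fourth subject with the CN=test DN shows a non-match.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model (not ArcSec code) of request-side <Subject> matching
// against a policy-side <Subjects> section. Only "Equal" is modelled.
namespace demo {

// One (type, value) attribute, the counterpart of ArcSec::Attr.
struct Attr {
  std::string type;
  std::string value;
};

// Request-side <Subject>: attributes the subject owns at the same time
// (one entry per <Attribute> child; a plain <Subject type=...> has one).
typedef std::vector<Attr> ReqSubject;

// Policy-side <Subject>: an AND-list of <SubFraction>s; a plain
// <Subject type=...>value</Subject> is an AND-list of one fraction.
typedef std::vector<Attr> AndList;

// Policy-side <Subjects>: an OR-list of policy <Subject>s.
typedef std::vector<AndList> OrList;

enum MatchResult { MATCH = 0, NO_MATCH = 1 };

// "Equal" function: the fraction is satisfied when the request subject owns
// an attribute with the same type and value.
bool fractionMatched(const Attr& fraction, const ReqSubject& subj) {
  for (const Attr& a : subj)
    if (a.type == fraction.type && a.value == fraction.value) return true;
  return false;
}

// AND semantics: every fraction must be satisfied by the same request <Subject>.
MatchResult matchAndList(const AndList& policySubject, const ReqSubject& subj) {
  for (const Attr& f : policySubject)
    if (!fractionMatched(f, subj)) return NO_MATCH;
  return MATCH;
}

// OR semantics: any one policy <Subject> inside <Subjects> is enough.
MatchResult matchSubjects(const OrList& subjects, const ReqSubject& subj) {
  for (const AndList& al : subjects)
    if (matchAndList(al, subj) == MATCH) return MATCH;
  return NO_MATCH;
}

// Parallel <Subject>s inside one <RequestItem> are independent tuples: each is
// evaluated on its own and attributes are never pooled across them.
int countMatchingTuples(const OrList& subjects, const std::vector<ReqSubject>& item) {
  int n = 0;
  for (const ReqSubject& s : item)
    if (matchSubjects(subjects, s) == MATCH) ++n;
  return n;
}

// Constructed request subjects mirroring Subject1/Subject2/Subject3 from the
// documentation (Subject2's DN assumed to be the admin DN from the policy).
const ReqSubject kSubject1 = {Attr{"xsd:string", "administrator"},
                              Attr{"X500DN", "/O=NorduGrid/OU=UIO/CN=admin"}};
const ReqSubject kSubject2 = {Attr{"X500DN", "/O=NorduGrid/OU=UIO/CN=admin"}};
const ReqSubject kSubject3 = {Attr{"xsd:string", "administrator"}};
// Constructed extra subject whose DN matches nothing in the policy.
const ReqSubject kSubject4 = {Attr{"X500DN", "/O=NorduGrid/OU=UIO/CN=test"}};

// Policy A: two parallel <Subject>s under <Subjects> (OR).
const OrList kPolicyA = {AndList{Attr{"X500DN", "/O=NorduGrid/OU=UIO/CN=admin"}},
                         AndList{Attr{"xsd:string", "administrator"}}};
// Policy B: one <Subject> with two <SubFraction>s (AND).
const OrList kPolicyB = {AndList{Attr{"X500DN", "/O=NorduGrid/OU=UIO/CN=admin"},
                                 Attr{"xsd:string", "administrator"}}};

}  // namespace demo

int main() {
  using namespace demo;
  const std::vector<ReqSubject> item = {kSubject1, kSubject2, kSubject3, kSubject4};
  std::cout << "policy A (OR): " << countMatchingTuples(kPolicyA, item) << " of 4 tuples match\n";
  std::cout << "policy B (AND): " << countMatchingTuples(kPolicyB, item) << " of 4 tuples match\n";
  return 0;
}
```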

typedef std::list<Subject> ArcSec::SubList

Containers, which include a few Subject, Resource, Action or Context objects.

Definition at line 96 of file RequestItem.h.


Enumeration Type Documentation

enum ArcSec::EvaluatorCombiningAlg

Enumerator:
EvaluatorFailsOnDeny 

Evaluation is carried out until any non-matching policy is found, and all matching policies are discarded from the reported list.

This is the default behavior.

EvaluatorStopsOnDeny 

Evaluation is carried out until any non-matching policy is found.

EvaluatorStopsOnPermit 

Evaluation is carried out until any matching policy is found.

EvaluatorStopsNever 

Evaluation continues until all policies are checked.

Definition at line 19 of file Evaluator.h.

enum ArcSec::Id_MatchResult

Enumerator:
ID_MATCH 
ID_PARTIAL_MATCH 
ID_NO_MATCH 

Definition at line 57 of file ArcRule.h.

enum Id_MatchResult {
  // The "id" of every <Attribute> under a <Subject> (or other type) is matched
  // by the <Attribute>s under <Subject> in <RequestItem>
  ID_MATCH = 0,
  // Only part of the "id"s are matched
  ID_PARTIAL_MATCH = 1,
  // None of the <Attribute> "id"s is matched
  ID_NO_MATCH = 2
};

enum ArcSec::MatchResult

Match result.

Enumerator:
MATCH 

Match: the request tuple <Subject, Resource, Action, Context> matches the rule.

NO_MATCH 

No_Match: the request tuple <Subject, Resource, Action, Context> does not match the rule.

INDETERMINATE 

Indeterminate: the request tuple <Subject, Resource, Action, Context> matches the rule, but in terms of the other "Condition" the tuple does not match.

So far, Indeterminate has no meaning in the existing code (it will never be switched to).

Definition at line 26 of file Result.h.

enum MatchResult {
  MATCH = 0,
  NO_MATCH = 1,
  INDETERMINATE = 2
};

enum ArcSec::Result

Evaluation result.

Enumerator:
DECISION_PERMIT 

Permit.

DECISION_DENY 

Deny.

DECISION_INDETERMINATE 

Indeterminate, because of the Indeterminate from the "Matching".

DECISION_NOT_APPLICABLE 

Not_Applicable: the request tuple <Subject, Resource, Action, Context> does not match the rule.

So there is no way to get to the "Permit"/"Deny" effect.

Definition at line 4 of file Result.h.


Function Documentation

static void ArcSec::add_subject_attribute ( XMLNode  item, const std::string &  subject, const char *  id ) [static]

Definition at line 79 of file SAMLTokenSH.cpp.

// Appends a string-typed ra:SubjectAttribute child carrying the given subject
// value and AttributeId to the request item.
static void add_subject_attribute(XMLNode item, const std::string& subject, const char* id) {
   XMLNode attr = item.NewChild("ra:SubjectAttribute");
   attr=subject; attr.NewAttribute("Type")="string";
   attr.NewAttribute("AttributeId")=id;
}


Arc::Plugin* ArcSec::get_arcpdp_alg_factory ( Arc::PluginArgument *  )

Definition at line 24 of file ArcAlgFactory.cpp.

// Plugin entry point returning the Arc combining-algorithm factory.
Arc::Plugin* get_arcpdp_alg_factory(Arc::PluginArgument*) {
    return new ArcSec::ArcAlgFactory();
}

Arc::Plugin* ArcSec::get_arcpdp_attr_factory ( Arc::PluginArgument *  )

Definition at line 27 of file ArcAttributeFactory.cpp.

// Plugin entry point returning the Arc attribute factory.
Arc::Plugin* get_arcpdp_attr_factory(Arc::PluginArgument*) {
    return new ArcSec::ArcAttributeFactory();
}

Arc::Plugin* ArcSec::get_arcpdp_fn_factory ( Arc::PluginArgument *  )

Definition at line 29 of file ArcFnFactory.cpp.

// Plugin entry point returning the Arc function factory.
Arc::Plugin* get_arcpdp_fn_factory(Arc::PluginArgument*) {
    return new ArcSec::ArcFnFactory();
}
static std::string ArcSec::get_cert_str ( const std::string &  cert) [static]

Definition at line 48 of file aaservice.cpp.

// Returns the base64 body of a PEM certificate, i.e. the text between the
// "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers,
// or "" if no BEGIN marker is present.
static std::string get_cert_str(const std::string& cert) {
  std::size_t pos = cert.find("BEGIN CERTIFICATE");
  if(pos != std::string::npos) {
    std::size_t pos1 = cert.find_first_of("---", pos);
    std::size_t pos2 = cert.find_first_not_of("-", pos1);
    std::size_t pos3 = cert.find_first_of("---", pos2);
    std::string str = cert.substr(pos2+1, pos3-pos2-2);
    return str;
  }
  return ("");
}


static bool ArcSec::get_proxy_policy ( X509 *  cert, DelegationMultiSecAttr *  sattr ) [static]

Definition at line 29 of file DelegationCollector.cpp.

// Extracts the proxy policy from the certificate's proxyCertInfo extension and
// feeds an ARC policy into sattr. Returns true if the certificate is not a
// proxy, inherits all rights, or carries a recognised ARC policy; false otherwise.
static bool get_proxy_policy(X509* cert, DelegationMultiSecAttr* sattr) {
  bool result = false;
#ifdef HAVE_OPENSSL_PROXY
  PROXY_CERT_INFO_EXTENSION *pci = (PROXY_CERT_INFO_EXTENSION*)X509_get_ext_d2i(cert,NID_proxyCertInfo,NULL,NULL);
  if(!pci) return true; // No proxy 
  switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) {
    case NID_Independent: { // No rights granted
      // Either such a situation should be disallowed or 
      // a policy should be generated which grants no rights for anything.
      // The first option is easier to implement, so it is used at least for now.
      logger.msg(DEBUG,"Independent proxy - no rights granted");
    }; break; 
    case NID_id_ppl_inheritAll: {
      // All rights granted. No additional policies should be enforced.
      logger.msg(DEBUG,"Proxy with all rights inherited");
      result=true;
    }; break;
    case NID_id_ppl_anyLanguage: { // Here we store ARC policy
      // Whether this is an ARC policy is determined by examining the content
      const char* policy_str = (const char *)(pci->proxyPolicy->policy->data);
      int policy_length = pci->proxyPolicy->policy->length;
      if((policy_str == NULL) || (policy_length <= 0)) {
        logger.msg(DEBUG,"Proxy with empty policy  - fail on unrecognized policy");
        break;
      };
      {
        std::string s(policy_str,policy_length);
        logger.msg(DEBUG,"Proxy with specific policy: %s",s);
      };
      result = sattr->Add(policy_str,policy_length);
      if(result) {
        logger.msg(DEBUG,"Proxy with ARC Policy");
      } else {
        logger.msg(DEBUG,"Proxy with unknown policy  - fail on unrecognized policy");
      };
    }; break;
    default: {
      // Unsupported policy - fail
    }; break;
  };
  PROXY_CERT_INFO_EXTENSION_free(pci);
#endif
  return result;
}


static Arc::Plugin* ArcSec::get_service ( Arc::PluginArgument *  arg) [static]

Definition at line 37 of file charon.cpp.

// Service plugin entry point: builds a Charon service from the plugin argument,
// or returns NULL if the argument is not a ServicePluginArgument.
static Arc::Plugin* get_service(Arc::PluginArgument* arg) {
    Arc::ServicePluginArgument* srvarg =
            arg?dynamic_cast<Arc::ServicePluginArgument*>(arg):NULL;
    if(!srvarg) return NULL;
    return new Charon((Arc::Config*)(*srvarg));
}
static std::string ArcSec::get_val ( std::string &  str) [static]

Definition at line 87 of file IdentityMap.cpp.

// Consumes and returns the first token of str: a double- or single-quoted
// string (quotes stripped), or otherwise the run up to the first space/tab.
// The consumed token is removed from str; an unterminated quote yields "".
static std::string get_val(std::string& str) {
  std::string val;
  if(str[0] == '"') {
    std::string::size_type p = str.find('"',1);
    if(p == std::string::npos) return "";
    val=str.substr(1,p-1);
    str=str.substr(p+1);
    return val;
  };
  if(str[0] == '\'') {
    std::string::size_type p = str.find('\'',1);
    if(p == std::string::npos) return "";
    val=str.substr(1,p-1);
    str=str.substr(p+1);
    return val;
  };
  std::string::size_type p = str.find_first_of(" \t");
  if(p == std::string::npos) {
    val=str; str.resize(0);
  } else {
    val=str.substr(0,p); str=str.substr(p);
  };
  return val;
}


Definition at line 18 of file XACMLAlgFactory.cpp.

                                                         {
    return new ArcSec::XACMLAlgFactory();
}

Definition at line 20 of file XACMLAttributeFactory.cpp.

                                                          {
    return new ArcSec::XACMLAttributeFactory();
}

Definition at line 20 of file XACMLFnFactory.cpp.

{
    // Plugin entry point: hands the loader a fresh XACMLFnFactory.
    return new ArcSec::XACMLFnFactory();
}
static Arc::LogStream ArcSec::logcerr(std::cerr);
static Arc::Logger ArcSec::logger(Arc::Logger::getRootLogger(), "DelegationCollector");

These two are static objects, not functions: a log stream writing to std::cerr and a logger named "DelegationCollector" attached to the root logger.


static LocalMap* ArcSec::MakeLocalMap(Arc::XMLNode pdp)

Definition at line 141 of file IdentityMap.cpp.

{
  // Builds one mapping rule from a PDP element. The element kinds are tried in a
  // fixed order, so a node carrying more than one is resolved by the first match:
  //   LocalName       -> LocalMapDirect, a single local account name;
  //   LocalList       -> LocalMapList, one or more mapping files (every
  //                      LocalList element of the node is collected);
  //   LocalSimplePool -> LocalMapPool, a pool directory.
  // An empty value, or none of the three elements, yields NULL (no mapping).
  Arc::XMLNode p;
  p=pdp["LocalName"];
  if(p) {
    std::string name = p;
    if(name.empty()) return NULL;
    return new LocalMapDirect(name);
  };
  p=pdp["LocalList"];
  if(p) {
    std::vector<std::string> files;
    while (p) {
        files.push_back((std::string) p);
        ++p;
    }
    if(files.empty()) return NULL;
    return new LocalMapList(files);
  };
  p=pdp["LocalSimplePool"];
  if(p) {
    std::string dir = p;
    if(dir.empty()) return NULL;
    return new LocalMapPool(dir);
  };
  return NULL;
}


inline std::ostream& ArcSec::operator<<(std::ostream& o, Result r)

Definition at line 15 of file Result.h.

{
    switch(r) {
      case DECISION_PERMIT: return o<<"Permit";
      case DECISION_DENY: return o<<"Deny";
      case DECISION_INDETERMINATE: return o<<"Indeterminate";
      case DECISION_NOT_APPLICABLE: return o<<"Not Applicable";
    };
    return o<<"Undefined";
}
ArcSec::ORDERED_ALG_CLASS ( PermitDenyIndeterminateNotApplicableCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( PermitDenyNotApplicableIndeterminateCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( PermitIndeterminateDenyNotApplicableCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( PermitIndeterminateNotApplicableDenyCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( PermitNotApplicableDenyIndeterminateCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( PermitNotApplicableIndeterminateDenyCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( DenyPermitIndeterminateNotApplicableCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( DenyPermitNotApplicableIndeterminateCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( DenyIndeterminatePermitNotApplicableCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( DenyIndeterminateNotApplicablePermitCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( DenyNotApplicablePermitIndeterminateCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( DenyNotApplicableIndeterminatePermitCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( IndeterminatePermitDenyNotApplicableCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( IndeterminatePermitNotApplicableDenyCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( IndeterminateDenyPermitNotApplicableCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( IndeterminateDenyNotApplicablePermitCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( IndeterminateNotApplicablePermitDenyCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( IndeterminateNotApplicableDenyPermitCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( NotApplicablePermitDenyIndeterminateCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( NotApplicablePermitIndeterminateDenyCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( NotApplicableDenyPermitIndeterminateCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( NotApplicableDenyIndeterminatePermitCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( NotApplicableIndeterminatePermitDenyCombiningAlg  )
ArcSec::ORDERED_ALG_CLASS ( NotApplicableIndeterminateDenyPermitCombiningAlg  )
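The twenty-four ORDERED_ALG_CLASS instances above differ only in the priority order of the four decisions spelled out in their names. What follows is an added example, not the project's OrderedCombiningAlg: it recovers that order from a class name and combines a list of per-policy decisions under it. The combining rule used here, that the decision appearing earliest in the algorithm's order wins whatever the order of the policies, is an assumption about the project's semantics; the names order_from_name, combine_under and is_ordered_alg_name are chosen for this example; the Result enum and operator<< are copied from the page with assumed enumerator values.

```cpp
#include <algorithm>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Local copy of the page's Result enum. The names are the page's; the numeric
// values are assumed and never matter here, only each algorithm's order does.
enum Result {
  DECISION_PERMIT,
  DECISION_DENY,
  DECISION_INDETERMINATE,
  DECISION_NOT_APPLICABLE
};

inline std::ostream& operator<<(std::ostream& o, Result r) {
  switch(r) {
    case DECISION_PERMIT: return o<<"Permit";
    case DECISION_DENY: return o<<"Deny";
    case DECISION_INDETERMINATE: return o<<"Indeterminate";
    case DECISION_NOT_APPLICABLE: return o<<"Not Applicable";
  }
  return o<<"Undefined";
}

// Recover the priority order from a class name as listed under ORDERED_ALG_CLASS,
// e.g. "DenyPermitIndeterminateNotApplicableCombiningAlg". Each of the four
// decisions must appear exactly once, followed by the "CombiningAlg" suffix.
std::vector<Result> order_from_name(const std::string& name) {
  static const struct { const char* word; Result r; } words[] = {
    {"Permit", DECISION_PERMIT},
    {"Deny", DECISION_DENY},
    {"Indeterminate", DECISION_INDETERMINATE},
    {"NotApplicable", DECISION_NOT_APPLICABLE},
  };
  std::vector<Result> order;
  std::string::size_type pos = 0;
  while(order.size() < 4) {
    bool matched = false;
    for(size_t i = 0; i < 4; ++i) {
      const std::string w(words[i].word);
      if(name.compare(pos, w.size(), w) == 0 &&
         std::find(order.begin(), order.end(), words[i].r) == order.end()) {
        order.push_back(words[i].r);
        pos += w.size();
        matched = true;
        break;
      }
    }
    if(!matched)
      throw std::invalid_argument("not an ordered combining algorithm name: " + name);
  }
  if(name.compare(pos, std::string::npos, "CombiningAlg") != 0)
    throw std::invalid_argument("not an ordered combining algorithm name: " + name);
  return order;
}

// Assumed semantics (example, not the project's class): all policies have been
// evaluated and the decision that comes first in the algorithm's order wins,
// regardless of which policy produced it. A Deny-first order therefore behaves
// like deny-overrides, a Permit-first order like permit-overrides.
class OrderedCombiningAlg {
 public:
  explicit OrderedCombiningAlg(const std::string& name)
    : name_(name), order_(order_from_name(name)) {}
  const std::string& name() const { return name_; }
  Result combine(const std::vector<Result>& decisions) const {
    for(size_t i = 0; i < order_.size(); ++i) {
      if(std::find(decisions.begin(), decisions.end(), order_[i]) != decisions.end())
        return order_[i];
    }
    return DECISION_NOT_APPLICABLE;   // no policies at all: nothing applied
  }
 private:
  std::string name_;
  std::vector<Result> order_;
};

// Combine one decision list under one named algorithm.
Result combine_under(const std::string& alg, const std::vector<Result>& decisions) {
  return OrderedCombiningAlg(alg).combine(decisions);
}

// True when the name spells a valid ordered combining algorithm.
bool is_ordered_alg_name(const std::string& name) {
  try { order_from_name(name); } catch(const std::invalid_argument&) { return false; }
  return true;
}

int main() {
  // Constructed sample: three policies answered Not Applicable, Permit and Deny.
  std::vector<Result> decisions = {DECISION_NOT_APPLICABLE, DECISION_PERMIT, DECISION_DENY};
  const char* algs[] = {"PermitDenyIndeterminateNotApplicableCombiningAlg",
                        "DenyPermitIndeterminateNotApplicableCombiningAlg",
                        "IndeterminateNotApplicableDenyPermitCombiningAlg"};
  for(size_t i = 0; i < 3; ++i)
    std::cout << algs[i] << " -> " << combine_under(algs[i], decisions) << "\n";
  return 0;
}
```

The point to take from the example is that the algorithm name is the whole access-control decision: the same three policy results yield Permit under the first name, Deny under the second and Deny again under the third (Indeterminate and Not Applicable outrank both but neither occurred). When reviewing a PDP configuration, read the chosen class name left to right as "what wins over what" and check that Indeterminate is not placed ahead of Deny unless a failed evaluation is really meant to be reported as such rather than refused.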
static unsigned long ArcSec::string_hash(const std::string& value)

Definition at line 117 of file DelegationSH.cpp.

{
  // Requires <openssl/md5.h>; the one-shot MD5() call is deprecated since
  // OpenSSL 3.0 in favour of the EVP digest interface. Only the first four
  // digest bytes are kept, assembled little-endian into a 32-bit value. This is
  // a lookup key, not an identifier with any collision resistance: distinct
  // inputs can share a value, and MD5 itself is not collision resistant, so
  // callers must never treat equal hashes as equal inputs.
  unsigned long ret=0;
  unsigned char md[16];
  MD5((unsigned char *)(value.c_str()),value.length(),&(md[0]));
  ret=(((unsigned long)md[0])|((unsigned long)md[1]<<8L)|
       ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
       )&0xffffffffL;
  return ret;
}



Variable Documentation

Arc::XMLNode ArcSec::arc_evaluator_cfg_nd

Built from the following ArcConfig document (in the source it is one backslash-continued C string literal). It loads the attribute, function, algorithm, evaluator, request and policy plugins and selects the arc.* implementations in the PDP configuration:

<ArcConfig xmlns="http://www.nordugrid.org/schemas/ArcConfig/2007"
           xmlns:pdp="http://www.nordugrid.org/schemas/pdp/Config">
  <ModuleManager>
    <Path></Path>
  </ModuleManager>
  <Plugins Name='arcshc'>
    <Plugin Name='__arc_attrfactory_modules__'>attrfactory</Plugin>
    <Plugin Name='__arc_fnfactory_modules__'>fnfactory</Plugin>
    <Plugin Name='__arc_algfactory_modules__'>algfactory</Plugin>
    <Plugin Name='__arc_evaluator_modules__'>evaluator</Plugin>
    <Plugin Name='__arc_request_modules__'>request</Plugin>
    <Plugin Name='__arc_policy_modules__'>policy</Plugin>
  </Plugins>
  <pdp:PDPConfig>
    <pdp:AttributeFactory name='arc.attrfactory' />
    <pdp:CombingAlgorithmFactory name='arc.algfactory' />
    <pdp:FunctionFactory name='arc.fnfactory' />
    <pdp:Evaluator name='arc.evaluator' />
    <pdp:Request name='arc.request' />
    <pdp:Policy name='arc.policy' />
  </pdp:PDPConfig>
</ArcConfig>

static Arc::LogStream ArcSec::logcerr(std::cerr);

Arc::XMLNode ArcSec::xacml_evaluator_cfg_nd

Same document, except that the PDP configuration selects the xacml.* implementations:

<ArcConfig xmlns="http://www.nordugrid.org/schemas/ArcConfig/2007"
           xmlns:pdp="http://www.nordugrid.org/schemas/pdp/Config">
  <ModuleManager>
    <Path></Path>
  </ModuleManager>
  <Plugins Name='arcshc'>
    <Plugin Name='__arc_attrfactory_modules__'>attrfactory</Plugin>
    <Plugin Name='__arc_fnfactory_modules__'>fnfactory</Plugin>
    <Plugin Name='__arc_algfactory_modules__'>algfactory</Plugin>
    <Plugin Name='__arc_evaluator_modules__'>evaluator</Plugin>
    <Plugin Name='__arc_request_modules__'>request</Plugin>
    <Plugin Name='__arc_policy_modules__'>policy</Plugin>
  </Plugins>
  <pdp:PDPConfig>
    <pdp:AttributeFactory name='xacml.attrfactory' />
    <pdp:CombingAlgorithmFactory name='xacml.algfactory' />
    <pdp:FunctionFactory name='xacml.fnfactory' />
    <pdp:Evaluator name='xacml.evaluator' />
    <pdp:Request name='xacml.request' />
    <pdp:Policy name='xacml.policy' />
  </pdp:PDPConfig>
</ArcConfig>