CHANGES

The table below lists the versions of the GAA-API reference implementation
corresponding to the GAA-API C-binding Internet Draft versions.

Reference implementation versions 0.1 to 0.3 were experimental. We gathered
experience from integration of the GAA-API with test applications. Versions
0.4, 0.5, and 0.6.1 were integrated with GSI (Grid Security Infrastructure,
http://www.globus.org/security/). Versions 0.4 and 0.5 used a
pseudo-object-oriented approach. Version 0.6.1 abandoned the object-oriented
approach and adopted a call-back approach in which the structures are opaque
and only the calls to create and manipulate the structures are defined. This
is useful for binary compatibility of different GAA implementations in the
future. In version 0.6.2, GAA-API was separated from GSI to exist as a
stand-alone version. It now supports older versions of Solaris (v2.6 and
older). The current version is v0.7. A user manual (v0.4) with sample code is
available with the current release.

==============================================================
GAA-API Version number          C-binding Internet Draft
--------------------------------------------------------------
0.1                             0
0.2                             1
0.3                             2
0.4                             3
0.5                             4
0.6.1                           5
0.6.2                           5
0.7                             6 (to be submitted)
==============================================================

gaa.h

1) A new type is defined to specify pre-, post-, request-result, mid- and all
   conditions:

   typedef enum {
       pre_cond,
       rr_cond,
       mid_cond,
       post_cond,
       all_cond
   } gaa_cond_type;

2) The gaa_policy_right structure was modified to include four lists of
   conditions of different types instead of just one condition list:

   struct gaa_policy_right {
       gaa_right_type  type;            /* positive or negative */
       gaa_string_data authority;       /* defining authority */
       void           *value;           /* within namespace defined by authority */
       gaa_list_ptr    pre_conditions;  /* list of gaa_condition_ptr describing
                                           pre-conditions that must be met before
                                           authorization can be granted */
       gaa_list_ptr    rr_conditions;   /* list of gaa_condition_ptr describing
                                           req-res-conditions that must be met
                                           after pre-conditions are evaluated */
       gaa_list_ptr    mid_conditions;  /* list of gaa_condition_ptr describing
                                           mid-conditions that must be met during
                                           operation execution */
       gaa_list_ptr    post_conditions; /* list of gaa_condition_ptr describing
                                           post-conditions that must be met after
                                           operation execution completes */
       struct gaaint_policy_right *i;   /* internal data */
   };

3) A new type gaa_state was defined to store the GAA state information to be
   passed to the new functions gaa_execution_control and
   gaa_post_execution_actions:

   struct gaa_state {
       gaa_ptr        gaa;
       gaa_sc_ptr     sc;
       gaa_list_ptr   req_rights;
       gaa_answer_ptr answer;
       int            mid;
       int            post;
   };
   typedef struct gaa_state gaa_state, *gaa_state_ptr;

4) A new type gaa_eval_mode was defined to specify the policy evaluation mode:

   typedef enum {
       expand,    /* policy can be expanded */
       narrow,    /* policy can be narrowed down */
       exact,     /* policy must be neither expanded nor narrowed */
       undefined
   } gaa_eval_mode;

5) Functions to allocate and free the gaa_state structure were added:

   extern gaa_status gaa_new_state(gaa_state_ptr *state);
   extern void       gaa_free_state(gaa_state_ptr state);

6) A new output parameter was added to the gaa_check_authorization function to
   return state information and policy. The policy parameter is changed to
   represent a list of policies:

   extern gaa_status gaa_check_authorization(gaa_ptr gaa,
                                             gaa_sc_ptr sc,
                                             gaa_list_ptr policy_list,
                                             gaa_list_ptr req_rights,
                                             gaa_answer_ptr answer,
                                             gaa_state_ptr state);

7) Two new functions are defined to perform policy enforcement during operation
   execution and after the operation completes:

   gaa_status gaa_execution_control(gaa_state_ptr state);
   gaa_status gaa_post_execution_actions(gaa_state_ptr state,
                                         gaa_string_data exec_status);

8) gaa_check_condition has two new input parameters, rstatus and estatus (to
   pass the operation authorization and execution status).
   Parameter "options" has been replaced with the parameter "right":

   extern gaa_status gaa_check_condition(gaa_ptr gaa,
                                         gaa_sc_ptr sc,
                                         gaa_condition *cond,
                                         gaa_time_period *vtp,
                                         int *ynm,
                                         gaa_request_right_ptr right,
                                         gaa_status rstatus,
                                         gaa_string_data estatus);

9) gaa_policy_entry_struct and gaa_policy have an additional member, mode, to
   represent the policy evaluation mode:

   struct gaa_policy_entry_struct {
       int               priority; /* entry priority */
       int               num;      /* entry number (for order within priority) */
       gaa_eval_mode     mode;     /* evaluation mode of the policy entry. It
                                      defines whether the policy can be expanded,
                                      narrowed down or neither. */
       gaa_policy_right *right;    /* what right this entry grants */
   };

   struct gaa_policy {
       void                 *raw_policy; /* raw policy representation */
       gaa_eval_mode         mode;       /* evaluation mode of the whole policy. It
                                            defines whether the policy can be
                                            expanded, narrowed down or neither. */
       gaa_list_ptr          entries;    /* ordered list of gaa_policy_entry_ptr */
       gaa_freefunc          freeraw;    /* function to free raw_policy */
       struct gaaint_policy *i;          /* internal data */
   };
   typedef struct gaa_policy gaa_policy, *gaa_policy_ptr;

10) gaa_add_policy_entry has a new parameter, mode:

    extern gaa_status gaa_add_policy_entry(gaa_policy *policy,
                                           gaa_policy_right *right,
                                           int priority,
                                           int num,
                                           gaa_eval_mode mode);

11) New functions to create a list of policies and to add a policy to the list:

    gaa_list_ptr gaa_new_policy_list(void);
    gaa_status   gaa_add_policy(gaa_list_ptr policy_list, gaa_policy_ptr policy);

12) gaa_cond_eval_func has two new parameters, rstatus and estatus, to pass the
    operation authorization and execution status. Parameter "options" has been
    replaced with the parameter "right":

    typedef gaa_status (*gaa_cond_eval_func)(gaa_ptr gaa,
                                             gaa_sc_ptr sc,
                                             gaa_condition *condition,
                                             gaa_time_period *valid_time,
                                             gaa_request_right_ptr right,
                                             gaa_status rstatus,
                                             gaa_string_data estatus,
                                             gaa_status *output_flags,
                                             void *params);

13) The pathname to the system-wide configuration file is included.
    This is fixed at compile time:

    #define GAA_SYSTEM_CONFIG_PATHNAME "/nfs/ruby/hochung/project/gaa-api/test/config/gaa.system.cf"

gaa.c

1) The gaa_add_condition function is modified to add a condition of a
   particular type:

   gaa_status gaa_add_condition(gaa_policy_right *right,
                                gaa_condition *condition,
                                gaa_cond_type type);

2) New functions gaa_new_state() and gaa_free_state() are added.

3) New functions gaa_new_policy_list() and gaa_add_policy() are added.

4) The policy parameter is changed to represent a pointer to a list of
   policies:

   gaa_status gaa_get_object_policy_info(gaa_string_data object,
                                         gaa_ptr gaa,
                                         gaa_list_ptr *policy_list);

gaa_constants.h

1) Three new constants are added to specify the operation execution status:

   #define GAA_S_EXEC_SUCCESS   S
   #define GAA_S_EXEC_FAILURE   F
   #define GAA_S_EXEC_UNDEFINED U

   A new constant was added to specify the default policy evaluation mode:

   #define GAA_C_EVAL_DEFAULT expand

2) The following error code has been added:

   #define GAA_S_XML_PARSER_ERR 39

gaa_policy.c

1) gaa_l_check_one_right is modified to check conditions of a particular type
   and to return an indication of whether request-result, mid- and
   post-conditions are present. Parameters rstatus and estatus are used to pass
   the operation authorization and execution status:

   static gaa_status gaa_l_check_one_right(gaa_ptr gaa,
                                           gaaint_sc *sc,
                                           gaa_list_ptr policy_list,
                                           gaa_request_right *right,
                                           gaa_status rstatus,
                                           gaa_string_data estatus,
                                           gaa_answer *ans,
                                           int *ynm,
                                           gaa_cond_type type,
                                           int *rr,
                                           int *mid,
                                           int *post);

2) gaa_l_check_simple has new input parameters rstatus and estatus (to pass
   the operation authorization and execution status) and type, to specify what
   type of conditions should be evaluated.
   Parameter "options" has been replaced with the parameter "right":

   static gaa_status gaa_l_check_simple(gaa_ptr gaa,
                                        gaaint_sc *sc,
                                        gaa_policy_entry *p_ent,
                                        gaa_request_right *right,
                                        gaa_status rstatus,
                                        gaa_string_data estatus,
                                        gaa_policy_right **pright,
                                        int *condstat,
                                        gaa_time_period *vtp,
                                        int idonly,
                                        gaa_cond_type type);

3) gaa_l_check_condition has two new parameters, rstatus and estatus, to pass
   the operation authorization and execution status. Parameter "options" has
   been replaced with the parameter "right":

   static gaa_status gaa_l_check_condition(gaa_ptr gaa,
                                           gaa_sc_ptr sc,
                                           gaa_condition *cond,
                                           gaa_time_period *vtp,
                                           gaa_request_right *right,
                                           gaa_status rstatus,
                                           gaa_string_data estatus,
                                           int *ynm,
                                           gaaint_cond_eval_entry *ce);

4) gaa_l_check_rights is a new function to evaluate a list of access rights:

   static gaa_status gaa_l_check_rights(gaa_ptr gaa,
                                        gaaint_sc *sc,
                                        gaa_status rstatus,
                                        gaa_string_data estatus,
                                        gaa_list_ptr rights,
                                        gaa_list_ptr req_rights,
                                        int *ynm,
                                        gaa_cond_type type);

5) New functions are added that implement three-valued logic conjunction and
   disjunction operations. Note that the function gaa_l_arbitrate_status was
   deleted.
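   As an added illustration of the three-valued logic these two helpers
   implement (example code, not part of the GAA-API distribution): a
   Kleene-style conjunction and disjunction over yes/no/maybe results, plus a
   fold that conjoins only the conditions of one gaa_cond_type, so a mid- or
   post-condition that cannot be decided before the operation runs leaves the
   answer at "maybe" instead of failing it. The integer encoding of
   yes/no/maybe, the cond_result type and check_conditions are assumptions of
   this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed encoding of the yes/no/maybe ("ynm") result used by the GAA-API
 * checks; the real header defines its own constants for these values. */
enum { GAA_NO = 0, GAA_YES = 1, GAA_MAYBE = -1 };

/* Condition classes as declared in gaa.h (names from this CHANGES file). */
typedef enum { pre_cond, rr_cond, mid_cond, post_cond, all_cond } gaa_cond_type;

/* Kleene conjunction: a definite NO wins, an undecided MAYBE comes next. */
static int three_valued_conj(int p, int q)
{
    if (p == GAA_NO || q == GAA_NO) return GAA_NO;
    if (p == GAA_MAYBE || q == GAA_MAYBE) return GAA_MAYBE;
    return GAA_YES;
}

/* Kleene disjunction: a definite YES wins, an undecided MAYBE comes next. */
static int three_valued_disj(int p, int q)
{
    if (p == GAA_YES || q == GAA_YES) return GAA_YES;
    if (p == GAA_MAYBE || q == GAA_MAYBE) return GAA_MAYBE;
    return GAA_NO;
}
/* One evaluated condition of a policy right (hypothetical helper type). */
typedef struct { gaa_cond_type type; int ynm; } cond_result;

/* Conjoin every condition of class `type` (all_cond takes all of them);
 * conditions of other classes are skipped, not treated as failures. */
static int check_conditions(const cond_result *c, size_t n, gaa_cond_type type)
{
    int acc = GAA_YES;
    for (size_t i = 0; i < n; i++)
        if (type == all_cond || c[i].type == type)
            acc = three_valued_conj(acc, c[i].ynm);
    return acc;
}

/* Constructed sample: pre- and request-result conditions met, mid- and
 * post-conditions not decidable until the operation runs. */
static const cond_result sample[] = { { pre_cond, GAA_YES }, { rr_cond, GAA_YES },
                                      { mid_cond, GAA_MAYBE }, { post_cond, GAA_MAYBE } };
#define SAMPLE_N (sizeof sample / sizeof sample[0])

int main(void)
{
    printf("pre: %d all: %d\n", check_conditions(sample, SAMPLE_N, pre_cond),
           check_conditions(sample, SAMPLE_N, all_cond));   /* pre: 1 all: -1 */
    return 0;
}
```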
   static int gaa_l_three_valued_conj(int p, int q);
   static int gaa_l_three_valued_disj(int p, int q);

6) A new function gaa_l_get_right has been added to retrieve the request right
   equal to the policy right:

   static gaa_status gaa_l_get_right(gaa_ptr gaa,
                                     gaa_list_ptr req_rights,
                                     gaa_policy_right_ptr pright,
                                     gaa_request_right_ptr *right);

gaa_simple.h and conditions.c

1) Functions gaasimple_check_id_cond, gaasimple_check_group_cond and
   gaasimple_check_id_cond_nocase have new parameters rstatus and estatus to
   pass the operation authorization and execution status. Parameter "options"
   has been replaced with the parameter "right":

   extern gaa_status gaasimple_check_id_cond(gaa_ptr gaa,
                                             gaa_sc_ptr sc,
                                             gaa_condition *cond,
                                             gaa_time_period *valid_time,
                                             gaa_request_right_ptr right,
                                             gaa_status rstatus,
                                             gaa_string_data estatus,
                                             gaa_status *output_flags,
                                             void *params);

   extern gaa_status gaasimple_check_group_cond(gaa_ptr gaa,
                                                gaa_sc_ptr sc,
                                                gaa_condition *cond,
                                                gaa_time_period *valid_time,
                                                gaa_request_right_ptr right,
                                                gaa_status rstatus,
                                                gaa_string_data estatus,
                                                gaa_status *output_flags,
                                                void *params);

   extern gaa_status gaasimple_check_id_cond_nocase(gaa_ptr gaa,
                                                    gaa_sc_ptr sc,
                                                    gaa_condition *cond,
                                                    gaa_time_period *valid_time,
                                                    gaa_request_right_ptr right,
                                                    gaa_status rstatus,
                                                    gaa_string_data estatus,
                                                    gaa_status *output_flags,
                                                    void *params);

2) A new function is added to evaluate an audit condition (the declaration
   follows the gaa_cond_eval_func parameter order):

   extern gaa_status gaasimple_audit_cond(gaa_ptr gaa,
                                          gaa_sc_ptr sc,
                                          gaa_condition *cond,
                                          gaa_time_period *valid_time,
                                          gaa_request_right_ptr right,
                                          gaa_status rstatus,
                                          gaa_string_data estatus,
                                          gaa_status *output_flags,
                                          void *params);

3) A new function gaasimple_regex_cond() was added to evaluate a regular
   expression condition:

   gaa_status gaasimple_regex_cond(gaa_ptr gaa,
                                   gaa_sc_ptr sc,
                                   gaa_condition *cond,
                                   gaa_time_period *valid_time,
                                   gaa_request_right_ptr right,
                                   gaa_status rstatus,
                                   gaa_string_data estatus,
                                   gaa_status *output_flags,
                                   void *params);

4) A new function gaasimple_audit_cond() was added to evaluate an audit
   condition:

   gaa_status gaasimple_audit_cond(gaa_ptr gaa,
                                   gaa_sc_ptr sc,
                                   gaa_condition *cond,
                                   gaa_time_period *valid_time,
                                   gaa_request_right_ptr right,
                                   gaa_status rstatus,
                                   gaa_string_data estatus,
                                   gaa_status *output_flags,
                                   void *params);

5) A new function gaasimple_check_ipblock_cond() was added to enforce a
   route-reject condition based on a list of blocked IPs:

   gaa_status gaasimple_check_ipblock_cond(gaa_ptr gaa,
                                           gaa_sc_ptr sc,
                                           gaa_condition *cond,
                                           gaa_time_period *valid_time,
                                           gaa_request_right_ptr right,
                                           gaa_status rstatus,
                                           gaa_string_data estatus,
                                           gaa_status *output_flags,
                                           void *params);

   Note: As the option passed with the rights can belong to any callback, a
   prefix is attached to the option (the change is implemented in
   "test/gaa_utils.c"; an application can change this as required), e.g.:

      request file access    IPchk_10.0.0.2
      request SA setup       SAchk_28800

   The path of the blocked-IP list is also specified in the config file, e.g.
   /usr/src/gaa-api/test/eacls/blockiplist

6) A new function gaasimple_check_time_cond() was added to enforce a
   time-limitation condition:

   gaa_status gaasimple_check_time_cond(gaa_ptr gaa,
                                        gaa_sc_ptr sc,
                                        gaa_condition *cond,
                                        gaa_time_period *valid_time,
                                        gaa_request_right_ptr right,
                                        gaa_status rstatus,
                                        gaa_string_data estatus,
                                        gaa_status *output_flags,
                                        void *params);

7) A new function gaasimple_check_SAlifetime_cond() was added to limit the
   maximum Security Association (SA) lifetime in an IPSEC application:

   gaa_status gaasimple_check_SAlifetime_cond(gaa_ptr gaa,
                                              gaa_sc_ptr sc,
                                              gaa_condition *cond,
                                              gaa_time_period *valid_time,
                                              gaa_request_right_ptr right,
                                              gaa_status rstatus,
                                              gaa_string_data estatus,
                                              gaa_status *output_flags,
                                              void *params);

read_eacl.c

1) A new function is added to retrieve several policies stored locally and
   represented by an eacl. This function is now passed as getpolicy instead of
   gaasimple_read_eacl(), which is now called by gaasimple_get_eacl_list to
   build a list of eacls:

   gaa_status gaasimple_get_eacl_list(gaa_ptr gaa,
                                      gaa_list_ptr *policy_list,
                                      gaa_string_data object,
                                      void *params);

   test/gaa_utils.c is modified to test gaa_execution_control and
   gaa_post_execution_actions. New files gaa_regex.c, gnu_regex.c and
   gnu_regex.h are added to handle evaluation of regular expressions.

2) A new function is added to retrieve a system-wide policy file and local
   policy file(s) represented by an eacl. This function is passed as
   "getpolicy" (defined in the config file) instead of gaasimple_get_eacl_list.
   The callback function, gaasimple_getpolicy_eacl(), is defined in the local
   config file ("getpolicy" section of gaa.linux.cf), and it reads the special
   file (e.g. gaa.policy.loc). This special file contains the pathname to the
   system-wide policy file and the local policy files.
   If multiple local policy files exist, they are separated by the delimiter
   "$". The file also specifies the name of the XML tag (e.g. 'Net*') used to
   retrieve the system-wide policies that correspond to the tag.

   gaa_status gaasimple_getpolicy_eacl(gaa_ptr gaa,
                                       gaa_list_ptr *policy_list,
                                       gaa_string_data object,
                                       void *params,
                                       char strTag[TAG_SIZE]);

3) Several newly created internal APIs are as follows:

   gaa_status gaasimple_read_sys_eacl(gaa_ptr gaa,
                                      gaa_list_ptr *policy_list,
                                      void *params,
                                      char *strTag);
   - The above API is called internally by gaasimple_getpolicy_eacl().

   gaa_status gaasimple_read_local_eacl(gaa_ptr gaa,
                                        gaa_list_ptr *policy_list,
                                        void *params);
   - The above API is called internally by gaasimple_getpolicy_eacl().

   gaa_status gaasimple_i_read_sys_eacl(gaa_ptr gaa,
                                        gaa_policy **policy,
                                        char *bufPolicy);
   - The above API is called internally by gaasimple_read_sys_eacl().

gaa_init.c

1) gaa_l_init() has been modified to parse two types of CONFIGURATION files
   (both system-wide and local). The actual work of parsing is done inside
   gaa_parse_cfi(), which has been newly created.

   + {read_eacl.c}
     - gaasimple_read_eacl() has been modified to parse the XML-based
       system-wide POLICY file
     - use regular expression matching (gaa_regex.c, gnu_regex.c and
       gnu_regex.h)
     - Several newly created APIs are: gaasimple_read_sys_eacl(),
       gaasimple_i_read_sys_eacl()

gaa_syspolicy.c

1) A newly created file that contains all interface APIs to the XML C Library
   to support parsing of the GAA system-wide policy file and the special file
   (gaa.policy.loc).

2) gaa_syspolicy.h is also newly created.

README

1) $SRCDIR/README has been modified to include a brief explanation of the
   installation of the XML C Library.

README-NEW

1) $SRCDIR/test/config/README-NEW has been newly created. The content of the
   file is similar to the original $SRCDIR/test/config/README.
Makefile

1) $SRCDIR/gaa_callbacks/gaa_simple/Makefile has been modified to link the XML
   C library, and to compile and link the regular expression matching files
   (gaa_regex.c, gnu_regex.c & gnu_regex.h).
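As an added example of the prefixed-option convention described in the
conditions.c note above (example code, not part of the GAA-API distribution):
the prefix attached to a request right's option selects which callback's check
applies, so an IPchk_ option is matched against the blocked-IP list and an
SAchk_ option is checked against a maximum SA lifetime, while an option that
carries another callback's prefix is left undecided rather than rejected. The
blocked list, the 43200-second maximum and the yes/no/maybe encoding are
assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed encoding of the yes/no/maybe result; the real header has its own. */
enum { GAA_NO = 0, GAA_YES = 1, GAA_MAYBE = -1 };

/* Constructed stand-in for the blocked-IP list file named in the config. */
static const char *blocked_ips[] = { "10.0.0.2", "192.0.2.17" };
#define N_BLOCKED (sizeof blocked_ips / sizeof blocked_ips[0])

/* Assumed policy maximum for an IPSEC SA lifetime, in seconds. */
#define MAX_SA_LIFETIME 43200L

/* Route-reject: NO when the requested peer address is on the blocked list. */
static int check_ipblock(const char *ip)
{
    for (size_t i = 0; i < N_BLOCKED; i++)
        if (strcmp(ip, blocked_ips[i]) == 0) return GAA_NO;
    return GAA_YES;
}

/* SA lifetime cap: NO when the value is malformed, non-positive or above the
 * maximum; a value that cannot be parsed must never fall through to YES. */
static int check_sa_lifetime(const char *lifetime)
{
    char *end;
    long v = strtol(lifetime, &end, 10);
    if (*lifetime == '\0' || *end != '\0' || v <= 0) return GAA_NO;
    return v <= MAX_SA_LIFETIME ? GAA_YES : GAA_NO;
}

/* Dispatch on the prefix attached to the request right's option. An option
 * carrying another callback's prefix is left undecided (MAYBE), not failed. */
static int check_option(const char *option)
{
    static const char ipchk[] = "IPchk_", sachk[] = "SAchk_";
    if (strncmp(option, ipchk, sizeof ipchk - 1) == 0)
        return check_ipblock(option + sizeof ipchk - 1);
    if (strncmp(option, sachk, sizeof sachk - 1) == 0)
        return check_sa_lifetime(option + sizeof sachk - 1);
    return GAA_MAYBE;
}
```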