Central UDIF capability and certificate authorization checks. More...

#include "udif.h"
#include "capability.h"
#include "certificate.h"
#include "query.h"

Functions
UDIF_EXPORT_API bool	udif_policy_query_verb (uint8_t querytype, uint32_t *verb)
	Map a query type to the required capability verb.
UDIF_EXPORT_API bool	udif_policy_certificate_allows (const udif_certificate *certificate, uint32_t verb)
	Check whether a certificate embeds a required capability verb.
UDIF_EXPORT_API udif_policy_decision	udif_policy_authorize (const udif_certificate caller, const udif_capability capability, uint32_t verb, uint32_t scope, uint64_t ctime)
	Authorize an operation against certificate and token permissions.
UDIF_EXPORT_API udif_policy_decision	udif_policy_authorize_query (const udif_query query, const udif_certificate caller, const udif_capability *capability, uint32_t scope, uint64_t ctime)
	Authorize a query using its capability reference.

Detailed Description

Central UDIF capability and certificate authorization checks.

Function Documentation

◆ udif_policy_authorize()

UDIF_EXPORT_API udif_policy_decision udif_policy_authorize	(	const udif_certificate *	caller,
		const udif_capability *	capability,
		uint32_t	verb,
		uint32_t	scope,
		uint64_t	ctime )

Authorize an operation against certificate and token permissions.

The decision is fail-closed. The caller certificate must be valid at the supplied time, its embedded capability mask must contain the required verb, and a capability token must be present, issued to the caller, unexpired, and grant both the required verb and scope.

Parameters

caller	[const] The caller certificate
capability	[const] The resolved capability token
verb	The required capability verb
scope	The required capability scope
ctime	The current UTC time

Returns: Returns udif_policy_permit only when all checks pass

◆ udif_policy_authorize_query()

UDIF_EXPORT_API udif_policy_decision udif_policy_authorize_query	(	const udif_query *	query,
		const udif_certificate *	caller,
		const udif_capability *	capability,
		uint32_t	scope,
		uint64_t	ctime )

Authorize a query using its capability reference.

Parameters

query	[const] The query
caller	[const] The caller certificate
capability	[const] The resolved capability token
scope	The required scope
ctime	The current UTC time

Returns: Returns udif_policy_permit only when authorized

◆ udif_policy_certificate_allows()

UDIF_EXPORT_API bool udif_policy_certificate_allows	(	const udif_certificate *	certificate,
		uint32_t	verb )

Check whether a certificate embeds a required capability verb.

Parameters

certificate	[const] The caller certificate
verb	The required capability verb

Returns: Returns true when the embedded certificate mask permits the verb

◆ udif_policy_query_verb()

UDIF_EXPORT_API bool udif_policy_query_verb	(	uint8_t	querytype,
		uint32_t *	verb )

Map a query type to the required capability verb.

Parameters

querytype	The query type
verb	The output capability verb

Returns: Returns true when the query type is recognized

Functions

Detailed Description

Function Documentation

◆ udif_policy_authorize()

◆ udif_policy_authorize_query()

◆ udif_policy_certificate_allows()

◆ udif_policy_query_verb()