This is the main Scheme file for Margrave. This file holds most the functions you will need
to ask queries about AVCs, policies, and comparisions as well as to
to make AVCs and comparisons, and load XACML policy files. It loads the other required functions.
To use Margrave, make a query file that loads this file and the module
this file holds as follows:
(load-relative "[path]/Margrave/code/Margrave.scm)
(require margrave)
where "[path]" is the path to where you installed Margrave.
| margrave |
| Base Module | mzscheme |
| Description | The module holding query functions. Use the Scheme command "(require margrave)" to include it in your query files. |
|
  
1 Constants |
|
|
| list-of-change-const |
| Form | list-of-change-const |
| Description | A list of constants that represent all the possible terminals in a comparison
that correspond to a change. For example, 'PD corresponds to the change "Permit goes to Deny".
Note that "changes" like 'PP (permit stays permit) are not in the list since these "changes"
are not really changes. |
|
| list-of-real-change-const |
| Form | list-of-real-change-const |
| Description | Like the list-of-change-const, but only list those changes that will change the
behavior of the PEP. For example, 'ND (not applicable goes to deny) is not in this
list despite being in list-of-change-const since the PEP must reject any request
that yeilds either not appliacable or deny, so the PEP will do the same thing either way. |
|
2 Parsing in XACML files. |
|
|
| load-xacml-policy |
| Form | load-xacml-policy |
| Type | string * string * [bool] -> policy |
| Description | Allows parsing in one step. |
| Internal remark |
|
3 Creating AVCs. |
| Functions for creating attribute value constraints. |
|
| make-avc |
| Form | (make-avc subtarget attrid attrvalue) |
| Type | sym sym sym [bool] -> avc |
| Description | A set of requests including all
requests that have the given attrValue assigned to the given attrId
in the given subtarget. |
|
| make-avc-singleton |
| Form | (make-avc-singleton subtarget attrid attrvalue) |
| Description | Returns the AVC that contains exactly one request,
specifically the request that has only the given attribute value
associated with the given attribute id in the given
subtarget, and no other associations. |
|
| match->avc |
| Form | (match->avc match) |
| Description | Given a match, it will return the corresponding AVC.
Note that (make-avc aSubtarget anAttrId anAttrValue) does return
the same AVC as (match->avc (make-match aSubtarget anAttrId anAttrValue)) |
|
| match->avc-singleton |
| Form | (match->avc-singleton . match-list) |
| Description | Like make-avc-singleton but takes a match instead. |
|
4 AVC Connectives. |
| These mirror the boolean connectives.
One might find it easier to think of these as set opperations
where each AVC is a set of requests or matches.
For example, avc-or may be thought of as a union. |
|
| avc-not |
| Form | (avc-not avc) |
| Type | avc -> avc |
| Description | Returns that complement of the given AVC. |
|
| avc-or |
| Form | (avc-or . l) |
| Type | avc* -> avc |
| Description | Returns the union of the given AVCs. |
| See also | list version | avc-or* |
|
| avc-or* |
| Form | (avc-or* l) |
| Type | (listof avc) -> avc |
| Description | Like avc-or but takes a list of AVCs. |
| See also | non-list version | avc-or |
|
| avc-and |
| Form | (avc-and . l) |
| Type | avc* -> avc |
| Description | Returns the intersection of the given AVCs. |
| See also | list version | avc-and* |
|
| avc-and* |
| Form | (avc-and* l) |
| Type | (listof avc) -> avc |
| Description | Like avc-and but takes a list of AVCs. |
| See also | non-list version | avc-and |
|
| avc-difference |
| Form | (avc-difference l r) |
| Type | avc avc -> avc |
| Description | Returns the AVC that is the difference between l and r.
{x in l | x not in r} = l intersect (compl r) |
|
| disjoint-set |
| Form | (disjoint-set . avc-list) |
| Type | avc* -> avc |
| Description | Produces the AVC that holds all requests that fall into
no more than one of the AVCs given. |
| See also | list version | disjoint-set* |
|
| disjoint-set* |
| Form | (disjoint-set* avc-list) |
| Type | (listof avc) -> avc |
| Description | Produces the AVC that holds all requests that fall into
no more than one of the AVCs given in the list. |
| See also | non-list version | disjoint-set |
|
| partition-set |
| Form | (partition-set . avc-list) |
| Type | avc* -> avc |
| Description | Produces the AVC that holds all requests that fall into
exactly one of the AVCs given. |
| See also | list version | partition-set* |
|
| partition-set* |
| Form | (partition-set* avc-list) |
| Type | (listof avc) -> avc |
| Description | Produces the AVC that holds all requests that fall into
exactly one of the AVCs given in the list. |
| See also | non-list version | partition-set |
|
5 Predicates over AVCs. |
| These check for basic properties of AVCs. |
|
| avc-false? |
| Form | (avc-false? avc) |
| Type | avc -> bool |
| Description | Returns true iff the given AVC is the constant false.
One can view such an AVC as being empty. |
|
| avc-equal? |
| Form | (avc-equal? l r) |
| Type | avc avc -> bool |
| Description | Returns true iff the two given AVCs are equal. |
|
| avc-implication? |
| Form | (avc-implication? l r) |
| Type | avc avc -> bool |
| Description | Returns true iff l implies r.
That is, returns true when l holds all the match sets that r holds (and maybe some more).
One can view this as returning true iff l is a subset of r. |
|
6 Creating Comparisons. |
|
|
| compare-policies |
| Form | (compare-policies policy1 policy2) |
| Type | policy policy -> comparison |
| Description | Compares two policies.
Given two policies, it will merge
the two policies into a comparison that
will list all of the differences between the two
policies. The comparison will be done in the
order in which the policies are provided.
For example:
(compare p1 p2) where p1 denies all requests and p2 permits all requests that would yield a comparison in which everything is mapped to 'DP, the symbol for "deny goes to permits". |
|
7 Quantification. |
| Performs quantification over a match. |
|
| there-exists-for |
| Form | (there-exists-for avc . match-list) |
| Type | avc match* -> avc |
| Description | Makes bdd into E b in bool such that bdd[avc -> b].
Existance quantification over an avc:
does there exist a value for this match (has it or does not have it)
such that true is yielded. Maybe a better name would be "don't-care-out-match". |
| See also | list version | there-exists-for* |
|
| there-exists-for* |
| Form | (there-exists-for* avc match-list) |
| Type | avc (listof match) -> avc |
| Description | Makes the given AVC into E b in bool s.t. bdd[avc -> b]
Existance quantification over an avc,
does there exist a value for this match (has it or does not have it)
such that true is yielded. |
| See also | non-list version | there-exists-for |
|
| for-all |
| Form | (for-all avc . match-list) |
| Type | avc match* -> avc |
| Description | Like there-exits-for, but performs the for-all* operation. |
| See also | list version | for-all* |
|
| for-all* |
| Form | (for-all* avc match-list) |
| Type | avc (listof match) -> avc |
| Description | Universal quantification over an avc. |
| See also | non-list version | for-all |
|
8 Evaluating Requests. |
| These allow Margrave to act as a PDP or to view things as a PEP does. |
|
| pep-view |
| Form | (pep-view policy) |
| Type | policy -> policy |
| Description | The way the policy is enforced by a PEP
(with NA being treated as a deny) |
|
| pdp |
| Form | (pdp policy request) |
| Type | policy * avc -> decision |
| Description | Takes a policy and a request and yields the response a PDP would yield. |
| Returns | A symbol, either 'P, 'D, 'N, 'E, for permit, deny, not applicable, or excluded by constraint, respectivily. |
|
9 Restriction. |
| Get the AVC that corresponds to the terminal in which you are interested from a policy or comparison.
If for example you would like to know which requests are mapped to 'P (permit) in a policy named Pol,
you can restrict the policy to 'P with (restrict-policy-to-dec 'P Pol). This will yield the AVC that
holds all the requests that would yield 'P. |
|
| restrict-policy-to-dec |
| Form | (restrict-policy-to-dec decision policy) |
| Type | policy decision -> avc |
| Description | Get the AVC that corresponds to the terminal in which you are interested from a policy or comparison. |
|
| restrict-comparision-to-change |
| Form | (restrict-comparision-to-change change comparision) |
| Type | comparison decision -> avc |
| Description | Get the AVC that corresponds to the terminal in which you are interested from a policy or comparison. |
|
10 Constraining Policies. |
| Rule some requests out of consideration by introducing environment contraints. |
|
| constrain-policy |
| Form | (constrain-policy request-set policy) |
| Type | policy avc -> policy |
| Description | Constrain a policy to a given request-set.
All requests that are not in the request-set are mapped to EC. |
|
| constrain-policy-disjoint |
| Form | (constrain-policy-disjoint avc-list policy) |
| Type | (listof avc) policy -> policy |
| Description | Returns the policy that applies if only one of the
listed avcs is possible at once. |
|
| constrain-policy-partition |
| Form | (constrain-policy-partition avc-list policy) |
| Type | (listof avc) policy -> policy |
| Description | Like disjoint, but all requests must lay in one |
| See also | | constrain-policy-disjoint |
|
| make-nonmulti-attribute |
| Form | (make-nonmulti-attribute subtarget attrid policy) |
| Type | policy subtarget sym -> policy |
| Description | Make nonmulti-attribute : must have one or zero and no more
For example:
You know that every request will have at most one value associated with the resource-id attribute so place a make-nonmulti-attribute constraint on the policy Pol with "(make-nonmulti-attribute 'Resource 'resource-id Pol)". |
| See also | list version | make-nonmulti-attribute* |
|
| make-nonmulti-attribute* |
| Form | (make-nonmulti-attribute* list-s-id policy) |
| Type | (listof (pair subtarget sym)) policy -> policy |
| Description | |
| See also | non-list version | make-nonmulti-attribute |
|
| make-singleton-attribute |
| Form | (make-singleton-attribute subtarget attrid policy) |
| Type | policy subtarget sym -> policy |
| Description | Make single-valued attribute : must have exactly one
For example:
You know that every request will have exactly one value assocated with the resource-id attribute so place a make-nonmulti-attribute contraint on the policy Pol with "(make-nonmulti-attribute 'Resource 'resource-id Pol)". |
| See also | list version | make-singleton-attribute* |
|
| make-singleton-attribute* |
| Form | (make-singleton-attribute* list-s-id policy) |
| Type | (listof (pair subtarget sym)) policy -> policy |
| Description | |
| See also | non-list version | make-singleton-attribute |
|
11 Reducing AVCs. |
| Reduce an AVC to the parts in which you are interested. |
|
| present-combo-attrvalues |
| Form | (present-combo-attrvalues subtarget attrid avc) |
| Type | subtarget attrId avc -> avc |
| Description | |
|
| get-combo-attrval-involved-in |
| Form | (get-combo-attrval-involved-in subtarget attrid change cadd) |
| Type | subtarget attrId termial (| policy comparision) -> avc |
| Description | |
| See also | list version | make-singleton-attribute* |
|
| get-combo-attrval-involved-in* |
| Form | (get-combo-attrval-involved-in* subtarget attrid change-list cadd) |
| Type | subtarget attrId (listof termial) (| policy comparision) -> avc |
| Description | |
| See also | non-list version | make-singleton-attribute |
|
| get-combo-attrval-involved-in-change |
| Form | (get-combo-attrval-involved-in-change subtarget attrid cadd) |
| Type | cadd subtarget attrId change -> avc |
| Description | |
|
| get-combo-attrval-involved-in-real-change |
| Form | (get-combo-attrval-involved-in-real-change subtarget attrid cadd) |
| Type | cadd subtarget attrId change -> avc |
| Description | |
|
12 Test Functions. |
| These functions are for testing properties of an AVC. These functions mirror the predicates over AVCs.
If a predicate holds, they return true. Otherwise, they yield counter-examples in the form of an AVC.
If an optional fail-func is provided, they will call the fail-func with the counter-examples
if the predicate fails to hold (instead of just returning the counter-examples).
These functions are useful in testing a large number of properties since you can have the return value
of true be ignorged while having the fail-func print out which test failed and the counter-example. |
|
| avc-false-test |
| Form | avc-false-test |
| Type | (avc -> #t | avc) | (avc (avc -> a) -> #t | a) |
| Description | If the AVC is not false it calls the fail-func with the given AVC, else true is returned.
(If the AVC is not false, it is itself a counter-example.)
The default fail-func is the identity function, so by default, the non-false AVC is returned. |
| See also | mirrored predicate | avc-false? |
|
| avc-not-empty-test |
| Form | avc-not-empty-test |
| Type | (avc -> #t | avc) | (avc (avc -> a) -> #t | a) |
| Description | If the AVC is false it calls the fail-func with the given AVC, else true is returned.
(If the AVC is false, it is itself a counter-example.)
The default fail-func is the identity function, so by default, the false AVC is returned. |
|
| avc-equal-test |
| Form | avc-equal-test |
| Type | (avc avc -> #t | avc) | (avc avc (avc -> a) -> #t | a) |
| Description | If the two AVCs are equal it calls the fail-func with the difference of the two AVCs,
else true is returned.
The default fail-func is the identity function, so by default, the difference AVC is returned. |
| See also | mirrored predicate | avc-equal? |
|
| avc-implication-test |
| Form | avc-implication-test |
| Type | (avc avc -> #t | avc) | (avc avc (avc -> a) -> #t | a) |
| Description | If the first AVC does not imply the second AVC, the fail-func is called with the difference of the two AVCs,
else true is returned.
The default fail-func is the identity function, so by default, the difference AVC is returned. |
| See also | mirrored predicate | avc-implication? |
|
13 Output. |
Functions for printing string representations of AVCs, policies, and comparisons.
The functions print-avc print-policy print-comparison and print-comparison-changes
all print string representations ADDs to standard output. Since each node in an ADD
has a number corresponding to its place in the ordering of nodes, they all print
the ADD with nodes in order and numbered by that number. First, a list of these nodes
is printed in order giving to what match each node corresponds. Second, list of rows are
printed. Each row consists of list of "0"s, "1"s, and "-"s. The "0"s correpond to the
false (or else) branch of the node whose number is equal to the column number of that symbol
(see the column key at the top of the print out). The "1"s correspond to the true (then) branches
and the "-"s to don't-care. Each row ends in a terminal. A sequence of matchs that fit the pattern
of "0"s, "1"s, "-"s in a row is mapped to the terminal at the end of the row.
For example,
1:/Resource, resource-class, paper/ 2:/Resource, resource-class, review/
12
{
00 N
01 P
1- D
}
states that a request without the attribute match of resource-class to paper or to review will
recieve NotApplicable, one with just the match of resource-class to review will be Permitted,
and one with a match of resource-class to paper will be Denied regardless whether it matches
review or not. |
|
| print-avc |
| Form | (print-avc avc) |
| Type | avc -> |
| Description | Prints an AVC to the standard output port. |
| Returns | void |
|
| print-policy |
| Form | (print-policy policy) |
| Type | policy -> |
| Description | Prints a policy to the standard output port. |
| Returns | void |
|
| print-comparison |
| Form | (print-comparison comparison) |
| Type | comparison -> |
| Description | Prints a comparison to the standard output port. |
| Returns | void |
|
| print-comparison-changes |
| Form | (print-comparison-changes comparison) |
| Type | comparison -> |
| Description | Prints only the parts of a comparison that deal with changes to the standard output port. |
| Returns | void |
|
| print-policy-as-nameddnf |
| Form | (print-policy-as-nameddnf policy) |
| Type | policy -> |
| Description | Another string representation of a policy that is printed to standard output. |
| Returns | void |
|
| get-all-attrids |
| Form | (get-all-attrIds) |
| Type | -> (listof (listof attrId)) |
| Description | Return a list of lists, where the first list is for subjects,
the second for resources, the third for actions.
Each of these lists holds all the attribute ids found in that subtarget
in one of the policies loaded. |
|
| get-all-attrvalues |
| Form | (get-all-attrValues) |
| Type | -> (listof (listof (pairof attrId, (listof attrValues)))) |
| Description | Return a list of lists, where the first list is for subjects,
the second for resources, the third for actions.
Each these lists hold pairs.
The first element of each pair is an attribute id
and second is a list of all the values assocated with that attribute id
somewhere in one of policies loaded. |
|