Asylo
identity_acl_evaluator.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2017 Asylo authors
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef ASYLO_IDENTITY_IDENTITY_ACL_EVALUATOR_H_
20 #define ASYLO_IDENTITY_IDENTITY_ACL_EVALUATOR_H_
21 
22 #include "asylo/identity/identity.pb.h"
23 #include "asylo/identity/identity_acl.pb.h"
24 #include "asylo/identity/identity_expectation_matcher.h"
25 #include "asylo/util/statusor.h"
26 
27 namespace asylo {
28 
29 /// Uses `matcher` to evaluate whether `identities` satisfies `acl`.
30 ///
31 /// The ACL is provided in the form of an `IdentityAclPredicate`. An
32 /// `IdentityAclPredicate` is a recursive proto, each layer of which must
33 /// conform to the following constraints:
34 ///
35 /// * A nested IdentityAclPredicate `predicate` must have `predicate.item` set.
36 /// * A nested IdentityAclGroup `group` must have a non-empty
37 /// `group.predicates`.
38 /// * If `group`.type is `GroupType::NOT`, `group.predicates` must contain
39 /// exactly one predicate.
40 ///
41 /// Returns a non-OK status if `acl` is malformed or if
42 /// `matcher.MatchAndExplain()` returns a non-OK status when invoked with any of
43 /// `identities`.
44 ///
45 /// \param identities A list of identities to match against the ACL.
46 /// \param acl An ACL specifying expectations on an identity.
47 /// \param matcher The matcher to use to evaluate `identities` against `acl`.
48 /// \param[out] explanation An explanation of why the match failed, if the
49 /// result is false.
50 /// \return A bool indicating whether the ACL evaluated to true, or a non-OK
51 /// Status if any if the inputs are invalid.
52 StatusOr<bool> EvaluateIdentityAcl(
53  const std::vector<EnclaveIdentity> &identities,
54  const IdentityAclPredicate &acl, const IdentityExpectationMatcher &matcher,
55  std::string *explanation = nullptr);
56 
57 } // namespace asylo
58 
59 #endif // ASYLO_IDENTITY_IDENTITY_ACL_EVALUATOR_H_
asylo::kStatusMoveAssignmentMsg
ABSL_CONST_INIT const char kStatusMoveAssignmentMsg[]
asylo::EvaluateIdentityAcl
StatusOr< bool > EvaluateIdentityAcl(const std::vector< EnclaveIdentity > &identities, const IdentityAclPredicate &acl, const IdentityExpectationMatcher &matcher, std::string *explanation=nullptr)
Uses matcher to evaluate whether identities satisfies acl.