Asylo
identity_acl_evaluator.h
1 /*
2  *
3  * Copyright 2017 Asylo authors
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef ASYLO_IDENTITY_IDENTITY_ACL_EVALUATOR_H_
20 #define ASYLO_IDENTITY_IDENTITY_ACL_EVALUATOR_H_
21 
22 #include "asylo/identity/identity.pb.h"
23 #include "asylo/identity/identity_acl.pb.h"
24 #include "asylo/identity/identity_expectation_matcher.h"
25 #include "asylo/util/statusor.h"
26 
27 namespace asylo {
28 
29 /// Uses `matcher` to evaluate whether `identities` satisfies `acl`.
30 ///
31 /// The ACL is provided in the form of an `IdentityAclPredicate`. An
32 /// `IdentityAclPredicate` is a recursive proto, each layer of which must
33 /// conform to the following constraints:
34 ///
35 /// * A nested IdentityAclPredicate `predicate` must have `predicate.item` set.
36 /// * A nested IdentityAclGroup `group` must have a non-empty
37 /// `group.predicates`.
38 /// * If `group.type` is `GroupType::NOT`, `group.predicates` must contain
39 /// exactly one predicate.
40 ///
41 /// Returns a non-OK status if `acl` is malformed or if `matcher.Match()`
42 /// returns a non-OK status when invoked with any of `identities`.
43 ///
44 /// \param identities A list of identities to match against the ACL.
45 /// \param acl An ACL specifying expectations on an identity.
46 /// \param matcher The matcher to use to evaluate `identities` against `acl`.
47 /// \return A bool indicating whether the ACL evaluated to true, or a non-OK
48 /// Status if any of the inputs are invalid.
52 
53 } // namespace asylo
54 
55 #endif // ASYLO_IDENTITY_IDENTITY_ACL_EVALUATOR_H_
StatusOr< bool > EvaluateIdentityAcl(const std::vector< EnclaveIdentity > &identities, const IdentityAclPredicate &acl, const IdentityExpectationMatcher &matcher)
Uses matcher to evaluate whether identities satisfies acl.