2005-11-01 16:35:23 +00:00
|
|
|
(*****************************************************************************
|
|
|
|
* su4sml - a SecureUML repository for SML
|
|
|
|
*
|
|
|
|
* secure_uml.sml - a security language implementing mds.sig
|
|
|
|
* Copyright (C) 2005 Achim D. Brucker <brucker@inf.ethz.ch>
|
|
|
|
* Juergen Doser <doserj@inf.ethz.ch>
|
|
|
|
* Burkhart Wolff <bwolff@inf.ethz.ch>
|
|
|
|
*
|
|
|
|
* This file is part of su4sml.
|
|
|
|
*
|
|
|
|
* su4sml is free software; you can redistribute it and/or modify it under
|
|
|
|
* the terms of the GNU General Public License as published by the Free
|
|
|
|
* Software Foundation; either version 2 of the License, or (at your option)
|
|
|
|
* any later version.
|
|
|
|
*
|
|
|
|
* su4sml is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
|
|
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
|
|
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
|
|
* details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License along
|
|
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
******************************************************************************)
|
|
|
|
|
2006-12-08 17:16:33 +00:00
|
|
|
(**
|
|
|
|
* SecureUML is a simple security language based on RBAC.
|
|
|
|
* Permissions relate roles with actions and can be further constrained
|
|
|
|
* using OCL:
|
|
|
|
*)
|
2006-09-28 08:55:36 +00:00
|
|
|
signature SECUREUML =
|
|
|
|
sig
|
2007-02-06 16:30:31 +00:00
|
|
|
include SECURITY_LANGUAGE
|
2006-09-28 08:55:36 +00:00
|
|
|
type Role
|
2007-02-07 11:25:52 +00:00
|
|
|
type Subject
|
2006-11-09 16:17:09 +00:00
|
|
|
val all_roles : Configuration -> Role list
|
2007-01-22 16:31:26 +00:00
|
|
|
val all_constraints: Configuration -> Rep_OclTerm.OclTerm list
|
2007-02-07 11:25:52 +00:00
|
|
|
val all_subjects: Configuration -> Subject list
|
2006-09-28 08:55:36 +00:00
|
|
|
val constraints_of : Permission -> Rep_OclTerm.OclTerm list
|
|
|
|
val roles_of: Permission -> Role list
|
2007-02-07 11:25:52 +00:00
|
|
|
val subject_name_of: Subject -> string
|
|
|
|
val subject_roles_of:Subject -> Configuration -> Role list
|
|
|
|
|
2006-05-09 16:04:43 +00:00
|
|
|
end
|
|
|
|
|
2006-09-28 08:55:36 +00:00
|
|
|
|
2006-04-27 14:27:16 +00:00
|
|
|
(**
|
|
|
|
* SecureUML is a simple security language based on RBAC.
|
|
|
|
* Permissions relate roles with actions and can be further constrained
|
|
|
|
* using OCL:
|
|
|
|
*)
|
2006-05-09 16:04:43 +00:00
|
|
|
functor SecureUML(structure Design: DESIGN_LANGUAGE):SECUREUML =
|
2005-11-01 16:35:23 +00:00
|
|
|
struct
|
2007-02-06 16:30:31 +00:00
|
|
|
open library
|
2005-11-01 16:35:23 +00:00
|
|
|
structure Design : DESIGN_LANGUAGE = Design
|
|
|
|
|
|
|
|
type User = string
|
|
|
|
fun name_of (u:User) = u
|
|
|
|
|
|
|
|
datatype Subject = Group of string * (string list)
|
|
|
|
| User of User
|
|
|
|
|
2007-02-07 11:25:52 +00:00
|
|
|
fun subject_name_of (Group (g,_)) = g
|
|
|
|
| subject_name_of (User u) = u
|
2007-02-07 10:53:21 +00:00
|
|
|
|
2005-11-01 16:35:23 +00:00
|
|
|
type Role = string
|
2006-11-09 16:17:09 +00:00
|
|
|
|
2005-11-01 16:35:23 +00:00
|
|
|
type SubjectAssignment = (Subject * (Role list)) list
|
|
|
|
|
2007-02-06 16:30:31 +00:00
|
|
|
|
2005-11-01 16:35:23 +00:00
|
|
|
type Permission = {name: string,
|
2007-02-06 16:30:31 +00:00
|
|
|
roles: Role list,
|
|
|
|
constraints: Rep_OclTerm.OclTerm list,
|
|
|
|
actions: Design.Action list }
|
2005-11-01 16:35:23 +00:00
|
|
|
|
2006-11-09 16:17:09 +00:00
|
|
|
type Config_Type = string
|
|
|
|
|
|
|
|
type 'a partial_order = ('a * 'a) list
|
|
|
|
|
|
|
|
type Configuration = { config_type: Config_Type,
|
2007-02-06 16:30:31 +00:00
|
|
|
permissions: Permission list,
|
|
|
|
subjects: Subject list,
|
|
|
|
(* groups: Group partial_order,*)
|
|
|
|
roles: Role list,
|
2006-11-09 16:17:09 +00:00
|
|
|
rh: Role partial_order,
|
2007-02-06 16:30:31 +00:00
|
|
|
sa: SubjectAssignment }
|
2006-11-09 16:17:09 +00:00
|
|
|
|
2007-02-07 11:25:52 +00:00
|
|
|
fun subject_roles_of (s:Subject) (c:Configuration) =
|
|
|
|
(snd o valOf o (List.find (fn x => (fst x) = s)) o #sa) c
|
2006-11-09 16:17:09 +00:00
|
|
|
|
2006-09-28 08:55:36 +00:00
|
|
|
fun constraints_of (x:Permission) = #constraints x
|
|
|
|
fun roles_of (x:Permission) = #roles x
|
|
|
|
fun actions_of (p:Permission) = #actions p
|
2006-11-09 16:17:09 +00:00
|
|
|
fun all_roles (c:Configuration) = #roles c
|
2007-02-07 11:25:52 +00:00
|
|
|
fun all_subjects (c:Configuration)= #subjects c
|
2007-01-22 16:31:26 +00:00
|
|
|
fun all_constraints (c:Configuration) = List.concat (List.map constraints_of (#permissions c))
|
|
|
|
|
2006-05-17 10:19:49 +00:00
|
|
|
(** test whether a1 is (transitively) a subordinated_action of a2 *)
|
2006-05-16 14:44:25 +00:00
|
|
|
fun is_contained_in a1 a2 = (a1 = a2) orelse
|
2007-02-06 16:30:31 +00:00
|
|
|
List.exists (is_contained_in a1)
|
2006-05-17 10:36:48 +00:00
|
|
|
(Design.subordinated_actions a2)
|
2006-05-16 14:44:25 +00:00
|
|
|
|
2006-05-17 10:19:49 +00:00
|
|
|
(** test whether the permission p covers the action a. *)
|
|
|
|
fun permission_includes_action (p:Permission) (a:Design.Action) =
|
2006-05-16 14:44:25 +00:00
|
|
|
List.exists (is_contained_in a) (#actions p)
|
|
|
|
|
2005-11-01 16:35:23 +00:00
|
|
|
|
|
|
|
(* unclear yet how this will look like:
|
2007-02-06 16:30:31 +00:00
|
|
|
fun domain_of (x:'a partial_order) = ...
|
|
|
|
fun closure_of (x:'a partial_order) = ...
|
|
|
|
*)
|
2005-11-01 16:35:23 +00:00
|
|
|
|
|
|
|
fun type_of (c:Configuration) = #config_type c
|
|
|
|
|
|
|
|
fun is_empty (c:Configuration) = List.null (#permissions c) andalso
|
2007-02-06 16:30:31 +00:00
|
|
|
List.null (#subjects c)
|
2005-11-01 16:35:23 +00:00
|
|
|
|
2006-04-26 16:22:32 +00:00
|
|
|
fun getPermissions (c:Configuration) = #permissions c
|
2005-11-01 16:35:23 +00:00
|
|
|
|
|
|
|
(* the following functions have yet to be implemented *)
|
|
|
|
fun users_of p = nil
|
|
|
|
fun check_permission (u,p) = false
|
|
|
|
fun permissions_of u = nil
|
2006-01-22 21:18:26 +00:00
|
|
|
|
2006-05-16 14:44:25 +00:00
|
|
|
|
2006-05-17 17:23:26 +00:00
|
|
|
(** checks whether the classifier c has the stereotype s.
|
|
|
|
* (could be moved to rep_core?)
|
|
|
|
*)
|
|
|
|
fun classifier_has_stereotype s c = ListEq.includes (Rep.stereotypes_of c) s
|
2006-02-06 08:48:54 +00:00
|
|
|
|
2006-05-17 17:23:26 +00:00
|
|
|
(** checks whether the classifier c has none of the given stereotypes *)
|
|
|
|
fun classifier_has_no_stereotype strings c =
|
|
|
|
ListEq.disjunct strings (Rep.stereotypes_of c)
|
|
|
|
|
2006-11-09 16:17:09 +00:00
|
|
|
|
|
|
|
(** checks whether the classifier c has a parent.
|
|
|
|
* (could be moved to rep_core?)
|
2007-02-06 16:30:31 +00:00
|
|
|
*)
|
2006-11-09 16:17:09 +00:00
|
|
|
fun classifier_has_parent (Rep.Class c) = Option.isSome (#parent c)
|
|
|
|
| classifier_has_parent (Rep.Interface c) = not (List.null (#parents c))
|
|
|
|
| classifier_has_parent (Rep.Enumeration c) = Option.isSome (#parent c)
|
|
|
|
| classifier_has_parent (Rep.Primitive c) = Option.isSome (#parent c)
|
|
|
|
| classifier_has_parent (Rep.Template c) = classifier_has_parent (#classifier c)
|
|
|
|
|
2006-09-28 08:55:36 +00:00
|
|
|
fun filter_permission cs = List.filter (classifier_has_stereotype
|
|
|
|
"secuml.permission") cs
|
2006-01-22 21:18:26 +00:00
|
|
|
(* FIXME: handle groups also *)
|
2006-05-17 17:23:26 +00:00
|
|
|
fun filter_subject cs = List.filter (classifier_has_stereotype "secuml.user") cs
|
|
|
|
fun filter_role cs = List.filter (classifier_has_stereotype "secuml.role") cs
|
2006-05-03 17:29:43 +00:00
|
|
|
|
2007-02-06 16:30:31 +00:00
|
|
|
|
|
|
|
fun mkRole (C as Rep.Class c) = Rep.string_of_path (Rep.name_of C)
|
|
|
|
| mkRole _ = error ("in mkRole: argument is not a class")
|
2006-01-22 21:18:26 +00:00
|
|
|
|
|
|
|
(* FIXME: handle groups also *)
|
2006-12-15 06:52:09 +00:00
|
|
|
fun mkSubject (C as Rep.Class c) = User (Rep.string_of_path (Rep.name_of C))
|
2007-02-06 16:30:31 +00:00
|
|
|
| mkSubject _ = error ("in mkSubject: argument is not a class")
|
2006-01-22 21:18:26 +00:00
|
|
|
|
2006-12-15 06:52:09 +00:00
|
|
|
fun mkPermission cs (C as Rep.Class c) =
|
2006-05-17 17:23:26 +00:00
|
|
|
let val atts = Rep.attributes_of (Rep.Class c)
|
2007-02-07 10:53:21 +00:00
|
|
|
val att_classifiers = List.mapPartial
|
|
|
|
(fn (Rep_OclType.Classifier p) => SOME (Rep.class_of p cs)
|
|
|
|
| _ => NONE)
|
|
|
|
(map #attr_type atts)
|
2007-02-06 16:30:31 +00:00
|
|
|
val aends = Rep_Core.associationends_of (Rep.Class c)
|
|
|
|
val aend_classifiers = List.mapPartial (fn (Rep_OclType.Classifier p)
|
|
|
|
=> SOME (Rep.class_of p cs)
|
|
|
|
| _ => NONE)
|
|
|
|
(map #aend_type aends)
|
|
|
|
val classifiers = att_classifiers @ aend_classifiers
|
2006-05-17 17:23:26 +00:00
|
|
|
val role_classes = List.filter (classifier_has_stereotype "secuml.role")
|
|
|
|
classifiers
|
2006-09-28 08:55:36 +00:00
|
|
|
val root_classes = List.filter (fn x => ListEq.overlaps
|
|
|
|
(Rep.stereotypes_of x)
|
|
|
|
Design.root_stereotypes)
|
|
|
|
classifiers
|
2006-05-17 17:23:26 +00:00
|
|
|
val root_resource = hd root_classes
|
2007-02-06 16:30:31 +00:00
|
|
|
handle Empty => error ("in mkPermission: no root resource found "^
|
|
|
|
"for permission "^Rep.string_of_path (Rep.name_of C))
|
2006-05-17 17:23:26 +00:00
|
|
|
val action_attributes =
|
|
|
|
List.filter (fn x => List.exists
|
|
|
|
(fn y => List.exists
|
|
|
|
(fn z => y= z)
|
|
|
|
(#stereotypes x))
|
|
|
|
Design.action_stereotypes) atts
|
2007-02-06 16:30:31 +00:00
|
|
|
handle ex => (error_msg "could not parse permission attributes"; raise ex)
|
2006-05-17 17:23:26 +00:00
|
|
|
in
|
2006-12-15 06:52:09 +00:00
|
|
|
{ name = (Rep.string_of_path (Rep.name_of C)),
|
2006-05-17 17:23:26 +00:00
|
|
|
roles = (map (Rep.string_of_path o Rep.name_of) role_classes),
|
|
|
|
(* FIXME: find attached constraints *)
|
|
|
|
constraints = nil,
|
|
|
|
actions = if action_attributes = []
|
2007-02-06 16:30:31 +00:00
|
|
|
then error ("in mkPermission: Permission "^
|
|
|
|
(Rep.string_of_path (Rep.name_of C))^
|
|
|
|
"has no action attributes")
|
2006-05-17 17:23:26 +00:00
|
|
|
else map (Design.parse_action root_resource) action_attributes }
|
|
|
|
end
|
2007-02-06 16:30:31 +00:00
|
|
|
| mkPermission _ _ = error "in mkPermission: argument is not a class"
|
2007-01-25 16:26:11 +00:00
|
|
|
|
2007-02-07 10:53:21 +00:00
|
|
|
|
|
|
|
fun mkSubjectAssignment cs (c as (Rep.Class _)) =
|
|
|
|
let val att_classifiers = List.mapPartial
|
|
|
|
(fn (Rep_OclType.Classifier p) => SOME (Rep.class_of p cs)
|
|
|
|
| _ => NONE)
|
|
|
|
(map #attr_type (Rep.attributes_of c))
|
|
|
|
val aend_classifiers = List.mapPartial
|
|
|
|
(fn (Rep_OclType.Classifier p) => SOME (Rep.class_of p cs)
|
|
|
|
| _ => NONE)
|
|
|
|
(map #aend_type (Rep.associationends_of c))
|
|
|
|
(* FIXME: we just take all roles that are connected to the subject. *)
|
|
|
|
(* in principle, we should check the stereotype of the association, *)
|
|
|
|
(* but that does not exist in the rep datastructure... *)
|
|
|
|
val classifiers = List.filter (classifier_has_stereotype "secuml.role")
|
|
|
|
(att_classifiers @ aend_classifiers)
|
|
|
|
in
|
|
|
|
(mkSubject c, map mkRole classifiers)
|
|
|
|
end
|
2006-05-17 17:23:26 +00:00
|
|
|
|
2006-09-28 08:55:36 +00:00
|
|
|
(** parse a list of classifiers accoriding to the SecureUML profile.
|
|
|
|
* removes the classes with SecureUML stereotypes.
|
|
|
|
*)
|
2006-05-03 17:29:43 +00:00
|
|
|
fun parse (cs:Rep_Core.Classifier list) =
|
2007-02-06 16:30:31 +00:00
|
|
|
let val _ = info "parsing security configuration"
|
|
|
|
in
|
|
|
|
(List.filter (classifier_has_no_stereotype ["secuml.permission",
|
|
|
|
"secuml.role",
|
|
|
|
"secuml.subject",
|
|
|
|
"secuml.actiontype"])
|
|
|
|
cs,
|
|
|
|
{ config_type = "SecureUML",
|
|
|
|
permissions = map (mkPermission cs) (filter_permission cs),
|
|
|
|
subjects = map mkSubject (filter_subject cs),
|
2007-01-29 16:14:56 +00:00
|
|
|
roles = map mkRole (filter_role cs),
|
2007-02-06 16:30:31 +00:00
|
|
|
rh = map (fn x => (Rep.string_of_path (Rep.name_of x),
|
2007-01-29 16:14:56 +00:00
|
|
|
Rep.string_of_path (Rep.parent_name_of x)))
|
|
|
|
(List.filter classifier_has_parent (filter_role cs)),
|
2007-02-07 10:53:21 +00:00
|
|
|
sa = map (mkSubjectAssignment cs) (filter_subject cs)})
|
2007-02-06 16:30:31 +00:00
|
|
|
end
|
|
|
|
handle ex => (error_msg "in SecureUML.parse: security configuration \
|
|
|
|
\could not be parsed";
|
2007-01-29 16:14:56 +00:00
|
|
|
raise ex)
|
2005-11-01 16:35:23 +00:00
|
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|