
Predefined Predicates

Predicates in the Antigone policy language are evaluated at run time and can be used to dynamically enforce security parameters. An explanation of using predicates can be found in Policy.

Programmers may define their own predicates to implement specialized processing. See Setting Up a Policy Implementor for details.

The following rule applies for all predefined predicates: if a predicate cannot be evaluated, an error will be logged and, as a fallback, it will evaluate to false.

The following predicates are built into the software:

timeofday

Evaluates to true only if the current time of day is between the two times given, or equal to either of them.

Example Usage:

join : timeofday(034500,040000) :: accept; 

In this example, joins to the group will only be permitted by this statement between 3:45:00 and 4:00:00 in the morning. If the current time is exactly 3:45:00 or 4:00:00 the predicate will also evaluate to true.

The "timeofday" token is not case sensitive.

There must be exactly two arguments given. Each of the hour, minute, and second must be given as two digits. The two times may be given in either order (largest first or smallest first). They must be valid times (hour from 0 to 23, minute and second from 0 to 59) or an error will be logged and the statement will be ignored, effectively evaluating as false.

GroupSizeGreater

Evaluates to true if the group size is greater than the given value.

Example:

authen: GroupSizeGreater (5) ::config(nullauth());

In this example, null authentication is permitted if there are 6 or more members in the group.

Exactly one argument must be given. It must be an integer zero or greater.

GroupSizeSmaller

Evaluates to true if the group size is smaller than the given value.

Example:

join : GroupSizeSmaller(4) :: accept; 

In this example, the server and three other members will be able to join the group. The next member that attempts to join will fail until some member leaves.

Exactly one argument must be given. It must be an integer zero or greater.

transportmode

Evaluates to true if the transport mode passed matches the current transport mode. The match is not case sensitive. Exactly one parameter is permitted. The only possible values are:

Example:

foo : transportmode (asymmetric) :: bar;

The above predicate will only evaluate to true if the group is using the asymmetric transport mode.

envvar

This predicate evaluates to true if the value of the given environment variable matches the given value. The values are compared in a case sensitive manner (for example, "true" would not match "True").

Exactly two parameters must be supplied. The first parameter is the name of the environment variable and the second parameter is the expected value of the environment variable.

If the environment variable is not defined then this predicate evaluates to false. The name of the environment variable is case sensitive and must match exactly.

Example:

monitor: envvar(TKSCOPE,TRUE) :: config(ascope(tclmon=true,update=250));
monitor: :: config(ascope(tclmon=false));

This example uses the environment variable TKSCOPE to drive whether the scope is enabled. If TKSCOPE is TRUE, then the scope will be enabled; otherwise it will be disabled.

inlist

This evaluates to true if a parameter is in a list. The first parameter is the string to match, and the second parameter is a list of possible values separated by a ':'.

There is an optional third parameter that gives a single character to be used as the delimiter. The possible characters to specify are: a-zA-Z0-9_'[]{}.- . Note that using ':' causes parsing errors when the policy is initially evaluated, so it can only be used in attributes, whose text is evaluated only when the predicate is evaluated. The system may be modified in the future to parse ':' correctly.

Example:

join : inlist($id, alice.bob, .) :: accept; 

In this example, the id of the person must be alice or bob in order to join the group. Note also that spaces are special to the parser, and so are not permitted in the list.

isserver

This is used to determine if the current member is the group server. This predicate takes no parameters.

Example:

foo : isserver() :: bar;

The predicate will evaluate to true if the current member is the server.
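The predicate semantics described on this page, as an added Python example that is not part of Antigone: a small evaluator for timeofday, GroupSizeGreater, GroupSizeSmaller, envvar, inlist and isserver that applies the argument rules above and the log-and-evaluate-to-false fallback. The run-time state dictionary (`now`, `group_size`, `env`, `is_server`) and case-insensitive matching of every predicate name (the page states this only for timeofday) are assumptions.

```python
import logging
from datetime import time
# Characters the page allows as an inlist delimiter: a-zA-Z0-9_'[]{}.-
INLIST_DELIMS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_'[]{}.-")

def parse_hhmmss(text):
    """Six-digit HHMMSS literal; datetime.time itself rejects hour>23 and minute/second>59."""
    if len(text) != 6 or not text.isdigit():
        raise ValueError(f"time literal must be six digits: {text!r}")
    return time(int(text[:2]), int(text[2:4]), int(text[4:]))

def nonnegative_int(text):
    if (n := int(text)) < 0:
        raise ValueError(f"expected an integer zero or greater: {text!r}")
    return n

def timeofday(ctx, a, b):
    lo, hi = sorted((parse_hhmmss(a), parse_hhmmss(b)))  # bounds accepted in either order
    return lo <= ctx["now"] <= hi                        # inclusive at both ends

def groupsizegreater(ctx, n):
    return ctx["group_size"] > nonnegative_int(n)

def groupsizesmaller(ctx, n):
    return ctx["group_size"] < nonnegative_int(n)

def envvar(ctx, name, expected):
    return ctx["env"].get(name) == expected  # case-sensitive; undefined variable gives False

def inlist(ctx, item, values, delim=":"):
    if len(delim) != 1 or delim not in INLIST_DELIMS:
        raise ValueError(f"invalid inlist delimiter: {delim!r}")
    return item in values.split(delim)

def isserver(ctx):
    return bool(ctx["is_server"])

PREDICATES = {f.__name__: f for f in (timeofday, groupsizegreater, groupsizesmaller,
                                      envvar, inlist, isserver)}

def evaluate(ctx, name, *args):
    """Evaluate predicate `name` (matched case-insensitively) against run-time state `ctx`."""
    try:
        return bool(PREDICATES[name.lower()](ctx, *args))  # TypeError == wrong argument count
    except (KeyError, ValueError, TypeError) as err:
        logging.error("predicate %s%r could not be evaluated: %s", name, args, err)
        return False  # the page's fallback: log the error and evaluate to false

# Constructed sample state standing in for what Antigone supplies at run time (assumed keys).
CTX = {"now": parse_hhmmss("035000"), "group_size": 4, "env": {"TKSCOPE": "TRUE"}, "is_server": True}
```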


Factotem Inc, Antigone Version 2.0.10, Nov 18, 2002
antigone@factotem.com