Entity descriptions
The Device entity does not provide functionality to other entities; it acts only as a client that first authenticates through the LoginManager entity and then attempts to call methods of the Storage entity.
Device.edl
/* EDL description of the "Device" entity. */
/*
 * No "interfaces" section: the Device implements no interface of its own and
 * only initiates IPC requests (to LoginManager and Storage, see init.yaml).
 */
entity device_access.Device
The Storage entity is a data repository that contains an implementation of the IStorage interface, which provides the GetInfo() method for gaining access to data.
Storage.edl
/* EDL description of the "Storage" entity. */
entity device_access.Storage
interfaces
{
/*
 * Declaration of the named implementation of the "IStorage" interface.
 * The implementation name "storage" is the endpoint that the security policy
 * matches on (endpoint = storage in security.psl); the two must stay in sync,
 * otherwise the policy rules for Storage no longer apply to this endpoint.
 */
storage : device_access.IStorage
}
IStorage.idl
/* Package containing the declaration of the "IStorage" interface. */
package device_access.IStorage
/* Named constant declaration: upper bound (in bytes) on the "String" payload. */
const UInt32 MaxStringSize = 1024;
/*
 * Synonym declaration for the custom type: a byte sequence bounded by
 * MaxStringSize. The bound is part of the IPC message contract, so neither
 * side has to accept an unbounded payload.
 */
typedef sequence <UInt8, MaxStringSize> String;
/* Declaration of interface methods. */
interface
{
/*
 * Returns the stored data in "info".
 * Nothing in this interface restricts who may call it; in this example the
 * security policy (security.psl) is what limits GetInfo to a Device whose
 * session is in the "authenticated" state.
 */
GetInfo(out String info);
}
The LoginManager entity is a privileged process that performs user authentication. It contains an implementation of the ILoginManager interface, which provides the Login() and Logout() methods; note that in this example Login() receives only a username and no credential.
LoginManager.edl
/* EDL description of the "LoginManager" entity. */
entity device_access.LoginManager
interfaces
{
/**
 * Declaration of the named implementation of the "ILoginManager"
 * interface.
 * The implementation name "loginManager" is the endpoint that the security
 * policy matches on (endpoint = loginManager in security.psl); keep the two
 * names in sync, otherwise the Login/Logout rules no longer apply.
 */
loginManager : device_access.ILoginManager
}
ILoginManager.idl
/* Package containing the declaration of the "ILoginManager" interface. */
package device_access.ILoginManager
/* Named constant declaration: upper bound (in bytes) on the "String" payload. */
const UInt32 MaxStringSize = 1024;
/* Synonym declaration for the custom type: a byte sequence bounded by MaxStringSize. */
typedef sequence <UInt8, MaxStringSize> String;
/* Declaration of interface methods. */
interface
{
/*
 * Authenticates the caller. Only a username is passed - this example carries
 * no password or other credential, so a real deployment would have to extend
 * the method.
 * A refused login must be reported through the "error" path ("status"), not
 * as a normal response: the security policy (security.psl) treats every normal
 * Login response as a successful authentication and every Login error as a
 * failure.
 */
Login(in String loginUsername, error UInt16 status);
/*
 * Ends the session. The security policy moves the Device back to the
 * "unauthenticated" state as soon as the Logout request is sent, regardless
 * of how the LoginManager handles it.
 */
Logout();
}
Init description
init.yaml
entities:
  # The "Device" entity can access the "LoginManager" entity.
  # The "Device" entity can access the "Storage" entity.
  # A connection is one-directional: it lets the Device send requests to the
  # target and receive the matching responses. It only creates the IPC
  # channel; whether an individual call is permitted is decided by the
  # security policy (security.psl).
  - name: device_access.Device
    connections:
      - target: device_access.LoginManager
        id: login_manager_connection
      - target: device_access.Storage
        id: storage_connection
  # The "LoginManager" entity can only respond to requests
  # (it has no "connections" section, so it cannot initiate IPC itself).
  - name: device_access.LoginManager
  # The "Storage" entity can only respond to requests.
  - name: device_access.Storage
Solution security policy
security.psl
/* Security configuration for the "device_access" example. */
/**
 * Imports a file containing the declaration of basic policy aliases and a file
 * containing the declaration of the "flow" policy family (finite-state machine).
 */
use nk.basic._
use nk.flow._
/**
 * Instantiates a "session" object for the "Flow" policy class.
 *
 * One state-machine instance is kept per Device SID (see session.init in the
 * execute rules below). It starts in "unauthenticated" and is driven only by
 * the LoginManager's Login responses/errors and by Logout requests.
 * The self-transitions ("unauthenticated" -> "unauthenticated" and
 * "authenticated" -> "authenticated") are presumably needed so that a Login
 * error while not yet authenticated, or a repeated Login/Logout, is not
 * rejected by the flow object itself.
 */
policy object
session: Flow
{
type States = "unauthenticated" | "authenticated"
config =
{
states : ["unauthenticated", "authenticated"],
initial : "unauthenticated",
transitions :
{
/* From "unauthenticated": stay (Login error, Logout) or move to "authenticated" (Login OK). */
"unauthenticated" : ["unauthenticated", "authenticated"],
/* From "authenticated": stay (repeated Login OK) or drop back (Logout, Login error). */
"authenticated" : ["authenticated", "unauthenticated"],
}
}
}
/**
 * Includes the "kl.core.Core" and "Einit" entities.
 */
use EDL kl.core.Core
use EDL Einit
/**
 * Includes other entities used in the solution.
 * The rules below refer to entities and endpoints by the names declared in
 * these EDL files, so the EDL descriptions and this policy must be kept
 * consistent.
 */
use EDL device_access.Device
use EDL device_access.LoginManager
use EDL device_access.Storage
/**
 * Allow kl.core.Core to start itself and Einit.
 */
execute src = kl.core.Core
{
match dst = kl.core.Core { grant () }
match dst = Einit { grant () }
}
/**
 * Allow entities to be started by Einit.
 */
execute src = Einit
{
match dst = device_access.LoginManager { grant () }
match dst = device_access.Storage { grant () }
match dst = device_access.Device
{
/**
 * Initialize the device session associated with the Device at
 * Device startup.
 *
 * The session is keyed by the SID of the newly started Device (dst_sid),
 * so every Device instance begins in the flow object's "initial" state,
 * "unauthenticated". Note that there is no explicit grant () in this
 * match: the outcome of session.init is the verdict for the execute
 * request - presumably a failed init denies the start.
 */
session.init {sid: dst_sid}
}
}
/**
 * Allowed requests to kl.core.Core.
 *
 * No "method" filter is applied: every listed entity may call every Core
 * method. That is adequate for this example; a production policy would
 * normally narrow each entity to the kernel methods it actually needs.
 */
request
dst = kl.core.Core
{
match src = Einit { grant () }
match src = device_access.LoginManager { grant () }
match src = device_access.Storage { grant () }
match src = device_access.Device { grant () }
}
/**
 * Allowed responses from kl.core.Core.
 * Mirrors the request rule above; again unfiltered by method.
 */
response
src = kl.core.Core
{
match dst = Einit { grant () }
match dst = device_access.LoginManager { grant () }
match dst = device_access.Storage { grant () }
match dst = device_access.Device { grant () }
}
/**
 * Allowed requests to LoginManager.
 *
 * Login is granted in every session state, including "authenticated", so a
 * Device may re-authenticate; a Login error then drops it back to
 * "unauthenticated" (see the Login error rule further down).
 */
request
src = device_access.Device
dst = device_access.LoginManager
endpoint = loginManager
{
match method = Login { grant () }
match method = Logout { grant () }
}
/**
 * Allowed responses from LoginManager.
 */
response
src = device_access.LoginManager
dst = device_access.Device
endpoint = loginManager
{
match method = Login { grant () }
match method = Logout { grant () }
}
/**
 * Allowed requests to Storage.
 *
 * This grant only establishes that GetInfo is a permitted method. The
 * session.allow rule for GetInfo further down applies to the same request,
 * so the call is still refused while the Device's session is not
 * "authenticated".
 */
request
src = device_access.Device
dst = device_access.Storage
endpoint = storage
{
match method = GetInfo { grant () }
}
/**
 * Allowed responses from Storage.
 * No state check is needed here: a response can only follow a request that
 * the rules above already allowed.
 */
response
src = device_access.Storage
dst = device_access.Device
endpoint = storage
{
match method = GetInfo { grant () }
}
/**
 * If the Login method successfully authenticates the user, a response will be
 * sent to the Device. The KSM switches the Device session state to
 * authenticated on this message.
 *
 * NOTE(review): this rule does not inspect the reply. Every normal Login
 * response is treated as a successful authentication, so the LoginManager
 * must report a refused login through the "error" path (the "status" error
 * parameter of Login), never as a normal response carrying a failure code.
 */
response
src = device_access.LoginManager
dst = device_access.Device
endpoint = loginManager
method = Login
{
session.enter {sid: dst_sid, state: "authenticated"}
}
/**
 * If the Login method refuses to authenticate this user, an error message
 * will be sent to the Device. The KSM switches the Device session state to
 * unauthenticated on this message.
 *
 * The flow object allows "unauthenticated" -> "unauthenticated", so an error
 * for a Device that was never authenticated is not itself rejected.
 */
error
src = device_access.LoginManager
dst = device_access.Device
endpoint = loginManager
method = Login
{
session.enter {sid: dst_sid, state: "unauthenticated"}
}
/**
 * When a request to call the Logout method is sent to the LoginManager,
 * the KSM switches the Device session state to unauthenticated.
 *
 * The transition is taken on the request, before the LoginManager handles
 * it, so the session is revoked even if the LoginManager never processes
 * the Logout (fail-closed). The key here is src_sid - the Device is the
 * caller - whereas the Login rules above key on dst_sid; both denote the
 * same Device SID.
 */
request
src = device_access.Device
dst = device_access.LoginManager
endpoint = loginManager
method = Logout
{
session.enter {sid: src_sid, state: "unauthenticated"}
}
/**
 * When a request to call the GetInfo method is sent to the Storage,
 * the KSM checks the Device session state and allows the call if
 * its state is authenticated.
 *
 * The state is looked up by the caller's SID (src_sid), the same key that
 * session.init bound when Einit started the Device. The Storage is not
 * shown to perform any check of its own, so this rule is what protects the
 * data in this example.
 */
request
src = device_access.Device
dst = device_access.Storage
endpoint = storage
method = GetInfo
{
session.allow {sid: src_sid, states: ["authenticated"]}
}