§ABAC Context Expression Parser & Evaluator
This module provides boolean expression parsing and evaluation for Attribute-Based Access Control (ABAC).
§Features
- Boolean Operators: AND, OR, NOT
- Comparison Operators: ==, !=, <, <=, >, >=
- Attribute Queries: HasAttribute, GetAttribute
- Recursion Limits: Prevents stack overflow from malicious expressions
- Deterministic Evaluation: O(N) complexity where N = expression size
§Syntax Examples
role == "admin"
role == "admin" AND department == "IT"
(role == "admin" OR role == "moderator") AND timestamp < "1000"
NOT (status == "banned")
role == "user" AND (age >= "18" OR has_parent_consent == "true")
§Security
- Maximum expression depth: 32 (prevents stack overflow)
- Maximum expression length: 1024 characters (DoS prevention)
- Iterative evaluation where possible (reduces stack usage)
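The sketch below shows how the two limits listed above can be enforced in a small recursive-descent evaluator. It is an added example, not this module's own code: `Parser`, `Attrs` and `evaluate` are hypothetical names, only `==` and `!=` are handled, tokens are assumed to be whitespace-separated with no spaces inside quoted values, and treating a missing attribute as a non-match is an assumption of the example.

```rust
use std::collections::HashMap;
const MAX_EXPR_DEPTH: usize = 32; // nesting limit documented above
const MAX_EXPR_LENGTH: usize = 1024; // length limit documented above
type Attrs<'a> = HashMap<&'a str, &'a str>; // hypothetical attribute store
struct Parser<'a> { toks: Vec<String>, pos: usize, attrs: &'a Attrs<'a> } // hypothetical

impl<'a> Parser<'a> {
    fn peek(&self) -> Option<&str> { self.toks.get(self.pos).map(String::as_str) }
    fn next(&mut self) -> Result<String, String> {
        self.pos += 1;
        self.toks.get(self.pos - 1).cloned().ok_or_else(|| "unexpected end".to_string())
    }
    fn or(&mut self, depth: usize) -> Result<bool, String> { // or := and ("OR" and)*
        let mut v = self.and(depth)?;
        while self.peek() == Some("OR") { self.pos += 1; v |= self.and(depth)?; }
        Ok(v)
    }
    fn and(&mut self, depth: usize) -> Result<bool, String> { // and := unary ("AND" unary)*
        let mut v = self.unary(depth)?;
        while self.peek() == Some("AND") { self.pos += 1; v &= self.unary(depth)?; }
        Ok(v)
    }
    fn unary(&mut self, depth: usize) -> Result<bool, String> {
        // Every NOT or "(" adds one level; refuse before recursing any further.
        if depth > MAX_EXPR_DEPTH { return Err("expression too deep".into()); }
        match self.next()?.as_str() {
            "NOT" => Ok(!self.unary(depth + 1)?),
            "(" => {
                let v = self.or(depth + 1)?;
                if self.next()? == ")" { Ok(v) } else { Err("expected ')'".into()) }
            }
            name => {
                let (op, lit) = (self.next()?, self.next()?);
                match (op.as_str(), self.attrs.get(name), lit.trim_matches('"')) {
                    ("==", Some(v), lit) => Ok(*v == lit),
                    ("!=", Some(v), lit) => Ok(*v != lit),
                    ("==" | "!=", None, _) => Ok(false), // missing attribute never matches
                    _ => Err(format!("unsupported operator {}", op)),
                }
            }
        }
    }
}
fn evaluate<'a>(expr: &str, attrs: &'a Attrs<'a>) -> Result<bool, String> {
    // Length is checked before any tokenizing or allocation proportional to the input.
    if expr.len() > MAX_EXPR_LENGTH { return Err("expression too long".into()); }
    let toks = expr.replace('(', " ( ").replace(')', " ) ").split_whitespace().map(String::from).collect();
    let mut p = Parser { toks, pos: 0, attrs };
    let v = p.or(0)?;
    if p.pos == p.toks.len() { Ok(v) } else { Err("trailing tokens".into()) }
}
```

Both limits produce an `Err` rather than a `false` result, so a caller can tell a rejected policy string apart from a denied request.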
Enums§
- CompareOp - Comparison operators for attribute values
- ContextExpr - Context expression for ABAC evaluation
Constants§
- MAX_EXPR_DEPTH - Maximum depth of nested expressions (prevents stack overflow)
- MAX_EXPR_LENGTH - Maximum length of expression string (DoS prevention)