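#!/bin/sh
#
#####################################################################
# This example demonstrates using an oset (object set) to control access
# to files based on the attributes of the principals. The script creates
# three principals Alpha, Bob and Joe and sets out the access policy.
#
# Files are named by URNs and are not principals.
#
# A principal's access rights are controlled by the Alpha principal. If a
# principal has the role role:access(string:'Read', urn:filename) that
# principal can Read filename.
# The policy names 2 teams, proj1 and proj2. A principal is on proj1 if it
# has the role team(string:'proj1') defined by Alpha (written
# [keyid:Alpha].role:team(string:'proj1')). Each project has an associated set
# of files, defined by object sets. A file is in proj1's documents if it is in
# the oset of documents('proj1') defined by Alpha, written
# [keyid:Alpha].oset:documents(string:'proj1')
#
# The example below lays out the policy that members of a given project can
# Read the documents of that project in Credential 1 and adds the URN
# file//fileA to the document set for proj1 in Credential 2 - note that no
# principal is required for fileA. Credentials 3 & 4 add Bob to proj1 and Joe
# to proj2.
#
# The attached ./run_query file runs 3 queries. First it confirms that Bob can
# Read fileA, then it confirms that Joe cannot. Finally it confirms that Joe is
# in proj2.
#
# Notes on trust and key handling:
#   * Alpha_private.pem signs every credential issued below, so it is the
#     root of this policy: any holder of that key can issue credentials
#     granting any role or oset membership in Alpha's name. Keep it out of
#     shared or world-readable directories.
#   * Bob and Joe are named in credentials 3 and 4 by certificate file
#     (--subject-cert), not by the CN string; the query notation below
#     refers to them as [keyid:Bob] / [keyid:Joe], so presumably the keyid
#     is derived from the certificate - confirm against creddy's docs.
#   * Files are identified by exact URN strings. Credential 2 and the
#     queries in ./run_query must spell 'file//fileA' identically, or the
#     membership check will not match (it is a literal, not a file path).
#
# Usage: run from a writable working directory with creddy on PATH. All
# generated keys, certificates and credentials are written to the current
# directory. The script stops at the first failing creddy invocation so a
# missing credential is never silently skipped.
#####################################################################

# access_rt2_typed

# alpha.access(Read,fileA)<-?-bob good
# [keyid:Alpha].role:access([string:'Read'],[urn:'file//fileA']) <-?- [keyid:Bob] (yes)

set -eu

# Print a message to stderr and exit non-zero.
# Arguments: message words, joined by spaces
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Issue one attribute credential signed by Alpha.
# Arguments: the credential-specific creddy --attribute options
#            (--role/--oset, --subject-*, --out), passed through unchanged
#            and in the given order after the shared issuer/key options.
# Returns:   0 on success; exits via die if creddy fails.
issue() {
  creddy --attribute --issuer Alpha_ID.pem --key Alpha_private.pem "$@" \
    || die "creddy --attribute failed:" "$@"
}

# Generate the three identities, then issue credentials 1-4.
# Globals:   alpha_keyid (written), access_qFqP, team_qP (written)
# Outputs:   Alpha_*.der credential files in the current directory
main() {
  command -v creddy >/dev/null 2>&1 || die "creddy not found in PATH"

  # Generate an identity (key pair + certificate) for each principal. The
  # rest of the script expects --generate to leave <CN>_ID.pem and
  # <CN>_private.pem in the current directory, as the file names used below
  # show.
  for cn in Alpha Bob Joe; do
    creddy --generate --cn "$cn" || die "cannot generate identity for $cn"
  done

  # Only Alpha's keyid is embedded in a rule body; Bob and Joe are named by
  # their certificates via --subject-cert, so their keyids are not needed.
  # Assignment and command are on one line so a failing creddy is caught.
  alpha_keyid=$(creddy --keyid --cert Alpha_ID.pem) \
    || die "cannot read keyid from Alpha_ID.pem"
  [ -n "$alpha_keyid" ] || die "empty keyid for Alpha"

  # Rule bodies shared with the output file names; ?F and ?P are variables
  # bound when the credentials are queried.
  access_qFqP="access([string:'Read'],[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])])"
  team_qP="team([string:?P])"

  # Credential 1
  # [keyid:alpha].role:access([string:'Read'],
  #                           [urn:?F[keyid:alpha].oset:documents([string:?P])])
  #   <- [keyid:alpha].role:team([string:?P])
  issue --role "$access_qFqP" \
    --subject-cert Alpha_ID.pem --subject-role "$team_qP" \
    --out Alpha_access_qFqP__alpha_team_qP_attr.der

  # Credential 2
  # [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
  issue --oset "documents([string:'proj1'])" \
    --subject-obj "[urn:'file//fileA']" \
    --out Alpha_documents_proj1__fileA_attr.der

  # Credential 3
  # [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob]
  issue --role "team([string:'proj1'])" \
    --subject-cert Bob_ID.pem \
    --out Alpha_team_proj1__Bob_attr.der

  # Credential 4
  # [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]
  issue --role "team([string:'proj2'])" \
    --subject-cert Joe_ID.pem \
    --out Alpha_team_proj2__Joe_attr.der
}

main "$@"

#####################################################################
# The policy again, in the short and the typed notation, for reference.
#
# alpha.access(Read,?F:alpha.documents(?proj)) <- alpha.team(?proj)
# [keyid:alpha].role:access([string:'Read'],
#                           [urn:?F[keyid:alpha].oset:documents([string:?P])])
#   <- [keyid:alpha].role:team([string:?P])
#
# [keyid:alpha].role:access([string:'Read'], [urn:?F]) <- [principal:?B]
# [keyid:alpha].oset:documents([string:?P]) <- [urn:?F]
# [keyid:alpha].role:team([string:?P]) <- [principal:?B]
#
#
# alpha.documents(proj1)<-fileA
# [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
# isMember('file//fileA', oset(alpha,documents,'proj1'))
#
# alpha.team(proj1)<-bob
# [keyid:alpha].role:team([string:'proj1'])<-[keyid:bob]
# isMember(bob,role(alpha,team,'proj1'))
#
# query,
# alpha.access(Read,fileA)<-?-bob good
# [keyid:alpha].role:access([string:'Read'],[urn:'file//fileA']) <- [keyid:bob]
# isMember(bob, role(alpha, access, 'Read', 'file//fileA')).
#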