
1) added namespace
2) tweak ?This,
3) allowing linking role/oset as constraining conditions
4) adding access_tests regression testing that uses GENI's access policy
5) added couple multi contexts regression tests
6) add compression/decompression calls to abac_encode_string/abac_decode_string
(libstrongswan only allows 512 chars for attribute rule storage)
7) add attribute_now option to creddy that takes a whole char string for attribute
rule

#!/bin/sh

#####################################################################
# scenario #5
#     Explores relationship between slice and qualified controls
#
#  Drd, a geniPI, created slices 'sliceA' and 'sliceB'
#  Drd grants controlsQ/info to Lisa
#  Drd grants controlsQ_/info and controlsQ_/stop to Tim
#  Drd grants delegate_controlsQ_/info to John and
#                                 delegate_controlsQ_/instantiate to Tim
#  SA grants controlsQ/info and controlsQ/stop to Dan
#  SA grants controlsQ_/info and controlsQ_/stop to Frank and
#           controlsQ_/instantiate to Frank
#  SA grants delegate_controlsQ_/info to James and delegate_controlsQ_/stop to Lisa
#  SA grants delegate_controlsQ_/info (sliceB) to John
#  SA grants controls(sliceB) to Dan
#  SA grants delegate_controls_(sliceB) to Lisa
#  John grants controlsQ_/info (sliceB) to James
#  John grants controlsQ/info (sliceB) to Joe
#
#  Note: the credentials actually issued below diverge from this summary
#  in a few places: SA issues controlsQ/instantiate (not controlsQ_/...)
#  to Frank and controlsQ_/instantiate to John; Drd additionally issues
#  controlsQ/stop to James; and the Drd -> Lisa controlsQ/info credential
#  is issued twice.
#
#  Requires creddy on PATH. G_ID.pem, PA_ID.pem and SA_ID.pem are read but
#  never generated here; they must already be in the working directory.
#####################################################################

# Clear any ABAC_CN inherited from the environment before generating
# identities (presumably consulted by creddy --generate; confirm), so each
# principal is named only by the --cn given to makeWho.
unset ABAC_CN
# Every *_ID.pem certificate is looked up in the working directory.
keyloc=$(pwd)
# Scenario index; prefixes every output file this script writes.
sidx=s5
25
# Mint a fresh identity (key pair + certificate) for one principal with
# creddy, after removing any <name>_*.pem left over from an earlier run so
# the scenario never reuses stale keys.
# Arguments: $1 - common name of the principal. Must be non-empty: an empty
#            name would turn the cleanup glob into _*.pem.
# Globals:   WHO (written; plain sh has no local, so it stays set afterwards)
# Outputs:   creddy writes <name>_*.pem into the working directory
makeWho() {
  WHO=$1
  rm -rf -- "$WHO"_*.pem
  creddy --generate --cn "$WHO"
}
# Generate an identity for every principal that this scenario creates
# itself. G, PA and SA are not in the list: their certificates are only
# read below, so they must already exist. Reusing WHO as the loop
# variable is harmless because makeWho assigns the same value to it.
for WHO in GR IDP EXO Drd Frank Dan Lisa John Joe Tim James; do
  makeWho "$WHO"
done
42
# Resolve each principal's keyid from its certificate in $keyloc. The
# keyids are spliced into every attribute rule below and into the sed
# mapping file, so a missing certificate here leaves an empty keyid and
# silently corrupts later credentials; G_ID.pem, PA_ID.pem and SA_ID.pem
# in particular are not produced by makeWho above.
g=$(creddy --keyid --cert "$keyloc/G_ID.pem")
gr=$(creddy --keyid --cert "$keyloc/GR_ID.pem")
pa=$(creddy --keyid --cert "$keyloc/PA_ID.pem")
sa=$(creddy --keyid --cert "$keyloc/SA_ID.pem")
idp=$(creddy --keyid --cert "$keyloc/IDP_ID.pem")
exo=$(creddy --keyid --cert "$keyloc/EXO_ID.pem")
drd=$(creddy --keyid --cert "$keyloc/Drd_ID.pem")
frank=$(creddy --keyid --cert "$keyloc/Frank_ID.pem")
dan=$(creddy --keyid --cert "$keyloc/Dan_ID.pem")
lisa=$(creddy --keyid --cert "$keyloc/Lisa_ID.pem")
john=$(creddy --keyid --cert "$keyloc/John_ID.pem")
joe=$(creddy --keyid --cert "$keyloc/Joe_ID.pem")
tim=$(creddy --keyid --cert "$keyloc/Tim_ID.pem")
james=$(creddy --keyid --cert "$keyloc/James_ID.pem")
57
# Shared outputs for the whole scenario: the prolog clause file handed to
# every creddy call as --out_prolog, the attribute namespace, and the sed
# script that maps keyids back to principal names.
pname="${sidx}_yap_clauses"
namespace=access1
sfile="sfile_${sidx}"
61
# Issue IDP.geniUser <- <principal> for the principal whose keyid is held
# in the shell variable NAMED by $1 (e.g. "drd" selects $drd).
# Arguments: $1 - name of a shell variable holding a keyid. It is spliced
#            into an eval, so only literal identifiers from this script may
#            be passed here, never externally supplied text.
# Globals:   idp sidx pname namespace (read); namename attr name (written)
# Outputs:   ${sidx}_IDP_gUser__<$1>_attr.der via creddy, with $pname
#            passed as --out_prolog
idp_gUser()
{
  # eval is the portable way to do variable indirection in plain sh.
  eval "namename=\"[keyid:\$$1]\""
  name="${sidx}_IDP_gUser__${1}_attr.der"
  attr="[keyid:$idp].role:geniUser <- $namename"
  creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"
}
69
## Issue the four credentials that establish a slice requested by a PI
## from SA: PI.slice, SA.standard, SA.owner(slice) and SA.root(slice).
## Usage:     makeSlice $drd sliceA Drd
## Arguments: $1 - keyid of the requesting PI
##            $2 - slice name (quoted into a [string:'...'] term)
##            $3 - PI's display name, used only in output file names
## Globals:   sa sidx pname namespace (read); what attr name (written,
##            plain sh has no local)
## Outputs:   four ${sidx}_*_attr.der files via creddy, $pname passed as
##            --out_prolog on each call
makeSlice() {
  what="'$2'"

  # PI.slice <- 'slice'
  name="${sidx}_${3}_slice__${2}_attr.der"
  attr="[keyid:$1].oset:slice <- [string:$what]"
  creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

  # SA.standard <- 'slice'
  name="${sidx}_SA_standard__${2}_attr.der"
  attr="[keyid:$sa].oset:standard <- [string:$what]"
  creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

  # SA.owner('slice') <- PI
  name="${sidx}_SA_owner_${2}__${3}_attr.der"
  attr="[keyid:$sa].role:owner([string:$what]) <- [keyid:$1]"
  creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

  # SA.root('slice') <- PI
  name="${sidx}_SA_root_${2}__${3}_attr.der"
  attr="[keyid:$sa].role:root([string:$what]) <- [keyid:$1]"
  creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"
}
91
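###############################################################################
# Build the sed script $sfile that maps every principal's keyid back to its
# readable name (one "s/<keyid>/<Name>/g" command per principal), so prover
# output can be read without decoding keyids.
# Globals: g gr pa sa idp exo drd frank dan lisa john joe tim james sfile (read)
# Outputs: overwrites $sfile
# PA is mapped here too: $pa is used in the GR.projectAuthority credential
# below, and the original list wrote the SA line twice instead of a PA line,
# leaving PA's keyid untranslated.
printf 's/%s/G/g \n' "$g" > "$sfile"
printf 's/%s/GR/g \n' "$gr" >> "$sfile"
printf 's/%s/PA/g \n' "$pa" >> "$sfile"
printf 's/%s/SA/g \n' "$sa" >> "$sfile"
printf 's/%s/IDP/g \n' "$idp" >> "$sfile"
printf 's/%s/EXO/g \n' "$exo" >> "$sfile"
printf 's/%s/Drd/g \n' "$drd" >> "$sfile"
printf 's/%s/Frank/g \n' "$frank" >> "$sfile"
printf 's/%s/Dan/g \n' "$dan" >> "$sfile"
printf 's/%s/Lisa/g \n' "$lisa" >> "$sfile"
printf 's/%s/John/g \n' "$john" >> "$sfile"
printf 's/%s/Joe/g \n' "$joe" >> "$sfile"
printf 's/%s/Tim/g \n' "$tim" >> "$sfile"
printf 's/%s/James/g \n' "$james" >> "$sfile"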
107
# Federation trust structure: G is the root, GR is its geniRoot, and GR
# vouches for the slice authority, identity provider, project authority and
# aggregate. Each step writes one ${sidx}_*_attr.der credential and passes
# $pname as --out_prolog.

# G.geniRoot <- GR
name="${sidx}_G_geniRoot__gr_attr.der"
attr="[keyid:$g].role:geniRoot <- [keyid:$gr]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

# GR.sliceAuthority <- SA
name="${sidx}_GR_sliceAuthority__sa_attr.der"
attr="[keyid:$gr].role:sliceAuthority <- [keyid:$sa]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

# GR.identityProvider <- IDP
name="${sidx}_GR_identityProvider__idp_attr.der"
attr="[keyid:$gr].role:identityProvider <- [keyid:$idp]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

# GR.projectAuthority <- PA
name="${sidx}_GR_projAuthority__pa_attr.der"
attr="[keyid:$gr].role:projectAuthority <- [keyid:$pa]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

# GR.aggregate <- EXO
name="${sidx}_GR_aggregate__exo_attr.der"
attr="[keyid:$gr].role:aggregate <- [keyid:$exo]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"
132
# Every human principal is a geniUser of IDP (IDP.geniUser <- X). The loop
# variable holds the NAME of the keyid variable, which idp_gUser
# dereferences; it becomes a global in plain sh.
for user in drd frank dan lisa john joe tim james; do
  idp_gUser "$user"
done

# IDP.geniPI <- Drd   (Drd is the only PI in this scenario)
name="${sidx}_IDP_geniPI__drd_attr.der"
attr="[keyid:$idp].role:geniPI <- [keyid:$drd]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"
154
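## Drd requests sliceB and then sliceA from SA; makeSlice issues the four
## credentials per slice (Drd.slice, SA.standard, SA.owner, SA.root).
## $drd is quoted so that a missing Drd_ID.pem (empty keyid) fails inside
## makeSlice instead of shifting the positional arguments and producing
## mis-named credentials.
makeSlice "$drd" sliceB Drd
makeSlice "$drd" sliceA Drd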
159
## Grants issued directly by SA. controlsQ(slice, op) is the qualified
## control right, controlsQ_ its delegatable variant (spelled controlsQDel
## in the file names), and delegate_* the right to hand it on. Each grant
## writes one ${sidx}_SA_*_attr.der and passes $pname as --out_prolog.

## SA.controlsQ('sliceA','info') <- Dan
name="${sidx}_SA_controlsQ_sliceA_info__dan_attr.der"
attr="[keyid:$sa].role:controlsQ([string:'sliceA'],[string:'info']) <- [keyid:$dan]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## SA.controlsQ('sliceA','stop') <- Dan
name="${sidx}_SA_controlsQ_sliceA_stop__dan_attr.der"
attr="[keyid:$sa].role:controlsQ([string:'sliceA'],[string:'stop']) <- [keyid:$dan]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## SA.controlsQ('sliceA','instantiate') <- Frank
## (the header summary says controlsQ_ here; the rule is the plain form)
name="${sidx}_SA_controlsQ_sliceA_instantiate__frank_attr.der"
attr="[keyid:$sa].role:controlsQ([string:'sliceA'],[string:'instantiate']) <- [keyid:$frank]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## SA.controlsQ_('sliceA','info') <- Frank
name="${sidx}_SA_controlsQDel_sliceA__info_frank_attr.der"
attr="[keyid:$sa].role:controlsQ_([string:'sliceA'],[string:'info']) <- [keyid:$frank]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## SA.controlsQ_('sliceA','stop') <- Frank
name="${sidx}_SA_controlsQDel_sliceA__stop_frank_attr.der"
attr="[keyid:$sa].role:controlsQ_([string:'sliceA'],[string:'stop']) <- [keyid:$frank]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## SA.controlsQ_('sliceA','instantiate') <- John   (not listed in the header)
name="${sidx}_SA_controlsQDel_sliceA_instantiate__john_attr.der"
attr="[keyid:$sa].role:controlsQ_([string:'sliceA'],[string:'instantiate']) <- [keyid:$john]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## SA.delegate_controlsQ_('sliceA','info') <- James
name="${sidx}_SA_delcontrolsQDel_sliceA_info__james_attr.der"
attr="[keyid:$sa].role:delegate_controlsQ_([string:'sliceA'],[string:'info']) <- [keyid:$james]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## SA.delegate_controlsQ_('sliceA','stop') <- Lisa
name="${sidx}_SA_delcontrolsQDel_sliceA_stop__lisa_attr.der"
attr="[keyid:$sa].role:delegate_controlsQ_([string:'sliceA'],[string:'stop']) <- [keyid:$lisa]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## SA.controls('sliceB') <- Dan   (unqualified control over the whole slice)
name="${sidx}_SA_controls_sliceB__dan_attr.der"
attr="[keyid:$sa].role:controls([string:'sliceB']) <- [keyid:$dan]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## SA.delegate_controls_('sliceB') <- Lisa
name="${sidx}_SA_delcontrols_sliceB__lisa_attr.der"
attr="[keyid:$sa].role:delegate_controls_([string:'sliceB']) <- [keyid:$lisa]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"
209
## Grants issued by Drd as owner of sliceA. Same conventions as the SA
## block: one ${sidx}_Drd_*_attr.der per grant, $pname as --out_prolog.

## Drd.controlsQ('sliceA','info') <- Lisa
name="${sidx}_Drd_controlsQ_sliceA_info__lisa_attr.der"
attr="[keyid:$drd].role:controlsQ([string:'sliceA'],[string:'info']) <- [keyid:$lisa]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## Drd.controlsQ('sliceA','stop') <- James   (not listed in the header)
name="${sidx}_Drd_controlsQ_sliceA_stop__james_attr.der"
attr="[keyid:$drd].role:controlsQ([string:'sliceA'],[string:'stop']) <- [keyid:$james]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## Drd.controlsQ_('sliceA','info') <- Tim
name="${sidx}_Drd_controlsQDel_sliceA_info__tim_attr.der"
attr="[keyid:$drd].role:controlsQ_([string:'sliceA'],[string:'info']) <- [keyid:$tim]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## Drd.controlsQ('sliceA','info') <- Lisa, issued a second time. This is an
## exact repeat of the first grant above and rewrites the same .der file;
## kept because the regression expectations may count on it.
name="${sidx}_Drd_controlsQ_sliceA_info__lisa_attr.der"
attr="[keyid:$drd].role:controlsQ([string:'sliceA'],[string:'info']) <- [keyid:$lisa]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## Drd.controlsQ_('sliceA','stop') <- Tim
name="${sidx}_Drd_controlsQDel_sliceA_stop__tim_attr.der"
attr="[keyid:$drd].role:controlsQ_([string:'sliceA'],[string:'stop']) <- [keyid:$tim]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## Drd.delegate_controlsQ_('sliceA','info') <- John
name="${sidx}_Drd_delcontrolsQDel_sliceA_info__john_attr.der"
attr="[keyid:$drd].role:delegate_controlsQ_([string:'sliceA'],[string:'info']) <- [keyid:$john]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## Drd.delegate_controlsQ_('sliceA','instantiate') <- Tim
name="${sidx}_Drd_delcontrolsQDel_sliceA_instantiate__tim_attr.der"
attr="[keyid:$drd].role:delegate_controlsQ_([string:'sliceA'],[string:'instantiate']) <- [keyid:$tim]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"
244
245
## sliceB delegation chain: SA lets John delegate controlsQ_/info, and John
## passes it on to James (delegatable) and Joe (plain). The output file
## names do not follow the issuer here (an SA-issued credential is stored
## as Drd_*, John-issued ones as SA_*); they are left unchanged because
## other scenario files may refer to these names.

## SA.delegate_controlsQ_('sliceB','info') <- John
name="${sidx}_Drd_delcontrolsQDel_sliceB_info__john_attr.der"
attr="[keyid:$sa].role:delegate_controlsQ_([string:'sliceB'],[string:'info']) <- [keyid:$john]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## John.controlsQ_('sliceB','info') <- James
name="${sidx}_SA_controlsQDel_sliceB_info__james_attr.der"
attr="[keyid:$john].role:controlsQ_([string:'sliceB'],[string:'info']) <- [keyid:$james]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"

## John.controlsQ('sliceB','info') <- Joe
name="${sidx}_SA_controlsQ_sliceB_info__joe_attr.der"
attr="[keyid:$john].role:controlsQ([string:'sliceB'],[string:'info']) <- [keyid:$joe]"
creddy --attrnow --string "$attr" --out "$name" --out_prolog "$pname" --namespace "$namespace"
260
261