source: examples/creddy_prover_tests/access_rt2/README @ c6d5da3

mei_rt2mei_rt2_fix_1
Last change on this file since c6d5da3 was f824a9e, checked in by Mei <mei@…>, 13 years ago

1) add more doc to python_tests

  • Property mode set to 100755
File size: 4.1 KB
RevLine 
[10e1588]1#!/bin/sh
2
[2c01913]3#####################################################################
4# This example demonstrates using an oset (object set) to control access
5# to files based on the attributes of the principals.  The script creates
6# three principals Alpha, Bob and Joe and sets out the access policy.
7#
8# files are named by URNs and are not principals.
9#
10# A principal's access rights are controlled by the Alpha principal.  If a
[9806e76]11# principal has the role role::aceess(string:'Read', urn:filename) that
12# principal can Read filename. 
[2c01913]13# The policy names 2 teams, proj1 and proj1.  A principal is on proj1 if it
14# has the role team(string:'proj1') defined by Alpha (written
15# [keyid:Alpha}.role:team(string:'proj1')).  Each project has an associated set
16# of files, defined by object sets.  A file is in proj1's documents if it is in
17# the oset of documents('proj1') defined by Alpha, written
18# [keyid:Alpha].oset:documents(string:'proj1'))
19#
20# The example below lays out the policy that members of a given project can
[9806e76]21# Read the documents of that project in Credential 1 and adds file://fileA to
[2c01913]22# the document set for proj1 in Credential 2 - note that no principal is
23# required for fileA.  Credentials 3 & 4 add Bob to proj1 and Joe to proj2.
24#
[9502c50]25# The attached ./run_query file runs 3 queries.  First it confirms that Bob can Read
[2c01913]26# fileA, then it confirms that Joe cannot.  Finally it confirms that Joe is in
27# proj2.
28
[f824a9e]29# access_rt2
[10e1588]30
[9806e76]31# alpha.access(Read,fileA)<-?-bob  good
32# [keyid:Alpha].role:access([string:'Read'],[urn:'file//fileA']) <-?- [keyid:Bob] (yes)
[10e1588]33
34creddy --generate --cn Alpha
35creddy --generate --cn Bob
36creddy --generate --cn Joe
37
38alpha_keyid=`creddy --keyid --cert Alpha_ID.pem`
39bob_keyid=`creddy --keyid --cert Bob_ID.pem`
40joe_keyid=`creddy --keyid --cert Joe_ID.pem`
41
[9806e76]42access_qFqP="access([string:'Read'],[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])])"
[10e1588]43team_qP="team([string:?P])"
44
[9806e76]45#[keyid:alpha].role:access([string:'Read'],
[da5afdf]46#                    [urn:?F[keyid:alpha].oset:documents([string:?P])])
[10e1588]47#                                     <- [keyid:alpha].role:team([string:?P])
[2c01913]48# Credential 1
[10e1588]49creddy --attribute \
50       --issuer Alpha_ID.pem --key Alpha_private.pem --role "$access_qFqP" \
51       --subject-cert Alpha_ID.pem --subject-role "$team_qP" \
52       --out Alpha_access_qFqP__alpha_team_qP_attr.der
53
54
[9502c50]55# Credential 2
[10e1588]56#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
57creddy --attribute \
58        --issuer Alpha_ID.pem --key Alpha_private.pem \
59        --oset "documents([string:'proj1'])" \
60        --subject-obj "[urn:'file//fileA']" \
61        --out Alpha_documents_proj1__fileA_attr.der
62
[9502c50]63# Credential 3
[10e1588]64# [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob]
65creddy --attribute \
66        --issuer Alpha_ID.pem --key Alpha_private.pem \
67        --role "team([string:'proj1'])" \
68        --subject-cert Bob_ID.pem \
69        --out Alpha_team_proj1__Bob_attr.der
70
[9502c50]71# Credential 4
[10e1588]72# [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]
73creddy --attribute \
74        --issuer Alpha_ID.pem --key Alpha_private.pem \
75        --role "team([string:'proj2'])" \
76        --subject-cert Joe_ID.pem \
77        --out Alpha_team_proj2__Joe_attr.der
78
79
80#####################################################################
[9806e76]81# alpha.access(Read,?F:alpha.documents(?proj)) <- alpha.team(?proj)
82# [keyid:alpha].role:access([string:'Read'],
[da5afdf]83#                    [urn:?F[keyid:alpha].oset:documents([string:?P])])
[10e1588]84#                                     <- [keyid:alpha].role:team([string:?P])
85#
[9806e76]86# [keyid:alpha].role:access([string:'Read'], [urn:?F])<- [principal:?B]
[440ba20]87#                [keyid:alpha].oset:documents([string:?P]) <- [urn:?F]
[10e1588]88#                [keyid:alpha].role:team([string:?P]) <- [principal:?B]
89#
90#
91# alpha.documents(proj1)<-fileA
92# [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
93# isMember('file//fileA', oset(alpha,documents,'proj1'))
94#
95# alpha.team(proj1)<-bob
96# [keyid:alpha].role:team([string:'proj1'])<-[keyid:bob]
97# isMember(bob,role(alpha,team,'proj1'))
98#
99# query,
[9806e76]100# alpha.access(Read,fileA)<-?-bob  good
101# [keyid:alpha].role:access([string:'Read'],[urn:'file//fileA']) <- [keyid:bob]
102# isMember(bob, role(alpha, access, 'Read', 'file//fileA')).
[10e1588]103#
Note: See TracBrowser for help on using the repository browser.