source: examples/creddy_prover_tests/file_read_rt2/README @ 2c03e57

#!/bin/sh
#
#####################################################################
# This example demonstrates using a parameters to control access to files based
# on the attributes of the principals.  The script creates three principals
# Alpha, Bob, Maryann and Joe and sets out the access policy.
# 
# files are named by URNs and are not principals.
# 
# A principal's access rights are controlled by the Alpha principal.  If a
# principal has the role role::read(urn:filename) that
# principal can read filename.  The policy is that the manager of the owner of
# a file can read it. (Presumably the owner can, too, but that is not encoded
# here.)
# 
# The example below lays out the policy that the manager of the owner of a file
# can read it in Credential 1. Credential 2 establishes Bob as the manager of
# Joe. and Credential 3 establishes Joe as the owner of the file.
#
# The attached ./run_query file runs 2 queries.  First it confirms that Bob can read
# fileA, then it confirms that Maryann cannot. 

# file_read_rt2

# alpha.read(fileA) <-?- Bob
#[keyid:Alpha].role:read([urn:'file://fileA']) <-?- [keyid:Bob] (yes)
#[keyid:Alpha].role:read([urn:'file://fileA']) <-?- [keyid:Maryann] (yes)

creddy --generate --cn Alpha
creddy --generate --cn Bob
creddy --generate --cn Maryann
creddy --generate --cn Joe

alpha_keyid=`creddy --keyid --cert Alpha_ID.pem`
bob_keyid=`creddy --keyid --cert Bob_ID.pem`
maryann_keyid=`creddy --keyid --cert Maryann_ID.pem`
joe_keyid=`creddy --keyid --cert Joe_ID.pem`

read_fileA="read([urn:'file://fileA'])"
managerof_joe="managerOf([keyid:$joe_keyid])"
ownerof_fileA="ownerOf([urn:'file://fileA'])"
managerof_qE="managerOf([principal:?E[keyid:$alpha_keyid].role:ownerOf([urn:?F])])"

# alpha.read(?F) <- alpha.managerOf(?E:alpha.ownerOf(?F))
# [keyid:alpha].role:read([urn:?F])<-
#    [keyid:alpha].role:managerOf([principal:?E[keyid:alpha].role:ownerOf([urn:?F])]
# Credential 1
creddy --attribute \
       --issuer Alpha_ID.pem --key Alpha_private.pem --role "read([urn:?F])" \
       --subject-cert Alpha_ID.pem --subject-role "$managerof_qE" \
       --out Alpha_read_qF__alpha_managerof_qE_attr.der

# Credential 2
#[keyid:Alpha].role:managerOf([Keyid:Joe]) <- [keyid:Bob]
creddy --attribute \
        --issuer Alpha_ID.pem --key Alpha_private.pem --role "$managerof_joe" \
        --subject-cert Bob_ID.pem \
        --out Alpha_managerof_Joe__Bob_attr.der

# Credential 3
#[keyid:Alpha].role:ownerOf([urn:'file://fileA']) <- [keyid:Joe]
creddy --attribute \
        --issuer Alpha_ID.pem --key Alpha_private.pem --role "$ownerof_fileA" \
        --subject-cert Joe_ID.pem \
        --out Alpha_ownerof_fileA__Joe_attr.der

####################################################################################
# note:
# 
# alpha.read(?F) <- alpha.manager(?E:alpha.owner(?F))
# [keyid:alpha].role:read([urn:?F])<-
#       #[keyid:alpha].role:manager([principal:?E[keyid:alpha].role:owner([urn:?F])])
# 
# alpha.read(?F) <- alpha.manager(?E) 
# and alpha.owner(?F) <- ?E
# 
# [keyid:alpha].role:read([urn:?F])<-[keyid:?M]
#     [keyid:alpha].role:manager([principal:?E])<-[keyid:?M]
#     [keyid:alpha].role:owner([urn:?F])<-[keyid:?E]
# 
# isMember(M,role(alpha,read,F)) :-
#       isMember(M, role(alpha,manager,E)),
#       isMember(E, role(alpha,owner,F))  <-- constraining rule
# 
# alpha.read(?F) <- alpha.manager(?E)
# alpha.owner(?F) <- ?E
# 
# condition like this,
#          ?E:A.r  needs to be translate into constraining rule,  A.r<-?E
# 
# query,
# alpha.read(fileA) <-?- Bob
# needs
# alpha.manager(Joe)<-Bob
# alpha.owner(fileA)<-Joe