source: examples/creddy_prover_tests/file_read_rt2/README @ 340bd01

Last change on this file since 340bd01 was f824a9e, checked in by Mei <mei@…>, 13 years ago

1) add more doc to python_tests

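#!/bin/sh
#
#####################################################################
# This example demonstrates using parameters to control access to files based
# on the attributes of the principals.  The script creates four principals,
# Alpha, Bob, Maryann and Joe, and sets out the access policy.
#
# Files are named by URNs and are not principals.
#
# A principal's access rights are controlled by the Alpha principal.  If a
# principal has the role role::read(urn:filename) that
# principal can read filename.  The policy is that the manager of the owner of
# a file can read it. (Presumably the owner can, too, but that is not encoded
# here.)
#
# The example below lays out the policy that the manager of the owner of a file
# can read it in Credential 1. Credential 2 establishes Bob as the manager of
# Joe, and Credential 3 establishes Joe as the owner of the file.
#
# All three credentials are issued and signed by Alpha, so Alpha's key is the
# only trust root in this example.
#
# The attached ./run_query file runs 2 queries.  First it confirms that Bob can read
# fileA, then it confirms that Maryann cannot.

# file_read_rt2

# alpha.read(fileA) <-?- Bob
#[keyid:Alpha].role:read([urn:'file://fileA']) <-?- [keyid:Bob] (yes)
#[keyid:Alpha].role:read([urn:'file://fileA']) <-?- [keyid:Maryann] (no)
#
# Maryann is the negative case: no credential below names her, so the prover
# must deny the query.  A "yes" here would mean the policy over-grants.

# Create one identity per principal.  The commands below read <cn>_ID.pem and
# Alpha_private.pem from the current directory; these are throwaway test
# identities and the private keys should not be reused elsewhere.
creddy --generate --cn Alpha
creddy --generate --cn Bob
creddy --generate --cn Maryann
creddy --generate --cn Joe

# Key ids are what the role strings and queries refer to.
alpha_keyid=$(creddy --keyid --cert Alpha_ID.pem)
bob_keyid=$(creddy --keyid --cert Bob_ID.pem)
maryann_keyid=$(creddy --keyid --cert Maryann_ID.pem)
joe_keyid=$(creddy --keyid --cert Joe_ID.pem)

# Stop before issuing anything if a key id is missing: an empty id would be
# spliced into the role strings below and produce credentials that do not
# express the intended policy.
for keyid in "$alpha_keyid" "$bob_keyid" "$maryann_keyid" "$joe_keyid"; do
    if [ -z "$keyid" ]; then
        echo "file_read_rt2: empty key id; check the creddy --generate output" >&2
        exit 1
    fi
done

# Role strings.  read_fileA is not used by the commands in this script.
read_fileA="read([urn:'file://fileA'])"
managerof_joe="managerOf([keyid:$joe_keyid])"
ownerof_fileA="ownerOf([urn:'file://fileA'])"
managerof_qE="managerOf([principal:?E[keyid:$alpha_keyid].role:ownerOf([urn:?F])])"

# alpha.read(?F) <- alpha.managerOf(?E:alpha.ownerOf(?F))
# [keyid:alpha].role:read([urn:?F])<-
#    [keyid:alpha].role:managerOf([principal:?E[keyid:alpha].role:ownerOf([urn:?F])])
# Credential 1
# ?E is constrained to members of alpha.ownerOf(?F), so read access to ?F is
# only derived through the manager of that file's owner.
creddy --attribute \
       --issuer Alpha_ID.pem --key Alpha_private.pem --role "read([urn:?F])" \
       --subject-cert Alpha_ID.pem --subject-role "$managerof_qE" \
       --out Alpha_read_qF__alpha_managerof_qE_attr.der

# Credential 2
#[keyid:Alpha].role:managerOf([Keyid:Joe]) <- [keyid:Bob]
creddy --attribute \
        --issuer Alpha_ID.pem --key Alpha_private.pem --role "$managerof_joe" \
        --subject-cert Bob_ID.pem \
        --out Alpha_managerof_Joe__Bob_attr.der

# Credential 3
#[keyid:Alpha].role:ownerOf([urn:'file://fileA']) <- [keyid:Joe]
creddy --attribute \
        --issuer Alpha_ID.pem --key Alpha_private.pem --role "$ownerof_fileA" \
        --subject-cert Joe_ID.pem \
        --out Alpha_ownerof_fileA__Joe_attr.der

####################################################################################
# note:
#
# alpha.read(?F) <- alpha.manager(?E:alpha.owner(?F))
# [keyid:alpha].role:read([urn:?F])<-
#       [keyid:alpha].role:manager([principal:?E[keyid:alpha].role:owner([urn:?F])])
#
# alpha.read(?F) <- alpha.manager(?E)
# and alpha.owner(?F) <- ?E
#
# [keyid:alpha].role:read([urn:?F])<-[keyid:?M]
#     [keyid:alpha].role:manager([principal:?E])<-[keyid:?M]
#     [keyid:alpha].role:owner([urn:?F])<-[keyid:?E]
#
# isMember(M,role(alpha,read,F)) :-
#       isMember(M, role(alpha,manager,E)),
#       isMember(E, role(alpha,owner,F))  <-- constraining rule
#
# alpha.read(?F) <- alpha.manager(?E)
# alpha.owner(?F) <- ?E
#
# A condition like this,
#          ?E:A.r  needs to be translated into a constraining rule,  A.r<-?E
#
# The query,
# alpha.read(fileA) <-?- Bob
# needs
# alpha.manager(Joe)<-Bob
# alpha.owner(fileA)<-Joe
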