[10e1588] | 1 | #!/bin/sh |
---|
[9502c50] | 2 | # |
---|
[2c01913] | 3 | ##################################################################### |
---|
| 4 | # This example demonstrates using a parameters to control access to files based |
---|
| 5 | # on the attributes of the principals. The script creates three principals |
---|
| 6 | # Alpha, Bob, Maryann and Joe and sets out the access policy. |
---|
| 7 | # |
---|
| 8 | # files are named by URNs and are not principals. |
---|
| 9 | # |
---|
| 10 | # A principal's access rights are controlled by the Alpha principal. If a |
---|
| 11 | # principal has the role role::read(urn:filename) that |
---|
| 12 | # principal can read filename. The policy is that the manager of the owner of |
---|
| 13 | # a file can read it. (Presumably the owner can, too, but that is not encoded |
---|
| 14 | # here.) |
---|
| 15 | # |
---|
| 16 | # The example below lays out the policy that the manager of the owner of a file |
---|
| 17 | # can read it in Credential 1. Credential 2 establishes Bob as the manager of |
---|
[9502c50] | 18 | # Joe. and Credential 3 establishes Joe as the owner of the file. |
---|
[2c01913] | 19 | # |
---|
[9502c50] | 20 | # The attached ./run_query file runs 2 queries. First it confirms that Bob can read |
---|
[2c01913] | 21 | # fileA, then it confirms that Maryann cannot. |
---|
| 22 | |
---|
[9502c50] | 23 | # file_read_rt2_typed |
---|
[10e1588] | 24 | |
---|
| 25 | # alpha.read(fileA) <-?- Bob |
---|
| 26 | #[keyid:Alpha].role:read([urn:'file://fileA']) <-?- [keyid:Bob] (yes) |
---|
| 27 | #[keyid:Alpha].role:read([urn:'file://fileA']) <-?- [keyid:Maryann] (yes) |
---|
| 28 | |
---|
| 29 | creddy --generate --cn Alpha |
---|
| 30 | creddy --generate --cn Bob |
---|
| 31 | creddy --generate --cn Maryann |
---|
| 32 | creddy --generate --cn Joe |
---|
| 33 | |
---|
| 34 | alpha_keyid=`creddy --keyid --cert Alpha_ID.pem` |
---|
| 35 | bob_keyid=`creddy --keyid --cert Bob_ID.pem` |
---|
| 36 | maryann_keyid=`creddy --keyid --cert Maryann_ID.pem` |
---|
| 37 | joe_keyid=`creddy --keyid --cert Joe_ID.pem` |
---|
| 38 | |
---|
| 39 | read_fileA="read([urn:'file://fileA'])" |
---|
| 40 | managerof_joe="managerOf([keyid:$joe_keyid])" |
---|
| 41 | ownerof_fileA="ownerOf([urn:'file://fileA'])" |
---|
[da5afdf] | 42 | managerof_qE="managerOf([principal:?E[keyid:$alpha_keyid].role:ownerOf([urn:?F])])" |
---|
[10e1588] | 43 | |
---|
| 44 | # alpha.read(?F) <- alpha.managerOf(?E:alpha.ownerOf(?F)) |
---|
| 45 | # [keyid:alpha].role:read([urn:?F])<- |
---|
[da5afdf] | 46 | # [keyid:alpha].role:managerOf([principal:?E[keyid:alpha].role:ownerOf([urn:?F])] |
---|
[9502c50] | 47 | # Credential 1 |
---|
[10e1588] | 48 | creddy --attribute \ |
---|
| 49 | --issuer Alpha_ID.pem --key Alpha_private.pem --role "read([urn:?F])" \ |
---|
| 50 | --subject-cert Alpha_ID.pem --subject-role "$managerof_qE" \ |
---|
| 51 | --out Alpha_read_qF__alpha_managerof_qE_attr.der |
---|
| 52 | |
---|
[9502c50] | 53 | # Credential 2 |
---|
[10e1588] | 54 | #[keyid:Alpha].role:managerOf([Keyid:Joe]) <- [keyid:Bob] |
---|
| 55 | creddy --attribute \ |
---|
| 56 | --issuer Alpha_ID.pem --key Alpha_private.pem --role "$managerof_joe" \ |
---|
| 57 | --subject-cert Bob_ID.pem \ |
---|
| 58 | --out Alpha_managerof_Joe__Bob_attr.der |
---|
| 59 | |
---|
[9502c50] | 60 | # Credential 3 |
---|
[10e1588] | 61 | #[keyid:Alpha].role:ownerOf([urn:'file://fileA']) <- [keyid:Joe] |
---|
| 62 | creddy --attribute \ |
---|
| 63 | --issuer Alpha_ID.pem --key Alpha_private.pem --role "$ownerof_fileA" \ |
---|
| 64 | --subject-cert Joe_ID.pem \ |
---|
| 65 | --out Alpha_ownerof_fileA__Joe_attr.der |
---|
| 66 | |
---|
| 67 | #################################################################################### |
---|
| 68 | # note: |
---|
| 69 | # |
---|
| 70 | # alpha.read(?F) <- alpha.manager(?E:alpha.owner(?F)) |
---|
| 71 | # [keyid:alpha].role:read([urn:?F])<- |
---|
[da5afdf] | 72 | # #[keyid:alpha].role:manager([principal:?E[keyid:alpha].role:owner([urn:?F])]) |
---|
[10e1588] | 73 | # |
---|
| 74 | # alpha.read(?F) <- alpha.manager(?E) |
---|
| 75 | # and alpha.owner(?F) <- ?E |
---|
| 76 | # |
---|
| 77 | # [keyid:alpha].role:read([urn:?F])<-[keyid:?M] |
---|
| 78 | # [keyid:alpha].role:manager([principal:?E])<-[keyid:?M] |
---|
| 79 | # [keyid:alpha].role:owner([urn:?F])<-[keyid:?E] |
---|
| 80 | # |
---|
| 81 | # isMember(M,role(alpha,read,F)) :- |
---|
| 82 | # isMember(M, role(alpha,manager,E)), |
---|
| 83 | # isMember(E, role(alpha,owner,F)) <-- constraining rule |
---|
| 84 | # |
---|
| 85 | # alpha.read(?F) <- alpha.manager(?E) |
---|
| 86 | # alpha.owner(?F) <- ?E |
---|
| 87 | # |
---|
| 88 | # condition like this, |
---|
| 89 | # ?E:A.r needs to be translate into constraining rule, A.r<-?E |
---|
| 90 | # |
---|
| 91 | # query, |
---|
| 92 | # alpha.read(fileA) <-?- Bob |
---|
| 93 | # needs |
---|
| 94 | # alpha.manager(Joe)<-Bob |
---|
| 95 | # alpha.owner(fileA)<-Joe |
---|
| 96 | |
---|