source: examples/example_scripts/python/abac_attr.py @ f89b991

mei_rt2
Last change on this file since f89b991 was 2e9455f, checked in by Mei <mei@…>, 11 years ago

1) added namespace
2) tweak ?This,
3) allowing linking role/oset as constraining conditions
4) adding access_tests regression testing that uses GENI's access policy
5) added couple multi contexts regression tests
6) add compression/uncompression calls to abac_encode_string/abac_decode_string
(libstrongwan only allows 512 char for attribute rule storage)
7) add attribute_now option to creddy that takes a whole char string for attribute
rule

  • Property mode set to 100755
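#!/usr/bin/env python

"""
    abac_attr.py

    Demonstrates how to use ABAC's API from Python.

    call:   abac_attr.py IceCream_ID.pem IceCream_private.pem IceCream_attr.der Chocolate_ID.pem

    pre-conditions: generate IceCream_ID.pem and IceCream_private.pem with
            creddy --generate --cn IceCream
                    generate Chocolate_ID.pem and Chocolate_private.pem with
            creddy --generate --cn Chocolate

    This program generates an attribute rule, writes it out to an external
            file and also loads it into the context (prolog db)
            [keyid:IceCream].delicious <- [keyid:Chocolate]

    Then a query is made against the context to see if it is populated
    correctly.

    Note: Chocolate's principal is loaded without its private key. The key is
          not needed because Chocolate is not used to generate the attribute
          credential; the only private key this script reads is IceCream's
          (second argument).

    The statements below use syntax accepted by both Python 2.6+ and
    Python 3; which interpreter actually works depends on the installed
    ABAC bindings.
"""

from sys import argv, exit
from ABAC import Context
from ABAC import ID, Attribute, Role

# Set to 1 for extra tracing.
# NOTE(review): the debug branches call print_key_chunk() on an ID whose
# private key has been loaded; presumably that writes key material to
# stdout -- confirm before enabling it where output is captured or shared.
debug = 0

# start from a fresh context
ctxt = Context()

# Argument-count trace; only useful when debugging, so it is gated on the
# debug flag rather than printed on every run.
if debug:
    print(len(argv))

if len(argv) != 5:
    print("Usage: abac_attr.py <cert.pem> <key.pem> <attr.der> <pcert.pem>")
    exit(1)

# issuer:  the principal that creates the attribute (cert + private key)
# subject: the principal the attribute is granted to (cert only)
# Named this way to avoid shadowing the builtin id().
issuer = None
subject = None

try:
    issuer = ID(argv[1])
    issuer.id_load_privkey_file(argv[2])
    subject = ID(argv[4])
except Exception as e:
    # Reached for a failure in any of the three loads above, including the
    # private key file, even though the message only mentions the cert.
    print("Problem loading ID cert: %s" % e)
    exit(1)

if debug:
    print("before the load")
    issuer.print_key_chunk()

# load the issuer into the context from its cert and private key chunks
ctxt.load_id_chunks(issuer.id_cert_chunk(), issuer.id_privkey_chunk())
# another way to load an id into the context: hand over the ID object
ctxt.load_id(subject)
# (chunk-based alternative for the subject, kept for reference)
#ctxt.load_id_chunks(subject.id_cert_chunk(), subject.id_privkey_chunk())

if debug:
    print("after the load")
    print("old,")
    issuer.print_key_chunk()

# fetch the issuer back out of the context by key id
nid = ctxt.lookup_principal(issuer.id_keyid())
if debug:
    print("new,")
    nid.print_key_chunk()

# (optional dump of every principal in the context, kept for reference)
#out = ctxt.context_principals()
#print "\n...final principal set..."
#for x in out[1]:
#    print "%s " % x.string()


# create an attribute cert
# iceCream.delicious <- chocolate
head = Role(issuer.id_keyid(), "delicious")
tail = Role(subject.id_keyid())

# NOTE(review): 1800 is presumably the validity period of the credential
# (seconds?) -- confirm against the ABAC bindings before reusing this value.
attr = Attribute(head, 1800)
attr.attribute_add_tail(tail)
attr.attribute_bake()

# load attribute cert into the context
ctxt.load_attribute_chunk(attr.cert_chunk())

# another way to load the attribute cert into the context,
#ctxt.load_attribute(attr)

# yet another way: write the cert to the path given as the third argument
# and load it from that file.  The write always happens; the load is left
# commented out.
# NOTE(review): how attribute_write_cert treats an already existing file at
# that path is not visible here -- confirm before pointing it at a shared
# location.
attr.attribute_write_cert(argv[3])
# ctxt.load_attribute_file(argv[3])

# what is in prolog db
# ctxt.dump_yap_db()

# run a proof: does the subject hold issuer.delicious?
role = Role(issuer.id_keyid(), "delicious")
p = Role(subject.id_keyid())

out = ctxt.query(role, p)
# NOTE(review): only out[1] (the credentials) is used; out[0] is ignored.
# Presumably out[0] carries the success flag of the query -- confirm, and
# check it before treating the printed chain as a completed proof.
for c in out[1]:
    print("%s <- %s" % (c.head_string(), c.tail_string()))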