| 1 | #!/usr/bin/env python |
|---|
| 2 | |
|---|
| 3 | /** |
|---|
| 4 | abac_attr.py |
|---|
| 5 | |
|---|
| 6 | To demonstrate how to use ABAC's api in C |
|---|
| 7 | |
|---|
| 8 | call: attr_abac IceCream_ID.pem IceCream_private.pem IceCream_attr.der Chocolate_ID.pem |
|---|
| 9 | |
|---|
| 10 | pre-conditions: generate IceCream_ID.pem and IceCream_private.pem with |
|---|
| 11 | creddy --generate --cn IceCream |
|---|
| 12 | generate Chocolate_ID.pem and Chocolate_private.pem with |
|---|
| 13 | creddy --generate --cn Chocolate |
|---|
| 14 | |
|---|
| 15 | This program will generate an attribute rule, write it out to an external |
|---|
| 16 | file and also load it into the context (prolog db) |
|---|
| 17 | [keyid:IceCream].delicious <- [Keyid:Chocolate] |
|---|
| 18 | |
|---|
| 19 | Then, a query is made against the context to see if it is populated correctly. |
|---|
| 20 | |
|---|
| 21 | Note: Chocolate's principal is loaded without it private key. It does not |
|---|
| 22 | need to because it is not being used to generate attribute credential |
|---|
| 23 | |
|---|
| 24 | **/ |
|---|
| 25 | |
|---|
| 26 | |
|---|
| 27 | from sys import argv, exit |
|---|
| 28 | from ABAC import Context |
|---|
| 29 | from ABAC import ID, Attribute, Role |
|---|
| 30 | |
|---|
| 31 | debug=0 |
|---|
| 32 | |
|---|
| 33 | ## initial context |
|---|
| 34 | ctxt = Context() |
|---|
| 35 | |
|---|
| 36 | if len(argv) != 5: |
|---|
| 37 | print "Usage: abac_attr.py <cert.pem> <key.pem> <attr.der> <pcert.pem>" |
|---|
| 38 | exit(1) |
|---|
| 39 | |
|---|
| 40 | # load the ID and its key |
|---|
| 41 | id = None |
|---|
| 42 | try: |
|---|
| 43 | id = ID(argv[1]) |
|---|
| 44 | id.id_load_privkey_file(argv[2]) |
|---|
| 45 | chocolate_id = ID(argv[4]) |
|---|
| 46 | except Exception, e: |
|---|
| 47 | print "Problem loading ID cert: %s" % e |
|---|
| 48 | exit(1) |
|---|
| 49 | |
|---|
| 50 | if debug : |
|---|
| 51 | print "before the load" |
|---|
| 52 | id.print_key_chunk() |
|---|
| 53 | |
|---|
| 54 | # load the id into the context |
|---|
| 55 | ctxt.load_id_chunks(id.id_cert_chunk(), id.id_privkey_chunk()) |
|---|
| 56 | # another way to load the id into the context |
|---|
| 57 | #ctxt.load_id(id) |
|---|
| 58 | ctxt.load_id(chocolate_id) |
|---|
| 59 | |
|---|
| 60 | if debug : |
|---|
| 61 | print "after the load" |
|---|
| 62 | print "old," |
|---|
| 63 | id.print_key_chunk() |
|---|
| 64 | |
|---|
| 65 | nid=ctxt.lookup_principal(id.id_keyid()) |
|---|
| 66 | if debug : |
|---|
| 67 | print "new," |
|---|
| 68 | nid.print_key_chunk() |
|---|
| 69 | |
|---|
| 70 | out = ctxt.context_principals() |
|---|
| 71 | print "\n...final principal set..." |
|---|
| 72 | for x in out[1]: |
|---|
| 73 | print "%s " % x.string() |
|---|
| 74 | |
|---|
| 75 | |
|---|
| 76 | # create an attribute cert |
|---|
| 77 | # iceCream.delicous <- chocolate |
|---|
| 78 | head= Role(id.id_keyid(),"delicious") |
|---|
| 79 | tail= Role(chocolate_id.id_keyid()) |
|---|
| 80 | |
|---|
| 81 | attr = Attribute(head, 1800) |
|---|
| 82 | attr.attribute_add_tail(tail) |
|---|
| 83 | attr.attribute_bake() |
|---|
| 84 | |
|---|
| 85 | # load attribute cert into the context |
|---|
| 86 | ctxt.load_attribute_chunk(attr.cert_chunk()) |
|---|
| 87 | |
|---|
| 88 | # another way to load the attribute cert into the context, |
|---|
| 89 | # ctxt.load_attribute(attr) |
|---|
| 90 | |
|---|
| 91 | # yet another way to load the attribute cert into the context, |
|---|
| 92 | attr.attribute_write_cert(argv[3]) |
|---|
| 93 | # ctxt.load_attribute_file(argv[3]) |
|---|
| 94 | |
|---|
| 95 | # what is in prolog db |
|---|
| 96 | # ctxt.dump_yap_db() |
|---|
| 97 | |
|---|
| 98 | # run a proof |
|---|
| 99 | role = Role(id.id_keyid(),"delicious") |
|---|
| 100 | p=Role(chocolate_id.id_keyid()) |
|---|
| 101 | |
|---|
| 102 | out = ctxt.query(role, p) |
|---|
| 103 | for c in out[1]: |
|---|
| 104 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
|---|
| 105 | |
|---|
