| 1 | #!/usr/bin/env python |
|---|
| 2 | |
|---|
| 3 | """ |
|---|
| 4 | abac_e_attr.py |
|---|
| 5 | |
|---|
| 6 | To demonstrate how to use ABAC's api in python with principal credential that uses |
|---|
| 7 | encrypted private key |
|---|
| 8 | |
|---|
| 9 | call: attr_e_abac Soda_ID.pem Soda_private.pem Soda_attr.der pfile Cream_ID.pem |
|---|
| 10 | |
|---|
| 11 | pre-conditions: make a passpphrase file and |
|---|
| 12 | generate a Soda_private.pem with passphrase with openssl |
|---|
| 13 | generate Soda_ID.pem with creddy with supplied private key |
|---|
| 14 | generate Cream_ID.pem and clear Cream_private.pem with |
|---|
| 15 | creddy --generate --cn Cream |
|---|
| 16 | |
|---|
| 17 | This program will generate an attribute rule, write it out to an external |
|---|
| 18 | file and also load it into the context |
|---|
| 19 | Soda.delicious <- Cream |
|---|
| 20 | |
|---|
| 21 | Then, a query is made against the context to see if it is populated correctly. |
|---|
| 22 | |
|---|
| 23 | Note: Cream's principal is loaded without it private key. It does not |
|---|
| 24 | need to because it is not being used to generate attribute credential |
|---|
| 25 | |
|---|
| 26 | """ |
|---|
| 27 | |
|---|
| 28 | |
|---|
| 29 | |
|---|
| 30 | |
|---|
| 31 | from sys import argv, exit |
|---|
| 32 | from ABAC import Context |
|---|
| 33 | from ABAC import ID, Attribute, Role |
|---|
| 34 | |
|---|
| 35 | debug=0 |
|---|
| 36 | |
|---|
| 37 | ## initial context |
|---|
| 38 | ctxt = Context() |
|---|
| 39 | |
|---|
| 40 | if len(argv) != 6: |
|---|
| 41 | print "Usage: abac_attr.py <cert.pem> <key.pem> <attr.xml> <pfile> <c_cert.pem>" |
|---|
| 42 | exit(1) |
|---|
| 43 | |
|---|
| 44 | # load the ID and its key |
|---|
| 45 | id = None |
|---|
| 46 | try: |
|---|
| 47 | id = ID(argv[1]) |
|---|
| 48 | id.load_privkey(argv[2]) |
|---|
| 49 | cream_id = ID(argv[5]) |
|---|
| 50 | except Exception, e: |
|---|
| 51 | print "Problem loading ID cert: %s" % e |
|---|
| 52 | exit(1) |
|---|
| 53 | |
|---|
| 54 | # load the id into the context |
|---|
| 55 | ctxt.load_id_chunk(id.cert_chunk()) |
|---|
| 56 | # another way to load the id into the context |
|---|
| 57 | # ctxt.load_id(cream_id), not implemented |
|---|
| 58 | ctxt.load_id_chunk(cream_id.cert_chunk()) |
|---|
| 59 | |
|---|
| 60 | # create an attribute cert |
|---|
| 61 | attr = Attribute(id, "delicious", 1000) |
|---|
| 62 | attr.principal(cream_id.keyid()) |
|---|
| 63 | attr.bake() |
|---|
| 64 | |
|---|
| 65 | # load attribute cert into the context |
|---|
| 66 | ctxt.load_attribute_chunk(attr.cert_chunk()) |
|---|
| 67 | |
|---|
| 68 | # another way to load the attribute cert into the context, |
|---|
| 69 | # ctxt.load_attribute(attr) |
|---|
| 70 | |
|---|
| 71 | # yet another way to load the attribute cert into the context, |
|---|
| 72 | attr.write_file(argv[3]) |
|---|
| 73 | # ctxt.load_attribute_file(argv[3]) |
|---|
| 74 | |
|---|
| 75 | print '---------' |
|---|
| 76 | (credentials) = ctxt.credentials() |
|---|
| 77 | for credential in credentials: |
|---|
| 78 | print "credential %s <- %s" % (credential.head().string(), credential.tail().string()) |
|---|
| 79 | print '---------' |
|---|
| 80 | |
|---|
| 81 | |
|---|
| 82 | (success, credentials) = ctxt.query("%s.delicious" % id.keyid(), cream_id.keyid()) |
|---|
| 83 | if success: |
|---|
| 84 | print "success!" |
|---|
| 85 | for credential in credentials: |
|---|
| 86 | print "credential %s <- %s" % (credential.head().string(), credential.tail().string()) |
|---|
| 87 | |
|---|
