[2e9455f] | 1 | #!/usr/bin/env python |
---|
| 2 | |
---|
| 3 | """ |
---|
| 4 | Run the queries described in README |
---|
| 5 | |
---|
| 6 | cmd1:env keystore=`pwd` ./query.py |
---|
| 7 | cmd2:env ABAC_CN=1 keystore=`pwd` ./query.py |
---|
| 8 | |
---|
| 9 | """ |
---|
| 10 | |
---|
| 11 | import os |
---|
| 12 | import ABAC |
---|
| 13 | |
---|
| 14 | |
---|
| 15 | ########################################## |
---|
| 16 | # dump the loaded principals/policies |
---|
| 17 | # |
---|
| 18 | def dumpCred(CTXT, STRING): |
---|
| 19 | out = CTXT.context_principals() |
---|
| 20 | print "\n...%s principals" %STRING |
---|
| 21 | for x in out[1]: |
---|
| 22 | print "%s " % x.string() |
---|
| 23 | out = CTXT.context_credentials() |
---|
| 24 | print "\n...%s attributes" %STRING |
---|
| 25 | for c in out[1]: |
---|
| 26 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
---|
| 27 | return |
---|
| 28 | |
---|
| 29 | ########################################## |
---|
| 30 | # role =[keyid:WHOM].role:access([string:'Read'],[urn:FILE]) |
---|
| 31 | # p = "[keyid:WHO]" |
---|
| 32 | def askAbout(CTXT,WHOM,WHO,FILE,STRING): |
---|
| 33 | print "\n%s" %STRING |
---|
| 34 | param1=ABAC.DataTerm("string", "'Read'") |
---|
| 35 | param2=ABAC.DataTerm("urn",FILE) |
---|
| 36 | # bad -- seg faults |
---|
| 37 | # param2=ABAC.DataTerm("urn","file://fileA") -- seg faults |
---|
| 38 | role = ABAC.Role(WHOM,"access") |
---|
| 39 | role.role_add_data_term(param1) |
---|
| 40 | role.role_add_data_term(param2) |
---|
| 41 | p = ABAC.Role(WHO) |
---|
| 42 | # print role.typed_string() |
---|
| 43 | # print p.typed_string() |
---|
| 44 | out = CTXT.query(role, p) |
---|
| 45 | for c in out[1]: |
---|
| 46 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
---|
| 47 | return |
---|
| 48 | |
---|
| 49 | ############################### |
---|
| 50 | ctxtA = ABAC.Context() |
---|
| 51 | ctxtA.set_no_partial_proof() |
---|
| 52 | |
---|
| 53 | ctxtC = ABAC.Context() |
---|
| 54 | ctxtC.set_no_partial_proof() |
---|
| 55 | ############################### |
---|
| 56 | |
---|
| 57 | # retrieve principals' keyid value from local credential files |
---|
| 58 | alphaUID=ABAC.ID("Alpha_ID.pem") |
---|
| 59 | alphaUID.id_load_privkey_file("Alpha_private.pem") |
---|
| 60 | alpha=alphaUID.id_keyid() |
---|
| 61 | |
---|
| 62 | bobID=ABAC.ID("Bob_ID.pem") |
---|
| 63 | bob=bobID.id_keyid() |
---|
| 64 | |
---|
| 65 | joeID=ABAC.ID("Joe_ID.pem") |
---|
| 66 | joe=joeID.id_keyid() |
---|
| 67 | |
---|
| 68 | ########################################################################## |
---|
| 69 | ## ctxtA - credential 1-7 |
---|
| 70 | ## ctxtB - credential 1, no2, 3-7 |
---|
| 71 | ## ctxtC - credential 1-3, no4, 6-7 |
---|
| 72 | ctxtA.load_id(alphaUID) |
---|
| 73 | ctxtA.load_id(bobID) |
---|
| 74 | ctxtA.load_id(joeID) |
---|
| 75 | |
---|
| 76 | ctxtC.load_id(alphaUID) |
---|
| 77 | ctxtC.load_id(bobID) |
---|
| 78 | ctxtC.load_id(joeID) |
---|
| 79 | |
---|
| 80 | #1 |
---|
| 81 | ctxtA.load_attribute_file("Alpha_access_qFqP__alpha_team_qP_attr.der"); |
---|
| 82 | ctxtC.load_attribute_file("Alpha_access_qFqP__alpha_team_qP_attr.der"); |
---|
| 83 | #2 |
---|
| 84 | ctxtC.load_attribute_file("Alpha_team_proj1__fileA_attr.der"); |
---|
| 85 | #3 |
---|
| 86 | ctxtA.load_attribute_file("Alpha_team_proj2__fileB_attr.der"); |
---|
| 87 | ctxtC.load_attribute_file("Alpha_team_proj2__fileB_attr.der"); |
---|
| 88 | #4 |
---|
| 89 | ctxtA.load_attribute_file("Alpha_team_proj2__fileC_attr.der"); |
---|
| 90 | #5 |
---|
| 91 | ctxtA.load_attribute_file("Alpha_team_proj1__fileC_attr.der"); |
---|
| 92 | ctxtC.load_attribute_file("Alpha_team_proj1__fileC_attr.der"); |
---|
| 93 | #6 |
---|
| 94 | ctxtA.load_attribute_file("Alpha_team_proj1__Bob_attr.der"); |
---|
| 95 | ctxtC.load_attribute_file("Alpha_team_proj1__Bob_attr.der"); |
---|
| 96 | #7 |
---|
| 97 | ctxtA.load_attribute_file("Alpha_team_proj2__Joe_attr.der"); |
---|
| 98 | ctxtC.load_attribute_file("Alpha_team_proj2__Joe_attr.der"); |
---|
| 99 | |
---|
| 100 | ctxtB = ABAC.Context(ctxtA) |
---|
| 101 | ctxtB.set_no_partial_proof() |
---|
| 102 | |
---|
| 103 | # add 2 |
---|
| 104 | ctxtA.load_attribute_file("Alpha_team_proj1__fileA_attr.der"); |
---|
| 105 | |
---|
| 106 | ########################################################################## |
---|
| 107 | # Construct and run the queries. In each case we create a role object and a |
---|
| 108 | # principal and call the query method on the context. The contents of the |
---|
| 109 | # proof are printed for successful queries. |
---|
| 110 | # role is the role to look for |
---|
| 111 | # p is the principal to check. |
---|
| 112 | ########################################################################## |
---|
| 113 | |
---|
| 114 | dumpCred(ctxtA, "ctxtA") |
---|
| 115 | dumpCred(ctxtB, "ctxtB") |
---|
| 116 | dumpCred(ctxtC, "ctxtC") |
---|
| 117 | |
---|
| 118 | askAbout(ctxtA,alpha,bob,"'file//fileA'","\n===good============ ctxtA,Alpha.access(Read,fileA)<-?-Bob") |
---|
| 119 | askAbout(ctxtB,alpha,bob,"'file//fileA'","\n===bad============ ctxtB,Alpha.access(Read,fileA)<-?-Bob") |
---|
| 120 | askAbout(ctxtC,alpha,bob,"'file//fileA'","\n===good============ ctxtC,Alpha.access(Read,fileA)<-?-Bob") |
---|
| 121 | |
---|
| 122 | askAbout(ctxtA,alpha,joe,"'file//fileA'","\n===bad============ ctxtA,Alpha.access(Read,fileA)<-?-Joe") |
---|
| 123 | askAbout(ctxtB,alpha,joe,"'file//fileA'","\n===bad============ ctxtB,Alpha.access(Read,fileA)<-?-Joe") |
---|
| 124 | askAbout(ctxtC,alpha,joe,"'file//fileA'","\n===bad============ ctxtC,Alpha.access(Read,fileA)<-?-Joe") |
---|
| 125 | |
---|
| 126 | askAbout(ctxtA,alpha,joe,"'file//fileC'","\n===good============ ctxtA,Alpha.access(Read,fileC)<-?-Joe") |
---|
| 127 | askAbout(ctxtB,alpha,joe,"'file//fileC'","\n===good============ ctxtB,Alpha.access(Read,fileC)<-?-Joe") |
---|
| 128 | askAbout(ctxtC,alpha,joe,"'file//fileC'","\n===bad============ ctxtC,Alpha.access(Read,fileC)<-?-Joe") |
---|