source: examples/python_tests/access_ctxt_rt2/query.py @ 7f04233

mei_rt2
Last change on this file since 7f04233 was 2e9455f, checked in by Mei <mei@…>, 11 years ago

1) added namespace
2) tweak ?This,
3) allowing linking role/oset as constraining conditions
4) adding access_tests regression testing that uses GENI's access policy
5) added couple multi contexts regression tests
6) add compression/decompression calls to abac_encode_string/abac_decode_string
(libstrongswan only allows 512 chars for attribute rule storage)
7) add attribute_now option to creddy that takes a whole char string for attribute
rule

[2e9455f]1#!/usr/bin/env python
2
3"""
4Run the queries described in README
5
6cmd1:env keystore=`pwd` ./query.py
7cmd2:env ABAC_CN=1 keystore=`pwd` ./query.py
8
9"""
10
11import os
12import ABAC
13
14
15##########################################
16# dump the loaded principals/policies
17#
def dumpCred(CTXT, STRING):
    """Print every principal and every attribute credential loaded in CTXT.

    CTXT   -- an ABAC.Context; context_principals() and context_credentials()
              are called on it and element [1] of each result is iterated
              (presumably the list itself -- confirm against the ABAC bindings)
    STRING -- label that prefixes the two section headers

    Output only; nothing is returned.  Useful to read before a query so a
    surprising proof can be traced to a missing or extra credential.
    """
    principals = CTXT.context_principals()[1]
    print("\n...%s principals" % STRING)
    for principal in principals:
        print("%s " % principal.string())

    credentials = CTXT.context_credentials()[1]
    print("\n...%s attributes" % STRING)
    for cred in credentials:
        print("%s <- %s" % (cred.head_string(), cred.tail_string()))
28
29##########################################
30# role =[keyid:WHOM].role:access([string:'Read'],[urn:FILE])
31# p = "[keyid:WHO]"
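def askAbout(CTXT,WHOM,WHO,FILE,STRING):
    """Ask CTXT whether principal WHO can prove WHOM.access('Read', FILE).

    Builds the role [keyid:WHOM].access([string:'Read'],[urn:FILE]) and the
    principal [keyid:WHO], runs CTXT.query(role, p), prints the label STRING
    and then one "head <- tail" line per credential in the returned proof.

    CTXT   -- ABAC.Context to evaluate in
    WHOM   -- keyid of the principal whose access role is being checked
    WHO    -- keyid of the principal asking for access
    FILE   -- urn data term, passed through as given (the callers in this
              file pass it already single-quoted, e.g. "'file//fileA'")
    STRING -- label printed before the proof

    Returns the tuple CTXT.query() produced so a caller can check the
    outcome instead of reading the printed proof; element [1] is the
    credential list printed here, element [0] is not interpreted by this
    script (presumably the success flag -- confirm against the ABAC
    bindings).  The result used to be discarded, which left the good/bad
    expectations in the labels verifiable only by eye.
    """
    print("\n%s" % STRING)
    param1 = ABAC.DataTerm("string", "'Read'")
    # NOTE: the literal ABAC.DataTerm("urn", "file://fileA") seg-faulted when
    # this was written; callers pass the quoted colon-less form instead.
    param2 = ABAC.DataTerm("urn", FILE)
    role = ABAC.Role(WHOM, "access")
    role.role_add_data_term(param1)
    role.role_add_data_term(param2)
    p = ABAC.Role(WHO)
    out = CTXT.query(role, p)
    for c in out[1]:
        print("%s <- %s" % (c.head_string(), c.tail_string()))
    return out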
48
49###############################
# Two independent evaluation contexts.  set_no_partial_proof() is applied to
# every context in this file; presumably it makes a query succeed only when a
# complete proof chain exists, so a missing delegation shows up as a failed
# ("bad") query -- confirm against the ABAC bindings.
ctxtA = ABAC.Context()
ctxtA.set_no_partial_proof()

ctxtC = ABAC.Context()
ctxtC.set_no_partial_proof()
55###############################
56
57# retrieve principals' keyid value from local credential files
# File names are relative; per the module docstring the script is run with
# keystore=`pwd`, so presumably ABAC resolves them from the current directory.
# Alpha is the only principal whose private key is loaded -- every attribute
# file below is an Alpha_* credential, so Alpha looks like the issuer.
alphaUID=ABAC.ID("Alpha_ID.pem")
alphaUID.id_load_privkey_file("Alpha_private.pem")
alpha=alphaUID.id_keyid()

# Bob and Joe are identified by certificate only; their keyids are what the
# queries below are asked about.
bobID=ABAC.ID("Bob_ID.pem")
bob=bobID.id_keyid()

joeID=ABAC.ID("Joe_ID.pem")
joe=joeID.id_keyid()
67
68##########################################################################
69## ctxtA  - credential 1-7
70## ctxtB  - credential 1, no2, 3-7
71## ctxtC  - credential 1-3, no4, 6-7
# Both contexts know the same three principals; what differs below is the
# set of attribute credentials each one loads.
ctxtA.load_id(alphaUID)
ctxtA.load_id(bobID)
ctxtA.load_id(joeID)

ctxtC.load_id(alphaUID)
ctxtC.load_id(bobID)
ctxtC.load_id(joeID)

# Credential numbering (#1..#7) follows the ctxtA/B/C summary above.  The
# .der contents are not visible here; the file names suggest which rule each
# one carries but that is not verified in this script.
#1 -- loaded by ctxtA and ctxtC
ctxtA.load_attribute_file("Alpha_access_qFqP__alpha_team_qP_attr.der");
ctxtC.load_attribute_file("Alpha_access_qFqP__alpha_team_qP_attr.der");
#2 -- ctxtC only for now; ctxtA gets it after ctxtB has been taken from it (below)
ctxtC.load_attribute_file("Alpha_team_proj1__fileA_attr.der");
#3
ctxtA.load_attribute_file("Alpha_team_proj2__fileB_attr.der");
ctxtC.load_attribute_file("Alpha_team_proj2__fileB_attr.der");
#4 -- ctxtA only; the summary above lists this as the one ctxtC lacks
ctxtA.load_attribute_file("Alpha_team_proj2__fileC_attr.der");
#5 -- loaded into both (the summary above lists ctxtC as 1-3, 6-7, but the
#     code gives it #5 as well)
ctxtA.load_attribute_file("Alpha_team_proj1__fileC_attr.der");
ctxtC.load_attribute_file("Alpha_team_proj1__fileC_attr.der");
#6
ctxtA.load_attribute_file("Alpha_team_proj1__Bob_attr.der");
ctxtC.load_attribute_file("Alpha_team_proj1__Bob_attr.der");
#7
ctxtA.load_attribute_file("Alpha_team_proj2__Joe_attr.der");
ctxtC.load_attribute_file("Alpha_team_proj2__Joe_attr.der");

# ctxtB is built from ctxtA at this point (presumably a copy -- confirm
# against the ABAC bindings), so it holds #1 and #3-#7 but not #2.  The
# no-partial-proof flag is set explicitly on ctxtB as on every other context.
ctxtB = ABAC.Context(ctxtA)
ctxtB.set_no_partial_proof()

# add 2 -- only after ctxtB was taken, so ctxtA alone ends up with all of #1-#7
ctxtA.load_attribute_file("Alpha_team_proj1__fileA_attr.der");
105
106##########################################################################
107# Construct and run the queries.  In each case we create a role object and a
108# principal and call the query method on the context.  The contents of the
109# proof are printed for successful queries.
110# role is the role to look for
111# p is the principal to check.
112##########################################################################
113
# Show what each context holds before querying, so a surprising result can
# be traced back to a missing or extra credential.
for label, ctxt in (("ctxtA", ctxtA), ("ctxtB", ctxtB), ("ctxtC", ctxtC)):
    dumpCred(ctxt, label)

# Each query asks whether WHO can prove alpha.access('Read', FILE) in CTXT.
# The "good"/"bad" in a label is the outcome expected from the credentials
# loaded above (e.g. ctxtB never loaded the fileA credential, #2, so Bob's
# fileA query is expected to fail there).  Nothing asserts it; the printed
# proof has to be read by eye.
FILE_A = "'file//fileA'"
FILE_C = "'file//fileC'"
QUERIES = (
    (ctxtA, bob, FILE_A, "\n===good============ ctxtA,Alpha.access(Read,fileA)<-?-Bob"),
    (ctxtB, bob, FILE_A, "\n===bad============ ctxtB,Alpha.access(Read,fileA)<-?-Bob"),
    (ctxtC, bob, FILE_A, "\n===good============ ctxtC,Alpha.access(Read,fileA)<-?-Bob"),
    (ctxtA, joe, FILE_A, "\n===bad============ ctxtA,Alpha.access(Read,fileA)<-?-Joe"),
    (ctxtB, joe, FILE_A, "\n===bad============ ctxtB,Alpha.access(Read,fileA)<-?-Joe"),
    (ctxtC, joe, FILE_A, "\n===bad============ ctxtC,Alpha.access(Read,fileA)<-?-Joe"),
    (ctxtA, joe, FILE_C, "\n===good============ ctxtA,Alpha.access(Read,fileC)<-?-Joe"),
    (ctxtB, joe, FILE_C, "\n===good============ ctxtB,Alpha.access(Read,fileC)<-?-Joe"),
    (ctxtC, joe, FILE_C, "\n===bad============ ctxtC,Alpha.access(Read,fileC)<-?-Joe"),
)
for ctxt, who, target, label in QUERIES:
    askAbout(ctxt, alpha, who, target, label)