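#!/usr/bin/env python
"""
Run the queries described in README

cmd1: env keystore=`pwd` ./query.py
cmd2: env ABAC_CN=1 keystore=`pwd` ./query.py

Three ABAC contexts are built from the same three principals but from
different subsets of the attribute credentials, and the same access
queries are then run against each so the resulting proofs (or their
absence) can be compared side by side.  The file names below are passed
to the ABAC bindings unchanged; they are presumably resolved relative to
the keystore given on the command line -- confirm against the library.
"""
import os
import ABAC


##########################################
# dump the loaded principals/policies
#
def dumpCred(CTXT, STRING):
    """Print the principals and attribute credentials loaded into CTXT.

    CTXT   -- an ABAC.Context
    STRING -- label printed ahead of each listing (the context's name)

    context_principals() / context_credentials() each return a pair; only
    the second element (the list of principals / credentials) is printed,
    one entry per line, credentials in "head <- tail" form.
    """
    principals = CTXT.context_principals()
    print("\n...%s principals" % STRING)
    for x in principals[1]:
        print("%s " % x.string())

    credentials = CTXT.context_credentials()
    print("\n...%s attributes" % STRING)
    for c in credentials[1]:
        print("%s <- %s" % (c.head_string(), c.tail_string()))


##########################################
# role =[keyid:WHOM].role:access([string:'Read'],[urn:FILE])
# p = "[keyid:WHO]"
def askAbout(CTXT, WHOM, WHO, FILE, STRING):
    """Ask CTXT whether principal WHO holds WHOM.access('Read', FILE).

    CTXT   -- ABAC.Context to query
    WHOM   -- keyid of the principal whose "access" role is being checked
    WHO    -- keyid of the principal that is checked for membership
    FILE   -- value of the urn data term, already quoted (e.g. "'file//fileA'")
    STRING -- label printed before the result

    The credentials making up the proof are printed as "head <- tail" for
    successful queries; the "bad" cases in main() are expected to print no
    credentials at all.
    """
    print("\n%s" % STRING)

    # The role's two data terms: a fixed 'Read' string and the file urn.
    # NOTE: passing a urn of the form "file://fileA" here has been observed
    # to crash (segfault) the bindings, hence the "file//..." values used
    # by the callers.
    param1 = ABAC.DataTerm("string", "'Read'")
    param2 = ABAC.DataTerm("urn", FILE)

    role = ABAC.Role(WHOM, "access")
    role.role_add_data_term(param1)
    role.role_add_data_term(param2)
    p = ABAC.Role(WHO)

    # query() returns a pair; the second element holds the proof's credentials.
    out = CTXT.query(role, p)
    for c in out[1]:
        print("%s <- %s" % (c.head_string(), c.tail_string()))


def main():
    """Build the three contexts, load the credentials and run the queries."""
    ###############################
    # Contexts A and C are built directly; B is copied from A further down
    # (before A receives credential #2).  no_partial_proof means only
    # complete proofs are returned by query().
    ctxtA = ABAC.Context()
    ctxtA.set_no_partial_proof()
    ctxtC = ABAC.Context()
    ctxtC.set_no_partial_proof()

    ###############################
    # retrieve principals' keyid value from local credential files.
    # Only Alpha's private key is loaded; Bob and Joe are public-key-only
    # identities here (presumably because Alpha is the issuer of the
    # attributes loaded below -- confirm against the credential files).
    alphaUID = ABAC.ID("Alpha_ID.pem")
    alphaUID.id_load_privkey_file("Alpha_private.pem")
    alpha = alphaUID.id_keyid()

    bobID = ABAC.ID("Bob_ID.pem")
    bob = bobID.id_keyid()

    joeID = ABAC.ID("Joe_ID.pem")
    joe = joeID.id_keyid()

    ##########################################################################
    ## Credentials loaded per context (as the code below actually does it):
    ##   ctxtA - credential 1-7          (#2 is added last, after B is copied)
    ##   ctxtB - credential 1, 3-7       (copy of A taken before #2)
    ##   ctxtC - credential 1-3, 5-7     (no #4)
    ctxtA.load_id(alphaUID)
    ctxtA.load_id(bobID)
    ctxtA.load_id(joeID)

    ctxtC.load_id(alphaUID)
    ctxtC.load_id(bobID)
    ctxtC.load_id(joeID)

    #1
    ctxtA.load_attribute_file("Alpha_access_qFqP__alpha_team_qP_attr.der")
    ctxtC.load_attribute_file("Alpha_access_qFqP__alpha_team_qP_attr.der")
    #2 -- C only for now; A gets it after B has been copied from A
    ctxtC.load_attribute_file("Alpha_team_proj1__fileA_attr.der")
    #3
    ctxtA.load_attribute_file("Alpha_team_proj2__fileB_attr.der")
    ctxtC.load_attribute_file("Alpha_team_proj2__fileB_attr.der")
    #4 -- A only
    ctxtA.load_attribute_file("Alpha_team_proj2__fileC_attr.der")
    #5
    ctxtA.load_attribute_file("Alpha_team_proj1__fileC_attr.der")
    ctxtC.load_attribute_file("Alpha_team_proj1__fileC_attr.der")
    #6
    ctxtA.load_attribute_file("Alpha_team_proj1__Bob_attr.der")
    ctxtC.load_attribute_file("Alpha_team_proj1__Bob_attr.der")
    #7
    ctxtA.load_attribute_file("Alpha_team_proj2__Joe_attr.der")
    ctxtC.load_attribute_file("Alpha_team_proj2__Joe_attr.der")

    # B is a snapshot of A without credential #2.
    ctxtB = ABAC.Context(ctxtA)
    ctxtB.set_no_partial_proof()

    # add 2 (to A only; B already took its copy)
    ctxtA.load_attribute_file("Alpha_team_proj1__fileA_attr.der")

    ##########################################################################
    # Construct and run the queries. In each case we create a role object and a
    # principal and call the query method on the context. The contents of the
    # proof are printed for successful queries.
    # role is the role to look for
    # p is the principal to check.
    # The "good"/"bad" labels record the expected outcome for each context;
    # a "bad" query should print no proof credentials.
    ##########################################################################
    dumpCred(ctxtA, "ctxtA")
    dumpCred(ctxtB, "ctxtB")
    dumpCred(ctxtC, "ctxtC")

    # Bob reading fileA: provable only where credential #2 (fileA) is present.
    askAbout(ctxtA, alpha, bob, "'file//fileA'", "\n===good============ ctxtA,Alpha.access(Read,fileA)<-?-Bob")
    askAbout(ctxtB, alpha, bob, "'file//fileA'", "\n===bad============ ctxtB,Alpha.access(Read,fileA)<-?-Bob")
    askAbout(ctxtC, alpha, bob, "'file//fileA'", "\n===good============ ctxtC,Alpha.access(Read,fileA)<-?-Bob")

    # Joe reading fileA: expected to fail in every context.
    askAbout(ctxtA, alpha, joe, "'file//fileA'", "\n===bad============ ctxtA,Alpha.access(Read,fileA)<-?-Joe")
    askAbout(ctxtB, alpha, joe, "'file//fileA'", "\n===bad============ ctxtB,Alpha.access(Read,fileA)<-?-Joe")
    askAbout(ctxtC, alpha, joe, "'file//fileA'", "\n===bad============ ctxtC,Alpha.access(Read,fileA)<-?-Joe")

    # Joe reading fileC: provable only where credential #4 is present (A, B).
    askAbout(ctxtA, alpha, joe, "'file//fileC'", "\n===good============ ctxtA,Alpha.access(Read,fileC)<-?-Joe")
    askAbout(ctxtB, alpha, joe, "'file//fileC'", "\n===good============ ctxtB,Alpha.access(Read,fileC)<-?-Joe")
    askAbout(ctxtC, alpha, joe, "'file//fileC'", "\n===bad============ ctxtC,Alpha.access(Read,fileC)<-?-Joe")


if __name__ == "__main__":
    main()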