#!/usr/bin/env python

"""
Run the queries described in README

cmd1: env keystore=`pwd` ./query.py
cmd2: env ABAC_CN=1 keystore=`pwd` ./query.py

"""

import os

import ABAC


##########################################
# dump the loaded principals/policies
#
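def dumpCred(CTXT, STRING):
    """Print the principals and credentials currently loaded in CTXT.

    Args:
        CTXT: an ABAC context.  ``context_principals()`` and
            ``context_credentials()`` are each expected to return a sequence
            whose element 1 is the iterable to print; element 0 is ignored
            here.
        STRING: label used in the two section headers.

    Returns:
        None.  Everything goes to stdout: one line per principal (its
        ``string()`` form, with a trailing space as in the original output),
        then one ``head <- tail`` line per credential.  Empty lists print only
        the headers.
    """
    # Single-argument print() is accepted by both Python 2 and 3 and prints
    # exactly what the former print statements did.
    principals = CTXT.context_principals()[1]
    print("\n...%s principals" % STRING)
    for principal in principals:
        print("%s " % principal.string())

    credentials = CTXT.context_credentials()[1]
    print("\n...%s attributes" % STRING)
    for cred in credentials:
        print("%s <- %s" % (cred.head_string(), cred.tail_string()))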

##########################################
# role =[keyid:WHOM].role:access([string:'Read'],[urn:FILE])
# p = "[keyid:WHO]"
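def askAbout(CTXT, WHOM, WHO, FILE, STRING, ACCESS="'Read'"):
    """Query CTXT for ``WHOM.access(ACCESS, FILE) <- WHO`` and print the proof.

    Args:
        CTXT: an ABAC context holding the loaded principals and credentials.
        WHOM: keyid of the principal whose ``access`` role is being queried.
        WHO: keyid of the principal whose membership in that role is checked.
        FILE: value of the ``urn`` data term.  Callers pass it already wrapped
            in single quotes (e.g. ``"'file//fileA'"``).
        STRING: banner printed before the proof.
        ACCESS: value of the ``string`` data term.  Defaults to the value the
            script previously hard-coded, ``'Read'`` (quotes included).

    Returns:
        None.  Each credential of the returned proof is printed as
        ``head <- tail``; nothing beyond the banner is printed when the proof
        is empty, so a query that finds no proof is only visible by the
        absence of lines under its banner.
    """
    # Single-argument print() prints identically under Python 2 and 3.
    print("\n%s" % STRING)
    param1 = ABAC.DataTerm("string", ACCESS)
    # NOTE(review): the original author recorded that
    # ABAC.DataTerm("urn", "file://fileA") segfaulted.  Callers pass the value
    # with embedded single quotes and without the scheme colon; which of the
    # two differences avoids the crash is not established here -- keep passing
    # FILE exactly as the callers already quote it.
    param2 = ABAC.DataTerm("urn", FILE)
    role = ABAC.Role(WHOM, "access")
    role.role_add_data_term(param1)
    role.role_add_data_term(param2)
    p = ABAC.Role(WHO)
    out = CTXT.query(role, p)
    # Element 0 of the query result is not used; element 1 holds the proof.
    for c in out[1]:
        print("%s <- %s" % (c.head_string(), c.tail_string()))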

###############################
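ctxtA = ABAC.Context()
# NOTE(review): presumably demands a complete proof chain rather than a
# partial one -- confirm against the ABAC documentation.
ctxtA.set_no_partial_proof()

ctxtC = ABAC.Context()
ctxtC.set_no_partial_proof()
###############################

# Retrieve the principals' keyid values from the local credential files.
# Only Alpha's private key is loaded; Bob and Joe are known by their
# identity certificates alone.  The file names are bare, so presumably they
# are resolved via the `keystore` environment shown in the module docstring
# -- confirm before running from another directory.
alphaUID = ABAC.ID("Alpha_ID.pem")
alphaUID.id_load_privkey_file("Alpha_private.pem")
alpha = alphaUID.id_keyid()

bobID = ABAC.ID("Bob_ID.pem")
bob = bobID.id_keyid()

joeID = ABAC.ID("Joe_ID.pem")
joe = joeID.id_keyid()

##########################################################################
# Attribute credentials, numbered 1-7 as in the README discussion.
CREDENTIAL_FILES = {
    1: "Alpha_access_qFqP__alpha_team_qP_attr.der",
    2: "Alpha_team_proj1__fileA_attr.der",
    3: "Alpha_team_proj2__fileB_attr.der",
    4: "Alpha_team_proj2__fileC_attr.der",
    5: "Alpha_team_proj1__fileC_attr.der",
    6: "Alpha_team_proj1__Bob_attr.der",
    7: "Alpha_team_proj2__Joe_attr.der",
}

## What each context ends up holding:
## ctxtA - credential 1-7 (2 is added last, after ctxtB was copied from it)
## ctxtB - credential 1, no2, 3-7
## ctxtC - credential 1-3, no4, 5-7  (the earlier comment omitted 5, but it
##         is loaded below)
for ident in (alphaUID, bobID, joeID):
    ctxtA.load_id(ident)
    ctxtC.load_id(ident)

# Per-context load order is kept exactly as the original script had it, in
# case the context reports credentials in insertion order.
for n in (1, 3, 4, 5, 6, 7):
    ctxtA.load_attribute_file(CREDENTIAL_FILES[n])
for n in (1, 2, 3, 5, 6, 7):
    ctxtC.load_attribute_file(CREDENTIAL_FILES[n])

# ctxtB is built from ctxtA before credential 2 is loaded into ctxtA, so it
# never sees 2.  (ABAC.Context(ctx) is assumed to copy ctx -- confirm.)
ctxtB = ABAC.Context(ctxtA)
ctxtB.set_no_partial_proof()

# add 2
ctxtA.load_attribute_file(CREDENTIAL_FILES[2])

##########################################################################
# Construct and run the queries. In each case we create a role object and a
# principal and call the query method on the context. The contents of the
# proof are printed for successful queries.
# role is the role to look for
# p is the principal to check.
##########################################################################

dumpCred(ctxtA, "ctxtA")
dumpCred(ctxtB, "ctxtB")
dumpCred(ctxtC, "ctxtC")

# Each banner records the outcome the author expected ("good" appears to
# mean a proof is found, "bad" that none is).  The expectation is only
# printed, never checked -- the operator has to read the output to notice a
# negative case that unexpectedly succeeds.
# NOTE(review): the urn values lack the scheme colon ("file//"), presumably
# to match the URN inside the .der credentials -- kept as written.
FILE_A = "'file//fileA'"
FILE_C = "'file//fileC'"

QUERIES = (
    (ctxtA, alpha, bob, FILE_A, "\n===good============ ctxtA,Alpha.access(Read,fileA)<-?-Bob"),
    (ctxtB, alpha, bob, FILE_A, "\n===bad============ ctxtB,Alpha.access(Read,fileA)<-?-Bob"),
    (ctxtC, alpha, bob, FILE_A, "\n===good============ ctxtC,Alpha.access(Read,fileA)<-?-Bob"),

    (ctxtA, alpha, joe, FILE_A, "\n===bad============ ctxtA,Alpha.access(Read,fileA)<-?-Joe"),
    (ctxtB, alpha, joe, FILE_A, "\n===bad============ ctxtB,Alpha.access(Read,fileA)<-?-Joe"),
    (ctxtC, alpha, joe, FILE_A, "\n===bad============ ctxtC,Alpha.access(Read,fileA)<-?-Joe"),

    (ctxtA, alpha, joe, FILE_C, "\n===good============ ctxtA,Alpha.access(Read,fileC)<-?-Joe"),
    (ctxtB, alpha, joe, FILE_C, "\n===good============ ctxtB,Alpha.access(Read,fileC)<-?-Joe"),
    (ctxtC, alpha, joe, FILE_C, "\n===bad============ ctxtC,Alpha.access(Read,fileC)<-?-Joe"),
)

for ctxt, whom, who, urn, banner in QUERIES:
    askAbout(ctxt, whom, who, urn, banner)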