| [5110d42] | 1 | #!/usr/bin/env python |
|---|
| 2 | |
|---|
| 3 | """ |
|---|
| [f824a9e] | 4 | See README in this directory for the semantics of the example. This file |
|---|
| 5 | creates a principal(Joe) and constructs the credentials described and puts |
|---|
| 6 | copies into this directory |
|---|
| [5110d42] | 7 | |
|---|
| 8 | cmd1:env keystore=`pwd` ./attr.py |
|---|
| 9 | """ |
|---|
| 10 | |
|---|
| 11 | import os |
|---|
| 12 | import ABAC |
|---|
| 13 | |
|---|
| 14 | ctxt = ABAC.Context() |
|---|
| 15 | print "ABAC version %s" % ctxt.version() |
|---|
| 16 | |
|---|
| [f824a9e] | 17 | # Keystore is the directory containing the principal credentials. |
|---|
| 18 | # Load existing principals and/or policy credentials |
|---|
| 19 | if (os.environ.has_key("keystore")) : |
|---|
| 20 | keystore=os.environ["keystore"] |
|---|
| 21 | ctxt.load_directory(keystore) |
|---|
| [646e57e] | 22 | else: |
|---|
| 23 | print("keystore is not set...") |
|---|
| 24 | exit(1) |
|---|
| [5110d42] | 25 | |
|---|
| [47d5cf9] | 26 | # Print the principals and credentials in the keystore |
|---|
| [5110d42] | 27 | out = ctxt.context_principals() |
|---|
| 28 | print "...initial principal set..." |
|---|
| 29 | for x in out[1]: |
|---|
| 30 | print "%s " % x.string() |
|---|
| 31 | print "\n" |
|---|
| 32 | |
|---|
| 33 | out = ctxt.context_credentials() |
|---|
| 34 | print "...initial policy attribute set..." |
|---|
| 35 | for c in out[1]: |
|---|
| 36 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
|---|
| 37 | print "\n" |
|---|
| 38 | |
|---|
| [47d5cf9] | 39 | # Construct a "Joe" principal and load it into the ABAC context |
|---|
| [5110d42] | 40 | joeID=ABAC.ID("Joe", 0) |
|---|
| 41 | ctxt.load_id(joeID) |
|---|
| [47d5cf9] | 42 | # Write out the Joe Principal to 2 files - one for the key and one for the |
|---|
| 43 | # identity. The identity can be shared, but the key must be kept secret. |
|---|
| [5d06689] | 44 | joeID.id_write_privkey("Joe_private.pem") |
|---|
| 45 | joeID.id_write_cert("Joe_ID.pem") |
|---|
| [f824a9e] | 46 | # Keep a copy of Joe's key identifier as a string. |
|---|
| [5d06689] | 47 | joe=joeID.id_keyid() |
|---|
| [5110d42] | 48 | |
|---|
| [f824a9e] | 49 | # Load alpha and bob from local files (created by ./setup.py) |
|---|
| [5110d42] | 50 | alphaID=ABAC.ID("Alpha_ID.pem") |
|---|
| [5d06689] | 51 | alphaID.id_load_privkey_file("Alpha_private.pem"); |
|---|
| 52 | alpha=alphaID.id_keyid() |
|---|
| [5110d42] | 53 | |
|---|
| 54 | bobID=ABAC.ID("Bob_ID.pem") |
|---|
| [5d06689] | 55 | bobID.id_load_privkey_file("Bob_private.pem"); |
|---|
| 56 | bob=bobID.id_keyid() |
|---|
| [5110d42] | 57 | |
|---|
| 58 | ################################################ |
|---|
| [47d5cf9] | 59 | # Create the credential |
|---|
| [5110d42] | 60 | # [keyid:alpha].role:access([string:'Read'],[urn:'file//fileB']) <- [keyid:bob] |
|---|
| 61 | param1=ABAC.DataTerm("string", "'Read'") |
|---|
| 62 | param2=ABAC.DataTerm("urn","'file//fileB'") |
|---|
| [669b481] | 63 | head = ABAC.Role(alpha,"access") |
|---|
| [47d5cf9] | 64 | |
|---|
| 65 | # Attach the parameters to the access role |
|---|
| [669b481] | 66 | head.role_add_data_term(param1) |
|---|
| 67 | head.role_add_data_term(param2) |
|---|
| 68 | tail = ABAC.Role(bob) |
|---|
| [47d5cf9] | 69 | |
|---|
| 70 | # Hook the head to the tail |
|---|
| [669b481] | 71 | attr=ABAC.Attribute(head, 1800) |
|---|
| 72 | attr.attribute_add_tail(tail) |
|---|
| [47d5cf9] | 73 | |
|---|
| 74 | # create the credential |
|---|
| [5d06689] | 75 | attr.attribute_bake() |
|---|
| [47d5cf9] | 76 | |
|---|
| 77 | # Save a copy and add the credential to the context |
|---|
| [5d06689] | 78 | attr.attribute_write_cert("Alpha_access_fileB__Bob_attr.der") |
|---|
| [2e9455f] | 79 | #XXX |
|---|
| 80 | ##Xctxt.load_attribute_file("Alpha_access_fileB__Bob_attr.der") |
|---|
| 81 | ctxt.load_attribute(attr) |
|---|
| [5110d42] | 82 | print attr.string() |
|---|
| 83 | print attr.typed_string() |
|---|
| 84 | print "\n" |
|---|
| 85 | |
|---|
| [47d5cf9] | 86 | # Constructing the others are similar |
|---|
| 87 | |
|---|
| [5110d42] | 88 | ################################################# |
|---|
| 89 | ## [keyid:alpha].role:team([string:'proj1'])<-[keyid:bob] |
|---|
| 90 | param1=ABAC.DataTerm("string", "'proj1'") |
|---|
| [669b481] | 91 | head = ABAC.Role(alpha,"team") |
|---|
| 92 | head.role_add_data_term(param1) |
|---|
| [5110d42] | 93 | tail = ABAC.Role(bob) |
|---|
| [669b481] | 94 | attr=ABAC.Attribute(head, 1800) |
|---|
| [5d06689] | 95 | attr.attribute_add_tail(tail) |
|---|
| 96 | attr.attribute_bake() |
|---|
| 97 | attr.attribute_write_cert("Alpha_team_proj1__Bob_attr.der") |
|---|
| [5110d42] | 98 | ctxt.load_attribute_file("Alpha_team_proj1__Bob_attr.der") |
|---|
| 99 | print attr.string() |
|---|
| 100 | print attr.typed_string() |
|---|
| 101 | print "\n" |
|---|
| 102 | |
|---|
| 103 | ################################################# |
|---|
| 104 | ## [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe] |
|---|
| 105 | param1=ABAC.DataTerm("string", "'proj2'") |
|---|
| [669b481] | 106 | head = ABAC.Role(alpha,"team") |
|---|
| 107 | head.role_add_data_term(param1) |
|---|
| [5110d42] | 108 | tail = ABAC.Role(joe) |
|---|
| [669b481] | 109 | attr=ABAC.Attribute(head, 1800) |
|---|
| [5d06689] | 110 | attr.attribute_add_tail(tail) |
|---|
| 111 | attr.attribute_bake() |
|---|
| 112 | attr.attribute_write_cert("Alpha_team_proj2__Joe_attr.der") |
|---|
| [5110d42] | 113 | ctxt.load_attribute_file("Alpha_team_proj2__Joe_attr.der") |
|---|
| 114 | print attr.string() |
|---|
| 115 | print attr.typed_string() |
|---|
| 116 | print "\n" |
|---|
| 117 | |
|---|
| 118 | ################################################ |
|---|
| 119 | # [keyid:alpha].role:access([string:'Read', |
|---|
| 120 | # [urn:?F[keyid:alpha].oset:documents([string:?P])]) |
|---|
| 121 | # <- [keyid:alpha].role:team([string:?P]) |
|---|
| 122 | param=ABAC.DataTerm("string", "P") |
|---|
| 123 | oset=ABAC.Oset(alpha,"documents") |
|---|
| [5d06689] | 124 | oset.oset_add_data_term(param) |
|---|
| [5110d42] | 125 | cond=ABAC.Constraint(oset) |
|---|
| 126 | param2=ABAC.DataTerm("urn", "F", cond) |
|---|
| 127 | param1=ABAC.DataTerm("string", "'Read'") |
|---|
| 128 | head = ABAC.Role(alpha,"access") |
|---|
| [5d06689] | 129 | head.role_add_data_term(param1) |
|---|
| 130 | head.role_add_data_term(param2) |
|---|
| [5110d42] | 131 | param3=ABAC.DataTerm("string", "P") |
|---|
| 132 | tail = ABAC.Role(alpha,"team") |
|---|
| [5d06689] | 133 | tail.role_add_data_term(param3) |
|---|
| [5110d42] | 134 | attr=ABAC.Attribute(head, 1800) |
|---|
| [5d06689] | 135 | attr.attribute_add_tail(tail) |
|---|
| 136 | attr.attribute_bake() |
|---|
| 137 | attr.attribute_write_cert("Alpha_access_qFqP__alpha_team_qP_attr.der") |
|---|
| [5110d42] | 138 | ctxt.load_attribute(attr) |
|---|
| [f824a9e] | 139 | print attr.string() |
|---|
| 140 | print attr.typed_string() |
|---|
| 141 | print "\n" |
|---|
| [5110d42] | 142 | |
|---|
| 143 | |
|---|
| 144 | ################################################# |
|---|
| 145 | ## [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA'] |
|---|
| 146 | param1=ABAC.DataTerm("string", "'proj1'") |
|---|
| [669b481] | 147 | head = ABAC.Oset(alpha,"documents") |
|---|
| 148 | head.oset_add_data_term(param1) |
|---|
| [5110d42] | 149 | obj = ABAC.DataTerm("urn", "'file//fileA'") |
|---|
| 150 | tail= ABAC.Oset(obj) |
|---|
| [669b481] | 151 | attr=ABAC.Attribute(head, 1800) |
|---|
| [5d06689] | 152 | attr.attribute_add_tail(tail) |
|---|
| 153 | attr.attribute_bake() |
|---|
| 154 | attr.attribute_write_cert("Alpha_team_proj1__fileA_attr.der") |
|---|
| 155 | ctxt.load_attribute(attr) |
|---|
| [5110d42] | 156 | print attr.string() |
|---|
| 157 | print attr.typed_string() |
|---|
| 158 | print "\n" |
|---|
| 159 | |
|---|
