source: examples/python_tests/access_rt2/attr.py @ 11ca336

mei_rt2
Last change on this file since 11ca336 was 2e9455f, checked in by Mei <mei@…>, 11 years ago

1) added namespace
2) tweak ?This,
3) allowing linking role/oset as constraining conditions
4) adding access_tests regression testing that uses GENI's access policy
5) added couple multi contexts regression tests
6) add compression/uncompression calls to abac_encode_string/abac_decode_string
(libstrongwan only allows 512 char for attribute rule storage)
7) add attribute_now option to creddy that takes a whole char string for attribute
rule
  • Property mode set to 100755
File size: 4.8 KB
Line 
1#!/usr/bin/env python
2
3"""
4See README in this directory for the semantics of the example.  This file
5creates a principal(Joe) and constructs the credentials described and puts
6copies into this directory
7
8cmd1:env keystore=`pwd` ./attr.py
9"""
10
11import os
12import ABAC
13
14ctxt = ABAC.Context()
15print "ABAC version %s" % ctxt.version()
16
17# Keystore is the directory containing the principal credentials.
18# Load existing principals and/or policy credentials
19if (os.environ.has_key("keystore")) :
20    keystore=os.environ["keystore"]
21    ctxt.load_directory(keystore)
22else:
23    print("keystore is not set...")
24    exit(1)
25
26# Print the principals and credentials in the keystore
27out = ctxt.context_principals()
28print "...initial principal set..."
29for x in out[1]:
30    print "%s " % x.string()
31print "\n" 
32
33out = ctxt.context_credentials()
34print "...initial policy attribute set..."
35for c in out[1]:
36    print "%s <- %s" % (c.head_string(), c.tail_string())
37print "\n"
38
39# Construct a "Joe" principal and load it into the ABAC context
40joeID=ABAC.ID("Joe", 0)
41ctxt.load_id(joeID)
42# Write out the Joe Principal to 2 files - one for the key and one for the
43# identity.  The identity can be shared, but the key must be kept secret.
44joeID.id_write_privkey("Joe_private.pem")
45joeID.id_write_cert("Joe_ID.pem")
46# Keep a copy of Joe's key identifier as a string.
47joe=joeID.id_keyid()
48
49# Load alpha and bob from local files (created by ./setup.py)
50alphaID=ABAC.ID("Alpha_ID.pem")
51alphaID.id_load_privkey_file("Alpha_private.pem");
52alpha=alphaID.id_keyid()
53
54bobID=ABAC.ID("Bob_ID.pem")
55bobID.id_load_privkey_file("Bob_private.pem");
56bob=bobID.id_keyid()
57
58################################################
59# Create the credential
60# [keyid:alpha].role:access([string:'Read'],[urn:'file//fileB']) <- [keyid:bob]
61param1=ABAC.DataTerm("string", "'Read'")
62param2=ABAC.DataTerm("urn","'file//fileB'")
63head = ABAC.Role(alpha,"access")
64
65# Attach the parameters to the access role
66head.role_add_data_term(param1)
67head.role_add_data_term(param2)
68tail = ABAC.Role(bob)
69
70# Hook the head to the tail
71attr=ABAC.Attribute(head, 1800)
72attr.attribute_add_tail(tail)
73
74# create the credential
75attr.attribute_bake()
76
77# Save a copy and add the credential to the context
78attr.attribute_write_cert("Alpha_access_fileB__Bob_attr.der")
79#XXX
80##Xctxt.load_attribute_file("Alpha_access_fileB__Bob_attr.der")
81ctxt.load_attribute(attr)
82print attr.string() 
83print attr.typed_string()
84print "\n"
85
86# Constructing the others are similar
87
88#################################################
89## [keyid:alpha].role:team([string:'proj1'])<-[keyid:bob]
90param1=ABAC.DataTerm("string", "'proj1'")
91head = ABAC.Role(alpha,"team")
92head.role_add_data_term(param1)
93tail = ABAC.Role(bob)
94attr=ABAC.Attribute(head, 1800)
95attr.attribute_add_tail(tail)
96attr.attribute_bake()
97attr.attribute_write_cert("Alpha_team_proj1__Bob_attr.der")
98ctxt.load_attribute_file("Alpha_team_proj1__Bob_attr.der")
99print attr.string() 
100print attr.typed_string()
101print "\n"
102
103#################################################
104## [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]
105param1=ABAC.DataTerm("string", "'proj2'")
106head = ABAC.Role(alpha,"team")
107head.role_add_data_term(param1)
108tail = ABAC.Role(joe)
109attr=ABAC.Attribute(head, 1800)
110attr.attribute_add_tail(tail)
111attr.attribute_bake()
112attr.attribute_write_cert("Alpha_team_proj2__Joe_attr.der")
113ctxt.load_attribute_file("Alpha_team_proj2__Joe_attr.der")
114print attr.string() 
115print attr.typed_string()
116print "\n"
117
118################################################
119# [keyid:alpha].role:access([string:'Read',
120#                [urn:?F[keyid:alpha].oset:documents([string:?P])])
121#                                 <- [keyid:alpha].role:team([string:?P])
122param=ABAC.DataTerm("string", "P")
123oset=ABAC.Oset(alpha,"documents")
124oset.oset_add_data_term(param)
125cond=ABAC.Constraint(oset)
126param2=ABAC.DataTerm("urn", "F", cond)
127param1=ABAC.DataTerm("string", "'Read'")
128head = ABAC.Role(alpha,"access")
129head.role_add_data_term(param1)
130head.role_add_data_term(param2)
131param3=ABAC.DataTerm("string", "P")
132tail = ABAC.Role(alpha,"team")
133tail.role_add_data_term(param3)
134attr=ABAC.Attribute(head, 1800)
135attr.attribute_add_tail(tail)
136attr.attribute_bake()
137attr.attribute_write_cert("Alpha_access_qFqP__alpha_team_qP_attr.der")
138ctxt.load_attribute(attr)
139print attr.string() 
140print attr.typed_string()
141print "\n"
142
143
144#################################################
145## [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
146param1=ABAC.DataTerm("string", "'proj1'")
147head = ABAC.Oset(alpha,"documents")
148head.oset_add_data_term(param1)
149obj = ABAC.DataTerm("urn", "'file//fileA'")
150tail= ABAC.Oset(obj)
151attr=ABAC.Attribute(head, 1800)
152attr.attribute_add_tail(tail)
153attr.attribute_bake()
154attr.attribute_write_cert("Alpha_team_proj1__fileA_attr.der")
155ctxt.load_attribute(attr)
156print attr.string() 
157print attr.typed_string()
158print "\n"
159
Note: See TracBrowser for help on using the repository browser.