#!/usr/bin/env python """ Run the queries described in README cmd1:env keystore=`pwd` ./query.py cmd2: env ABAC_CN=1 keystore=`pwd` ./query.py """ import os import ABAC ctxt = ABAC.Context() # Keystore is the directory containing the principal credentials. # Load existing principals and/or policy credentials if (os.environ.has_key("keystore")) : keystore=os.environ["keystore"] ctxt.load_directory(keystore) else: print("keystore is not set...") exit(1) # Load the principals created in ./attr.py and ./setup.py. Each has an # identity and private key. alphaID=ABAC.ID("Alpha_ID.pem"); alphaID.id_load_privkey_file("Alpha_private.pem"); alpha=alphaID.id_keyid() bobID=ABAC.ID("Bob_ID.pem"); bobID.id_load_privkey_file("Bob_private.pem"); bob=bobID.id_keyid() joeID=ABAC.ID("Joe_ID.pem"); joeID.id_load_privkey_file("Joe_private.pem"); joe=joeID.id_keyid() ########################################################################## # dump the loaded principals/policies # out = ctxt.context_principals() print "\n...final principal set..." for x in out[1]: print "%s " % x.string() out = ctxt.context_credentials() print "\n...final policy attribute set..." for c in out[1]: print "%s <- %s" % (c.head_string(), c.tail_string()) ########################################################################## # Construct and run the queries. In each case we create a role object and a # principal and call the query method on the context. The contents of the # proof are printed for successful queries. # role is the role to look for # p is the principal to check. ########################################################################## # role =[keyid:alpha].role:access([string:'Read'],[urn:'file//fileA']) # p = "[keyid:bob]" param1=ABAC.DataTerm("string", "'Read'") param2=ABAC.DataTerm("urn","'file//fileA'") role = ABAC.Role(alpha,"access") role.role_add_data_term(param1) role.role_add_data_term(param2) p = ABAC.Role(bob) print "\n===good============ Alpha.access(Read,fileA)<-?-Bob" out = ctxt.query(role, p) for c in out[1]: print "%s <- %s" % (c.head_string(), c.tail_string()) ########################################################################## # role =[keyid:alpha].role:access([string:'Read'],[urn:'file//fileA']) # p = "[keyid:joe]" param1=ABAC.DataTerm("string", "'Read'") param2=ABAC.DataTerm("urn","'file//fileA'") role = ABAC.Role(alpha,"access") role.role_add_data_term(param1) role.role_add_data_term(param2) p = ABAC.Role(joe) print "\n===bad============ Alpha.access(Read,fileA)<-?-Joe" out = ctxt.query(role,p) for c in out[1]: print "%s <- %s" % (c.head_string(), c.tail_string()) ########################################################################## # role =[keyid:alpha].role:team([string:'proj2']) # p = "[keyid:joe]" param=ABAC.DataTerm("string", "'proj2'") role = ABAC.Role(alpha,"team") role.role_add_data_term(param) p = ABAC.Role(joe) print "\n===good============ Alpha.team(proj2)<-?-Joe" out = ctxt.query(role,p) for c in out[1]: print "%s <- %s" % (c.head_string(), c.tail_string()) ## ctxt.dump_yap_db()