[7211a95] | 1 | #!/usr/bin/env python |
---|
| 2 | |
---|
| 3 | """ |
---|
[f824a9e] | 4 | Run the queries described in README |
---|
[7211a95] | 5 | |
---|
| 6 | cmd1:env keystore=`pwd` ./query.py |
---|
| 7 | cmd2: env ABAC_CN=1 keystore=`pwd` ./query.py |
---|
| 8 | """ |
---|
| 9 | |
---|
| 10 | import os |
---|
| 11 | import ABAC |
---|
| 12 | |
---|
| 13 | ctxt = ABAC.Context() |
---|
[646e57e] | 14 | ctxt.set_no_partial_proof() |
---|
[7211a95] | 15 | |
---|
[f824a9e] | 16 | # Keystore is the directory containing the principal credentials. |
---|
| 17 | # Load existing principals and/or policy credentials |
---|
| 18 | if (os.environ.has_key("keystore")) : |
---|
| 19 | keystore=os.environ["keystore"] |
---|
| 20 | ctxt.load_directory(keystore) |
---|
| 21 | else: |
---|
| 22 | print("keystore is not set...") |
---|
| 23 | exit(1) |
---|
[7211a95] | 24 | |
---|
[f824a9e] | 25 | # extract principal's keyid from local principal cert files |
---|
[7211a95] | 26 | acmeID=ABAC.ID("Acme_ID.pem") |
---|
| 27 | acmeID.id_load_privkey_file("Acme_private.pem"); |
---|
| 28 | acme=acmeID.id_keyid() |
---|
| 29 | |
---|
| 30 | coyoteID=ABAC.ID("Coyote_ID.pem") |
---|
| 31 | coyoteID.id_load_privkey_file("Coyote_private.pem"); |
---|
| 32 | coyote=coyoteID.id_keyid() |
---|
| 33 | |
---|
| 34 | roadrunnerID=ABAC.ID("Roadrunner_ID.pem") |
---|
| 35 | roadrunnerID.id_load_privkey_file("Roadrunner_private.pem"); |
---|
| 36 | roadrunner=roadrunnerID.id_keyid() |
---|
| 37 | |
---|
| 38 | jackrabbitID=ABAC.ID("Jackrabbit_ID.pem") |
---|
| 39 | jackrabbitID.id_load_privkey_file("Jackrabbit_private.pem"); |
---|
| 40 | jackrabbit=jackrabbitID.id_keyid() |
---|
| 41 | |
---|
| 42 | ########################################################################## |
---|
[f824a9e] | 43 | # dump the loaded principals/policies |
---|
| 44 | # |
---|
| 45 | out = ctxt.context_principals() |
---|
| 46 | print "\n...final principal set..." |
---|
| 47 | for x in out[1]: |
---|
| 48 | print "%s " % x.string() |
---|
| 49 | out = ctxt.context_credentials() |
---|
| 50 | print "\n...final policy attribute set..." |
---|
| 51 | for c in out[1]: |
---|
| 52 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
---|
| 53 | |
---|
| 54 | ########################################################################## |
---|
| 55 | # is coyote a friend of roadrunner? |
---|
[7211a95] | 56 | # role =[keyid:Acme].role:friendof([keyid:Roadrunner]) |
---|
| 57 | # p= [keyid:Coyote] |
---|
| 58 | param=ABAC.DataTerm(roadrunnerID) |
---|
| 59 | role = ABAC.Role(acme,"friendof") |
---|
| 60 | role.role_add_data_term(param) |
---|
| 61 | p = ABAC.Role(coyote) |
---|
| 62 | print "\n===bad============ Acme.friendOf(Roadrunner) <- Coyote" |
---|
| 63 | out = ctxt.query(role, p) |
---|
| 64 | |
---|
| 65 | for c in out[1]: |
---|
| 66 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
---|
| 67 | |
---|
| 68 | ########################################################################## |
---|
[f824a9e] | 69 | # is jackrabbit a friend of roadrunner ? |
---|
[7211a95] | 70 | # role =[keyid:Acme].role:friendof([keyid:Roadrunner]) |
---|
| 71 | # p= [keyid:Jackrabbit] |
---|
| 72 | param=ABAC.DataTerm(roadrunnerID) |
---|
| 73 | role = ABAC.Role(acme,"friendof") |
---|
| 74 | role.role_add_data_term(param) |
---|
| 75 | p = ABAC.Role(jackrabbit) |
---|
| 76 | print "\n===good============ Acme.friendOf(Roadrunner) <- Jackrabbit" |
---|
| 77 | out = ctxt.query(role, p) |
---|
| 78 | |
---|
| 79 | for c in out[1]: |
---|
| 80 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
---|
| 81 | |
---|
| 82 | |
---|
| 83 | ########################################################################## |
---|
[f824a9e] | 84 | # is jackrabbit a preferred_customer of Acme ? |
---|
[7211a95] | 85 | # role =[keyid:Acme].role:preferred_customer |
---|
| 86 | # p =[keyid:Jackrabbit] |
---|
| 87 | role = ABAC.Role(acme,"preferred_customer") |
---|
| 88 | p = ABAC.Role(jackrabbit) |
---|
| 89 | print "\n===good============ Acme.preferred_customer <- Jackrabbit" |
---|
| 90 | out = ctxt.query(role, p) |
---|
| 91 | |
---|
| 92 | for c in out[1]: |
---|
| 93 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
---|
| 94 | |
---|
| 95 | ########################################################################## |
---|
[f824a9e] | 96 | # is coyote a preferred_customer of Acme ? |
---|
[7211a95] | 97 | # role =[keyid:Acme].role:preferred_customer |
---|
| 98 | # p =[keyid:Coyote] |
---|
| 99 | role = ABAC.Role(acme,"preferred_customer") |
---|
| 100 | p = ABAC.Role(coyote) |
---|
| 101 | print "\n===good============ Acme.preferred_customer <- Coyote" |
---|
| 102 | out = ctxt.query(role, p) |
---|
| 103 | |
---|
| 104 | for c in out[1]: |
---|
| 105 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
---|
| 106 | |
---|
| 107 | |
---|
| 108 | ########################################################################## |
---|
[f824a9e] | 109 | # is blah_blah a preferred_customer of Acme ? |
---|
| 110 | # role =[keyid:Acme].role:preferred_customer |
---|
| 111 | # p =[keyid:badCoyote] |
---|
| 112 | role = ABAC.Role(acme,"preferred_customer") |
---|
| 113 | # some random SHA keyid value |
---|
| 114 | badcoyote="1fb66793d453226f0b93a48c7f6ae0d51632e628" |
---|
| 115 | p = ABAC.Role(badcoyote) |
---|
| 116 | print "\n===bad============ Acme.preferred_customer <- badcoyote" |
---|
| 117 | out = ctxt.query(role, p) |
---|
| 118 | |
---|
[7211a95] | 119 | for c in out[1]: |
---|
| 120 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
---|
[f824a9e] | 121 | |
---|