| [5f551d3] | 1 | #!/usr/bin/env python |
|---|
| 2 | |
|---|
| 3 | """ |
|---|
| [f824a9e] | 4 | See README in this directory for the semantics of the example. This file |
|---|
| 5 | constructs the credentials described and puts copies into this directory |
|---|
| [5f551d3] | 6 | |
|---|
| 7 | cmd1:env keystore=`pwd` ./attr.py |
|---|
| 8 | """ |
|---|
| 9 | |
|---|
| 10 | import os |
|---|
| 11 | import ABAC |
|---|
| 12 | |
|---|
| 13 | ctxt = ABAC.Context() |
|---|
| 14 | print "ABAC version %s" % ctxt.version() |
|---|
| 15 | |
|---|
| [f824a9e] | 16 | # Keystore is the directory containing the principal credentials. |
|---|
| 17 | # Load existing principals and/or policy credentials |
|---|
| 18 | if (os.environ.has_key("keystore")) : |
|---|
| 19 | keystore=os.environ["keystore"] |
|---|
| 20 | ctxt.load_directory(keystore) |
|---|
| [646e57e] | 21 | else: |
|---|
| 22 | print("keystore is not set...") |
|---|
| 23 | exit(1) |
|---|
| 24 | |
|---|
| [5f551d3] | 25 | |
|---|
| 26 | out = ctxt.context_principals() |
|---|
| 27 | print "...initial principal set..." |
|---|
| 28 | for x in out[1]: |
|---|
| 29 | print "%s " % x.string() |
|---|
| 30 | print "\n" |
|---|
| 31 | |
|---|
| 32 | out = ctxt.context_credentials() |
|---|
| 33 | print "...initial policy attribute set..." |
|---|
| 34 | for c in out[1]: |
|---|
| 35 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
|---|
| 36 | print "\n" |
|---|
| 37 | |
|---|
| [f824a9e] | 38 | # retrieve principals' keyid value from local credential files |
|---|
| [5f551d3] | 39 | alphaID=ABAC.ID("Alpha_ID.pem") |
|---|
| 40 | alphaID.id_load_privkey_file("Alpha_private.pem"); |
|---|
| 41 | alpha=alphaID.id_keyid() |
|---|
| 42 | |
|---|
| 43 | bobID=ABAC.ID("Bob_ID.pem") |
|---|
| 44 | bobID.id_load_privkey_file("Bob_private.pem"); |
|---|
| 45 | bob=bobID.id_keyid() |
|---|
| 46 | |
|---|
| 47 | maryannID=ABAC.ID("Maryann_ID.pem") |
|---|
| 48 | maryannID.id_load_privkey_file("Maryann_private.pem") |
|---|
| 49 | maryann=maryannID.id_keyid() |
|---|
| 50 | |
|---|
| 51 | joeID=ABAC.ID("Joe_ID.pem") |
|---|
| 52 | joeID.id_load_privkey_file("Joe_private.pem") |
|---|
| 53 | joe=joeID.id_keyid() |
|---|
| 54 | |
|---|
| 55 | |
|---|
| 56 | ################################################ |
|---|
| [f824a9e] | 57 | # Credential 1, demostrates role constraint on a file, |
|---|
| 58 | # manager of the owner of a file can also read that file |
|---|
| [5f551d3] | 59 | # [keyid:alpha].role:read([urn:?F])<- |
|---|
| 60 | # [keyid:alpha].role:managerOf([principal:?E[keyid:alpha].role:ownerOf([urn:?F])] |
|---|
| 61 | param=ABAC.DataTerm("urn", "F") |
|---|
| 62 | head = ABAC.Role(alpha,"read") |
|---|
| 63 | head.role_add_data_term(param) |
|---|
| [f824a9e] | 64 | |
|---|
| 65 | # create variable data term |
|---|
| [5f551d3] | 66 | param=ABAC.DataTerm("urn", "F") |
|---|
| [f824a9e] | 67 | |
|---|
| 68 | # create the constraining role structure |
|---|
| 69 | condrole=ABAC.Role(alpha,"ownerOf") |
|---|
| 70 | condrole.role_add_data_term(param) |
|---|
| 71 | |
|---|
| 72 | # create the constraint |
|---|
| 73 | cond=ABAC.Constraint(condrole) |
|---|
| 74 | |
|---|
| 75 | # build the parameter with constraint |
|---|
| [5f551d3] | 76 | param=ABAC.DataTerm("principal", "E", cond) |
|---|
| 77 | tail = ABAC.Role(alpha,"managerOf") |
|---|
| 78 | tail.role_add_data_term(param) |
|---|
| [f824a9e] | 79 | |
|---|
| 80 | # compose attribute policy |
|---|
| [5f551d3] | 81 | attr=ABAC.Attribute(head, 1800) |
|---|
| 82 | attr.attribute_add_tail(tail) |
|---|
| [f824a9e] | 83 | |
|---|
| 84 | # finalize the policy |
|---|
| [5f551d3] | 85 | attr.attribute_bake() |
|---|
| [f824a9e] | 86 | |
|---|
| 87 | # write out to external file |
|---|
| [5f551d3] | 88 | attr.attribute_write_cert("Alpha_read_qF__alpha_managerof_qE_attr.der") |
|---|
| 89 | ctxt.load_attribute_file("Alpha_read_qF__alpha_managerof_qE_attr.der") |
|---|
| 90 | print attr.string() |
|---|
| 91 | print attr.typed_string() |
|---|
| 92 | print "\n" |
|---|
| 93 | |
|---|
| 94 | ################################################# |
|---|
| [f824a9e] | 95 | # Credential 2, Bob is Joe's manager |
|---|
| [5f551d3] | 96 | # [keyid:Alpha].role:managerOf([Keyid:Joe]) <- [keyid:Bob] |
|---|
| 97 | # |
|---|
| 98 | param=ABAC.DataTerm(joeID) |
|---|
| 99 | role = ABAC.Role(alpha,"managerOf") |
|---|
| 100 | role.role_add_data_term(param) |
|---|
| 101 | tail = ABAC.Role(bob) |
|---|
| 102 | attr=ABAC.Attribute(role, 1800) |
|---|
| 103 | attr.attribute_add_tail(tail) |
|---|
| 104 | attr.attribute_bake() |
|---|
| 105 | attr.attribute_write_cert("Alpha_managerof_Joe__Bob_attr.der") |
|---|
| 106 | ctxt.load_attribute_file("Alpha_managerof_Joe__Bob_attr.der") |
|---|
| 107 | print attr.string() |
|---|
| 108 | print attr.typed_string() |
|---|
| 109 | print "\n" |
|---|
| 110 | |
|---|
| 111 | ################################################# |
|---|
| [f824a9e] | 112 | # Credential 3, Joe is file's owner |
|---|
| [5f551d3] | 113 | #[keyid:Alpha].role:ownerOf([urn:'file://fileA']) <- [keyid:Joe] |
|---|
| 114 | # |
|---|
| 115 | param=ABAC.DataTerm("urn", "'file://fileA'") |
|---|
| 116 | role = ABAC.Role(alpha,"ownerOf") |
|---|
| 117 | role.role_add_data_term(param) |
|---|
| 118 | tail = ABAC.Role(joe) |
|---|
| 119 | attr=ABAC.Attribute(role, 1800) |
|---|
| 120 | attr.attribute_add_tail(tail) |
|---|
| 121 | attr.attribute_bake() |
|---|
| 122 | attr.attribute_write_cert("Alpha_ownerof_fileA__Joe_attr.der") |
|---|
| 123 | ctxt.load_attribute_file("Alpha_ownerof_fileA__Joe_attr.der") |
|---|
| 124 | print attr.string() |
|---|
| 125 | print attr.typed_string() |
|---|
| 126 | print "\n" |
|---|
| 127 | |
|---|
