| [5f551d3] | 1 | #!/usr/bin/env python |
|---|
| 2 | |
|---|
| 3 | """ |
|---|
| [f824a9e] | 4 | See README in this directory for the semantics of the example. This file |
|---|
| 5 | constructs the credentials described and puts copies into this directory |
|---|
| [5f551d3] | 6 | |
|---|
| 7 | cmd1:env keystore=`pwd` ./attr.py |
|---|
| 8 | """ |
|---|
| 9 | |
|---|
| 10 | import os |
|---|
| 11 | import ABAC |
|---|
| 12 | |
|---|
| 13 | ctxt = ABAC.Context() |
|---|
| 14 | print "ABAC version %s" % ctxt.version() |
|---|
| 15 | |
|---|
| [f824a9e] | 16 | # Keystore is the directory containing the principal credentials. |
|---|
| 17 | # Load existing principals and/or policy credentials |
|---|
| 18 | if (os.environ.has_key("keystore")) : |
|---|
| 19 | keystore=os.environ["keystore"] |
|---|
| 20 | ctxt.load_directory(keystore) |
|---|
| [5f551d3] | 21 | |
|---|
| 22 | out = ctxt.context_principals() |
|---|
| 23 | print "...initial principal set..." |
|---|
| 24 | for x in out[1]: |
|---|
| 25 | print "%s " % x.string() |
|---|
| 26 | print "\n" |
|---|
| 27 | |
|---|
| 28 | out = ctxt.context_credentials() |
|---|
| 29 | print "...initial policy attribute set..." |
|---|
| 30 | for c in out[1]: |
|---|
| 31 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
|---|
| 32 | print "\n" |
|---|
| 33 | |
|---|
| [f824a9e] | 34 | # retrieve principals' keyid value from local credential files |
|---|
| [5f551d3] | 35 | alphaID=ABAC.ID("Alpha_ID.pem") |
|---|
| 36 | alphaID.id_load_privkey_file("Alpha_private.pem"); |
|---|
| 37 | alpha=alphaID.id_keyid() |
|---|
| 38 | |
|---|
| 39 | bobID=ABAC.ID("Bob_ID.pem") |
|---|
| 40 | bobID.id_load_privkey_file("Bob_private.pem"); |
|---|
| 41 | bob=bobID.id_keyid() |
|---|
| 42 | |
|---|
| 43 | maryannID=ABAC.ID("Maryann_ID.pem") |
|---|
| 44 | maryannID.id_load_privkey_file("Maryann_private.pem") |
|---|
| 45 | maryann=maryannID.id_keyid() |
|---|
| 46 | |
|---|
| 47 | joeID=ABAC.ID("Joe_ID.pem") |
|---|
| 48 | joeID.id_load_privkey_file("Joe_private.pem") |
|---|
| 49 | joe=joeID.id_keyid() |
|---|
| 50 | |
|---|
| 51 | |
|---|
| 52 | ################################################ |
|---|
| [f824a9e] | 53 | # Credential 1, demostrates role constraint on a file, |
|---|
| 54 | # manager of the owner of a file can also read that file |
|---|
| [5f551d3] | 55 | # [keyid:alpha].role:read([urn:?F])<- |
|---|
| 56 | # [keyid:alpha].role:managerOf([principal:?E[keyid:alpha].role:ownerOf([urn:?F])] |
|---|
| 57 | param=ABAC.DataTerm("urn", "F") |
|---|
| 58 | head = ABAC.Role(alpha,"read") |
|---|
| 59 | head.role_add_data_term(param) |
|---|
| [f824a9e] | 60 | |
|---|
| 61 | # create variable data term |
|---|
| [5f551d3] | 62 | param=ABAC.DataTerm("urn", "F") |
|---|
| [f824a9e] | 63 | |
|---|
| 64 | # create the constraining role structure |
|---|
| 65 | condrole=ABAC.Role(alpha,"ownerOf") |
|---|
| 66 | condrole.role_add_data_term(param) |
|---|
| 67 | |
|---|
| 68 | # create the constraint |
|---|
| 69 | cond=ABAC.Constraint(condrole) |
|---|
| 70 | |
|---|
| 71 | # build the parameter with constraint |
|---|
| [5f551d3] | 72 | param=ABAC.DataTerm("principal", "E", cond) |
|---|
| 73 | tail = ABAC.Role(alpha,"managerOf") |
|---|
| 74 | tail.role_add_data_term(param) |
|---|
| [f824a9e] | 75 | |
|---|
| 76 | # compose attribute policy |
|---|
| [5f551d3] | 77 | attr=ABAC.Attribute(head, 1800) |
|---|
| 78 | attr.attribute_add_tail(tail) |
|---|
| [f824a9e] | 79 | |
|---|
| 80 | # finalize the policy |
|---|
| [5f551d3] | 81 | attr.attribute_bake() |
|---|
| [f824a9e] | 82 | |
|---|
| 83 | # write out to external file |
|---|
| [5f551d3] | 84 | attr.attribute_write_cert("Alpha_read_qF__alpha_managerof_qE_attr.der") |
|---|
| 85 | ctxt.load_attribute_file("Alpha_read_qF__alpha_managerof_qE_attr.der") |
|---|
| 86 | print attr.string() |
|---|
| 87 | print attr.typed_string() |
|---|
| 88 | print "\n" |
|---|
| 89 | |
|---|
| 90 | ################################################# |
|---|
| [f824a9e] | 91 | # Credential 2, Bob is Joe's manager |
|---|
| [5f551d3] | 92 | # [keyid:Alpha].role:managerOf([Keyid:Joe]) <- [keyid:Bob] |
|---|
| 93 | # |
|---|
| 94 | param=ABAC.DataTerm(joeID) |
|---|
| 95 | role = ABAC.Role(alpha,"managerOf") |
|---|
| 96 | role.role_add_data_term(param) |
|---|
| 97 | tail = ABAC.Role(bob) |
|---|
| 98 | attr=ABAC.Attribute(role, 1800) |
|---|
| 99 | attr.attribute_add_tail(tail) |
|---|
| 100 | attr.attribute_bake() |
|---|
| 101 | attr.attribute_write_cert("Alpha_managerof_Joe__Bob_attr.der") |
|---|
| 102 | ctxt.load_attribute_file("Alpha_managerof_Joe__Bob_attr.der") |
|---|
| 103 | print attr.string() |
|---|
| 104 | print attr.typed_string() |
|---|
| 105 | print "\n" |
|---|
| 106 | |
|---|
| 107 | ################################################# |
|---|
| [f824a9e] | 108 | # Credential 3, Joe is file's owner |
|---|
| [5f551d3] | 109 | #[keyid:Alpha].role:ownerOf([urn:'file://fileA']) <- [keyid:Joe] |
|---|
| 110 | # |
|---|
| 111 | param=ABAC.DataTerm("urn", "'file://fileA'") |
|---|
| 112 | role = ABAC.Role(alpha,"ownerOf") |
|---|
| 113 | role.role_add_data_term(param) |
|---|
| 114 | tail = ABAC.Role(joe) |
|---|
| 115 | attr=ABAC.Attribute(role, 1800) |
|---|
| 116 | attr.attribute_add_tail(tail) |
|---|
| 117 | attr.attribute_bake() |
|---|
| 118 | attr.attribute_write_cert("Alpha_ownerof_fileA__Joe_attr.der") |
|---|
| 119 | ctxt.load_attribute_file("Alpha_ownerof_fileA__Joe_attr.der") |
|---|
| 120 | print attr.string() |
|---|
| 121 | print attr.typed_string() |
|---|
| 122 | print "\n" |
|---|
| 123 | |
|---|
