#!/usr/bin/env python """ See README in this directory for the semantics of the example. This file constructs the credentials described and puts copies into this directory cmd1:env keystore=`pwd` ./attr.py """ import os import ABAC ctxt = ABAC.Context() print "ABAC version %s" % ctxt.version() # Keystore is the directory containing the principal credentials. # Load existing principals and/or policy credentials if (os.environ.has_key("keystore")) : keystore=os.environ["keystore"] ctxt.load_directory(keystore) else: print("keystore is not set...") exit(1) out = ctxt.context_principals() print "...initial principal set..." for x in out[1]: print "%s " % x.string() print "\n" out = ctxt.context_credentials() print "...initial policy attribute set..." for c in out[1]: print "%s <- %s" % (c.head_string(), c.tail_string()) print "\n" # retrieve principals' keyid value from local credential files alphaID=ABAC.ID("Alpha_ID.pem") alphaID.id_load_privkey_file("Alpha_private.pem"); alpha=alphaID.id_keyid() bobID=ABAC.ID("Bob_ID.pem") bobID.id_load_privkey_file("Bob_private.pem"); bob=bobID.id_keyid() maryannID=ABAC.ID("Maryann_ID.pem") maryannID.id_load_privkey_file("Maryann_private.pem") maryann=maryannID.id_keyid() joeID=ABAC.ID("Joe_ID.pem") joeID.id_load_privkey_file("Joe_private.pem") joe=joeID.id_keyid() ################################################ # Credential 1, demostrates role constraint on a file, # manager of the owner of a file can also read that file # [keyid:alpha].role:read([urn:?F])<- # [keyid:alpha].role:managerOf([principal:?E[keyid:alpha].role:ownerOf([urn:?F])] param=ABAC.DataTerm("urn", "F") head = ABAC.Role(alpha,"read") head.role_add_data_term(param) # create variable data term param=ABAC.DataTerm("urn", "F") # create the constraining role structure condrole=ABAC.Role(alpha,"ownerOf") condrole.role_add_data_term(param) # create the constraint cond=ABAC.Constraint(condrole) # build the parameter with constraint param=ABAC.DataTerm("principal", "E", cond) tail = ABAC.Role(alpha,"managerOf") tail.role_add_data_term(param) # compose attribute policy attr=ABAC.Attribute(head, 1800) attr.attribute_add_tail(tail) # finalize the policy attr.attribute_bake() # write out to external file attr.attribute_write_cert("Alpha_read_qF__alpha_managerof_qE_attr.der") ctxt.load_attribute_file("Alpha_read_qF__alpha_managerof_qE_attr.der") print attr.string() print attr.typed_string() print "\n" ################################################# # Credential 2, Bob is Joe's manager # [keyid:Alpha].role:managerOf([Keyid:Joe]) <- [keyid:Bob] # param=ABAC.DataTerm(joeID) role = ABAC.Role(alpha,"managerOf") role.role_add_data_term(param) tail = ABAC.Role(bob) attr=ABAC.Attribute(role, 1800) attr.attribute_add_tail(tail) attr.attribute_bake() attr.attribute_write_cert("Alpha_managerof_Joe__Bob_attr.der") ctxt.load_attribute_file("Alpha_managerof_Joe__Bob_attr.der") print attr.string() print attr.typed_string() print "\n" ################################################# # Credential 3, Joe is file's owner #[keyid:Alpha].role:ownerOf([urn:'file://fileA']) <- [keyid:Joe] # param=ABAC.DataTerm("urn", "'file://fileA'") role = ABAC.Role(alpha,"ownerOf") role.role_add_data_term(param) tail = ABAC.Role(joe) attr=ABAC.Attribute(role, 1800) attr.attribute_add_tail(tail) attr.attribute_bake() attr.attribute_write_cert("Alpha_ownerof_fileA__Joe_attr.der") ctxt.load_attribute_file("Alpha_ownerof_fileA__Joe_attr.der") print attr.string() print attr.typed_string() print "\n"