source: examples/python_tests/file_read_rt2/attr.py @ 20eaefe

#!/usr/bin/env python

"""
See README in this directory for the semantics of the example.  This file
constructs the credentials described and puts copies into this directory

cmd1:env keystore=`pwd` ./attr.py 
"""

import os
import ABAC

ctxt = ABAC.Context()
print "ABAC version %s" % ctxt.version()

# Keystore is the directory containing the principal credentials.
# Load existing principals and/or policy credentials
if (os.environ.has_key("keystore")) :
    keystore=os.environ["keystore"]
    ctxt.load_directory(keystore)
else:
    print("keystore is not set...")
    exit(1)


out = ctxt.context_principals()
print "...initial principal set..."
for x in out[1]:
    print "%s " % x.string()
print "\n" 

out = ctxt.context_credentials()
print "...initial policy attribute set..."
for c in out[1]:
    print "%s <- %s" % (c.head_string(), c.tail_string())
print "\n"

# retrieve principals' keyid value from local credential files
alphaID=ABAC.ID("Alpha_ID.pem")
alphaID.id_load_privkey_file("Alpha_private.pem");
alpha=alphaID.id_keyid()

bobID=ABAC.ID("Bob_ID.pem")
bobID.id_load_privkey_file("Bob_private.pem");
bob=bobID.id_keyid()

maryannID=ABAC.ID("Maryann_ID.pem")
maryannID.id_load_privkey_file("Maryann_private.pem")
maryann=maryannID.id_keyid()

joeID=ABAC.ID("Joe_ID.pem")
joeID.id_load_privkey_file("Joe_private.pem")
joe=joeID.id_keyid()


################################################
# Credential 1, demostrates role constraint on a file, 
#               manager of the owner of a file can also read that file
# [keyid:alpha].role:read([urn:?F])<-
#    [keyid:alpha].role:managerOf([principal:?E[keyid:alpha].role:ownerOf([urn:?F])]
param=ABAC.DataTerm("urn", "F")
head = ABAC.Role(alpha,"read")
head.role_add_data_term(param)

# create variable data term
param=ABAC.DataTerm("urn", "F")

# create the constraining role structure
condrole=ABAC.Role(alpha,"ownerOf")
condrole.role_add_data_term(param)

# create the constraint
cond=ABAC.Constraint(condrole)

# build the parameter with constraint
param=ABAC.DataTerm("principal", "E", cond)
tail = ABAC.Role(alpha,"managerOf")
tail.role_add_data_term(param)

# compose attribute policy
attr=ABAC.Attribute(head, 1800)
attr.attribute_add_tail(tail)

# finalize the policy
attr.attribute_bake()

# write out to external file
attr.attribute_write_cert("Alpha_read_qF__alpha_managerof_qE_attr.der")
ctxt.load_attribute_file("Alpha_read_qF__alpha_managerof_qE_attr.der")
print attr.string() 
print attr.typed_string()
print "\n"

#################################################
# Credential 2, Bob is Joe's manager
# [keyid:Alpha].role:managerOf([Keyid:Joe]) <- [keyid:Bob]
#
param=ABAC.DataTerm(joeID)
role = ABAC.Role(alpha,"managerOf")
role.role_add_data_term(param)
tail = ABAC.Role(bob)
attr=ABAC.Attribute(role, 1800)
attr.attribute_add_tail(tail)
attr.attribute_bake()
attr.attribute_write_cert("Alpha_managerof_Joe__Bob_attr.der")
ctxt.load_attribute_file("Alpha_managerof_Joe__Bob_attr.der")
print attr.string() 
print attr.typed_string()
print "\n"

#################################################
# Credential 3, Joe is file's owner
#[keyid:Alpha].role:ownerOf([urn:'file://fileA']) <- [keyid:Joe]
#
param=ABAC.DataTerm("urn", "'file://fileA'")
role = ABAC.Role(alpha,"ownerOf")
role.role_add_data_term(param)
tail = ABAC.Role(joe)
attr=ABAC.Attribute(role, 1800)
attr.attribute_add_tail(tail)
attr.attribute_bake()
attr.attribute_write_cert("Alpha_ownerof_fileA__Joe_attr.der")
ctxt.load_attribute_file("Alpha_ownerof_fileA__Joe_attr.der")
print attr.string() 
print attr.typed_string()
print "\n"