| 1 | #!/usr/bin/env python |
|---|
| 2 | |
|---|
| 3 | """ |
|---|
| 4 | See README in this directory for the semantics of the example. This file |
|---|
| 5 | constructs the credentials described and puts copies into this directory |
|---|
| 6 | |
|---|
| 7 | cmd1:env keystore=`pwd` ./attr.py |
|---|
| 8 | """ |
|---|
| 9 | |
|---|
| 10 | import os |
|---|
| 11 | import ABAC |
|---|
| 12 | |
|---|
| 13 | ctxt = ABAC.Context() |
|---|
| 14 | print "ABAC version %s" % ctxt.version() |
|---|
| 15 | |
|---|
| 16 | # Keystore is the directory containing the principal credentials. |
|---|
| 17 | # Load existing principals and/or policy credentials |
|---|
| 18 | if (os.environ.has_key("keystore")) : |
|---|
| 19 | keystore=os.environ["keystore"] |
|---|
| 20 | ctxt.load_directory(keystore) |
|---|
| 21 | else: |
|---|
| 22 | print("keystore is not set...") |
|---|
| 23 | exit(1) |
|---|
| 24 | |
|---|
| 25 | |
|---|
| 26 | out = ctxt.context_principals() |
|---|
| 27 | print "...initial principal set..." |
|---|
| 28 | for x in out[1]: |
|---|
| 29 | print "%s " % x.string() |
|---|
| 30 | print "\n" |
|---|
| 31 | |
|---|
| 32 | out = ctxt.context_credentials() |
|---|
| 33 | print "...initial policy attribute set..." |
|---|
| 34 | for c in out[1]: |
|---|
| 35 | print "%s <- %s" % (c.head_string(), c.tail_string()) |
|---|
| 36 | print "\n" |
|---|
| 37 | |
|---|
| 38 | # retrieve principals' keyid value from local credential files |
|---|
| 39 | geniID=ABAC.ID("Geni_ID.pem"); |
|---|
| 40 | geniID.id_load_privkey_file("Geni_private.pem"); |
|---|
| 41 | geni=geniID.id_keyid() |
|---|
| 42 | |
|---|
| 43 | bobID=ABAC.ID("Bob_ID.pem"); |
|---|
| 44 | bobID.id_load_privkey_file("Bob_private.pem"); |
|---|
| 45 | bob=bobID.id_keyid() |
|---|
| 46 | |
|---|
| 47 | jackID=ABAC.ID("Jack_ID.pem"); |
|---|
| 48 | jackID.id_load_privkey_file("Jack_private.pem"); |
|---|
| 49 | jack=jackID.id_keyid() |
|---|
| 50 | |
|---|
| 51 | joeID=ABAC.ID("Joe_ID.pem"); |
|---|
| 52 | joeID.id_load_privkey_file("Joe_private.pem"); |
|---|
| 53 | joe=joeID.id_keyid() |
|---|
| 54 | |
|---|
| 55 | ################################################ |
|---|
| 56 | # Credential 1, |
|---|
| 57 | # [keyid:geni].role:leader |
|---|
| 58 | # <- [keyid:geni].role:equivalent([principal:?P[keyid:geni].role:leader]) |
|---|
| 59 | head=ABAC.Role(geni,"leader") |
|---|
| 60 | |
|---|
| 61 | # initialize the role constraint on a principlal |
|---|
| 62 | condrole=ABAC.Role(geni,"leader") |
|---|
| 63 | cond=ABAC.Constraint(condrole) |
|---|
| 64 | |
|---|
| 65 | # make the data term with the role constraint |
|---|
| 66 | param=ABAC.DataTerm("principal","P", cond) |
|---|
| 67 | tail = ABAC.Role(geni,"equivalent") |
|---|
| 68 | tail.role_add_data_term(param) |
|---|
| 69 | |
|---|
| 70 | # build he attribute policy |
|---|
| 71 | attr=ABAC.Attribute(head, 1800) |
|---|
| 72 | attr.attribute_add_tail(tail) |
|---|
| 73 | |
|---|
| 74 | # finalize the policy |
|---|
| 75 | attr.attribute_bake() |
|---|
| 76 | |
|---|
| 77 | # write the policy out to a credential file |
|---|
| 78 | attr.attribute_write_cert("geni_leader__geni_leader_qP_attr.der") |
|---|
| 79 | |
|---|
| 80 | # load the policy into the context using the credential file |
|---|
| 81 | ctxt.load_attribute_file("geni_leader__geni_leader_qP_attr.der") |
|---|
| 82 | print attr.string() |
|---|
| 83 | print attr.typed_string() |
|---|
| 84 | print "\n" |
|---|
| 85 | |
|---|
| 86 | ################################################# |
|---|
| 87 | # Credential 2 |
|---|
| 88 | # [keyid:geni].role:leader <- [keyid:bob] |
|---|
| 89 | head=ABAC.Role(geni,"leader") |
|---|
| 90 | tail = ABAC.Role(bob) |
|---|
| 91 | attr=ABAC.Attribute(head, 1800) |
|---|
| 92 | attr.attribute_add_tail(tail) |
|---|
| 93 | attr.attribute_bake() |
|---|
| 94 | attr.attribute_write_cert("geni_leader__Bob_attr.der") |
|---|
| 95 | ctxt.load_attribute_file("geni_leader__Bob_attr.der") |
|---|
| 96 | print attr.string() |
|---|
| 97 | print attr.typed_string() |
|---|
| 98 | print "\n" |
|---|
| 99 | |
|---|
| 100 | ################################################# |
|---|
| 101 | # Credential 3 |
|---|
| 102 | # [keyid:geni].role:equivalent([keyid:bob]) <- [keyid:Joe] |
|---|
| 103 | param=ABAC.DataTerm(bobID) |
|---|
| 104 | head = ABAC.Role(geni,"equivalent") |
|---|
| 105 | head.role_add_data_term(param) |
|---|
| 106 | tail = ABAC.Role(joe) |
|---|
| 107 | attr=ABAC.Attribute(head, 1800) |
|---|
| 108 | attr.attribute_add_tail(tail) |
|---|
| 109 | attr.attribute_bake() |
|---|
| 110 | attr.attribute_write_cert("geni_equivalent_Bob__Joe_attr.der") |
|---|
| 111 | ctxt.load_attribute_file("geni_equivalent_Bob__Joe_attr.der") |
|---|
| 112 | print attr.string() |
|---|
| 113 | print attr.typed_string() |
|---|
| 114 | print "\n" |
|---|
| 115 | |
|---|
| 116 | ################################################# |
|---|
| 117 | # Credential 4 |
|---|
| 118 | # [keyid:geni].role:equivalent([keyid:Joe]) <- [keyid:Bob] |
|---|
| 119 | param=ABAC.DataTerm(joeID) |
|---|
| 120 | head = ABAC.Role(geni,"equivalent") |
|---|
| 121 | head.role_add_data_term(param) |
|---|
| 122 | tail = ABAC.Role(bob) |
|---|
| 123 | attr=ABAC.Attribute(head, 1800) |
|---|
| 124 | attr.attribute_add_tail(tail) |
|---|
| 125 | attr.attribute_bake() |
|---|
| 126 | attr.attribute_write_cert("geni_equivalent_Joe__Bob_attr.der") |
|---|
| 127 | ctxt.load_attribute_file("geni_equivalent_Joe__Bob_attr.der") |
|---|
| 128 | print attr.string() |
|---|
| 129 | print attr.typed_string() |
|---|
| 130 | print "\n" |
|---|
