This directory contains various ABAC scenarios that exercise various
features of the current RT2 implementation using YAP Prolog. The frontend
query client is abac_prover_yap.

Each subdirectory has a README script which includes a description of the
scenario and the calls that generate the needed credentials. There is a
run_query script which sets up and runs a couple of typical queries using
abac_prover_yap.

runall is the top-level script that cleans up and sets up the credentials
needed in each subdirectory.

runcheck is the top-level script that initiates the run_query scripts
within each subdirectory with ABAC_CN mode (see below), captures the
result, and compares it with the baseline result stored in allout.save.
runcheck also makes a complete run_query run without ABAC_CN enabled as a
regression test, and runs a query using Python in one of the
subdirectories.

abac_prover_yap

Usage: abac_prover_yap
    --keystore --role --principal --oset --object
        loads the keystore and runs the query
            role <-?- principal
        or the query
            oset <-?- object
    --dump
        extracts all credentials from the prolog db

keystore is the location where the prover will search to load credentials.
All accessible identity credentials and attribute credentials will be
picked up, one file at a time.

role, oset, principal, and object are specified with the principal's SHA1
value, extracted from the credentials that are loaded from the keystore
location, using creddy. An example can be found in the run_query script.

An actual example from balltime_rt2_typed:

    abac_prover_yap
        --keystore /home/mei/Deter/abac/examples/balltime_rt2_typed
        --role [keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium ([string:'access'],[boolean:true],[time:20120228T130000])
        --principal [keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0]

Currently, the dump option might fail if not enough information is stored
in the backend db. It will be reimplemented in the near future.
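
Added example (not part of the original README or of the ABAC code): a
Python check for hand-written --role and --principal arguments in the form
shown in the balltime_rt2_typed example, so that a truncated SHA1 value or a
malformed typed parameter is caught before the query is run. The grammar is
inferred from that one example and is an assumption, as are the function
names.

```python
import re

# Grammar inferred from the one balltime_rt2_typed example in this README;
# it is an assumption, not the prover's own parser.
KEYID = r"\[keyid:(?P<keyid>[0-9a-f]{40})\]"  # a SHA1 value is 40 hex digits
ROLE_RE = re.compile(KEYID + r"\.role:(?P<name>\w+)\s*(?:\((?P<params>.*)\))?")
PRINCIPAL_RE = re.compile(KEYID)
PARAM = r"\[(\w+):([^\]]*)\]"
PARAMS_RE = re.compile(r"%s(?:\s*,\s*%s)*" % (PARAM, PARAM))
TIME_RE = re.compile(r"\d{8}T\d{6}")


def parse_principal(text):
    """Return the keyid of a '[keyid:...]' principal, or raise ValueError."""
    m = PRINCIPAL_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("principal must be [keyid:<40 hex digits>]: %r" % text)
    return m.group("keyid")


def parse_role(text):
    """Split a --role argument into (keyid, role name, [(type, value), ...])."""
    m = ROLE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("malformed role expression: %r" % text)
    raw = (m.group("params") or "").strip()
    if raw and not PARAMS_RE.fullmatch(raw):
        raise ValueError("parameters must be [type:value] pairs: %r" % raw)
    params = []
    for ptype, value in re.findall(PARAM, raw):
        value = value.strip("'")
        if ptype == "boolean" and value not in ("true", "false"):
            raise ValueError("boolean must be true or false: %r" % value)
        if ptype == "time" and not TIME_RE.fullmatch(value):
            raise ValueError("time must look like 20120228T130000: %r" % value)
        params.append((ptype, value))
    return m.group("keyid"), m.group("name"), params


if __name__ == "__main__":
    # Arguments copied from the balltime_rt2_typed example above.
    role = ("[keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium "
            "([string:'access'],[boolean:true],[time:20120228T130000])")
    print(parse_role(role))
    print(parse_principal("[keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0]"))
```

Identifiers written as a CN (the ABAC_CN mode described below) are rejected
by this check, since it only accepts 40-digit keyid values.
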

Two useful environment variables:

    DUMP_DB     extracts the complete yap db to stdout
    ABAC_CN     uses the CN instead of the SHA1 value to identify the
                principals. This is useful for debugging purposes but will
                not resolve conflicts when a CN is not uniquely associated
                with each principal's SHA1 value.

    env ABAC_CN=1 runall run
or
    env DUMP_DB=1 ABAC_CN=1 run_query