| 28 | | The server takes an optional argument, {{{--cert}}} and a certificate with which to identify itself under SSL/https. If omitted, the server will run under http, unencrypted and unauthenticated. If run under SSL, the server expects clients to supply a certificate, but does not vaildate it's authorization chain. This is for future expansion using ABAC authorization to the server and self-certifying identities. |
| | 28 | The server takes an optional argument, {{{--cert}}} and a certificate with which to identify itself under SSL/https. If omitted, the server will run under http, unencrypted and unauthenticated. If run under SSL, the server expects clients to supply a certificate, but does not vaildate it's authorization chain. This is for future expansion using ABAC authorization to the server and self-certifying identities. The directions for [http://fedd.deterlab.net/wiki/FeddConfig#MakingaFedidCertificate making a fedid certificate] will also create a valid certificate for this use. |
| | 60 | The client is primarily to demonstrate the server functionality, but may prove useful itself. It takes 2 optional parameters and a list of filenames, and prints the decoded credentials on the standard output. |
| | 61 | |
| | 62 | The {{{--url}}} option points to the server. By default it is {{{http://localhost:13232}}}. It can be set explicitly by setting this option, or by setting the {{{CRED_URL}}} environment variable. Using an https URL without the {{{--cert}}} option will fail. |
| | 63 | |
| | 64 | The {{{--cert}}} option specifies a file to use for an https exchange. If the option is given, any URL will be traeted as https; if omitted any URL will be treated as http. The directions for [http://fedd.deterlab.net/wiki/FeddConfig#MakingaFedidCertificate making a fedid certificate] will also create a valid certificate for this use. |
| | 65 | |
| | 66 | To try the client, start the server as an http server on the default port: |
| | 67 | |
| | 68 | {{{ |
| | 69 | $ cred_server.py |
| | 70 | }}} |
| | 71 | |
| | 72 | and run the client with the contents of the [source:examples/experiment_create examples/experiment_create directory] from the [http://abac.deterlab.net/src/abac-0.1.3.tgz abac distribution]. Assuming that that directory is {{{examples/experiment_create}}}: |
| | 73 | |
| | 74 | {{{ |
| | 75 | $ cred_client.py examples/experiment_create/* |
| | 76 | }}} |
| | 77 | |
| | 78 | produces: |
| | 79 | |
| | 80 | {{{ |
| | 81 | 000: identity 9b47d3669b99a4ce1d3a0055be002ea6a580041a Acme |
| | 82 | 001: attribute 9b47d3669b99a4ce1d3a0055be002ea6a580041a.experiment_create <- 9b47d3669b99a4ce1d3a0055be002ea6a580041a.partner.experiment_create Acme.experiment_create <- Acme.partner.experiment_create |
| | 83 | 002: attribute 9b47d3669b99a4ce1d3a0055be002ea6a580041a.partner <- f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7 Acme.partner <- Globotron |
| | 84 | 003: Error, code -1 |
| | 85 | 004: identity 001f3599bafb755e97855b9ee0b3487830a4ecc7 Alice |
| | 86 | 005: attribute 001f3599bafb755e97855b9ee0b3487830a4ecc7.power_user <- b9cdabc274fa38390c26829efed68eaa527b8d00 Alice.power_user <- Bob |
| | 87 | 006: Error, code -1 |
| | 88 | 007: identity b9cdabc274fa38390c26829efed68eaa527b8d00 Bob |
| | 89 | 008: Error, code -1 |
| | 90 | 009: identity f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7 Globotron |
| | 91 | 010: attribute f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.admin <- 001f3599bafb755e97855b9ee0b3487830a4ecc7 Globotron.admin <- Alice |
| | 92 | 011: attribute f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.experiment_create <- f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.admin.power_user Globotron.experiment_create <- Globotron.admin.power_user |
| | 93 | 012: Error, code -1 |
| | 94 | 013: Error, code -1 |
| | 95 | }}} |
| | 96 | |
| | 97 | Credentials that represent identities, such as the first entry (001) above are marked as identity certificates and both the keyid (a SHA1 hash of the key as described in [http://www.ietf.org/rfc/rfc3280.txt RFC 3280], and the certificate CN (common name) are displayed. Certificates created through [Creddy Creddy] and [source:doc/creddy_API libCreddy] put a human-readable name in the certificate CN. |
| | 98 | |
| | 99 | Credentials that represent attribute assignments are rendered as in line 002. The attribute identifier is printed and the certificate presented in RT0 format both with keyids and human-readable names. |
| | 100 | |
| | 101 | For data that does not represent either an identity or an attribute, the error line is printed. The code is a [source:doc/API libabac return code]. The errors in this example come from the private key files and README files in that example directory. |
| | 102 | |
| | 103 | |
