The server takes an optional argument, {{{--cert}}}, naming a certificate with which to identify itself under SSL/https. If omitted, the server runs under http, unencrypted and unauthenticated. If run under SSL, the server expects clients to supply a certificate, but does not validate its authorization chain. This is for future expansion using ABAC authorization to the server and self-certifying identities. The directions for [http://fedd.deterlab.net/wiki/FeddConfig#MakingaFedidCertificate making a fedid certificate] will also create a valid certificate for this use.
The client is primarily a demonstration of the server functionality, but may prove useful in itself. It takes two optional parameters and a list of filenames, and prints the decoded credentials on standard output.

The {{{--url}}} option points to the server. By default it is {{{http://localhost:13232}}}. It can be set explicitly with this option, or by setting the {{{CRED_URL}}} environment variable. Using an https URL without the {{{--cert}}} option will fail.

The {{{--cert}}} option specifies a certificate file to use for an https exchange. If the option is given, any URL will be treated as https; if omitted, any URL will be treated as http. The directions for [http://fedd.deterlab.net/wiki/FeddConfig#MakingaFedidCertificate making a fedid certificate] will also create a valid certificate for this use.
To try the client, start the server as an http server on the default port:

{{{
$ cred_server.py
}}}

and run the client with the contents of the [source:examples/experiment_create examples/experiment_create directory] from the [http://abac.deterlab.net/src/abac-0.1.3.tgz abac distribution]. Assuming that directory is {{{examples/experiment_create}}}:

{{{
$ cred_client.py examples/experiment_create/*
}}}

produces:

{{{
000: identity 9b47d3669b99a4ce1d3a0055be002ea6a580041a Acme
001: attribute 9b47d3669b99a4ce1d3a0055be002ea6a580041a.experiment_create <- 9b47d3669b99a4ce1d3a0055be002ea6a580041a.partner.experiment_create Acme.experiment_create <- Acme.partner.experiment_create
002: attribute 9b47d3669b99a4ce1d3a0055be002ea6a580041a.partner <- f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7 Acme.partner <- Globotron
003: Error, code -1
004: identity 001f3599bafb755e97855b9ee0b3487830a4ecc7 Alice
005: attribute 001f3599bafb755e97855b9ee0b3487830a4ecc7.power_user <- b9cdabc274fa38390c26829efed68eaa527b8d00 Alice.power_user <- Bob
006: Error, code -1
007: identity b9cdabc274fa38390c26829efed68eaa527b8d00 Bob
008: Error, code -1
009: identity f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7 Globotron
010: attribute f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.admin <- 001f3599bafb755e97855b9ee0b3487830a4ecc7 Globotron.admin <- Alice
011: attribute f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.experiment_create <- f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.admin.power_user Globotron.experiment_create <- Globotron.admin.power_user
012: Error, code -1
013: Error, code -1
}}}

Credentials that represent identities, such as the first entry (001) above, are marked as identity certificates, and both the keyid (a SHA1 hash of the key, as described in [http://www.ietf.org/rfc/rfc3280.txt RFC 3280]) and the certificate CN (common name) are displayed. Certificates created through [Creddy Creddy] and [source:doc/creddy_API libCreddy] put a human-readable name in the certificate CN.

Credentials that represent attribute assignments are rendered as in line 002. The attribute identifier is printed and the credential is presented in RT0 format twice, once with keyids and once with human-readable names.

For data that does not represent either an identity or an attribute, an error line is printed. The code is a [source:doc/API libabac return code]. The errors in this example come from the private key files and README files in the example directory.
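As an added example (not part of the abac distribution or of cred_client.py), the following Python parses cred_client.py output in the format shown above and checks that each attribute's human-readable rendering is exactly its keyid rendering with keyids replaced by the CNs of the identity credentials in the same run. Only the keyids are derived from keys; the CNs are whatever the certificate issuer put there, so a rendering that does not resolve this way is worth flagging. The sample text is a subset of the output above.

```python
import re

# Subset of the cred_client.py output shown above (decoded credentials
# from examples/experiment_create); used here as the sample input.
SAMPLE_OUTPUT = """\
000: identity 9b47d3669b99a4ce1d3a0055be002ea6a580041a Acme
001: attribute 9b47d3669b99a4ce1d3a0055be002ea6a580041a.experiment_create <- 9b47d3669b99a4ce1d3a0055be002ea6a580041a.partner.experiment_create Acme.experiment_create <- Acme.partner.experiment_create
002: attribute 9b47d3669b99a4ce1d3a0055be002ea6a580041a.partner <- f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7 Acme.partner <- Globotron
003: Error, code -1
004: identity 001f3599bafb755e97855b9ee0b3487830a4ecc7 Alice
005: attribute 001f3599bafb755e97855b9ee0b3487830a4ecc7.power_user <- b9cdabc274fa38390c26829efed68eaa527b8d00 Alice.power_user <- Bob
007: identity b9cdabc274fa38390c26829efed68eaa527b8d00 Bob
009: identity f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7 Globotron
010: attribute f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.admin <- 001f3599bafb755e97855b9ee0b3487830a4ecc7 Globotron.admin <- Alice
011: attribute f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.experiment_create <- f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.admin.power_user Globotron.experiment_create <- Globotron.admin.power_user
"""

KEYID = r"[0-9a-f]{40}"   # SHA1 keyid as printed by cred_client.py (hex)
LINE_RE = re.compile(
    r"^(?P<n>\d{3}): (?:"
    r"identity (?P<id_keyid>" + KEYID + r") (?P<cn>.+)"
    r"|attribute (?P<head>\S+) <- (?P<tail>\S+) (?P<head_cn>\S+) <- (?P<tail_cn>\S+)"
    r"|Error, code (?P<code>-?\d+))$")

def parse_output(text):
    """Turn cred_client.py output into a list of (index, kind, ...) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        n = int(m.group("n"))
        if m.group("id_keyid"):
            records.append((n, "identity", m.group("id_keyid"), m.group("cn")))
        elif m.group("head"):
            records.append((n, "attribute", m.group("head"), m.group("tail"),
                            m.group("head_cn"), m.group("tail_cn")))
        else:
            records.append((n, "error", int(m.group("code"))))
    return records

def check_name_rendering(records):
    """Indices of attribute lines whose human-readable form is not the keyid
    form with every keyid replaced by the CN of a decoded identity."""
    cn_of = {r[2]: r[3] for r in records if r[1] == "identity"}
    sub = lambda s: re.sub(KEYID, lambda m: cn_of.get(m.group(0), m.group(0)), s)
    return [r[0] for r in records if r[1] == "attribute"
            and (sub(r[2]), sub(r[3])) != (r[4], r[5])]
```

Identities may be decoded after the attributes that reference them (Bob at 007, used at 005), so the check runs over the whole parsed run rather than line by line.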