}}}

Libabac generates self-signed certificates and does not verify the signatures on certificates it imports. Check those signatures with an external library before trusting the identities they name.

=== Attributes ===

Attributes are the signed ABAC statements that make up proofs. libabac can import them from files and generate new ones. This section describes creating them.

[http://groups.geni.net/geni/wiki/TIEDABACModel As we have seen], an ABAC statement, signed by the issuing identity, assigns one of that identity's attributes either to another identity or to the set of identities that hold some other attribute. Here is how libabac constructs an attribute encoding {{{A.admin <- B}}}. That attribute means that identity A is assigning identity B the {{{admin}}} attribute for use in later proofs.

{{{
import ABAC

# Identities A and B, each valid for 20 years (the period is given in seconds).
a = ABAC.ID("A", 24 * 3600 * 365 * 20)
b = ABAC.ID("B", 24 * 3600 * 365 * 20)

# A.admin <- B: A, the issuer, grants its "admin" attribute to principal B.
attr = ABAC.Attribute(a, "admin", 24 * 3600 * 365 * 20)
attr.principal(b.keyid())
attr.bake()   # finalize and sign; the attribute cannot be changed after this

attr.write_name("attr.xml")
}}}
| 197 | |
The Attribute constructor takes the issuing identity, the name of the attribute being assigned and the validity period of the assertion (in seconds). The {{{principal}}} member then assigns a single named principal (B here) to that attribute. The {{{role}}} and {{{linking_role}}} members construct the other kinds of attributes, whose members are the holders of some other attribute rather than a single named principal.
| 199 | |
The {{{bake}}} member finalizes the attribute and creates a signed format for export, which one can write using the {{{write}}} and {{{write_name}}} members, which are analogous to the {{{write_cert}}} and {{{write_cert_name}}} members of identities.
| 201 | |
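As an added example that is not libabac code, here is a small pure-Python model of what these statements mean once they are imported and proven. libabac signs and serialises the statements; this model only captures their RT0 meaning so the tails built with {{{principal}}}, {{{role}}} and {{{linking_role}}} (and the conjunction form {{{A.friendly_admin <- A.friendly & A.admin}}} of the same model) can be seen doing work in a proof. The keyids "A" to "D", the role names, the {{{expired}}} flag and every function name are constructed for the illustration.

```python
"""Toy RT0/ABAC evaluator (added illustration, not libabac code).

Models the tail forms a libabac Attribute can carry and derives, by least
fixed point, which principals hold each issuer.role.  Keyids, role names and
the `expired` flag are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple, Union

Role = Tuple[str, str]  # (issuer keyid, role name), e.g. ("A", "admin")


@dataclass(frozen=True)
class Principal:  # A.r <- B            (cf. attr.principal(b.keyid()))
    keyid: str


@dataclass(frozen=True)
class RoleRef:  # A.r <- B.r1          (cf. attr.role(b.keyid(), "r1"))
    keyid: str
    role: str


@dataclass(frozen=True)
class LinkingRole:  # A.r <- B.r1.r2   (cf. attr.linking_role)
    keyid: str
    role: str
    linked: str


@dataclass(frozen=True)
class Intersection:  # A.r <- B.r1 & C.r2 (several role() calls before bake)
    parts: FrozenSet[RoleRef]


Tail = Union[Principal, RoleRef, LinkingRole, Intersection]


@dataclass(frozen=True)
class Statement:
    """One baked attribute: head role, its tail, and whether it has expired."""
    head: Role
    tail: Tail
    expired: bool = False  # stands in for the validity period libabac bakes in


def closure(stmts: Iterable[Statement]) -> Dict[Role, Set[str]]:
    """Members of every role, computed as a least fixed point.

    Statements are assumed to be signature-checked already; as the page
    notes, libabac itself does not verify signatures on imported material.
    """
    live = [s for s in stmts if not s.expired]
    members: Dict[Role, Set[str]] = {}

    def get(role: Role) -> Set[str]:
        return members.get(role, set())

    changed = True
    while changed:
        changed = False
        for s in live:
            t = s.tail
            if isinstance(t, Principal):
                new = {t.keyid}
            elif isinstance(t, RoleRef):
                new = set(get((t.keyid, t.role)))
            elif isinstance(t, LinkingRole):
                # everyone in B.r1, then whatever each of them put in its r2
                new = set()
                for b in get((t.keyid, t.role)):
                    new |= get((b, t.linked))
            else:  # Intersection: must be a member of every listed role
                sets = [get((p.keyid, p.role)) for p in t.parts]
                new = set.intersection(*sets) if sets else set()
            cur = members.setdefault(s.head, set())
            if not new <= cur:
                cur |= new
                changed = True
    return members


def proves(stmts: Iterable[Statement], issuer: str, role: str, keyid: str) -> bool:
    """Does the statement set prove that `keyid` holds issuer.role?"""
    return keyid in closure(stmts).get((issuer, role), set())


def example_statements(admin_expired: bool = False) -> List[Statement]:
    """Constructed statement set mirroring the page's A.admin / A.friendly_admin examples."""
    return [
        Statement(("A", "admin"), Principal("B"), expired=admin_expired),
        Statement(("A", "friendly"), Principal("B")),
        Statement(("A", "friendly"), Principal("D")),  # D is friendly but not admin
        Statement(("A", "friendly_admin"),
                  Intersection(frozenset({RoleRef("A", "friendly"),
                                          RoleRef("A", "admin")}))),
        Statement(("A", "member"), RoleRef("A", "admin")),               # admins are members
        Statement(("A", "delegate"), LinkingRole("A", "admin", "staff")),  # admins' staff
        Statement(("B", "staff"), Principal("C")),
    ]


if __name__ == "__main__":
    creds = example_statements()
    print(proves(creds, "A", "friendly_admin", "B"))   # True: friendly and admin
    print(proves(creds, "A", "friendly_admin", "D"))   # False: friendly only
    print(proves(creds, "A", "delegate", "C"))         # True: via B.staff
    print(proves(example_statements(True), "A", "friendly_admin", "B"))  # False
```

The expired flag shows why the validity period passed to the constructor matters: once {{{A.admin <- B}}} lapses, every conclusion that depended on it (friendly_admin, member, delegate) silently disappears from the closure, which is the behaviour a proof checker must have.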
{{{bake}}} is a separate step so that an Attribute can accumulate several conditions before it is signed, which is how conjunctions are expressed. If identity A wants to state that friendly admins are admins who are friendly ({{{A.friendly_admin <- A.friendly & A.admin}}}), this code does it:
| 203 | |
{{{
import ABAC

a = ABAC.ID("A", 24 * 3600 * 365 * 20)

# A.friendly_admin <- A.friendly & A.admin: each role() call adds one
# conjunct; nothing is signed until bake() is called.
attr = ABAC.Attribute(a, "friendly_admin", 24 * 3600 * 365 * 20)
attr.role(a.keyid(), "friendly")
attr.role(a.keyid(), "admin")
attr.bake()

attr.write_name("attr.xml")