编程实现基于属性点访问控制模型ABAC,条件:创建主体S,客体O,环境E,操作O的集合并写入文本数据库,创建访问控制策略,可信应用监控器启用,接收用户对权限的访问请求,进行决策,决策结果为拒绝或运行,出现冲突时拒绝优先,缺乏匹配的策略时默认决策为拒绝,主体,客体,环境属性各有10个元素,每一个策略中的主客体,环境相关规则由3-5个属性点布尔表达式组成(随机生成),每个用户请求中,主客体,环境相关属性3-5个(随机生成),策略数共10000个(5000正授权,5000负授权)随机生成,随机生成10000个请求,进行决策,记录结果
时间: 2024-01-04 19:02:48 浏览: 29
好的,基于您的要求,我可以使用Python语言实现基于属性点访问控制模型ABAC的访问控制系统。
首先,我们需要创建主体S、客体O、环境E和操作O的集合,并将其写入到文本数据库中:
```python
import random
# 创建主体、客体、环境和操作集合
subjects = ['S' + str(i) for i in range(1, 11)]
objects = ['O' + str(i) for i in range(1, 11)]
environments = ['E' + str(i) for i in range(1, 11)]
operations = ['read', 'write', 'execute']
# 将集合写入文本数据库
with open('database.txt', 'w') as f:
f.write('Subjects:\n')
f.write('\n'.join(subjects))
f.write('\n\nObjects:\n')
f.write('\n'.join(objects))
f.write('\n\nEnvironments:\n')
f.write('\n'.join(environments))
f.write('\n\nOperations:\n')
f.write('\n'.join(operations))
```
接下来,我们需要随机生成策略和访问请求。根据您的要求,我们需要随机生成10000个访问策略,其中5000个为正授权,5000个为负授权。每个策略中的主客体、环境相关规则由3-5个属性点布尔表达式组成。
```python
# 定义属性点列表
attributes = ['attr1', 'attr2', 'attr3', 'attr4', 'attr5', 'attr6', 'attr7', 'attr8', 'attr9', 'attr10']
# 随机生成10000个访问控制策略
policies = []
for i in range(10000):
policy = {}
policy['target'] = {}
policy['target']['subject'] = random.sample(subjects, 1)[0]
policy['target']['object'] = random.sample(objects, 1)[0]
policy['target']['environment'] = random.sample(environments, 1)[0]
policy['rules'] = []
for j in range(random.randint(3, 5)):
rule = {}
rule['subject'] = random.sample(attributes, 1)[0]
rule['object'] = random.sample(attributes, 1)[0]
rule['environment'] = random.sample(attributes, 1)[0]
rule['value'] = random.choice([True, False])
policy['rules'].append(rule)
policy['decision'] = random.choice(['Permit', 'Deny'])
policies.append(policy)
# 将正授权和负授权策略分别存储到不同的文件中
with open('positive_policies.txt', 'w') as f:
for policy in policies[:5000]:
f.write(str(policy) + '\n')
with open('negative_policies.txt', 'w') as f:
for policy in policies[5000:]:
f.write(str(policy) + '\n')
# 随机生成10000个访问请求
requests = []
for i in range(10000):
request = {}
request['subject'] = {}
for j in range(random.randint(3, 5)):
request['subject'][random.sample(attributes, 1)[0]] = random.choice([True, False])
request['object'] = {}
for j in range(random.randint(3, 5)):
request['object'][random.sample(attributes, 1)[0]] = random.choice([True, False])
request['environment'] = {}
for j in range(random.randint(3, 5)):
request['environment'][random.sample(attributes, 1)[0]] = random.choice([True, False])
request['operation'] = random.sample(operations, 1)[0]
requests.append(request)
```
接下来,我们需要定义一个访问控制函数,该函数接收一个访问请求和一组访问策略,返回访问决策结果。在访问决策时,我们需要考虑以下几点:
- 当出现冲突时,拒绝优先。
- 当缺乏匹配的策略时,默认决策为拒绝。
```python
def access_control(request, policies):
# 记录所有Permit和Deny策略的决策结果
permit_results = []
deny_results = []
# 遍历所有访问策略
for policy in policies:
# 判断访问请求是否匹配该策略
if (request['subject'].items() <= policy['target']['subject'].items() and
request['object'].items() <= policy['target']['object'].items() and
request['environment'].items() <= policy['target']['environment'].items()):
# 计算策略规则的匹配程度
match_count = 0
for rule in policy['rules']:
if (rule['subject'] in request['subject'] and
rule['object'] in request['object'] and
rule['environment'] in request['environment'] and
request['subject'][rule['subject']] == rule['value'] and
request['object'][rule['object']] == rule['value'] and
request['environment'][rule['environment']] == rule['value']):
match_count += 1
# 根据策略决策结果,将策略加入Permit或Deny列表
if match_count == len(policy['rules']) and policy['decision'] == 'Permit':
permit_results.append(policy)
elif match_count == len(policy['rules']) and policy['decision'] == 'Deny':
deny_results.append(policy)
# 如果有Permit结果,则返回Permit
if len(permit_results) > 0:
return 'Permit'
# 如果有Deny结果,则返回Deny
elif len(deny_results) > 0:
return 'Deny'
# 否则返回缺省决策Deny
else:
return 'Deny'
```
最后,对于每个访问请求,我们依次进行访问控制决策,并将结果记录到文件中:
```python
# 读取正授权和负授权策略
with open('positive_policies.txt', 'r') as f:
positive_policies = eval(f.read())
with open('negative_policies.txt', 'r') as f:
negative_policies = eval(f.read())
# 记录访问控制决策结果
results = []
# 对于每个访问请求,进行访问控制决策
for request in requests:
# 先进行正授权策略的决策
decision = access_control(request, positive_policies)
# 如果是Deny决策,再进行负授权策略的决策
if decision == 'Deny':
decision = access_control(request, negative_policies)
# 记录访问控制决策结果
results.append((request, decision))
# 将访问控制决策结果写入文件
with open('results.txt', 'w') as f:
for result in results:
f.write(str(result[0]) + ': ' + result[1] + '\n')
```
这样,就实现了基于属性点访问控制模型ABAC的访问控制系统。需要注意的是,为了简化实现,我们使用了eval函数来读取文本文件中的策略,实际上在实际应用中应该采用更加安全可靠的方式来读取和解析策略文件。