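#!/bin/sh
#
# This example demonstrates intersections. An intersection is a logical and of
# roles or osets. An intersection succeeds if the principal is in the
# intersection of the sets defined by the roles.
#
# The policy set by Acme is that a character must be both a preferred customer
# and a WarnerBrothers character to buy rockets. Each of those attributes is
# specified by a role.
#
# This example defines 4 principals, Acme, WarnerBrothers, Coyote and Batman.
# Credential 1 defines the policy requiring both roles to get the buy_rockets
# role. Credential 2 gives the Coyote a preferred_customer role. Credential 3
# gives Batman the preferred_customer role and Credential 4 recognizes the
# Coyote as a Warner Brothers character.
#
# In order to buy rockets from Acme, you must be BOTH a preferred customer
# AND a WarnerBros character. In this example, the following query will be
# successful:
#
# Acme.buy_rockets <-?- Coyote
#
# The following query will fail (because Batman does not have the
# attribute WarnerBros.character):
#
# Acme.buy_rockets <-?- Batman
#
# The attached ./run_query file carries out these queries, as well as 2 queries
# for non-existent certificates (which fail).
#
# Acme.buy_rockets <- Acme.preferred_customer & WarnerBros.character
# Acme.preferred_customer <- Coyote
# Acme.preferred_customer <- Batman
# WarnerBros.character <- Coyote
#

# acme_rockets_intersection_rt0_typed

# Every credential below is signed with a key produced by one of the
# --generate steps; if a generation step fails, the later creddy invocations
# would otherwise run against missing or stale *_ID.pem / *_private.pem files
# and the example would silently produce an incomplete credential set.
# Abort on the first failing command instead.
set -e

# Identity generation. Each call is expected to write <cn>_ID.pem and
# <cn>_private.pem into the current directory (the credential steps below
# reference exactly those names). The *_private.pem files are the signing
# keys for the issuers, so run this example in a scratch directory.
creddy --generate --cn Acme
creddy --generate --cn WarnerBros
creddy --generate --cn Coyote
creddy --generate --cn Batman

# [keyid:Acme].role:buy_rockets <- [keyid:Acme].role:preferred_customer & [keyid:WarnerBros].role:character
# Credential 1: the intersection policy. Two --subject-cert/--subject-role
# pairs on one credential form the logical-and; a principal must hold BOTH
# roles for buy_rockets to be derived.
creddy --attribute \
    --issuer Acme_ID.pem --key Acme_private.pem --role buy_rockets \
    --subject-cert Acme_ID.pem --subject-role preferred_customer \
    --subject-cert WarnerBros_ID.pem --subject-role character \
    --out Acme_buy_rockets__Acme_preferred_customer_and_WarnerBros_character_attr.der

# [keyid:Acme].role:preferred_customer <- [keyid:Coyote]
# Credential 2
creddy --attribute \
    --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \
    --subject-cert Coyote_ID.pem \
    --out Acme_preferred_customer__Coyote_attr.der

# [keyid:Acme].role:preferred_customer <- [keyid:Batman]
# Credential 3
creddy --attribute \
    --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \
    --subject-cert Batman_ID.pem \
    --out Acme_preferred_customer__Batman_attr.der

# [keyid:WarnerBros].role:character <- [keyid:Coyote]
# Credential 4. Note there is deliberately no WarnerBros.character credential
# for Batman, which is why the Batman query in ./run_query is expected to fail.
creddy --attribute \
    --issuer WarnerBros_ID.pem --key WarnerBros_private.pem --role character \
    --subject-cert Coyote_ID.pem \
    --out WarnerBros_character__Coyote_attr.der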