#!/bin/sh
#
# This example demonstrates intersections. An intersection is a logical and of
# roles or osets. An intersection succeeds if the principal is in the
# intersection of the sets defined by the roles.
#
# The policy set by Acme is that a character must be both a preferred customer and
# a WarnerBrothers character to buy rockets. Each of those attributes is
# specified by a role.
#
# This example defines 4 principals, Acme, WarnerBrothers, Coyote and Batman.
# Credential 1 defines the policy requiring both roles to get the buy_rockets
# role. Credential 2 gives the Coyote a preferred_customer role. Credential 3
# gives Batman the preferred_customer role and Credential 4 recognizes the
# Coyote as a Warner Brothers character.
#
# In order to buy rockets from Acme, you must be BOTH a preferred customer
# AND a WarnerBros character. In this example, the following query will be
# successful:
#
# Acme.buy_rockets <-?- Coyote
#
# The following query will fail (because Batman does not have the
# attribute WarnerBros.character):
#
# Acme.buy_rockets <-?- Batman
#
# The attached ./run_query file carries out these queries, as well as 2 queries for
# non-existent certificates (which fail).
#
#Acme.buy_rockets <- Acme.preferred_customer & WarnerBros.character
#Acme.preferred_customer <- Coyote
#Acme.preferred_customer <- Batman
#WarnerBros.character <- Coyote
#

# acme_rockets_intersection_rt0

creddy --generate --cn Acme
creddy --generate --cn WarnerBros
creddy --generate --cn Coyote
creddy --generate --cn Batman

#[keyid:Acme].role:buy_rockets <- [keyid:Acme].role:preferred_customer & [keyid:WarnerBros].role:character
# Credential 1
creddy --attribute \
    --issuer Acme_ID.pem --key Acme_private.pem --role buy_rockets \
    --subject-cert Acme_ID.pem --subject-role preferred_customer \
    --subject-cert WarnerBros_ID.pem --subject-role character \
    --out Acme_buy_rockets__Acme_preferred_customer_and_WarnerBros_character_attr.der

#[keyid:Acme].role:preferred_customer <- [keyid:Coyote]
# Credential 2
creddy --attribute \
    --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \
    --subject-cert Coyote_ID.pem \
    --out Acme_preferred_customer__Coyote_attr.der

#[keyid:Acme].role:preferred_customer <- [keyid:Batman]
# Credential 3
creddy --attribute \
    --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \
    --subject-cert Batman_ID.pem \
    --out Acme_preferred_customer__Batman_attr.der

#[keyid:WarnerBros].role:character <- [keyid:Coyote]
# Credential 4
creddy --attribute \
    --issuer WarnerBros_ID.pem --key WarnerBros_private.pem --role character \
    --subject-cert Coyote_ID.pem \
    --out WarnerBros_character__Coyote_attr.der
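The script above only issues the credentials; the actual membership decision is made by the prover at query time. To show what that decision looks like for an intersection policy, the following Python evaluator is an added example and is not part of the creddy script or the creddy/ABAC tool set. It models the four RT0 credentials above as plain tuples (the `CREDENTIALS` list, `evaluate` and `query` are names chosen here, not creddy APIs) and computes role membership as a least fixpoint, so a principal ends up in `Acme.buy_rockets` only when it is in both `Acme.preferred_customer` and `WarnerBros.character`. It also handles simple role containment (`A.r <- B.r1`), which goes slightly beyond the four credentials on the page, and answers the two queries from the header comment plus a query for a principal with no credential at all.

```python
"""Minimal RT0 membership evaluator (added example, not part of the creddy script).

Credential bodies are modelled as:
  ("member", principal)            A.r <- D
  ("role", issuer, role)           A.r <- B.r1
  ("intersect", [(B1, r1), ...])   A.r <- B1.r1 & B2.r2 & ...
Only credentials *issued by* A can add members to A.r; that is the property that
makes Acme's intersection policy enforceable. Membership is computed as a least
fixpoint over all credentials, so nothing is granted that no credential justifies.
"""
from collections import defaultdict

# The four credentials from the script above, transcribed into the model.
CREDENTIALS = [
    (("Acme", "buy_rockets"),
     ("intersect", [("Acme", "preferred_customer"), ("WarnerBros", "character")])),
    (("Acme", "preferred_customer"), ("member", "Coyote")),
    (("Acme", "preferred_customer"), ("member", "Batman")),
    (("WarnerBros", "character"), ("member", "Coyote")),
]


def evaluate(credentials):
    """Return a mapping (issuer, role) -> frozenset of member principals."""
    members = defaultdict(set)
    changed = True
    while changed:  # iterate to a fixpoint: stop when no role gains a member
        changed = False
        for role, body in credentials:
            before = len(members[role])
            kind = body[0]
            if kind == "member":
                members[role].add(body[1])
            elif kind == "role":
                # Containment: every member of B.r1 is a member of A.r.
                members[role] |= members[(body[1], body[2])]
            elif kind == "intersect":
                # Intersection: a principal must be in EVERY listed role.
                sets = [members[r] for r in body[1]]
                members[role] |= set.intersection(*sets) if sets else set()
            else:
                raise ValueError(f"unknown credential body: {kind!r}")
            if len(members[role]) != before:
                changed = True
    return {role: frozenset(s) for role, s in members.items()}


def query(credentials, issuer, role, principal):
    """Answer the creddy-style query  issuer.role <-?- principal."""
    return principal in evaluate(credentials).get((issuer, role), frozenset())


if __name__ == "__main__":
    for who in ("Coyote", "Batman", "RoadRunner"):
        ok = query(CREDENTIALS, "Acme", "buy_rockets", who)
        print(f"Acme.buy_rockets <-?- {who}: {'success' if ok else 'fail'}")
```

Batman fails because `Acme` issued him `preferred_customer` but `WarnerBros` never issued him `character`; no credential from Acme itself can substitute for the missing WarnerBros attribute, which is the point of expressing the policy as an intersection rather than as two independent grants. `RoadRunner` (a constructed name with no credential) fails the same way the script's non-existent-certificate queries do.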