| 1 | #!/bin/sh |
|---|
| 2 | # |
|---|
| 3 | # This example shows a way to allow an user with multiple keyid identities |
|---|
| 4 | # to be 'reasoned' as one within a single scope. There are 4 principals |
|---|
| 5 | # Geni, Bob, Jack, and Joe. Bob and Joe are actually the same person but |
|---|
| 6 | # not Jack. |
|---|
| 7 | # |
|---|
| 8 | # Credentials 1 is the policy that says a principal is a group leader |
|---|
| 9 | # at Geni if it is equivalent to another principal who is a group |
|---|
| 10 | # leader at Geni. |
|---|
| 11 | # |
|---|
| 12 | # Credentials 2 establishes Bob as a group leader at Geni while |
|---|
| 13 | # credential 3 and 4 are the equivalent rules between Bob and Joe. |
|---|
| 14 | # |
|---|
| 15 | # The attached ./run_query file asks if Joe is also an group leader which |
|---|
| 16 | # he is because there is a equivalent rule from Bob to him. It also asks |
|---|
| 17 | # if Jack is a group leader which he isn't because there is no equivalent |
|---|
| 18 | # rule from Bob to him. |
|---|
| 19 | |
|---|
| 20 | # leader_rt1 |
|---|
| 21 | |
|---|
| 22 | # [keyid:geni].role:leader <-?- [keyid:Bob] (yes) |
|---|
| 23 | # [keyid:geni].role:leader <-?- [keyid:Jack] (no) |
|---|
| 24 | # [keyid:geni].role:leader <-?- [keyid:Joe] (yes) |
|---|
| 25 | |
|---|
| 26 | creddy --generate --cn Geni |
|---|
| 27 | creddy --generate --cn Bob |
|---|
| 28 | creddy --generate --cn Jack |
|---|
| 29 | creddy --generate --cn Joe |
|---|
| 30 | |
|---|
| 31 | geni_keyid=`creddy --keyid --cert Geni_ID.pem` |
|---|
| 32 | bob_keyid=`creddy --keyid --cert Bob_ID.pem` |
|---|
| 33 | jack_keyid=`creddy --keyid --cert Jack_ID.pem` |
|---|
| 34 | joe_keyid=`creddy --keyid --cert Joe_ID.pem` |
|---|
| 35 | |
|---|
| 36 | leader_qP="equivalent([principal:?P[keyid:$geni_keyid].role:leader])" |
|---|
| 37 | equivalent_bob="equivalent([keyid:$bob_keyid])" |
|---|
| 38 | equivalent_joe="equivalent([keyid:$joe_keyid])" |
|---|
| 39 | |
|---|
| 40 | # [keyid:geni].role:leader |
|---|
| 41 | # <- [keyid:geni].role:equivalent([principal:?P[keyid:geni].role:leader]) |
|---|
| 42 | # Credential 1 |
|---|
| 43 | creddy --attribute \ |
|---|
| 44 | --issuer Geni_ID.pem --key Geni_private.pem --role "leader" \ |
|---|
| 45 | --subject-cert Geni_ID.pem --subject-role "$leader_qP" \ |
|---|
| 46 | --out geni_leader__geni_leader_qP_attr.der |
|---|
| 47 | |
|---|
| 48 | # [keyid:geni].role:leader <- [keyid:bob] |
|---|
| 49 | # Credential 2 |
|---|
| 50 | creddy --attribute \ |
|---|
| 51 | --issuer Geni_ID.pem --key Geni_private.pem --role "leader" \ |
|---|
| 52 | --subject-cert Bob_ID.pem \ |
|---|
| 53 | --out geni_leader__Bob_attr.der |
|---|
| 54 | |
|---|
| 55 | # [keyid:geni].role:equivalent([keyid:bob]) <- [keyid:Joe] |
|---|
| 56 | # Credential 3 |
|---|
| 57 | creddy --attribute \ |
|---|
| 58 | --issuer Geni_ID.pem --key Geni_private.pem --role "$equivalent_bob" \ |
|---|
| 59 | --subject-cert Joe_ID.pem \ |
|---|
| 60 | --out geni_equivalent_Bob__Joe_attr.der |
|---|
| 61 | |
|---|
| 62 | # [keyid:geni].role:equivalent([keyid:Joe]) <- [keyid:Bob] |
|---|
| 63 | # Credential 4 |
|---|
| 64 | creddy --attribute \ |
|---|
| 65 | --issuer Geni_ID.pem --key Geni_private.pem --role "$equivalent_joe" \ |
|---|
| 66 | --subject-cert Bob_ID.pem \ |
|---|
| 67 | --out geni_equivalent_Joe__Bob_attr.der |
|---|
| 68 | |
|---|
