| [4f79997] | 1 | #!/usr/bin/env sh |
|---|
| [92661b4] | 2 | # |
|---|
| 3 | # This example demonstrates intersections. An intersection is a logical and of |
|---|
| 4 | # roles or osets. An intersection succeeds if the principal is in the |
|---|
| 5 | # intersection of the sets defined by the roles. |
|---|
| 6 | # |
|---|
| 7 | # The policy set by Acme is that a character must both a preferred customer and |
|---|
| 8 | # a WarnerBrothers character to buy rockets. Each of those attributes is |
|---|
| 9 | # specified by a role. |
|---|
| 10 | # |
|---|
| 11 | # This example defines 4 principals, Acme, WarnerBrothers, Coyote and Batman. |
|---|
| 12 | # Credential 1 defines the policy requiring both roles to get the buy_rockets |
|---|
| 13 | # role. Credential 2 gives the Coyote a preferred_customer role. Credential 3 |
|---|
| 14 | # gives Batman the preferred_customer role and Credential 4 recognizes the |
|---|
| 15 | # Coyote as a Warner Brothers character. |
|---|
| [461541a] | 16 | # |
|---|
| 17 | #In order to buy rockets from Acme, you must be BOTH a preferred customer |
|---|
| 18 | #AND a WarnerBros character. In this example, the following query will be |
|---|
| 19 | #successful: |
|---|
| 20 | # |
|---|
| 21 | # Acme.buy_rockets <-?- Coyote |
|---|
| 22 | # |
|---|
| 23 | #The following query will fail (because Batman does not have the |
|---|
| 24 | #attribute WarnerBros.character): |
|---|
| 25 | # |
|---|
| 26 | # Acme.buy_rockets <-?- Batman |
|---|
| 27 | # |
|---|
| 28 | #Acme.buy_rockets <- Acme.preferred_customer & WarnerBros.character |
|---|
| 29 | #Acme.preferred_customer <- Coyote |
|---|
| 30 | #Acme.preferred_customer <- Batman |
|---|
| 31 | #WarnerBros.character <- Coyote |
|---|
| 32 | # |
|---|
| 33 | |
|---|
| 34 | rm -rf *.xml *.pem |
|---|
| [6180394] | 35 | |
|---|
| [4f79997] | 36 | if [ -z "${TESTDIR}" ] ; then |
|---|
| 37 | TESTDIR=../.. |
|---|
| 38 | fi |
|---|
| [3c30b59] | 39 | . ${TESTDIR}/test_util.sh |
|---|
| [6180394] | 40 | |
|---|
| [3c30b59] | 41 | $eloc/creddy --generate --cn Acme |
|---|
| [6180394] | 42 | |
|---|
| [3c30b59] | 43 | $eloc/creddy --generate --cn WarnerBros |
|---|
| [6180394] | 44 | |
|---|
| [3c30b59] | 45 | $eloc/creddy --generate --cn Coyote |
|---|
| [6180394] | 46 | |
|---|
| [3c30b59] | 47 | $eloc/creddy --generate --cn Batman |
|---|
| 48 | |
|---|
| 49 | $eloc/creddy --attribute \ |
|---|
| [6180394] | 50 | --issuer Acme_ID.pem --key Acme_private.pem --role buy_rockets \ |
|---|
| 51 | --subject-cert Acme_ID.pem --subject-role preferred_customer \ |
|---|
| 52 | --subject-cert WarnerBros_ID.pem --subject-role character \ |
|---|
| [461541a] | 53 | --out Acme_buy_rockets__Acme_preferred_customer_and_WarnerBros_character_attr.xml |
|---|
| [6180394] | 54 | |
|---|
| [3c30b59] | 55 | $eloc/creddy --attribute \ |
|---|
| [6180394] | 56 | --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \ |
|---|
| 57 | --subject-cert Coyote_ID.pem \ |
|---|
| [461541a] | 58 | --out Acme_preferred_customer__Coyote_attr.xml |
|---|
| [6180394] | 59 | |
|---|
| [3c30b59] | 60 | $eloc/creddy --attribute \ |
|---|
| [6180394] | 61 | --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \ |
|---|
| 62 | --subject-cert Batman_ID.pem \ |
|---|
| [461541a] | 63 | --out Acme_preferred_customer__Batman_attr.xml |
|---|
| [6180394] | 64 | |
|---|
| [3c30b59] | 65 | $eloc/creddy --attribute \ |
|---|
| [6180394] | 66 | --issuer WarnerBros_ID.pem --key WarnerBros_private.pem --role character \ |
|---|
| 67 | --subject-cert Coyote_ID.pem \ |
|---|
| [461541a] | 68 | --out WarnerBros_character__Coyote_attr.xml |
|---|
| 69 | |
|---|
