| 1 | #!/bin/sh |
|---|
| 2 | # |
|---|
| 3 | # This example demonstrates intersections. An intersection is a logical and of |
|---|
| 4 | # roles or osets. An intersection succeeds if the principal is in the |
|---|
| 5 | # intersection of the sets defined by the roles. |
|---|
| 6 | # |
|---|
| 7 | # The policy set by Acme is that a character must both a preferred customer and |
|---|
| 8 | # a WarnerBrothers character to buy rockets. Each of those attributes is |
|---|
| 9 | # specified by a role. |
|---|
| 10 | # |
|---|
| 11 | # This example defines 4 principals, Acme, WarnerBrothers, Coyote and Batman. |
|---|
| 12 | # Credential 1 defines the policy requiring both roles to get the buy_rockets |
|---|
| 13 | # role. Credential 2 gives the Coyote a preferred_customer role. Credential 3 |
|---|
| 14 | # gives Batman the preferred_customer role and Credential 4 recognizes the |
|---|
| 15 | # Coyote as a Warner Brothers character. |
|---|
| 16 | # |
|---|
| 17 | #In order to buy rockets from Acme, you must be BOTH a preferred customer |
|---|
| 18 | #AND a WarnerBros character. In this example, the following query will be |
|---|
| 19 | #successful: |
|---|
| 20 | # |
|---|
| 21 | # Acme.buy_rockets <-?- Coyote |
|---|
| 22 | # |
|---|
| 23 | #The following query will fail (because Batman does not have the |
|---|
| 24 | #attribute WarnerBros.character): |
|---|
| 25 | # |
|---|
| 26 | # Acme.buy_rockets <-?- Batman |
|---|
| 27 | # |
|---|
| 28 | #Acme.buy_rockets <- Acme.preferred_customer & WarnerBros.character |
|---|
| 29 | #Acme.preferred_customer <- Coyote |
|---|
| 30 | #Acme.preferred_customer <- Batman |
|---|
| 31 | #WarnerBros.character <- Coyote |
|---|
| 32 | # |
|---|
| 33 | |
|---|
| 34 | rm -rf *.xml *.pem |
|---|
| 35 | |
|---|
| 36 | . ${TESTDIR}/test_util.sh |
|---|
| 37 | |
|---|
| 38 | $eloc/creddy --generate --cn Acme |
|---|
| 39 | |
|---|
| 40 | $eloc/creddy --generate --cn WarnerBros |
|---|
| 41 | |
|---|
| 42 | $eloc/creddy --generate --cn Coyote |
|---|
| 43 | |
|---|
| 44 | $eloc/creddy --generate --cn Batman |
|---|
| 45 | |
|---|
| 46 | $eloc/creddy --attribute \ |
|---|
| 47 | --issuer Acme_ID.pem --key Acme_private.pem --role buy_rockets \ |
|---|
| 48 | --subject-cert Acme_ID.pem --subject-role preferred_customer \ |
|---|
| 49 | --subject-cert WarnerBros_ID.pem --subject-role character \ |
|---|
| 50 | --out Acme_buy_rockets__Acme_preferred_customer_and_WarnerBros_character_attr.xml |
|---|
| 51 | |
|---|
| 52 | $eloc/creddy --attribute \ |
|---|
| 53 | --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \ |
|---|
| 54 | --subject-cert Coyote_ID.pem \ |
|---|
| 55 | --out Acme_preferred_customer__Coyote_attr.xml |
|---|
| 56 | |
|---|
| 57 | $eloc/creddy --attribute \ |
|---|
| 58 | --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \ |
|---|
| 59 | --subject-cert Batman_ID.pem \ |
|---|
| 60 | --out Acme_preferred_customer__Batman_attr.xml |
|---|
| 61 | |
|---|
| 62 | $eloc/creddy --attribute \ |
|---|
| 63 | --issuer WarnerBros_ID.pem --key WarnerBros_private.pem --role character \ |
|---|
| 64 | --subject-cert Coyote_ID.pem \ |
|---|
| 65 | --out WarnerBros_character__Coyote_attr.xml |
|---|
| 66 | |
|---|
