#
# This example shows how a parameterized role can be used to infer a role and
# that the same role can also be directly assigned.  The example has 4
# principals, the Acme company, a Coyote, a RoadRunner and a Jackrabbit.
#
# The policy of the Acme company is that anyone the Acme company thinks is a
# friend of the Roadrunner is a preferred customer.  A friend of the roadrunner
# has the [keyid:Acme}.role:friendOf([keyid:Roadrunner]) role, and a preferred
# customer has the [keyid:Acme].role:preferred_customer role.
#
# setup.py script creates the 4 principal: Acme, Coyote, Roadrunner and 
# Jackrabbit.
# attr.py script creates 3 policy credentials,  Credential 1 lays out the rule
# that friends of the Roadrunner are preferred customers.  Credential 2
# directly makes the Coyote a preferred customer.  Credential 3 recognizes that
# Acme thinks that the Jackrabbit is the Roadrunner's friend.
# 
# The query.py script tests whether the coyote is a friend of the
# Roadrunner (which fails), whether the Jackrabbit is a friend of the
# Roadrunner (which succeeds), whether the Jackrabbit is a preferred customer
# (which succeeds), whether the Coyote is a prefered customer (succeeds for a
# different reason) and whether the system fails to load a bad certificate (it
# does).
#
# acme_friend_rt1
#
# Credential 1
#[keyid:Acme].role:preferred_customer <- [keyid:Acme].role:friendOf([keyid:Roadrunner])

# Credential 2
#[keyid:Acme].role:prefered_customer <- [keyid:Coyote]

# Credential 3
#[keyid:Acme].role:friendOf([keyid:Roadrunner]) <- [keyid:Jackrabbit]