#!/bin/sh
#
# This example shows how a parameterized role can be used to infer a role and
# that the same role can also be directly assigned. The example has 4
# principals, the Acme company, a Coyote, a Roadrunner and a Jackrabbit.
#
# The policy of the Acme company is that anyone the Acme company thinks is a
# friend of the Roadrunner is a preferred customer. A friend of the Roadrunner
# has the [keyid:Acme].role:friendOf([keyid:Roadrunner]) role, and a preferred
# customer has the [keyid:Acme].role:preferred_customer role.
#
# This script creates the 4 principals and 3 credentials. Credential 1 lays
# out the rule that friends of the Roadrunner are preferred customers.
# Credential 2 directly makes the Coyote a preferred customer. Credential 3
# records that Acme thinks the Jackrabbit is the Roadrunner's friend.
#
# The attached ./run_query script tests whether the Coyote is a friend of the
# Roadrunner (which fails), whether the Jackrabbit is a friend of the
# Roadrunner (which succeeds), whether the Jackrabbit is a preferred customer
# (which succeeds), whether the Coyote is a preferred customer (succeeds for a
# different reason) and whether the system fails to load a bad certificate (it
# does).
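# acme_friend_rt1
#[keyid:Acme].role:friendof([keyid:Roadrunner]) <-?- [keyid:Coyote] (no)
#[keyid:Acme].role:preferred_customer <-?- [keyid:Jackrabbit] (yes)

# Stop on the first failing command or unset variable. Every credential below
# is signed with Acme's private key, so issuing one from a half-built state
# (a missing certificate, an empty key id) is worse than issuing nothing.
set -eu

# Generate an identity certificate (<cn>_ID.pem) and private key
# (<cn>_private.pem) for each of the four principals.
creddy --generate --cn Acme
creddy --generate --cn Coyote
creddy --generate --cn Roadrunner
creddy --generate --cn Jackrabbit

# The parameterized role names the Roadrunner by key id, which is read back
# from the certificate just generated. An empty key id would silently turn the
# role into "friendOf([keyid:])", so refuse to continue without one.
roadrunner_keyid=$(creddy --keyid --cert Roadrunner_ID.pem)
if [ -z "$roadrunner_keyid" ]; then
  echo "could not read a key id from Roadrunner_ID.pem" >&2
  exit 1
fi
# Always expand this double-quoted: "[" and "]" are pathname-expansion
# characters, so an unquoted expansion could be rewritten by the shell.
friendof_roadrunner="friendOf([keyid:$roadrunner_keyid])"

#[keyid:Acme].role:preferred_customer <- [keyid:Acme].role:friendOf([keyid:Roadrunner])
# Credential 1: the inference rule — Acme's friends of the Roadrunner are
# Acme's preferred customers.
creddy --attribute \
  --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \
  --subject-cert Acme_ID.pem --subject-role "$friendof_roadrunner" \
  --out Acme_preferred_customer__Acme_friendof_Roadrunner_attr.der

#[keyid:Acme].role:preferred_customer <- [keyid:Coyote]
# Credential 2: a direct assignment of the same role to the Coyote.
creddy --attribute \
  --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \
  --subject-cert Coyote_ID.pem \
  --out Acme_preferred_customer__Coyote_attr.der

#[keyid:Acme].role:friendOf([keyid:Roadrunner]) <- [keyid:Jackrabbit]
# Credential 3: Acme asserts the Jackrabbit is a friend of the Roadrunner,
# which combined with credential 1 makes it a preferred customer.
creddy --attribute \
  --issuer Acme_ID.pem --key Acme_private.pem --role "$friendof_roadrunner" \
  --subject-cert Jackrabbit_ID.pem \
  --out Acme_friendof_Roadrunner__Jackrabbit_attr.der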