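#!/bin/sh
#
#####################################################################
# ABAC (creddy) example: using an oset (object set) to control access
# based on attributes of the principals.  The script creates three
# principals -- League, John and Mark -- and issues six credentials that
# set out the access policy.
#
# A principal's access rights are controlled by the League principal.  If a
# principal holds the role
#   [keyid:League].role:stadium([string:'access'],[boolean:true],[time:now])
# that principal can enter the stadium, provided its team has a scheduled
# gametime.  Team membership is expressed by a League-issued role,
#   [keyid:League].role:players([string:'north'])
# (credentials 5 & 6), and the gametimes by a League-defined oset,
#   [keyid:League].oset:gametime([string:'north'])
# (credentials 3 & 4).
#
# Policy laid out below:
#   credential 1:      players of a team may enter the stadium at that
#                      team's gametime;
#   credential 2:      any player of a League-controlled team may enter
#                      the stadium during the stadium's free-for-all
#                      window (20120228T080000..20120228T090000);
#   credentials 3 & 4: afternoon gametimes for team north (13:00) and
#                      team south (14:00) on 2012-02-28;
#   credentials 5 & 6: John is a player of team north, Mark of team south.
#
# The accompanying ./run_query script runs 3 queries: it confirms that John
# can enter the stadium at his team's gametime, that Mark cannot enter at
# that time because it is not his team's gametime, and that Mark can enter
# during the early-morning free-for-all window.
#
# Side effects: every creddy call writes into the current directory --
# <cn>_ID.pem (certificates), <cn>_private.pem (private signing keys) and
# *_attr.der (signed credentials).  The *_private.pem files are signing
# keys: run this in a scratch directory, keep them mode 0600, and do not
# commit or share them.
#
# balltime_rt2
#####################################################################

# Abort on the first failing creddy call (a missing or half-written
# credential would otherwise be silently referenced by the later steps)
# and on any reference to an unset variable.  Both flags are POSIX sh.
set -eu

# --- 1. Principals -----------------------------------------------------
# Each --generate produces <cn>_ID.pem and <cn>_private.pem in $PWD.
creddy --generate --cn League
creddy --generate --cn John
creddy --generate --cn Mark

# The League key id is interpolated into credential 1's role string below.
# The John/Mark key ids are not referenced by any later command; they are
# computed only so the principals can be identified when inspecting output.
league_keyid=$(creddy --keyid --cert League_ID.pem)
john_keyid=$(creddy --keyid --cert John_ID.pem)
mark_keyid=$(creddy --keyid --cert Mark_ID.pem)

# An empty key id would produce a role string that still looks plausible
# but names no issuer; refuse to sign credential 1 in that state.
: "${league_keyid:?could not read League key id from League_ID.pem}"

# --- 2. Role / oset expressions used by the credentials ----------------
# stadium(access, true, ?F) where ?F must lie in the League's gametime
# oset for team ?T -- the "it is your own team's gametime" rule.
# NOTE(review): the hand-written notation further down writes this
# constraint as "?F:[keyid:league].oset.gametime(...)", whereas the string
# actually handed to creddy is "?F[keyid:...].oset:gametime(...)" (no ':'
# after ?F, ':' before gametime).  The string is kept exactly as it was;
# confirm it against the creddy grammar and ./run_query before relying on
# it, since a rejected or mis-parsed constraint would turn credential 1
# into a weaker rule than the comment describes.
stadium_qFqT="stadium([string:'access'],[boolean:true],[time:?F[keyid:$league_keyid].oset:gametime([string:?T])])"

# stadium(access, ?B in {true}, ?F within the free-for-all window).
stadium_qR="stadium([string:'access'],[boolean:?B:[true]],[time:?F:[20120228T080000..20120228T090000]])"

# players(?T): membership of team ?T.  Used as the body of credentials 1
# and 2; in credential 1 ?T is intended to be the same team variable as
# in the head, so the gametime looked up is the subject's own team's.
players_qT="players([string:?T])"

# --- 3. Credentials ----------------------------------------------------

# Credential 1
# [keyid:league].role:stadium([string:'access'],[boolean:true],
#     [time:?F:[keyid:league].oset.gametime([string:?T])])
#   <- [keyid:league].role:players([string:?T])
creddy --attribute \
  --issuer League_ID.pem --key League_private.pem --role "$stadium_qFqT" \
  --subject-cert League_ID.pem --subject-role "$players_qT" \
  --out League_access_qFqT__League_players_qT_attr.der

# Credential 2
# [keyid:league].role:stadium([string:'access'],[boolean:?B:[true]],
#     [time:?F:[20120228T080000..20120228T090000]])
#   <- [keyid:league].role:players([string:?T])
creddy --attribute \
  --issuer League_ID.pem --key League_private.pem --role "$stadium_qR" \
  --subject-cert League_ID.pem --subject-role "$players_qT" \
  --out League_access_qR__League_players_qT_attr.der

# Credential 3
# [keyid:league].oset:gametime([string:'north']) <- [time:20120228T130000]
creddy --attribute \
  --issuer League_ID.pem --key League_private.pem \
  --oset "gametime([string:'north'])" \
  --subject-obj "[time:20120228T130000]" \
  --out League_gametime_north__timeT_attr.der

# Credential 4
# [keyid:league].oset:gametime([string:'south']) <- [time:20120228T140000]
creddy --attribute \
  --issuer League_ID.pem --key League_private.pem \
  --oset "gametime([string:'south'])" \
  --subject-obj "[time:20120228T140000]" \
  --out League_gametime_south__time2T_attr.der

# Credential 5
# [keyid:league].role:players([string:'north']) <- [keyid:John]
creddy --attribute \
  --issuer League_ID.pem --key League_private.pem \
  --role "players([string:'north'])" \
  --subject-cert John_ID.pem \
  --out League_players_north__John_attr.der

# Credential 6
# [keyid:league].role:players([string:'south']) <- [keyid:Mark]
creddy --attribute \
  --issuer League_ID.pem --key League_private.pem \
  --role "players([string:'south'])" \
  --subject-cert Mark_ID.pem \
  --out League_players_south__Mark_attr.der

#####################################################################
# Scratch notation for the same policy (not executed; kept from the
# original for reference).  The League lets members of a team access the
# stadium at their team's designated time:
#
# [keyid:league].role:stadium([string:'access'],[boolean:true],
#     [time:?F:[keyid:league].oset.gametime([string:?T])])
#   <- [keyid:league].role:players([string:?T])
#
# [keyid:league].role:stadium([string:'access'],[time:?Tm]) <- [principal:?P]
# [keyid:league].oset:gametime(string:?Team) <- [time:?Tm]
# [keyid:league].role:player(string:?Team) <- [principal:?P]
#
# league.stadium(access,?Time:league.gametime(?Team)) <- league.players(?Team)
#   league.player(north)   <- john
#   league.player(south)   <- mark
#   league.gametime(north) <- [time:'20120228T130000']
#   league.gametime(south) <- [time:'20120228T140000']
#
# league.stadium(access,?FreeTime:[20120228T080000..20120228T090000])
#   <- league.players(_).
#
# [keyid:league].role:stadium([string:'access'],[boolean:?B:[true]],
#     [time:?F:['20120228T080000'..'20120228T090000']])
#   <- [keyid:league].role:players(string:?T)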