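#!/bin/sh
#
# This example demonstrates linking parameterized roles and delegating across
# institutions. There are 4 principals USC, ISI, John, and Maryann. USC and
# ISI are companies, and USC owns ISI. USC sets the policy that the manager of
# a principal (an employee) has the role of evaluating that employee (and no
# others). That policy is expressed in Credential 1. Credential 2 says that
# ISI's assignment of manager roles is accepted by USC. Similarly Credential 4
# says that any ISI employee is a USC employee.
#
# Credential 3 encodes ISI asserting that John is the manager of Maryann and
# credentials 5 and 6 indicate that John and Maryann are ISI employees.
#
# The attached ./run_query script queries that USC grants John the role of
# evaluator of Maryann, that ISI asserts John is Maryann's manager and that
# John is an ISI employee.
# evaluator_rt1
#[keyid:USC].role:employee <-?- [keyid:John]
#[keyid:USC].role:evaluatorOf([keyid:Maryann])<-?- [keyid:John]
#
# Side effects: writes <CN>_ID.pem and <CN>_private.pem for each of the four
# principals and six *_attr.der credential files into the current directory.
# The *_private.pem files are the signing keys for the credentials below;
# they are only needed while this script runs and should not be left around
# with loose permissions after the demo.

# Abort on the first failing command and on any unset variable. Without this
# a failed `creddy --keyid` would yield an empty keyid that is then silently
# minted into the managerOf role of Credential 3.
set -eu

# die MSG...: print MSG to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

command -v creddy >/dev/null 2>&1 || die "creddy not found in PATH"

# Generate an identity (certificate + private key) for each principal, in
# the same order as the original example.
for cn in ISI USC Maryann John; do
  creddy --generate --cn "$cn" || die "could not generate identity for $cn"
done

# keyid_of CN: print the key identifier of CN_ID.pem on stdout.
# Returns non-zero (and so aborts the script under set -e) if creddy fails.
keyid_of() {
  creddy --keyid --cert "${1}_ID.pem"
}

# isi_keyid, usc_keyid and john_keyid are not used further down; they are
# kept to show how a principal's keyid is obtained.
# shellcheck disable=SC2034
isi_keyid=$(keyid_of ISI)
# shellcheck disable=SC2034
usc_keyid=$(keyid_of USC)
maryann_keyid=$(keyid_of Maryann)
# shellcheck disable=SC2034
john_keyid=$(keyid_of John)

# Refuse to continue with an empty keyid: an empty value would otherwise be
# interpolated into the role string and produce a credential that names
# nobody.
: "${maryann_keyid:?empty keyid for Maryann}"

managerof_maryann="managerOf([keyid:$maryann_keyid])"

#[keyid:USC].role:evaluatorOf([principal:?K])<-[keyid:USC].role:managerOf([principal:?K])
# Credential 1
creddy --attribute \
  --issuer USC_ID.pem --key USC_private.pem --role 'evaluatorOf([principal:?K])' \
  --subject-cert USC_ID.pem --subject-role 'managerOf([principal:?K])' \
  --out USC_evaluatorof_qK__USC_managerof_qK_attr.der \
  || die "could not issue Credential 1"

#[keyid:USC].role:managerOf([principal:?K])<-[keyid:ISI].role:managerOf([principal:?K])
# Credential 2
# NOTE(review): the output file name does not follow the
# <issuer>_<role>__<subject>_<role>_attr.der convention used by the other
# credentials (the subject here is ISI.managerOf, not USC.employee). It is
# kept unchanged because ./run_query may load the credential by this name.
creddy --attribute \
  --issuer USC_ID.pem --key USC_private.pem --role 'managerOf([principal:?K])' \
  --subject-cert ISI_ID.pem --subject-role 'managerOf([principal:?K])' \
  --out USC_managerof_qK__USC_employee_attr.der \
  || die "could not issue Credential 2"

#[keyid:ISI].role:managerOf([keyid:Maryann]) <- [keyid:John]
# Credential 3
creddy --attribute \
  --issuer ISI_ID.pem --key ISI_private.pem --role "$managerof_maryann" \
  --subject-cert John_ID.pem \
  --out ISI_manageof_Maryann__John_attr.der \
  || die "could not issue Credential 3"

#[keyid:USC].role:employee <- [keyid:ISI].role:employee
# Credential 4
creddy --attribute \
  --issuer USC_ID.pem --key USC_private.pem --role employee \
  --subject-cert ISI_ID.pem --subject-role employee \
  --out USC_employee__ISI_employee_attr.der \
  || die "could not issue Credential 4"

#[keyid:ISI].role:employee <- [keyid:Maryann]
# Credential 5
creddy --attribute \
  --issuer ISI_ID.pem --key ISI_private.pem --role employee \
  --subject-cert Maryann_ID.pem \
  --out ISI_employee__Maryann_attr.der \
  || die "could not issue Credential 5"

#[keyid:ISI].role:employee <- [keyid:John]
# Credential 6
creddy --attribute \
  --issuer ISI_ID.pem --key ISI_private.pem --role employee \
  --subject-cert John_ID.pem \
  --out ISI_employee__John_attr.der \
  || die "could not issue Credential 6"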