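#!/bin/sh
#
# This example shows a way to allow a user with multiple keyid identities
# to be 'reasoned' as one within a single scope. There are 4 principals:
# Geni, Bob, Jack, and Joe. Bob and Joe are actually the same person, but
# Jack is not.
#
# Credential 1 is the policy that says a principal is a group leader
# at Geni if it is equivalent to another principal who is a group
# leader at Geni.
#
# Credential 2 establishes Bob as a group leader at Geni, while
# credentials 3 and 4 are the equivalence rules between Bob and Joe.
#
# The attached ./run_query file asks if Joe is also a group leader, which
# he is because there is an equivalence rule from Bob to him. It also asks
# if Jack is a group leader, which he isn't because there is no equivalence
# rule from Bob to him.
#   leader_rt1
#   [keyid:geni].role:leader <-?- [keyid:Bob]  (yes)
#   [keyid:geni].role:leader <-?- [keyid:Jack] (no)
#   [keyid:geni].role:leader <-?- [keyid:Joe]  (yes)

# Fail closed: without this, a failed key generation or keyid lookup would
# leave a variable empty and the script would go on to sign credentials
# whose role names contain an empty keyid (e.g. "equivalent([keyid:])").
set -eu

# Key material and identity certificates for the four principals ----
creddy --generate --cn Geni
creddy --generate --cn Bob
creddy --generate --cn Jack
creddy --generate --cn Joe

# Resolve each principal's keyid from its identity certificate.
geni_keyid=$(creddy --keyid --cert Geni_ID.pem)
bob_keyid=$(creddy --keyid --cert Bob_ID.pem)
jack_keyid=$(creddy --keyid --cert Jack_ID.pem)
joe_keyid=$(creddy --keyid --cert Joe_ID.pem)

# The keyid is what binds a role to a principal, so an empty value must
# never be interpolated into a role name below.
for kid in "$geni_keyid" "$bob_keyid" "$jack_keyid" "$joe_keyid"; do
  if [ -z "$kid" ]; then
    echo "error: creddy returned an empty keyid" >&2
    exit 1
  fi
done

# Role names used in the credentials below ----
# ?P is a principal placeholder that the query engine binds at query time.
leader_qP="equivalent([principal:?P[keyid:$geni_keyid].role:leader])"
equivalent_bob="equivalent([keyid:$bob_keyid])"
equivalent_joe="equivalent([keyid:$joe_keyid])"

# Credential 1 (policy):
#   [keyid:geni].role:leader
#     <- [keyid:geni].role:equivalent([principal:?P[keyid:geni].role:leader])
creddy --attribute \
  --issuer Geni_ID.pem --key Geni_private.pem --role "leader" \
  --subject-cert Geni_ID.pem --subject-role "$leader_qP" \
  --out geni_leader__geni_leader_qP_attr.der

# Credential 2: [keyid:geni].role:leader <- [keyid:bob]
creddy --attribute \
  --issuer Geni_ID.pem --key Geni_private.pem --role "leader" \
  --subject-cert Bob_ID.pem \
  --out geni_leader__Bob_attr.der

# Credentials 3 and 4 are both signed with Geni's key, so the equivalence
# between Bob and Joe is asserted by the scope owner, not by Bob or Joe.

# Credential 3: [keyid:geni].role:equivalent([keyid:bob]) <- [keyid:Joe]
creddy --attribute \
  --issuer Geni_ID.pem --key Geni_private.pem --role "$equivalent_bob" \
  --subject-cert Joe_ID.pem \
  --out geni_equivalent_Bob__Joe_attr.der

# Credential 4: [keyid:geni].role:equivalent([keyid:Joe]) <- [keyid:Bob]
creddy --attribute \
  --issuer Geni_ID.pem --key Geni_private.pem --role "$equivalent_joe" \
  --subject-cert Bob_ID.pem \
  --out geni_equivalent_Joe__Bob_attr.der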