summaryrefslogtreecommitdiffstats
path: root/keystone-moon/examples
diff options
context:
space:
mode:
authorWuKong <rebirthmonkey@gmail.com>2015-06-30 18:47:29 +0200
committerWuKong <rebirthmonkey@gmail.com>2015-06-30 18:47:29 +0200
commitb8c756ecdd7cced1db4300935484e8c83701c82e (patch)
tree87e51107d82b217ede145de9d9d59e2100725bd7 /keystone-moon/examples
parentc304c773bae68fb854ed9eab8fb35c4ef17cf136 (diff)
migrate moon code from github to opnfv
Change-Id: Ice53e368fd1114d56a75271aa9f2e598e3eba604 Signed-off-by: WuKong <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon/examples')
-rw-r--r--keystone-moon/examples/moon/__init__.py4
-rw-r--r--keystone-moon/examples/moon/policies/mls_conf/authz/assignment.json25
-rw-r--r--keystone-moon/examples/moon/policies/mls_conf/authz/metadata.json18
-rw-r--r--keystone-moon/examples/moon/policies/mls_conf/authz/metarule.json12
-rw-r--r--keystone-moon/examples/moon/policies/mls_conf/authz/rules.json13
-rw-r--r--keystone-moon/examples/moon/policies/mls_conf/authz/scope.json24
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_admin/assignment.json37
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_admin/metadata.json18
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_admin/metarule.json12
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_admin/perimeter.json29
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_admin/rules.json20
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_admin/scope.json35
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json23
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json19
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json12
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json16
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/rules.json13
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/scope.json24
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json37
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json18
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json12
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json29
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/rules.json20
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json35
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_authz/assignment.json28
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_authz/metadata.json19
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_authz/metarule.json12
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_authz/perimeter.json16
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_authz/rules.json6
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_authz/scope.json24
-rw-r--r--keystone-moon/examples/moon/super_extension/policy/assignment.json26
-rw-r--r--keystone-moon/examples/moon/super_extension/policy/configuration.json43
-rw-r--r--keystone-moon/examples/moon/super_extension/policy/metadata.json26
-rw-r--r--keystone-moon/examples/moon/super_extension/policy/perimeter.json10
-rw-r--r--keystone-moon/examples/pki/certs/cacert.pem23
-rw-r--r--keystone-moon/examples/pki/certs/middleware.pem50
-rw-r--r--keystone-moon/examples/pki/certs/signing_cert.pem22
-rw-r--r--keystone-moon/examples/pki/certs/ssl_cert.pem22
-rw-r--r--keystone-moon/examples/pki/cms/auth_token_revoked.json85
-rw-r--r--keystone-moon/examples/pki/cms/auth_token_revoked.pem44
-rw-r--r--keystone-moon/examples/pki/cms/auth_token_scoped.json85
-rw-r--r--keystone-moon/examples/pki/cms/auth_token_scoped.pem44
-rw-r--r--keystone-moon/examples/pki/cms/auth_token_unscoped.json23
-rw-r--r--keystone-moon/examples/pki/cms/auth_token_unscoped.pem19
-rw-r--r--keystone-moon/examples/pki/cms/revocation_list.json8
-rw-r--r--keystone-moon/examples/pki/cms/revocation_list.pem15
-rwxr-xr-xkeystone-moon/examples/pki/gen_pki.sh221
-rw-r--r--keystone-moon/examples/pki/private/cakey.pem28
-rw-r--r--keystone-moon/examples/pki/private/signing_key.pem28
-rw-r--r--keystone-moon/examples/pki/private/ssl_key.pem28
50 files changed, 1460 insertions, 0 deletions
diff --git a/keystone-moon/examples/moon/__init__.py b/keystone-moon/examples/moon/__init__.py
new file mode 100644
index 00000000..1b678d53
--- /dev/null
+++ b/keystone-moon/examples/moon/__init__.py
@@ -0,0 +1,4 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/assignment.json b/keystone-moon/examples/moon/policies/mls_conf/authz/assignment.json
new file mode 100644
index 00000000..c917638c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/assignment.json
@@ -0,0 +1,25 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ "user1": ["low"],
+ "user2": ["medium"],
+ "user3": ["high"]
+ }
+ },
+
+ "action_assignments": {
+ "computing_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "vm1": ["low"],
+ "vm2": ["medium"]
+ }
+ }
+} \ No newline at end of file
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/metadata.json b/keystone-moon/examples/moon/policies/mls_conf/authz/metadata.json
new file mode 100644
index 00000000..0c21f178
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "MLS_metadata",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "",
+
+ "subject_categories": [
+ "subject_security_level"
+ ],
+
+ "action_categories": [
+ "computing_action"
+ ],
+
+ "object_categories": [
+ "object_security_level"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/metarule.json b/keystone-moon/examples/moon/policies/mls_conf/authz/metarule.json
new file mode 100644
index 00000000..0f717458
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["computing_action"],
+ "object_categories": ["object_security_level"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/rules.json b/keystone-moon/examples/moon/policies/mls_conf/authz/rules.json
new file mode 100644
index 00000000..7badb6f5
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/rules.json
@@ -0,0 +1,13 @@
+{
+ "relation_super":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "high"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "medium"],
+ ["medium", "vm_access", "low"],
+ ["low", "vm_access", "low"]
+ ]
+} \ No newline at end of file
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/scope.json b/keystone-moon/examples/moon/policies/mls_conf/authz/scope.json
new file mode 100644
index 00000000..f07b0071
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/scope.json
@@ -0,0 +1,24 @@
+{
+ "subject_category_scope": {
+ "subject_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+
+ "action_category_scope": {
+ "computing_action": [
+ "vm_admin",
+ "vm_access"
+ ]
+ },
+
+ "object_category_scope": {
+ "object_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_mls_admin/assignment.json
new file mode 100644
index 00000000..e1c208df
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/assignment.json
@@ -0,0 +1,37 @@
+{
+ "subject_assignments": {
+ "role":{
+ "admin": ["admin" ]
+ }
+ },
+
+ "action_assignments": {
+ "ie_action":{
+ "read": ["ie_admin", "ie_access"],
+ "write": ["ie_admin"],
+ "create": ["ie_admin"],
+ "delete": ["ie_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "id": {
+ "subjects": ["subjects"],
+ "objects": ["objects"],
+ "actions": ["actions"],
+ "subject_categories": ["subject_categories"],
+ "object_categories": ["object_categories"],
+ "action_categories": ["action_categories"],
+ "subject_category_scope": ["subject_category_scope"],
+ "object_category_scope": ["object_category_scope"],
+ "action_category_scope": ["action_category_scope"],
+ "sub_rules": ["sub_rules"],
+ "sub_meta_rule": ["sub_meta_rule"],
+ "subject_assignments": ["subject_assignments"],
+ "object_assignments": ["object_assignments"],
+ "action_assignments": ["action_assignments"],
+ "sub_meta_rule_relations": ["sub_meta_rule_relations"],
+ "aggregation_algorithms": ["aggregation_algorithms"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_mls_admin/metadata.json
new file mode 100644
index 00000000..f65cb271
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "RBAC_metadata",
+ "model": "RBAC",
+ "genre": "authz",
+ "description": "Role Based access Control authorization policy",
+
+ "subject_categories": [
+ "role"
+ ],
+
+ "action_categories": [
+ "ie_action"
+ ],
+
+ "object_categories": [
+ "id"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_mls_admin/metarule.json
new file mode 100644
index 00000000..3a2c7b75
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["role"],
+ "action_categories": ["ie_action"],
+ "object_categories": ["id"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_mls_admin/perimeter.json
new file mode 100644
index 00000000..e570aae1
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/perimeter.json
@@ -0,0 +1,29 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "actions": [
+ "read",
+ "write",
+ "create",
+ "delete"
+ ],
+ "objects": [
+ "subjects",
+ "objects",
+ "actions",
+ "subject_categories",
+ "object_categories",
+ "action_categories",
+ "subject_category_scope",
+ "object_category_scope",
+ "action_category_scope",
+ "sub_rules",
+ "subject_assignments",
+ "object_assignments",
+ "action_assignments",
+ "sub_meta_rule_relations",
+ "aggregation_algorithms",
+ "sub_meta_rule"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/rules.json b/keystone-moon/examples/moon/policies/policy_mls_admin/rules.json
new file mode 100644
index 00000000..e17ba8f3
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/rules.json
@@ -0,0 +1,20 @@
+{
+ "relation_super":[
+ ["admin", "ie_admin", "subjects"],
+ ["admin", "ie_admin", "objects"],
+ ["admin", "ie_admin", "actions"],
+ ["admin", "ie_admin", "subject_categories"],
+ ["admin", "ie_admin", "object_categories"],
+ ["admin", "ie_admin", "action_categories"],
+ ["admin", "ie_admin", "subject_category_scope"],
+ ["admin", "ie_admin", "object_category_scope"],
+ ["admin", "ie_admin", "action_category_scope"],
+ ["admin", "ie_admin", "sub_rules"],
+ ["admin", "ie_admin", "sub_meta_rule"],
+ ["admin", "ie_admin", "subject_assignments"],
+ ["admin", "ie_admin", "object_assignments"],
+ ["admin", "ie_admin", "action_assignments"],
+ ["admin", "ie_admin", "sub_meta_rule_relations"],
+ ["admin", "ie_admin", "aggregation_algorithms"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/scope.json b/keystone-moon/examples/moon/policies/policy_mls_admin/scope.json
new file mode 100644
index 00000000..faf06d2c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/scope.json
@@ -0,0 +1,35 @@
+{
+ "subject_category_scope": {
+ "role": [
+ "admin"
+ ]
+ },
+
+ "action_category_scope": {
+ "ie_action": [
+ "ie_access",
+ "ie_admin"
+ ]
+ },
+
+ "object_category_scope": {
+ "id": [
+ "subjects",
+ "objects",
+ "actions",
+ "subject_categories",
+ "object_categories",
+ "action_categories",
+ "subject_category_scope",
+ "object_category_scope",
+ "action_category_scope",
+ "sub_rules",
+ "sub_meta_rule",
+ "subject_assignments",
+ "object_assignments",
+ "action_assignments",
+ "sub_meta_rule_relations",
+ "aggregation_algorithms"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
new file mode 100644
index 00000000..e2a244b3
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
@@ -0,0 +1,23 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ }
+ },
+
+ "action_assignments": {
+ "computing_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "servers": ["low"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
new file mode 100644
index 00000000..56dc57df
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
@@ -0,0 +1,19 @@
+{
+ "name": "MLS_metadata",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Layer Security authorization policy",
+
+ "subject_categories": [
+ "subject_security_level"
+ ],
+
+ "action_categories": [
+ "computing_action",
+ "storage_action"
+ ],
+
+ "object_categories": [
+ "object_security_level"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
new file mode 100644
index 00000000..0f717458
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["computing_action"],
+ "object_categories": ["object_security_level"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
new file mode 100644
index 00000000..4bf88de7
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
@@ -0,0 +1,16 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "actions": [
+ "pause",
+ "unpause",
+ "start",
+ "stop",
+ "create",
+ "list"
+ ],
+ "objects": [
+ "servers"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/rules.json b/keystone-moon/examples/moon/policies/policy_mls_authz/rules.json
new file mode 100644
index 00000000..f018a6fc
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/rules.json
@@ -0,0 +1,13 @@
+{
+ "relation_super":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "high"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "medium"],
+ ["medium", "vm_access", "low"],
+ ["low", "vm_access", "low"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
new file mode 100644
index 00000000..d3146acb
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
@@ -0,0 +1,24 @@
+{
+ "subject_category_scope": {
+ "subject_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+
+ "action_category_scope": {
+ "computing_action": [
+ "vm_access",
+ "vm_admin"
+ ]
+ },
+
+ "object_category_scope": {
+ "object_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
new file mode 100644
index 00000000..e1c208df
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
@@ -0,0 +1,37 @@
+{
+ "subject_assignments": {
+ "role":{
+ "admin": ["admin" ]
+ }
+ },
+
+ "action_assignments": {
+ "ie_action":{
+ "read": ["ie_admin", "ie_access"],
+ "write": ["ie_admin"],
+ "create": ["ie_admin"],
+ "delete": ["ie_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "id": {
+ "subjects": ["subjects"],
+ "objects": ["objects"],
+ "actions": ["actions"],
+ "subject_categories": ["subject_categories"],
+ "object_categories": ["object_categories"],
+ "action_categories": ["action_categories"],
+ "subject_category_scope": ["subject_category_scope"],
+ "object_category_scope": ["object_category_scope"],
+ "action_category_scope": ["action_category_scope"],
+ "sub_rules": ["sub_rules"],
+ "sub_meta_rule": ["sub_meta_rule"],
+ "subject_assignments": ["subject_assignments"],
+ "object_assignments": ["object_assignments"],
+ "action_assignments": ["action_assignments"],
+ "sub_meta_rule_relations": ["sub_meta_rule_relations"],
+ "aggregation_algorithms": ["aggregation_algorithms"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
new file mode 100644
index 00000000..f65cb271
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "RBAC_metadata",
+ "model": "RBAC",
+ "genre": "authz",
+ "description": "Role Based access Control authorization policy",
+
+ "subject_categories": [
+ "role"
+ ],
+
+ "action_categories": [
+ "ie_action"
+ ],
+
+ "object_categories": [
+ "id"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
new file mode 100644
index 00000000..3a2c7b75
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["role"],
+ "action_categories": ["ie_action"],
+ "object_categories": ["id"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
new file mode 100644
index 00000000..e570aae1
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
@@ -0,0 +1,29 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "actions": [
+ "read",
+ "write",
+ "create",
+ "delete"
+ ],
+ "objects": [
+ "subjects",
+ "objects",
+ "actions",
+ "subject_categories",
+ "object_categories",
+ "action_categories",
+ "subject_category_scope",
+ "object_category_scope",
+ "action_category_scope",
+ "sub_rules",
+ "subject_assignments",
+ "object_assignments",
+ "action_assignments",
+ "sub_meta_rule_relations",
+ "aggregation_algorithms",
+ "sub_meta_rule"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/rules.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/rules.json
new file mode 100644
index 00000000..e17ba8f3
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/rules.json
@@ -0,0 +1,20 @@
+{
+ "relation_super":[
+ ["admin", "ie_admin", "subjects"],
+ ["admin", "ie_admin", "objects"],
+ ["admin", "ie_admin", "actions"],
+ ["admin", "ie_admin", "subject_categories"],
+ ["admin", "ie_admin", "object_categories"],
+ ["admin", "ie_admin", "action_categories"],
+ ["admin", "ie_admin", "subject_category_scope"],
+ ["admin", "ie_admin", "object_category_scope"],
+ ["admin", "ie_admin", "action_category_scope"],
+ ["admin", "ie_admin", "sub_rules"],
+ ["admin", "ie_admin", "sub_meta_rule"],
+ ["admin", "ie_admin", "subject_assignments"],
+ ["admin", "ie_admin", "object_assignments"],
+ ["admin", "ie_admin", "action_assignments"],
+ ["admin", "ie_admin", "sub_meta_rule_relations"],
+ ["admin", "ie_admin", "aggregation_algorithms"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json
new file mode 100644
index 00000000..faf06d2c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json
@@ -0,0 +1,35 @@
+{
+ "subject_category_scope": {
+ "role": [
+ "admin"
+ ]
+ },
+
+ "action_category_scope": {
+ "ie_action": [
+ "ie_access",
+ "ie_admin"
+ ]
+ },
+
+ "object_category_scope": {
+ "id": [
+ "subjects",
+ "objects",
+ "actions",
+ "subject_categories",
+ "object_categories",
+ "action_categories",
+ "subject_category_scope",
+ "object_category_scope",
+ "action_category_scope",
+ "sub_rules",
+ "sub_meta_rule",
+ "subject_assignments",
+ "object_assignments",
+ "action_assignments",
+ "sub_meta_rule_relations",
+ "aggregation_algorithms"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/assignment.json
new file mode 100644
index 00000000..e804b56a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/assignment.json
@@ -0,0 +1,28 @@
+{
+ "subject_assignments": {
+ "role":{
+ "admin": ["admin" ]
+ }
+ },
+
+ "action_assignments": {
+ "computing_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"]
+ },
+ "storage_action":{
+ "get": ["vm_access"],
+ "set": ["vm_access", "vm_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "id": {
+ "servers": ["servers"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/metadata.json
new file mode 100644
index 00000000..7f34ed7a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/metadata.json
@@ -0,0 +1,19 @@
+{
+ "name": "MLS_metadata",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Layer Security authorization policy",
+
+ "subject_categories": [
+ "role"
+ ],
+
+ "action_categories": [
+ "computing_action",
+ "storage_action"
+ ],
+
+ "object_categories": [
+ "id"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/metarule.json
new file mode 100644
index 00000000..ce828339
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["role"],
+ "action_categories": ["computing_action", "storage_action"],
+ "object_categories": ["id"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/perimeter.json
new file mode 100644
index 00000000..4bf88de7
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/perimeter.json
@@ -0,0 +1,16 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "actions": [
+ "pause",
+ "unpause",
+ "start",
+ "stop",
+ "create",
+ "list"
+ ],
+ "objects": [
+ "servers"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/rules.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/rules.json
new file mode 100644
index 00000000..7f9dc3bb
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/rules.json
@@ -0,0 +1,6 @@
+{
+ "relation_super":[
+ ["admin", "vm_admin", "vm_admin", "servers"],
+ ["admin", "vm_access", "vm_access", "servers"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/scope.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/scope.json
new file mode 100644
index 00000000..34c5350a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/scope.json
@@ -0,0 +1,24 @@
+{
+ "subject_category_scope": {
+ "role": [
+ "admin"
+ ]
+ },
+
+ "action_category_scope": {
+ "computing_action": [
+ "vm_access",
+ "vm_admin"
+ ],
+ "storage_action": [
+ "vm_access",
+ "vm_admin"
+ ]
+ },
+
+ "object_category_scope": {
+ "id": [
+ "servers"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/super_extension/policy/assignment.json b/keystone-moon/examples/moon/super_extension/policy/assignment.json
new file mode 100644
index 00000000..352d3928
--- /dev/null
+++ b/keystone-moon/examples/moon/super_extension/policy/assignment.json
@@ -0,0 +1,26 @@
+{
+ "subject_category_assignments": {
+ "role":{
+ "admin": [
+ "super_user",
+ "super_admin",
+ "super_root",
+ "inter_extension_user",
+ "inter_extension_admin",
+ "inter_extension_root"
+ ]
+ }
+ },
+ "object_category_assignments": {
+ "action": {
+ "intra_extension": [],
+ "mapping": [],
+ "inter_extension": []
+ },
+ "object_id": {
+ "intra_extension": ["intra_extension"],
+ "mapping": ["mapping"],
+ "inter_extension": ["inter_extension"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/super_extension/policy/configuration.json b/keystone-moon/examples/moon/super_extension/policy/configuration.json
new file mode 100644
index 00000000..18918e7f
--- /dev/null
+++ b/keystone-moon/examples/moon/super_extension/policy/configuration.json
@@ -0,0 +1,43 @@
+{
+ "subject_category_values": {
+ "role": [
+ "super_user",
+ "super_admin",
+ "super_root",
+ "inter_extension_user",
+ "inter_extension_admin",
+ "inter_extension_root"
+ ]
+ },
+
+ "object_category_values": {
+ "action": [
+ "list",
+ "create",
+ "destroy",
+ "delegate"
+ ],
+ "object_id": [
+ "intra_extension",
+ "mapping",
+ "inter_extension"
+ ]
+ },
+
+ "rules":{
+ "permission": [
+ ["super_user", "intra_extension", "list"],
+ ["super_admin", "intra_extension", "create"],
+ ["super_admin", "intra_extension", "destroy"],
+ ["super_root", "intra_extension", "delegate"],
+ ["super_user", "mapping", "list"],
+ ["super_admin", "mapping", "create"],
+ ["super_admin", "mapping", "destroy"],
+ ["super_root", "mapping", "delegate"],
+ ["inter_extension_user", "inter_extension", "list"],
+ ["inter_extension_admin", "inter_extension", "create"],
+ ["inter_extension_admin", "inter_extension", "destroy"],
+ ["inter_extension_root", "inter_extension", "delegate"]
+ ]
+ }
+} \ No newline at end of file
diff --git a/keystone-moon/examples/moon/super_extension/policy/metadata.json b/keystone-moon/examples/moon/super_extension/policy/metadata.json
new file mode 100644
index 00000000..316bfcb7
--- /dev/null
+++ b/keystone-moon/examples/moon/super_extension/policy/metadata.json
@@ -0,0 +1,26 @@
+{
+ "name": "RBAC_metadata",
+ "model": "RBAC",
+ "genre": "super",
+ "description": "",
+
+ "subject_categories": [
+ "role"
+ ],
+
+ "object_categories": [
+ "object_id",
+ "action"
+ ],
+
+ "meta_rule": {
+ "sub_meta_rules": {
+ "permission": {
+ "subject_categories": ["role"],
+ "object_categories": ["object_id", "action"],
+ "relation": "permission"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+ }
+}
diff --git a/keystone-moon/examples/moon/super_extension/policy/perimeter.json b/keystone-moon/examples/moon/super_extension/policy/perimeter.json
new file mode 100644
index 00000000..5d511654
--- /dev/null
+++ b/keystone-moon/examples/moon/super_extension/policy/perimeter.json
@@ -0,0 +1,10 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "objects": [
+ "intra_extension",
+ "mapping",
+ "inter_extension"
+ ]
+} \ No newline at end of file
diff --git a/keystone-moon/examples/pki/certs/cacert.pem b/keystone-moon/examples/pki/certs/cacert.pem
new file mode 100644
index 00000000..2f31d126
--- /dev/null
+++ b/keystone-moon/examples/pki/certs/cacert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1jCCAr6gAwIBAgIJAKiIU3dYUGKeMA0GCSqGSIb3DQEBBQUAMIGeMQowCAYD
+VQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55
+dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMG
+CSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2Vs
+ZiBTaWduZWQwIBcNMTMwNzA5MTYyNTAwWhgPMjA3MjAxMDExNjI1MDBaMIGeMQow
+CAYDVQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1
+bm55dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTEl
+MCMGCSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxML
+U2VsZiBTaWduZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCh1U+N
+3g2cjFi7GeVf21FIv8MDhughFCey9rysAuqFONSFYo2rectLgpDtVy4BFFUFlxmh
+8Ci9TEZ5LiA31tbc4584GxvlLt4dg8aFsUJRBKq0L9i7W5v9uFpHrY1Zr+P4vwG+
+v7IWOuzw19f517eGpp6LLcj2vrpN9Yb63rrydKOqr0KJodMd+vFKmi+euFcPqs6s
+w1OiC5DpJN479CGl2Fs1WzMoKDedRNiXG7ysrVrYQIkfMBABBPIwilq1xXZz9Ybo
+0PbNgOu6xpSsy9hq+IzxcwYsr5CwIcbqW6Ju+Ti2iBEaff20lW7dFzO4kwrcqOr9
+Jnn7qE8YfJo9Hyj3AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADggEBAGWFTQTe2FwvwGWa/Bx3Ypc8pJ05ucmGDm8XZiUHj1mOvFHTcveL
+Iofb+vR2lynr+MwF9Dn1szGteVNn/QxrHJIoxsgf1n/9fdyYqjoKWXblNBMt5jhr
+IlMGdQMqHSDzlkZKbcXg5vzHnG5mrwh0rojcZItZznXTSo/XnujEtHwIvCo6rk9c
+tRRzpkcDkg+/SZf2izchsLoEQVsJsIZMnWl0hUGFHaDfx2JQn7bnAcC84wPVhRJ+
+Xa3kDok1r7Nd7Vr/Wf0hCNRxyv2dySD/bq5iCEl1HNik3KCq4eUicTtkGe5N+Was
+ucf1RhPD3oZbxlTX4QDN7grSCdrTESyuhfc=
+-----END CERTIFICATE-----
diff --git a/keystone-moon/examples/pki/certs/middleware.pem b/keystone-moon/examples/pki/certs/middleware.pem
new file mode 100644
index 00000000..6546753e
--- /dev/null
+++ b/keystone-moon/examples/pki/certs/middleware.pem
@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIDpjCCAo4CARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
+EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
+ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
+MzA3MDkxNjI1MDBaGA8yMDcyMDEwMTE2MjUwMFowgZAxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
+Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
+cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC5dpW18l3bs+Mcj/JdhaAa+qw1RJwShm06g+q38ZoC
+cCmRO3/XyHghgHWdVa+FKVm2ug923dE2PW4GSI1pZa3iqbT9Yj70nxN+0l94iym+
+v9/P7irolvo5OWBbBIJT1Ubjps5fJ//gz6BdmwS0FuOy2qfKPnPhyBDH2VawtOgY
+MLk+PSG3YQh7vM2YvDALPTPz/f4qPmhQpb69KBJQElFXPQ9Nu0ABCPWWC2tN87L5
+pakFw5zq46pttSJ7Izc8MXh3KQrh9FvjmiQuRnkMvQ/g887Sp6nEJ22ABPEFhuRr
+89aup6wRD2CkA/8L3zSB5BV7tTK4hQiq07cTnV9Dv6bfAgMBAAEwDQYJKoZIhvcN
+AQEFBQADggEBAIVz3ZwxSUF/y5ABmjnVIQaVVxH97bu07smFQUe0AB2I9R4xnBJ9
+jn93DpeixZvArCZuDuJEJvNER8S6L3r/OPMPrVzayxibXATaZRE8khMWEJpsnyeW
+8paA5NuZJwN2NjlPOmT47J1m7ZjLgkrVwjhwQZPMnh5kG9690TBJNhg9x3Z8f6p3
+iKj2AfZWGhp9Xr2xOZCpfvAZmyvKOMeuHVrRZ2VWGuzojQd7fjSEDw/+Tg8Gw1LV
+BQXjXiKQHsD1YID2a9Pe9yrBjO00ZMxMw8+wN9qrh+8vxfmwTO8tEkmcpvM4ivO3
+/oGGhQh6nSncERVI7rx+wBDnIHKBz6MU2Ow=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5dpW18l3bs+Mc
+j/JdhaAa+qw1RJwShm06g+q38ZoCcCmRO3/XyHghgHWdVa+FKVm2ug923dE2PW4G
+SI1pZa3iqbT9Yj70nxN+0l94iym+v9/P7irolvo5OWBbBIJT1Ubjps5fJ//gz6Bd
+mwS0FuOy2qfKPnPhyBDH2VawtOgYMLk+PSG3YQh7vM2YvDALPTPz/f4qPmhQpb69
+KBJQElFXPQ9Nu0ABCPWWC2tN87L5pakFw5zq46pttSJ7Izc8MXh3KQrh9FvjmiQu
+RnkMvQ/g887Sp6nEJ22ABPEFhuRr89aup6wRD2CkA/8L3zSB5BV7tTK4hQiq07cT
+nV9Dv6bfAgMBAAECggEBAIB1K5L/kZUITulMptGyKUgmkjq/D98g7u0Vy/CmTkcc
+Cx6F+LGsL9D8mfplDBKOpo4S530sfKk1+Uwu2ovDGqKhazQJ5ZMnz6gK7Ieg1ERD
+wDDURTIeyKf0HtJMGD0av2QU+GIeYXQEO446PhLCu+n42zkQ8tDS8xSJbCsu0odV
+ok6+i7nEg9sP4uDfAAtM8CUJbRpFTha+m2a7pOz3ylU7/ZV4FDIgJ+FEynaphXAo
+bZE4MX5I7A4DDBp7/9g9HsgefByY4xiABuk7Rsyztyf2TrJEtcsVhiV4sCIIHsow
+u60KGEcTQWj4npBIMgW1QUdrwmAAh/35gOjt9ZndgTkCgYEA2yT5DmihjVaNF65B
+8VtdFcpESr8rr6FBmJ7z31m7MufeV1Inc5GqCK9agRmpr5sTYcgFB9it2IhW2WsA
+xHv+7J04bd9DBtgTv58GWrISsCR/abMZnJrm+F5Rafk77jwjCx/SwFj79ybI83Ia
+VJYMd7jqkxc00+DZT/3QWZqRrlsCgYEA2KeBBqUVdCpwNiJpgFM18HWjJx36HRk7
+YoFapXot/6R6A/rYmS+/goBZt2CWqqGtnXqWEZvH+v4L+WlUmYQrWwtoxpdR1oXz
+EmlCxN7D9MbRVR7QVW24h5zdwPOlbCTGoKzowOs8UEjMfQ81zoMinLmcJgHQSyzs
+OawgSF+DmM0CgYBQz26EELNaMktvKxQoE3/c9CyAv8Q1TKqqxBq8BxPP7s7/tkzU
+AigIcdlW+Aapue7IxQCN5yocShJ0tE+hJPRZfpR7d7P4xx9pLxQhx766c4sEiEXu
+iPSZK/artHuUG1r01DRcN7QabJP3qeDpxjcswuTFfu49H5IjPD5jfGsyNwKBgFjh
+bvdQ5lo/xsUOnQV+HZTGTeaQT7l8TnZ85rkYRKKp0TysvgsqIYDiMuwd/fGGXnlK
+fyI+LG51pmftpD1OkZLKPXOrRHGjhjK5aCDn2rAimGI5P/KsDpXj7r1ntyeEdtAX
+32y1lIrDMtDjWomcFqkBJGQbPl540Xhfeub1+EDJAoGAUZGPT2itKnxEFsa1SKHW
+yLeEsag/a9imAVyizo1WJn2WJaUhi1aHK49w6JRowIAzXXb7zLQt7BL8v+ydPVw3
+eySpXGqFuN/Prm3So0SeWllWcPsKFAzjgE0CWjNuB0GlAZGOaJOcWUNoOZjX/SDC
+FpolIoaSad28tGc8tbEk3fU=
+-----END PRIVATE KEY-----
diff --git a/keystone-moon/examples/pki/certs/signing_cert.pem b/keystone-moon/examples/pki/certs/signing_cert.pem
new file mode 100644
index 00000000..3129e508
--- /dev/null
+++ b/keystone-moon/examples/pki/certs/signing_cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpTCCAo0CAREwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
+EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
+ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
+MzA3MDkxNjI1MDBaGA8yMDcyMDEwMTE2MjUwMFowgY8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
+Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
+cGVuc3RhY2sub3JnMREwDwYDVQQDEwhLZXlzdG9uZTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMTC6IdNd9Cg1DshcrT5gRVRF36nEmjSA9QWdik7B925
+PK70U4F6j4pz/5JL7plIo/8rJ4jJz9ccE7m0iA+IuABtEhEwXkG9rj47Oy0J4ZyD
+GSh2K1Bl78PA9zxXSzysUTSjBKdAh29dPYbJY7cgZJ0uC3AtfVceYiAOIi14SdFe
+Z0LZLDXBuLaqUmSMrmKwJ9wAMOCb/jbBP9/3Ycd0GYjlvrSBU4Bqb8/NHasyO4Dp
+PN68OAoyD5r5jUtV8QZN03UjIsoux8e0lrL6+MVtJo0OfWvlSrlzS5HKSryY+uqq
+QEuxtZKpJM2MV85ujvjc8eDSChh2shhDjBem3FIlHKUCAwEAATANBgkqhkiG9w0B
+AQUFAAOCAQEAed9fHgdJrk+gZcO5gsqq6uURfDOuYD66GsSdZw4BqHjYAcnyWq2d
+a+iw7Uxkqu7iLf2k4+Hu3xjDFrce479OwZkSnbXmqB7XspTGOuM8MgT7jB/ypKTO
+Z6qaZKSWK1Hta995hMrVVlhUNBLh0MPGqoVWYA4d7mblujgH9vp+4mpCciJagHks
+8K5FBmI+pobB+uFdSYDoRzX9LTpStspK4e3IoY8baILuGcdKimRNBv6ItG4hMrnt
+Ae1/nWMJyUu5rDTGf2V/vAaS0S/faJBwQSz1o38QHMTWHNspfwIdX3yMqI9u7/vY
+lz3rLy5WdBdUgZrZ3/VLmJTiJVZu5Owq4Q==
+-----END CERTIFICATE-----
diff --git a/keystone-moon/examples/pki/certs/ssl_cert.pem b/keystone-moon/examples/pki/certs/ssl_cert.pem
new file mode 100644
index 00000000..0b0877eb
--- /dev/null
+++ b/keystone-moon/examples/pki/certs/ssl_cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpjCCAo4CARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
+EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
+ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
+MzA3MDkxNjI1MDBaGA8yMDcyMDEwMTE2MjUwMFowgZAxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
+Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
+cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC5dpW18l3bs+Mcj/JdhaAa+qw1RJwShm06g+q38ZoC
+cCmRO3/XyHghgHWdVa+FKVm2ug923dE2PW4GSI1pZa3iqbT9Yj70nxN+0l94iym+
+v9/P7irolvo5OWBbBIJT1Ubjps5fJ//gz6BdmwS0FuOy2qfKPnPhyBDH2VawtOgY
+MLk+PSG3YQh7vM2YvDALPTPz/f4qPmhQpb69KBJQElFXPQ9Nu0ABCPWWC2tN87L5
+pakFw5zq46pttSJ7Izc8MXh3KQrh9FvjmiQuRnkMvQ/g887Sp6nEJ22ABPEFhuRr
+89aup6wRD2CkA/8L3zSB5BV7tTK4hQiq07cTnV9Dv6bfAgMBAAEwDQYJKoZIhvcN
+AQEFBQADggEBAIVz3ZwxSUF/y5ABmjnVIQaVVxH97bu07smFQUe0AB2I9R4xnBJ9
+jn93DpeixZvArCZuDuJEJvNER8S6L3r/OPMPrVzayxibXATaZRE8khMWEJpsnyeW
+8paA5NuZJwN2NjlPOmT47J1m7ZjLgkrVwjhwQZPMnh5kG9690TBJNhg9x3Z8f6p3
+iKj2AfZWGhp9Xr2xOZCpfvAZmyvKOMeuHVrRZ2VWGuzojQd7fjSEDw/+Tg8Gw1LV
+BQXjXiKQHsD1YID2a9Pe9yrBjO00ZMxMw8+wN9qrh+8vxfmwTO8tEkmcpvM4ivO3
+/oGGhQh6nSncERVI7rx+wBDnIHKBz6MU2Ow=
+-----END CERTIFICATE-----
diff --git a/keystone-moon/examples/pki/cms/auth_token_revoked.json b/keystone-moon/examples/pki/cms/auth_token_revoked.json
new file mode 100644
index 00000000..57d35280
--- /dev/null
+++ b/keystone-moon/examples/pki/cms/auth_token_revoked.json
@@ -0,0 +1,85 @@
+{
+ "access": {
+ "serviceCatalog": [
+ {
+ "endpoints": [
+ {
+ "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
+ "region": "RegionOne",
+ "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
+ "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
+ }
+ ],
+ "endpoints_links": [],
+ "type": "volume",
+ "name": "volume"
+ },
+ {
+ "endpoints": [
+ {
+ "adminURL": "http://127.0.0.1:9292/v1",
+ "region": "RegionOne",
+ "internalURL": "http://127.0.0.1:9292/v1",
+ "publicURL": "http://127.0.0.1:9292/v1"
+ }
+ ],
+ "endpoints_links": [],
+ "type": "image",
+ "name": "glance"
+ },
+ {
+ "endpoints": [
+ {
+ "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
+ "region": "RegionOne",
+ "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
+ "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
+ }
+ ],
+ "endpoints_links": [],
+ "type": "compute",
+ "name": "nova"
+ },
+ {
+ "endpoints": [
+ {
+ "adminURL": "http://127.0.0.1:35357/v2.0",
+ "region": "RegionOne",
+ "internalURL": "http://127.0.0.1:35357/v2.0",
+ "publicURL": "http://127.0.0.1:5000/v2.0"
+ }
+ ],
+ "endpoints_links": [],
+ "type": "identity",
+ "name": "keystone"
+ }
+ ],
+ "token": {
+ "expires": "2012-06-02T14:47:34Z",
+ "id": "placeholder",
+ "tenant": {
+ "enabled": true,
+ "description": null,
+ "name": "tenant_name1",
+ "id": "tenant_id1"
+ }
+ },
+ "user": {
+ "username": "revoked_username1",
+ "roles_links": [
+ "role1",
+ "role2"
+ ],
+ "id": "revoked_user_id1",
+ "roles": [
+ {
+ "name": "role1"
+ },
+ {
+ "name": "role2"
+ }
+ ],
+ "name": "revoked_username1"
+ }
+ }
+}
diff --git a/keystone-moon/examples/pki/cms/auth_token_revoked.pem b/keystone-moon/examples/pki/cms/auth_token_revoked.pem
new file mode 100644
index 00000000..1435c1e9
--- /dev/null
+++ b/keystone-moon/examples/pki/cms/auth_token_revoked.pem
@@ -0,0 +1,44 @@
+-----BEGIN CMS-----
+MIIH1wYJKoZIhvcNAQcCoIIHyDCCB8QCAQExCTAHBgUrDgMCGjCCBeQGCSqGSIb3
+DQEHAaCCBdUEggXReyJhY2Nlc3MiOiB7InNlcnZpY2VDYXRhbG9nIjogW3siZW5k
+cG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx
+LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInJlZ2lvbiI6ICJy
+ZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2
+L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInB1YmxpY1VS
+TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzYvdjEvNjRiNmYzZmJjYzUzNDM1ZThh
+NjBmY2Y4OWJiNjYxN2EifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUi
+OiAidm9sdW1lIiwgIm5hbWUiOiAidm9sdW1lIn0sIHsiZW5kcG9pbnRzIjogW3si
+YWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3YxIiwgInJlZ2lvbiI6
+ICJyZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5
+MjkyL3YxIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjkyOTIvdjEi
+fV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaW1hZ2UiLCAibmFt
+ZSI6ICJnbGFuY2UifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRw
+Oi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5
+YmI2NjE3YSIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjog
+Imh0dHA6Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYw
+ZmNmODliYjY2MTdhIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3
+NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSJ9XSwgImVu
+ZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJjb21wdXRlIiwgIm5hbWUiOiAi
+bm92YSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMjcu
+MC4wLjE6MzUzNTcvdjIuMCIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVy
+bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUzNTcvdjIuMCIsICJwdWJsaWNV
+UkwiOiAiaHR0cDovLzEyNy4wLjAuMTo1MDAwL3YyLjAifV0sICJlbmRwb2ludHNf
+bGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJrZXlzdG9u
+ZSJ9XSwidG9rZW4iOiB7ImV4cGlyZXMiOiAiMjAxMi0wNi0wMlQxNDo0NzozNFoi
+LCAiaWQiOiAicGxhY2Vob2xkZXIiLCAidGVuYW50IjogeyJlbmFibGVkIjogdHJ1
+ZSwgImRlc2NyaXB0aW9uIjogbnVsbCwgIm5hbWUiOiAidGVuYW50X25hbWUxIiwg
+ImlkIjogInRlbmFudF9pZDEifX0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJyZXZv
+a2VkX3VzZXJuYW1lMSIsICJyb2xlc19saW5rcyI6IFsicm9sZTEiLCJyb2xlMiJd
+LCAiaWQiOiAicmV2b2tlZF91c2VyX2lkMSIsICJyb2xlcyI6IFt7Im5hbWUiOiAi
+cm9sZTEifSwgeyJuYW1lIjogInJvbGUyIn1dLCAibmFtZSI6ICJyZXZva2VkX3Vz
+ZXJuYW1lMSJ9fX0NCjGCAcowggHGAgEBMIGkMIGeMQowCAYDVQQFEwE1MQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55dmFsZTESMBAGA1UE
+ChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMGCSqGSIb3DQEJARYW
+a2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2VsZiBTaWduZWQCAREw
+BwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEggEAXY8JvllpyctcNlJByPLxhgLyRfFo
+Ew+8Yq3O4FxOyfVkINvOz4EHTipY0M/K8OLwfxpRt7o/iGLGRDBTI6Dd+erXsus8
+NecnNxcWN9RUE2CZhoGj/0nhnNEGF+9Mlv3tMBngwoUJg2paSw/Vn2Q7RaqbOC05
+aZOSDoSX7Zf0DIS/T0ZPnmOUb9+N25M20ctMHksPMEq0qyf2oove0O+WMa/cA8JT
+c2EAhew4WSD0Zv0GOAP30GS+hkNfA1GZTrvCQrpRs9jXhK4dR2bBsnUFVix1BEZ0
+sDhI8cXLvm16IpOO8ov6002ZoZhPn6Qo+0J8QOfdnjiwNnxLOEbuOIwPeQ==
+-----END CMS-----
diff --git a/keystone-moon/examples/pki/cms/auth_token_scoped.json b/keystone-moon/examples/pki/cms/auth_token_scoped.json
new file mode 100644
index 00000000..31b1044b
--- /dev/null
+++ b/keystone-moon/examples/pki/cms/auth_token_scoped.json
@@ -0,0 +1,85 @@
+{
+ "access": {
+ "serviceCatalog": [
+ {
+ "endpoints": [
+ {
+ "adminURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
+ "region": "RegionOne",
+ "internalURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a",
+ "publicURL": "http://127.0.0.1:8776/v1/64b6f3fbcc53435e8a60fcf89bb6617a"
+ }
+ ],
+ "endpoints_links": [],
+ "type": "volume",
+ "name": "volume"
+ },
+ {
+ "endpoints": [
+ {
+ "adminURL": "http://127.0.0.1:9292/v1",
+ "region": "RegionOne",
+ "internalURL": "http://127.0.0.1:9292/v1",
+ "publicURL": "http://127.0.0.1:9292/v1"
+ }
+ ],
+ "endpoints_links": [],
+ "type": "image",
+ "name": "glance"
+ },
+ {
+ "endpoints": [
+ {
+ "adminURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
+ "region": "RegionOne",
+ "internalURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a",
+ "publicURL": "http://127.0.0.1:8774/v1.1/64b6f3fbcc53435e8a60fcf89bb6617a"
+ }
+ ],
+ "endpoints_links": [],
+ "type": "compute",
+ "name": "nova"
+ },
+ {
+ "endpoints": [
+ {
+ "adminURL": "http://127.0.0.1:35357/v2.0",
+ "region": "RegionOne",
+ "internalURL": "http://127.0.0.1:35357/v2.0",
+ "publicURL": "http://127.0.0.1:5000/v2.0"
+ }
+ ],
+ "endpoints_links": [],
+ "type": "identity",
+ "name": "keystone"
+ }
+ ],
+ "token": {
+ "expires": "2012-06-02T14:47:34Z",
+ "id": "placeholder",
+ "tenant": {
+ "enabled": true,
+ "description": null,
+ "name": "tenant_name1",
+ "id": "tenant_id1"
+ }
+ },
+ "user": {
+ "username": "user_name1",
+ "roles_links": [
+ "role1",
+ "role2"
+ ],
+ "id": "user_id1",
+ "roles": [
+ {
+ "name": "role1"
+ },
+ {
+ "name": "role2"
+ }
+ ],
+ "name": "user_name1"
+ }
+ }
+}
diff --git a/keystone-moon/examples/pki/cms/auth_token_scoped.pem b/keystone-moon/examples/pki/cms/auth_token_scoped.pem
new file mode 100644
index 00000000..5c02c954
--- /dev/null
+++ b/keystone-moon/examples/pki/cms/auth_token_scoped.pem
@@ -0,0 +1,44 @@
+-----BEGIN CMS-----
+MIIHwQYJKoZIhvcNAQcCoIIHsjCCB64CAQExCTAHBgUrDgMCGjCCBc4GCSqGSIb3
+DQEHAaCCBb8EggW7eyJhY2Nlc3MiOiB7InNlcnZpY2VDYXRhbG9nIjogW3siZW5k
+cG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx
+LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInJlZ2lvbiI6ICJy
+ZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2
+L3YxLzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInB1YmxpY1VS
+TCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3NzYvdjEvNjRiNmYzZmJjYzUzNDM1ZThh
+NjBmY2Y4OWJiNjYxN2EifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUi
+OiAidm9sdW1lIiwgIm5hbWUiOiAidm9sdW1lIn0sIHsiZW5kcG9pbnRzIjogW3si
+YWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5MjkyL3YxIiwgInJlZ2lvbiI6
+ICJyZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo5
+MjkyL3YxIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjkyOTIvdjEi
+fV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaW1hZ2UiLCAibmFt
+ZSI6ICJnbGFuY2UifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRw
+Oi8vMTI3LjAuMC4xOjg3NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5
+YmI2NjE3YSIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjog
+Imh0dHA6Ly8xMjcuMC4wLjE6ODc3NC92MS4xLzY0YjZmM2ZiY2M1MzQzNWU4YTYw
+ZmNmODliYjY2MTdhIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTI3LjAuMC4xOjg3
+NzQvdjEuMS82NGI2ZjNmYmNjNTM0MzVlOGE2MGZjZjg5YmI2NjE3YSJ9XSwgImVu
+ZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJjb21wdXRlIiwgIm5hbWUiOiAi
+bm92YSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xMjcu
+MC4wLjE6MzUzNTcvdjIuMCIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVy
+bmFsVVJMIjogImh0dHA6Ly8xMjcuMC4wLjE6MzUzNTcvdjIuMCIsICJwdWJsaWNV
+UkwiOiAiaHR0cDovLzEyNy4wLjAuMTo1MDAwL3YyLjAifV0sICJlbmRwb2ludHNf
+bGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJrZXlzdG9u
+ZSJ9XSwidG9rZW4iOiB7ImV4cGlyZXMiOiAiMjAxMi0wNi0wMlQxNDo0NzozNFoi
+LCAiaWQiOiAicGxhY2Vob2xkZXIiLCAidGVuYW50IjogeyJlbmFibGVkIjogdHJ1
+ZSwgImRlc2NyaXB0aW9uIjogbnVsbCwgIm5hbWUiOiAidGVuYW50X25hbWUxIiwg
+ImlkIjogInRlbmFudF9pZDEifX0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJ1c2Vy
+X25hbWUxIiwgInJvbGVzX2xpbmtzIjogWyJyb2xlMSIsInJvbGUyIl0sICJpZCI6
+ICJ1c2VyX2lkMSIsICJyb2xlcyI6IFt7Im5hbWUiOiAicm9sZTEifSwgeyJuYW1l
+IjogInJvbGUyIn1dLCAibmFtZSI6ICJ1c2VyX25hbWUxIn19fQ0KMYIByjCCAcYC
+AQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTES
+MBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3RhY2sxETAPBgNVBAsT
+CEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVuc3RhY2sub3Jn
+MRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAHBgUrDgMCGjANBgkqhkiG9w0BAQEF
+AASCAQCAtuVtqTU9h1uaRrYU1eusSnHwD6jizp/xltTrYTyFPfYjhJdglS+bjSeS
+Iau9pN3Tfug98ozUTJ5ByNepAQtxBxPz5bDXhBmAbU6ywaolqRAG+b/s2ShNGQ2a
+tn80NeZmDNbtoqdHVAkD3EZXjsEKr2w+3JTTF2indzczyGe5EeSfNUaT+ZhNEmPR
+Urob62t8atW+zehCSurpaa8pC5m1NcbK8Uu6Y+qO2m08KU9w5kmbOQtWAGCmtpIx
+F2yM1AbSgd90yzen7dv5mNkgZyzQ6SYgRUvkKOKnCyBb97EZK3ZR4qUxQzRYM++8
+g8HdaIfoYVPoPHqODet8Xmhw/Wtp
+-----END CMS-----
diff --git a/keystone-moon/examples/pki/cms/auth_token_unscoped.json b/keystone-moon/examples/pki/cms/auth_token_unscoped.json
new file mode 100644
index 00000000..5c6d1f85
--- /dev/null
+++ b/keystone-moon/examples/pki/cms/auth_token_unscoped.json
@@ -0,0 +1,23 @@
+{
+ "access": {
+ "token": {
+ "expires": "2012-08-17T15:35:34Z",
+ "id": "01e032c996ef4406b144335915a41e79"
+ },
+ "serviceCatalog": {},
+ "user": {
+ "username": "user_name1",
+ "roles_links": [],
+ "id": "c9c89e3be3ee453fbf00c7966f6d3fbd",
+ "roles": [
+ {
+ "name": "role1"
+ },
+ {
+ "name": "role2"
+ }
+ ],
+ "name": "user_name1"
+ }
+ }
+}
diff --git a/keystone-moon/examples/pki/cms/auth_token_unscoped.pem b/keystone-moon/examples/pki/cms/auth_token_unscoped.pem
new file mode 100644
index 00000000..60649090
--- /dev/null
+++ b/keystone-moon/examples/pki/cms/auth_token_unscoped.pem
@@ -0,0 +1,19 @@
+-----BEGIN CMS-----
+MIIDKAYJKoZIhvcNAQcCoIIDGTCCAxUCAQExCTAHBgUrDgMCGjCCATUGCSqGSIb3
+DQEHAaCCASYEggEieyJhY2Nlc3MiOiB7InRva2VuIjogeyJleHBpcmVzIjogIjIw
+MTItMDgtMTdUMTU6MzU6MzRaIiwgImlkIjogIjAxZTAzMmM5OTZlZjQ0MDZiMTQ0
+MzM1OTE1YTQxZTc5In0sICJzZXJ2aWNlQ2F0YWxvZyI6IHt9LCAidXNlciI6IHsi
+dXNlcm5hbWUiOiAidXNlcl9uYW1lMSIsICJyb2xlc19saW5rcyI6IFtdLCAiaWQi
+OiAiYzljODllM2JlM2VlNDUzZmJmMDBjNzk2NmY2ZDNmYmQiLCAicm9sZXMiOiBb
+eyduYW1lJzogJ3JvbGUxJ30seyduYW1lJzogJ3JvbGUyJ30sXSwgIm5hbWUiOiAi
+dXNlcl9uYW1lMSJ9fX0xggHKMIIBxgIBATCBpDCBnjEKMAgGA1UEBRMBNTELMAkG
+A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNV
+BAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0BCQEW
+FmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYgU2lnbmVkAgER
+MAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIIBAFyD9IH2bXsafCTyHEWS28zBuq03
+ZNWXV4+0BfdMbX1ONkaQ7mLGRmfabLHwfE5RaSASFh/Doq7KTc8XrBVfTm9HQPGr
+TLZUawdYlyBFVq0PEE1cPvO9Blz4X/2Awcp/Q67YRd/oLCY2dFWMClMroXu1fy3P
+oFlpWPPhURrbU1GjhUgPIz0IxNGjfWEHVsb5kz7Bo4E8J3pgIkccm97XZZtiCwf7
+DVNj+Eb5mRegGG6IgSSRpZULgnCmSofQ3RnW3jSCkDxLXDQm9IsaaLJsuUFLylGs
+mB/98w9mP192IGl5MVr8/tANXwb5ok2VatUp/Ww1U0IlWbhN374PbK76vcE=
+-----END CMS-----
diff --git a/keystone-moon/examples/pki/cms/revocation_list.json b/keystone-moon/examples/pki/cms/revocation_list.json
new file mode 100644
index 00000000..9ad97287
--- /dev/null
+++ b/keystone-moon/examples/pki/cms/revocation_list.json
@@ -0,0 +1,8 @@
+{
+ "revoked": [
+ {
+ "id": "7acfcfdaf6a14aebe97c61c5947bc4d3",
+ "expires": "2012-08-14T17:58:48Z"
+ }
+ ]
+}
diff --git a/keystone-moon/examples/pki/cms/revocation_list.pem b/keystone-moon/examples/pki/cms/revocation_list.pem
new file mode 100644
index 00000000..bd22d3f2
--- /dev/null
+++ b/keystone-moon/examples/pki/cms/revocation_list.pem
@@ -0,0 +1,15 @@
+-----BEGIN CMS-----
+MIICWgYJKoZIhvcNAQcCoIICSzCCAkcCAQExCTAHBgUrDgMCGjBpBgkqhkiG9w0B
+BwGgXARaeyJyZXZva2VkIjpbeyJpZCI6IjdhY2ZjZmRhZjZhMTRhZWJlOTdjNjFj
+NTk0N2JjNGQzIiwiZXhwaXJlcyI6IjIwMTItMDgtMTRUMTc6NTg6NDhaIn1dfQ0K
+MYIByjCCAcYCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYD
+VQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3RhY2sx
+ETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVu
+c3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAHBgUrDgMCGjANBgkq
+hkiG9w0BAQEFAASCAQC2f05VHM7zjNT3TBO80AmZ00n7AEWUjbFe5nqIM8kWGM83
+01Bi3uU/nQ0daAd3tqCmDL2EfETAjD+xnIzjlN6eIA74Vy51wFD/KiyWYPWzw8mH
+WcATHmE4E8kLdt8NhUodCY9TCFxcHJNDR1Eai/U7hH+5O4p9HcmMjv/GWegZL6HB
+Up9Cxu6haxvPFmYylzM6Qt0Ad/WiO/JZLPTA4qXJEJSa9EMFMb0c2wSDSn30swJe
+7J79VTFktTr2djv8KFvaHr4vLFYv2Y3ZkTeHqam0m91vllxLZJUP5QTSHjjY6LFE
+5eEjIlOv9wOOm1uTtPIq6pxCugU1Wm7gstkqr55R
+-----END CMS-----
diff --git a/keystone-moon/examples/pki/gen_pki.sh b/keystone-moon/examples/pki/gen_pki.sh
new file mode 100755
index 00000000..65550265
--- /dev/null
+++ b/keystone-moon/examples/pki/gen_pki.sh
@@ -0,0 +1,221 @@
+#!/bin/bash
+
+# Copyright 2012 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This script generates the crypto necessary for the SSL tests.
+
+DIR=`dirname "$0"`
+CURRENT_DIR=`cd "$DIR" && pwd`
+CERTS_DIR=$CURRENT_DIR/certs
+PRIVATE_DIR=$CURRENT_DIR/private
+CMS_DIR=$CURRENT_DIR/cms
+
+
+function rm_old {
+ rm -rf $CERTS_DIR/*.pem
+ rm -rf $PRIVATE_DIR/*.pem
+}
+
+function cleanup {
+ rm -rf *.conf > /dev/null 2>&1
+ rm -rf index* > /dev/null 2>&1
+ rm -rf *.crt > /dev/null 2>&1
+ rm -rf newcerts > /dev/null 2>&1
+ rm -rf *.pem > /dev/null 2>&1
+ rm -rf serial* > /dev/null 2>&1
+}
+
+function generate_ca_conf {
+ echo '
+[ req ]
+default_bits = 2048
+default_keyfile = cakey.pem
+default_md = default
+
+prompt = no
+distinguished_name = ca_distinguished_name
+
+x509_extensions = ca_extensions
+
+[ ca_distinguished_name ]
+serialNumber = 5
+countryName = US
+stateOrProvinceName = CA
+localityName = Sunnyvale
+organizationName = OpenStack
+organizationalUnitName = Keystone
+emailAddress = keystone@openstack.org
+commonName = Self Signed
+
+[ ca_extensions ]
+basicConstraints = critical,CA:true
+' > ca.conf
+}
+
+function generate_ssl_req_conf {
+ echo '
+[ req ]
+default_bits = 2048
+default_keyfile = keystonekey.pem
+default_md = default
+
+prompt = no
+distinguished_name = distinguished_name
+
+[ distinguished_name ]
+countryName = US
+stateOrProvinceName = CA
+localityName = Sunnyvale
+organizationName = OpenStack
+organizationalUnitName = Keystone
+commonName = localhost
+emailAddress = keystone@openstack.org
+' > ssl_req.conf
+}
+
+function generate_cms_signing_req_conf {
+ echo '
+[ req ]
+default_bits = 2048
+default_keyfile = keystonekey.pem
+default_md = default
+
+prompt = no
+distinguished_name = distinguished_name
+
+[ distinguished_name ]
+countryName = US
+stateOrProvinceName = CA
+localityName = Sunnyvale
+organizationName = OpenStack
+organizationalUnitName = Keystone
+commonName = Keystone
+emailAddress = keystone@openstack.org
+' > cms_signing_req.conf
+}
+
+function generate_signing_conf {
+ echo '
+[ ca ]
+default_ca = signing_ca
+
+[ signing_ca ]
+dir = .
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/certs/cacert.pem
+serial = $dir/serial
+private_key = $dir/private/cakey.pem
+
+default_days = 21360
+default_crl_days = 30
+default_md = default
+
+policy = policy_any
+
+[ policy_any ]
+countryName = supplied
+stateOrProvinceName = supplied
+localityName = optional
+organizationName = supplied
+organizationalUnitName = supplied
+emailAddress = supplied
+commonName = supplied
+' > signing.conf
+}
+
+function setup {
+ touch index.txt
+ echo '10' > serial
+ generate_ca_conf
+ mkdir newcerts
+}
+
+function check_error {
+ if [ $1 != 0 ] ; then
+ echo "Failed! rc=${1}"
+ echo 'Bailing ...'
+ cleanup
+ exit $1
+ else
+ echo 'Done'
+ fi
+}
+
+function generate_ca {
+ echo 'Generating New CA Certificate ...'
+ openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
+ check_error $?
+}
+
+function ssl_cert_req {
+ echo 'Generating SSL Certificate Request ...'
+ generate_ssl_req_conf
+ openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
+ check_error $?
+ #openssl req -in req.pem -text -noout
+}
+
+function cms_signing_cert_req {
+ echo 'Generating CMS Signing Certificate Request ...'
+ generate_cms_signing_req_conf
+ openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
+ check_error $?
+ #openssl req -in req.pem -text -noout
+}
+
+function issue_certs {
+ generate_signing_conf
+ echo 'Issuing SSL Certificate ...'
+ openssl ca -in ssl_req.pem -config signing.conf -batch
+ check_error $?
+ openssl x509 -in $CURRENT_DIR/newcerts/10.pem -out $CERTS_DIR/ssl_cert.pem
+ check_error $?
+ echo 'Issuing CMS Signing Certificate ...'
+ openssl ca -in cms_signing_req.pem -config signing.conf -batch
+ check_error $?
+ openssl x509 -in $CURRENT_DIR/newcerts/11.pem -out $CERTS_DIR/signing_cert.pem
+ check_error $?
+}
+
+function create_middleware_cert {
+ cp $CERTS_DIR/ssl_cert.pem $CERTS_DIR/middleware.pem
+ cat $PRIVATE_DIR/ssl_key.pem >> $CERTS_DIR/middleware.pem
+}
+
+function check_openssl {
+ echo 'Checking openssl availability ...'
+ which openssl
+ check_error $?
+}
+
+function gen_sample_cms {
+ for json_file in "${CMS_DIR}/auth_token_revoked.json" "${CMS_DIR}/auth_token_unscoped.json" "${CMS_DIR}/auth_token_scoped.json" "${CMS_DIR}/revocation_list.json"; do
+ openssl cms -sign -in $json_file -nosmimecap -signer $CERTS_DIR/signing_cert.pem -inkey $PRIVATE_DIR/signing_key.pem -outform PEM -nodetach -nocerts -noattr -out ${json_file/.json/.pem}
+ done
+}
+
+check_openssl
+rm_old
+cleanup
+setup
+generate_ca
+ssl_cert_req
+cms_signing_cert_req
+issue_certs
+create_middleware_cert
+gen_sample_cms
+cleanup
diff --git a/keystone-moon/examples/pki/private/cakey.pem b/keystone-moon/examples/pki/private/cakey.pem
new file mode 100644
index 00000000..86ff4cfa
--- /dev/null
+++ b/keystone-moon/examples/pki/private/cakey.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCh1U+N3g2cjFi7
+GeVf21FIv8MDhughFCey9rysAuqFONSFYo2rectLgpDtVy4BFFUFlxmh8Ci9TEZ5
+LiA31tbc4584GxvlLt4dg8aFsUJRBKq0L9i7W5v9uFpHrY1Zr+P4vwG+v7IWOuzw
+19f517eGpp6LLcj2vrpN9Yb63rrydKOqr0KJodMd+vFKmi+euFcPqs6sw1OiC5Dp
+JN479CGl2Fs1WzMoKDedRNiXG7ysrVrYQIkfMBABBPIwilq1xXZz9Ybo0PbNgOu6
+xpSsy9hq+IzxcwYsr5CwIcbqW6Ju+Ti2iBEaff20lW7dFzO4kwrcqOr9Jnn7qE8Y
+fJo9Hyj3AgMBAAECggEAPeEVaTaF190mNGyDczKmEv4X8CpOag+N2nVT0SXQTJ5d
+TJ9RckbAwB+tkMLr+Uev9tI+39e3jCI1NDK56QAB6jYy9D4RXYGdNoXji80qgVYa
+e4lsAr/Vlp8+DfhDew6xSbSnUytzSeLAJJsznvmn2Bmvt6ILHKXzEMoYEabGrtvk
+0n31mmd6sszW6i1cYEhr3gK/VXaO4gM1oWit9aeIJDg3/D3UNUW7aoCTeCz91Gif
+87/JH3UIPEIt960jb3oV7ltajRSpiSOfefJFwz/2n09+/P/Sg1+SWAraqkqaLqhO
+zoslYSYUuOQv+j97iD/tDVBjiWR1TrzQjf/3noOl+QKBgQDTExaIe0YYI8KdBNZ6
+1cG3vztNWDh0PaP1n0n/bJYAGmAfxfn/gSrABXfeIAjy01f76EK2lPa/i8+DR7vL
+dJnUMO10OxaIZKr+OtR1XrMM6kREj6H5yHTNz0sJ3hDEfwJ1BndqwrXlCLAe7upe
+veXI9LVfPjPVmf8t9UwyxtaNiwKBgQDERzCGEuyKIeSfgytcdknJ0W+AbdkshC92
+tZQPbI35YOLac2/y7GMjjf5Xg5VJRIYwXAG8ha+61Tvd7+qCVdzNyYfyOoBEE69B
+Gc9UdpXRfIjxokfidqh7mIIfjFNSI/UyVmvL9wrregXPcM+s7OlLC/0O82gOcNxU
+GKF3oP5XxQKBgQCPZEZIjcZ+m7yYQzMZ26FwnL9Cug4QGdgLAx2YIkJ8624l568A
+ftV2AcD+67Boll8NSSoZM3W1htuAifjwLNRcLKkD7yhNnGX1tC2lVqI4weWC1jjp
+od6H+q01lOC7PLWEntH9ey1q3M4ZFaGunz89l9CnVXCNScLri9sqG56iJQKBgHOc
+50UiInhe7HbU4ZauClq5Za9FhRXGqtqGrDbFn38UBavdMUTq3p6Txgwwcp/coBoe
+J9uu90razU+2QPESuGPy4IPa17DB04pKNKiwzSC+9T83cpY/hJCAzazdkDqi+Yv0
+Abz7wE/h6Ug+T+WxCt3sqtvCnjlbWzyh4YJAr3BtAoGBAIibPCEfVOwOfMOXkhIb
+liRVVGNxXQa6MwGVVfyR9gmlM85IjcBjh+Tf5+v3Mo286OlzLXQjfYW5pXR5Mgaw
+bKe+z5AqJlOsA+lJGTyCNnPKwaXAYHt8dZ41WhgzekibHCx7EQ+8jH1jkz2Gwou6
+MDbnRu+e0FCyRFSuhB9Cim/K
+-----END PRIVATE KEY-----
diff --git a/keystone-moon/examples/pki/private/signing_key.pem b/keystone-moon/examples/pki/private/signing_key.pem
new file mode 100644
index 00000000..acf84761
--- /dev/null
+++ b/keystone-moon/examples/pki/private/signing_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDEwuiHTXfQoNQ7
+IXK0+YEVURd+pxJo0gPUFnYpOwfduTyu9FOBeo+Kc/+SS+6ZSKP/KyeIyc/XHBO5
+tIgPiLgAbRIRMF5Bva4+OzstCeGcgxkoditQZe/DwPc8V0s8rFE0owSnQIdvXT2G
+yWO3IGSdLgtwLX1XHmIgDiIteEnRXmdC2Sw1wbi2qlJkjK5isCfcADDgm/42wT/f
+92HHdBmI5b60gVOAam/PzR2rMjuA6TzevDgKMg+a+Y1LVfEGTdN1IyLKLsfHtJay
++vjFbSaNDn1r5Uq5c0uRykq8mPrqqkBLsbWSqSTNjFfObo743PHg0goYdrIYQ4wX
+ptxSJRylAgMBAAECggEBAIDQPVz/CXarI+ZGQotaYPisqx3+kN3QyDLcNaVOgRrW
+P3UmfVjh/QEeae3ECkONu9e8z9gMjyX7uqo0F3NcBWI6Bb79FGgjnuQc8OPOeUZ2
+yUyk+DxdT/eu5+04FQh2o387TjuU0lXFDBem1sI30cbZMyHQliMnwAPOXO+5tVH8
+PusGNBMVvoCyfnj52uVjmAjPqLXyOMcKEhuJFbhnUURKvzkHRf43SWQsb081eh2m
+ACQ7uNzX7vg3aPXxSZXY2+hHX67POdqosjddu6CfoXcEHAOAUujvTOFvd1gGRkRo
+uOi5hNQqcN5uaqeq9enVThINDyFMzngZBhMCzRTWeK0CgYEA4qUhB7lJZLt9niDW
+4Fudda1Pzu3XfxHsSG4D+xx5LunKb3ChG5x7PSLJvusfvnkm5fqhEEhbSVARo6Vn
+AAA52u5SPDDNwyk1ttvBR/Fc7eGwpbRQry2I6ui6baKiIOSV2K3vJlsSK8/GMQqu
+j0fstJuSvQR7Y6NUYxlWi+VNussCgYEA3j7tFAdGFc5JkeTHSzsU4h2+17uVDSSi
+yr7Duc9+9fwAbsO4go9x1CAOvV2r0WX10jPsTGg1d31pWLvJrS6QsAffmM+A0QIT
+eBX+umcavXWy69VExWa0xKU9wTE/nQvX9Fr8A+Klh/WfMcvoomK2zgOKoRSmes04
+WKYlHWsSaE8CgYBUYcZ6abG5n1SVmwRlY7asKWqdUE/7L2EZVlyFEYTMwp5r/zL8
+ZLY9fMZAHqoi8FhbJ4Tv2wChuv3WP66pgWwI5tIXNtRk5OLqwcakUmiW6IAsMYYY
+sotXam5+gx55wKFJmvh+/0k0ppbTi3aSQeUPGRz44sJNxnGUs8pVK3pVIQKBgQDD
+ga+lEtEAlbv6b7sx3wN79pbPyOBR84yRtkcPygzx74Gh7uL9V5rW9GyDAUgIqR0a
+kTqp7HI8b0KhIHFFu9TkRcjY8JFtS9o8pXy0FcdcK5H+DFq3HKag5ovwy5YeXTDY
+cMGJ2XOsqtIkSDCZySTvDgaBtVzOYoHS2jWEL5C92QKBgGmL2juXIB+HAi7UuKPg
+nWkVTikt5Zr2GNgYtso75E7+ljaRuf4D9eEBiOD1qYKQm8KvsiVzEs71BSmT1p1C
+b2hlM/5Crb7KumIkHTARQFr5NPwuBZ6NA6RLnd++vKi0WgOJtDAlR3bgwugfQdzZ
+4Isaq9Rgfa/EHCKB2weQ7c3r
+-----END PRIVATE KEY-----
diff --git a/keystone-moon/examples/pki/private/ssl_key.pem b/keystone-moon/examples/pki/private/ssl_key.pem
new file mode 100644
index 00000000..e2e68379
--- /dev/null
+++ b/keystone-moon/examples/pki/private/ssl_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5dpW18l3bs+Mc
+j/JdhaAa+qw1RJwShm06g+q38ZoCcCmRO3/XyHghgHWdVa+FKVm2ug923dE2PW4G
+SI1pZa3iqbT9Yj70nxN+0l94iym+v9/P7irolvo5OWBbBIJT1Ubjps5fJ//gz6Bd
+mwS0FuOy2qfKPnPhyBDH2VawtOgYMLk+PSG3YQh7vM2YvDALPTPz/f4qPmhQpb69
+KBJQElFXPQ9Nu0ABCPWWC2tN87L5pakFw5zq46pttSJ7Izc8MXh3KQrh9FvjmiQu
+RnkMvQ/g887Sp6nEJ22ABPEFhuRr89aup6wRD2CkA/8L3zSB5BV7tTK4hQiq07cT
+nV9Dv6bfAgMBAAECggEBAIB1K5L/kZUITulMptGyKUgmkjq/D98g7u0Vy/CmTkcc
+Cx6F+LGsL9D8mfplDBKOpo4S530sfKk1+Uwu2ovDGqKhazQJ5ZMnz6gK7Ieg1ERD
+wDDURTIeyKf0HtJMGD0av2QU+GIeYXQEO446PhLCu+n42zkQ8tDS8xSJbCsu0odV
+ok6+i7nEg9sP4uDfAAtM8CUJbRpFTha+m2a7pOz3ylU7/ZV4FDIgJ+FEynaphXAo
+bZE4MX5I7A4DDBp7/9g9HsgefByY4xiABuk7Rsyztyf2TrJEtcsVhiV4sCIIHsow
+u60KGEcTQWj4npBIMgW1QUdrwmAAh/35gOjt9ZndgTkCgYEA2yT5DmihjVaNF65B
+8VtdFcpESr8rr6FBmJ7z31m7MufeV1Inc5GqCK9agRmpr5sTYcgFB9it2IhW2WsA
+xHv+7J04bd9DBtgTv58GWrISsCR/abMZnJrm+F5Rafk77jwjCx/SwFj79ybI83Ia
+VJYMd7jqkxc00+DZT/3QWZqRrlsCgYEA2KeBBqUVdCpwNiJpgFM18HWjJx36HRk7
+YoFapXot/6R6A/rYmS+/goBZt2CWqqGtnXqWEZvH+v4L+WlUmYQrWwtoxpdR1oXz
+EmlCxN7D9MbRVR7QVW24h5zdwPOlbCTGoKzowOs8UEjMfQ81zoMinLmcJgHQSyzs
+OawgSF+DmM0CgYBQz26EELNaMktvKxQoE3/c9CyAv8Q1TKqqxBq8BxPP7s7/tkzU
+AigIcdlW+Aapue7IxQCN5yocShJ0tE+hJPRZfpR7d7P4xx9pLxQhx766c4sEiEXu
+iPSZK/artHuUG1r01DRcN7QabJP3qeDpxjcswuTFfu49H5IjPD5jfGsyNwKBgFjh
+bvdQ5lo/xsUOnQV+HZTGTeaQT7l8TnZ85rkYRKKp0TysvgsqIYDiMuwd/fGGXnlK
+fyI+LG51pmftpD1OkZLKPXOrRHGjhjK5aCDn2rAimGI5P/KsDpXj7r1ntyeEdtAX
+32y1lIrDMtDjWomcFqkBJGQbPl540Xhfeub1+EDJAoGAUZGPT2itKnxEFsa1SKHW
+yLeEsag/a9imAVyizo1WJn2WJaUhi1aHK49w6JRowIAzXXb7zLQt7BL8v+ydPVw3
+eySpXGqFuN/Prm3So0SeWllWcPsKFAzjgE0CWjNuB0GlAZGOaJOcWUNoOZjX/SDC
+FpolIoaSad28tGc8tbEk3fU=
+-----END PRIVATE KEY-----