git://git.onelab.eu / sfa.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
validate credential against XSD schema instead of RelaxNG
[sfa.git] / sfa / trust / credential.xsd
diff --git a/sfa/trust/credential.xsd b/sfa/trust/credential.xsd
new file mode 100644 (file)
index 0000000..c115211
--- /dev/null
+++ b/sfa/trust/credential.xsd
@@ -0,0 +1,214 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  
+  GENIPUBLIC-COPYRIGHT
+  Copyright (c) 2008-2009 University of Utah and the Flux Group.
+  All rights reserved.
+  
+-->
+<!--
+  ProtoGENI credential and privilege specification. The key points:
+  
+  * A credential is a set of privileges or a Ticket, each with a flag
+    to indicate delegation is permitted.
+  * A credential is signed and the signature included in the body of the
+    document.
+  * To support delegation, a credential will include its parent, and that
+    blob will be signed. So, there will be multiple signatures in the
+    document, each with a reference to the credential it signs.
+  
+  default namespace = "http://www.protogeni.net/resources/credential/0.1"
+-->
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
+  <xs:include schemaLocation="protogeni-rspec-common.xsd"/>
+  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
+  <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
+  <xs:group name="anyelementbody">
+    <xs:sequence>
+      <xs:any minOccurs="0" maxOccurs="unbounded" processContents="skip"/>
+    </xs:sequence>
+  </xs:group>
+  <xs:attributeGroup name="anyelementbody">
+    <xs:anyAttribute processContents="skip"/>
+  </xs:attributeGroup>
+  <!-- This is where we get the definition of RSpec from -->
+  <xs:element name="privilege">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element ref="name"/>
+        <xs:element name="can_delegate" type="xs:boolean"/>
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="name">
+    <xs:simpleType>
+      <xs:restriction base="xs:string">
+        <xs:minLength value="1"/>
+      </xs:restriction>
+    </xs:simpleType>
+  </xs:element>
+  <xs:element name="privileges">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element minOccurs="0" maxOccurs="unbounded" ref="privilege"/>
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="capability">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element ref="name"/>
+        <xs:element name="can_delegate">
+          <xs:simpleType>
+            <xs:restriction base="xs:token">
+              <xs:enumeration value="0"/>
+              <xs:enumeration value="1"/>
+            </xs:restriction>
+          </xs:simpleType>
+        </xs:element>
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="capabilities">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element minOccurs="0" maxOccurs="unbounded" ref="capability"/>
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="ticket">
+    <xs:complexType mixed="true">
+      <xs:sequence>
+        <xs:element name="can_delegate" type="xs:boolean">
+          <xs:annotation>
+            <xs:documentation>Can the ticket be delegated?</xs:documentation>
+          </xs:annotation>
+        </xs:element>
+        <xs:element ref="redeem_before"/>
+        <xs:group ref="anyelementbody">
+          <xs:annotation>
+            <xs:documentation>A desciption of the resources that are being promised</xs:documentation>
+          </xs:annotation>
+        </xs:group>
+      </xs:sequence>
+      <xs:attributeGroup ref="anyelementbody"/>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="redeem_before" type="xs:dateTime">
+    <xs:annotation>
+      <xs:documentation>The ticket must be "cashed in" by this date </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="signatures">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element maxOccurs="unbounded" ref="sig:Signature"/>
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+  <xs:complexType name="credentials">
+    <xs:annotation>
+      <xs:documentation>A credential granting privileges or a ticket.</xs:documentation>
+    </xs:annotation>
+    <xs:sequence>
+      <xs:element ref="credential"/>
+    </xs:sequence>
+  </xs:complexType>
+  <xs:element name="credential">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element ref="type"/>
+        <xs:element ref="serial"/>
+        <xs:element ref="owner_gid"/>
+        <xs:element minOccurs="0" ref="owner_urn"/>
+        <xs:element ref="target_gid"/>
+        <xs:element minOccurs="0" ref="target_urn"/>
+        <xs:element ref="uuid"/>
+        <xs:element ref="expires"/>
+        <xs:choice>
+          <xs:annotation>
+            <xs:documentation>Privileges or a ticket</xs:documentation>
+          </xs:annotation>
+          <xs:element ref="privileges"/>
+          <xs:element ref="ticket"/>
+          <xs:element ref="capabilities"/>
+        </xs:choice>
+        <xs:element minOccurs="0" maxOccurs="unbounded" ref="extensions"/>
+        <xs:element minOccurs="0" ref="parent"/>
+      </xs:sequence>
+      <xs:attribute ref="xml:id" use="required"/>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="type">
+    <xs:annotation>
+      <xs:documentation>The type of this credential. Currently a Privilege set or a Ticket.</xs:documentation>
+    </xs:annotation>
+    <xs:simpleType>
+      <xs:restriction base="xs:token">
+        <xs:enumeration value="privilege"/>
+        <xs:enumeration value="ticket"/>
+        <xs:enumeration value="capability"/>
+      </xs:restriction>
+    </xs:simpleType>
+  </xs:element>
+  <xs:element name="serial" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>A serial number.</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="owner_gid" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>GID of the owner of this credential. </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="owner_urn" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>URN of the owner. Not everyone can parse DER</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="target_gid" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>GID of the target of this credential. </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="target_urn" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>URN of the target.</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="uuid" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>UUID of this credential</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="expires" type="xs:dateTime">
+    <xs:annotation>
+      <xs:documentation>Expires on</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="extensions">
+    <xs:annotation>
+      <xs:documentation>Optional Extensions</xs:documentation>
+    </xs:annotation>
+    <xs:complexType mixed="true">
+      <xs:group ref="anyelementbody"/>
+      <xs:attributeGroup ref="anyelementbody"/>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="parent" type="credentials">
+    <xs:annotation>
+      <xs:documentation>Parent that delegated to us</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="signed-credential">
+    <xs:complexType>
+      <xs:complexContent>
+        <xs:extension base="credentials">
+          <xs:sequence>
+            <xs:element minOccurs="0" ref="signatures"/>
+          </xs:sequence>
+        </xs:extension>
+      </xs:complexContent>
+    </xs:complexType>
+  </xs:element>
+</xs:schema>
sfa