From: Tony Mack Date: Mon, 22 Nov 2010 17:07:19 +0000 (-0500) Subject: validate credential against RelaxNG schema X-Git-Tag: sfa-1.0-9~18 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=0a66778726ca275748674740f4334aea731eb84c;p=sfa.git validate credential against RelaxNG schema --- diff --git a/sfa/trust/credential.rnc b/sfa/trust/credential.rnc new file mode 100644 index 00000000..b61012c8 --- /dev/null +++ b/sfa/trust/credential.rnc @@ -0,0 +1,98 @@ +# +# EMULAB-COPYRIGHT +# Copyright (c) 2008 University of Utah and the Flux Group. +# All rights reserved. +# + +# ProtoGENI credential and privilege specification. The key points: +# +# * A credential is a set of privileges or a Ticket, each with a flag +# to indicate delegation is permitted. +# * A credential is signed and the signature included in the body of the +# document. +# * To support delegation, a credential will include its parent, and that +# blob will be signed. So, there will be multiple signatures in the +# document, each with a reference to the credential it signs. +# +#default namespace = "http://www.protogeni.net/resources/credential/0.1" + +namespace sig = "http://www.w3.org/2000/09/xmldsig#" +datatypes xs = "http://www.w3.org/2001/XMLSchema-datatypes" +anyelementbody = (attribute * {text} | text | element * {anyelementbody} )* + +# This is where we get the definition of RSpec from +include "../rspec/protogeni-rspec-common.rnc" + +## Representation of a single privileges. +PrivilegeSpec = element privilege { + # Name of the privilege. + element name { xsd:string { minLength = "1" }}, + # Flag indicating this privilege can be delegated + element can_delegate { xsd:boolean } +} + +## A set of privileges. +PrivilegesSpec = element privileges { + PrivilegeSpec* +} + +## Backwards compat my original credential spec. +CapabilitySpec = element capability { + # Name of the capability. + element name { xsd:string { minLength = "1" }}, + # Flag indicating this capability can be delegated + element can_delegate { "0" | "1" } +} +## Backwards compat my original credential spec. +CapabilitiesSpec = element capabilities { + CapabilitySpec* +} + +## Define a stub for future ticket. +TicketSpec = element ticket { + ## Can the ticket be delegated? + element can_delegate { xsd:boolean }, + ## The ticket must be "cashed in" by this date + element redeem_before { xsd:dateTime }, + ## A desciption of the resources that are being promised + # Note: What I really want to do here is reference RSpec as being + # in a separate namespace. But, it's not clear to me how to do this, + # so we basically just use by inclusion + anyelementbody +} + +## A list of signatures. +signatures = element signatures { + element sig:Signature { anyelementbody }+ +} + +## A credential granting privileges or a ticket. +credentials = element credential { + ## The ID for signature referencing. + attribute xml:id {xs:ID}, + ## The type of this credential. Currently a Privilege set or a Ticket. + element type { "privilege" | "ticket" | "capability" }, + ## A serial number. + element serial { xsd:string }, + ## GID of the owner of this credential. + element owner_gid { xsd:string }, + ## GID of the target of this credential. + element target_gid { xsd:string }, + ## UUID of this credential + element uuid { xsd:string }, + ## Expires on + element expires { xsd:dateTime }, + ## Privileges or a ticket + (PrivilegesSpec | TicketSpec | CapabilitiesSpec), + ## Optional Extensions + element extensions { anyelementbody }*, + ## Parent that delegated to us + element parent { credentials }? +} + +SignedCredential = element signed-credential { + credentials, + signatures? +} + +start = SignedCredential