<?xml version="1.0" encoding="UTF-8"?>
<!--
  
  EMULAB-COPYRIGHT
  Copyright (c) 2008 University of Utah and the Flux Group.
  All rights reserved.
  
-->
<!--
  ProtoGENI credential and capability specification. The key points:
  
  * A credential holds either a set of capabilities or a Ticket, each carrying
    a flag that indicates whether delegation is permitted.
  * A credential is signed and the signature included in the body of the
    document.
  * To support delegation, a credential will include its parent, and that
    blob will be signed. So, there will be multiple signatures in the
    document, each with a reference to the credential it signs.
  
-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
  <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
  <!--
    Open-content particle used for the ticket body. namespace="##any" is the
    default and is spelled out here so the scope is visible: elements from any
    namespace (including the no-namespace this schema itself lives in) are
    accepted, and processContents="skip" means none of them is validated.
  -->
  <xs:group name="anyelementbody">
    <xs:sequence>
      <xs:any namespace="##any" processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:group>
  <!--
    Companion attribute wildcard for the ticket body: any attribute from any
    namespace is accepted and, because of processContents="skip", never
    validated. namespace="##any" is the default, written out for clarity.
  -->
  <xs:attributeGroup name="anyelementbody">
    <xs:anyAttribute namespace="##any" processContents="skip"/>
  </xs:attributeGroup>
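  <!--
    Shared type for the delegation flag carried by both "capability" and
    "ticket". Per the header comment the flag says whether delegation is
    permitted: "1" permits it, "0" does not. Declared once so the two
    elements cannot drift apart (they were previously two identical inline
    restrictions).
  -->
  <xs:simpleType name="can_delegate_type">
    <xs:restriction base="xs:token">
      <xs:enumeration value="0"/>
      <xs:enumeration value="1"/>
    </xs:restriction>
  </xs:simpleType>
  <!-- One named capability together with its delegation flag. -->
  <xs:element name="capability">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="capability_name"/>
        <xs:element name="can_delegate" type="can_delegate_type"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!--
    Capability names are free-form text; the only constraint enforced here is
    that they are non-empty. No vocabulary of valid names is expressed in this
    schema, so consumers must check the name against their own set.
  -->
  <xs:element name="capability_name">
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:minLength value="1"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>
  <!-- Container for zero or more capabilities; an empty set is schema-valid. -->
  <xs:element name="capabilities">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="capability" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!--
    A ticket: its delegation flag followed by an opaque body. The body
    elements and all attributes come from the "anyelementbody" wildcards with
    processContents="skip", and the type is mixed, so nothing after
    "can_delegate" is validated by this schema. Consumers must validate the
    ticket payload separately and must not read schema validity as a statement
    about its contents.
  -->
  <xs:element name="ticket">
    <xs:complexType mixed="true">
      <xs:sequence>
        <xs:element name="can_delegate" type="can_delegate_type">
          <xs:annotation>
            <xs:documentation>Can the ticket be delegated?</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:group ref="anyelementbody"/>
      </xs:sequence>
      <xs:attributeGroup ref="anyelementbody"/>
    </xs:complexType>
  </xs:element>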
  <!--
    One or more XML-DSig signatures. minOccurs="1" is the default and is
    written out so the "at least one signature" requirement is visible. Per
    the header comment each signature covers one credential in the document;
    which one is determined by the signature's own reference, not by this
    schema.
  -->
  <xs:element name="signatures">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="sig:Signature" minOccurs="1" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!--
    Despite the plural name this type wraps exactly one "credential" element.
    It is the type of "parent" (the delegating credential) and the base that
    "signed-credential" extends, so the same shape recurs at every level of a
    delegation chain.
  -->
  <xs:complexType name="credentials">
    <xs:annotation>
      <xs:documentation>A credential granting capabilities or a ticket.</xs:documentation>
    </xs:annotation>
    <xs:sequence>
      <xs:element ref="credential"/>
    </xs:sequence>
  </xs:complexType>
  <!--
    A single credential: its declared type, owner and own identifier, then
    either a capability set or a ticket, and optionally the parent it was
    delegated from.

    xml:id is mandatory so that a signature can reference this element (see
    the header comment). The schema cannot tie a signature's reference to a
    particular element, so a verifier must confirm that the subtree a
    signature actually covers is the credential being relied on.

    "type" and the choice below are not cross-checked here: a document whose
    "type" says "ticket" but whose child is "capabilities" is schema-valid.
  -->
  <xs:element name="credential">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="type"/>
        <xs:element ref="owner_uuid"/>
        <xs:element ref="this_uuid"/>
        <xs:choice>
          <xs:annotation>
            <xs:documentation>Capabilities or a ticket</xs:documentation>
          </xs:annotation>
          <xs:element ref="capabilities"/>
          <xs:element ref="ticket"/>
        </xs:choice>
        <!-- Absent for a root credential; present for every delegated one. -->
        <xs:element minOccurs="0" ref="parent"/>
      </xs:sequence>
      <xs:attribute ref="xml:id" use="required"/>
    </xs:complexType>
  </xs:element>
  <!--
    Declared kind of the credential. Nothing in this schema binds the value to
    the capabilities/ticket choice inside "credential"; consumers should reject
    a document whose "type" disagrees with the child actually present.
  -->
  <xs:element name="type">
    <xs:annotation>
      <xs:documentation>The type of this credential. Currently a Capability set or a Ticket.</xs:documentation>
    </xs:annotation>
    <xs:simpleType>
      <xs:restriction base="xs:token">
        <xs:enumeration value="capability"/>
        <xs:enumeration value="ticket"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>
  <!--
    Plain xs:string: no UUID syntax (or even non-emptiness) is enforced here,
    so consumers should format-check the value before using it as a lookup
    key or embedding it anywhere else.
  -->
  <xs:element name="owner_uuid" type="xs:string">
    <xs:annotation>
      <xs:documentation>UUID of the owner of this credential. </xs:documentation>
    </xs:annotation>
  </xs:element>
  <!--
    Plain xs:string, like owner_uuid: no UUID syntax is enforced and the
    schema does not require it to be unique across a delegation chain, so
    consumers must validate and de-duplicate it themselves.
  -->
  <xs:element name="this_uuid" type="xs:string">
    <xs:annotation>
      <xs:documentation>UUID of this credential</xs:documentation>
    </xs:annotation>
  </xs:element>
  <!--
    The credential this one was delegated from. Because "credential" may in
    turn contain a "parent", chains are recursive and their depth is not
    bounded by this schema; a verifier should cap chain depth and check the
    delegation flag and signature of every link, not only the outermost one.
  -->
  <xs:element name="parent" type="credentials">
    <xs:annotation>
      <xs:documentation>Parent that delegated to us</xs:documentation>
    </xs:annotation>
  </xs:element>
  <!--
    Top-level element for a signed document: the "credentials" content (one
    credential, with any delegation chain nested under "parent") followed by
    "signatures". Schema validity does not imply that the signatures verify or
    that each signature references the credential it is meant to cover; the
    header comment describes that binding, and checking it is the verifier's
    job, not the validator's.
  -->
  <xs:element name="signed-credential">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="credentials">
          <xs:sequence>
            <xs:element ref="signatures"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>
</xs:schema>