From 746fe9d80e49c934d138356122f697a123c5d6ee Mon Sep 17 00:00:00 2001
From: "Leigh B. Stoller" <stoller@flux.utah.edu>
Date: Mon, 22 Sep 2008 15:54:14 +0000
Subject: [PATCH] Sync up with the trunk wrt credential.rnc (I had been on
 revision 1.2 for a while). I am still not using the actual rspec definition
 yet, still using my adhoc one.

---
 protogeni/etc/protogeni.sql                   |  13 +-
 protogeni/lib/GeniCredential.pm.in            |  69 ++++++++--
 protogeni/lib/GeniSliver.pm.in                |  10 +-
 protogeni/lib/GeniTicket.pm.in                |  44 ++++++-
 protogeni/protogeni.sql                       |  13 +-
 protogeni/security/GNUmakefile.in             |   3 +-
 protogeni/security/credential.rnc             |  28 +++-
 protogeni/security/credential.xsd             |  88 ++++++++++---
 protogeni/security/protogeni-rspec-common.xsd |  22 ++--
 protogeni/security/sig.xsd                    |  11 +-
 protogeni/security/top.xsd                    | 124 ++++++++----------
 protogeni/security/xml.xsd                    |   4 +-
 12 files changed, 288 insertions(+), 141 deletions(-)

diff --git a/protogeni/etc/protogeni.sql b/protogeni/etc/protogeni.sql
index a5102a034..dea30c8b9 100644
--- a/protogeni/etc/protogeni.sql
+++ b/protogeni/etc/protogeni.sql
@@ -100,6 +100,7 @@ CREATE TABLE `geni_slices` (
   `hrn` varchar(256) NOT NULL default '',
   `idx` mediumint(8) unsigned NOT NULL default '0',
   `uuid` varchar(40) NOT NULL default '',
+  `exptidx` int(11) default NULL,
   `created` datetime default NULL,
   `creator_uuid` varchar(40) NOT NULL default '',
   `name` tinytext,
@@ -117,6 +118,8 @@ DROP TABLE IF EXISTS `geni_slivers`;
 CREATE TABLE `geni_slivers` (
   `idx` mediumint(8) unsigned NOT NULL default '0',
   `uuid` varchar(40) NOT NULL default '',
+  `hrn` varchar(256) NOT NULL default '',
+  `name` varchar(256) NOT NULL default '',
   `slice_uuid` varchar(40) NOT NULL default '',
   `creator_uuid` varchar(40) NOT NULL default '',
   `resource_uuid` varchar(40) NOT NULL default '',
@@ -125,7 +128,7 @@ CREATE TABLE `geni_slivers` (
   `credential_idx` int(10) unsigned default NULL,
   `component_uuid` varchar(40) default NULL,
   `aggregate_uuid` varchar(40) default NULL,
-  `status` enum('ready','broken') NOT NULL default 'ready',
+  `status` enum('created','ready','broken') NOT NULL default 'created',
   `rspec_string` text,
   PRIMARY KEY  (`idx`),
   UNIQUE KEY `uuid` (`uuid`),
@@ -138,6 +141,8 @@ CREATE TABLE `geni_slivers` (
 DROP TABLE IF EXISTS `geni_aggregates`;
 CREATE TABLE `geni_aggregates` (
   `idx` mediumint(8) unsigned NOT NULL default '0',
+  `hrn` varchar(256) NOT NULL default '',
+  `name` varchar(256) NOT NULL default '',
   `uuid` varchar(40) NOT NULL default '',
   `type` varchar(40) NOT NULL default '',
   `slice_uuid` varchar(40) NOT NULL default '',
@@ -147,7 +152,7 @@ CREATE TABLE `geni_aggregates` (
   `ticket_idx` int(10) unsigned default NULL,
   `component_idx` int(10) unsigned NOT NULL default '0',
   `aggregate_idx` int(10) unsigned default NULL,
-  `status` enum('ready','broken') NOT NULL default 'ready',
+  `status` enum('created','ready','broken') NOT NULL default 'created',
   PRIMARY KEY  (`idx`),
   UNIQUE KEY `uuid` (`uuid`),
   INDEX `slice_uuid` (`slice_uuid`)
@@ -159,12 +164,13 @@ CREATE TABLE `geni_aggregates` (
 DROP TABLE IF EXISTS `geni_tickets`;
 CREATE TABLE `geni_tickets` (
   `idx` mediumint(8) unsigned NOT NULL default '0',
+  `ticket_uuid` varchar(40) NOT NULL default '',
   `owner_uuid` varchar(40) NOT NULL default '',
   `slice_uuid` varchar(40) NOT NULL default '',
   `created` datetime default NULL,
   `redeem_before` datetime default NULL,
   `valid_until` datetime default NULL,
-  `component_idx` int(10) unsigned NOT NULL default '0',
+  `component_uuid` varchar(40) NOT NULL default '',
   `seqno` int(10) unsigned NOT NULL default '0',
   `ticket_string` text,
   PRIMARY KEY  (`idx`), 
@@ -179,6 +185,7 @@ CREATE TABLE `geni_tickets` (
 DROP TABLE IF EXISTS `geni_credentials`;
 CREATE TABLE `geni_credentials` (
   `idx` mediumint(8) unsigned NOT NULL default '0',
+  `uuid` varchar(40) NOT NULL default '',
   `owner_uuid` varchar(40) NOT NULL default '',
   `this_uuid` varchar(40) NOT NULL default '',
   `created` datetime default NULL,
diff --git a/protogeni/lib/GeniCredential.pm.in b/protogeni/lib/GeniCredential.pm.in
index a2c7a5b0f..05744ddd4 100644
--- a/protogeni/lib/GeniCredential.pm.in
+++ b/protogeni/lib/GeniCredential.pm.in
@@ -112,6 +112,8 @@ sub Create($$$$)
     my $self = {};
     $self->{'target'}        = $target;
     $self->{'owner'}         = $owner;
+    $self->{'uuid'}          = undef;
+    $self->{'cert'}          = undef;
     $self->{'target_uuid'}   = $target->uuid();
     $self->{'target_cert'}   = $target->cert();
     $self->{'owner_uuid'}    = $owner->uuid();
@@ -126,6 +128,8 @@ sub Create($$$$)
 # accessors
 sub field($$)           { return ($_[0]->{$_[1]}); }
 sub idx($)		{ return field($_[0], "idx"); }
+sub uuid($)		{ return field($_[0], "uuid"); }
+sub cert($)		{ return field($_[0], "cert"); }
 sub hrn($)		{ return field($_[0], "hrn"); }
 sub target($)		{ return field($_[0], "target"); }
 sub owner($)		{ return field($_[0], "owner"); }
@@ -208,14 +212,13 @@ sub CreateFromSigned($$;$)
     }
 
     # Dig out the capabilities
-    my ($cap_node) = $doc->getElementsByTagName("capabilities");
+    my ($cap_node) = $doc->getElementsByTagName("privileges");
     return undef
 	if (!defined($cap_node));
     my $capabilities = XMLin($cap_node->toString(), ForceArray => 0);
 
-    # Dig out the slice uuid. Locally, I am not sure if we bother to
-    # keep slices in the DB (they are in the DB at geni central).
-    my ($uuid_node) = $doc->getElementsByTagName("this_uuid");
+    # UUID of the credential.
+    my ($uuid_node) = $doc->getElementsByTagName("uuid");
     return undef
 	if (!defined($uuid_node));
     my $this_cert = $uuid_node->to_literal();
@@ -228,6 +231,21 @@ sub CreateFromSigned($$;$)
 	return undef;
     }
 
+    # Dig out the slice uuid. Locally, I am not sure if we bother to
+    # keep slices in the DB (they are in the DB at geni central).
+    ($uuid_node) = $doc->getElementsByTagName("target_uuid");
+    return undef
+	if (!defined($uuid_node));
+    my $target_cert = $uuid_node->to_literal();
+    my $target_uuid;
+    GeniCertificate->CertificateInfo($target_cert, \$target_uuid) == 0
+	or return undef;
+
+    if (! ($target_uuid =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/)) {
+	print STDERR "Invalid target_uuid in credential\n";
+	return undef;
+    }
+
     # Dig out the hrn.
     my ($hrn_node) = $doc->getElementsByTagName("hrn");
     return undef
@@ -251,8 +269,10 @@ sub CreateFromSigned($$;$)
 
     my $self = {};
     $self->{'capabilities'}  = $capabilities;
-    $self->{'target_uuid'}   = $this_uuid;
-    $self->{'target_cert'}   = $this_cert;
+    $self->{'uuid'}          = $this_uuid;
+    $self->{'cert'}          = $this_cert;
+    $self->{'target_uuid'}   = $target_uuid;
+    $self->{'target_cert'}   = $target_cert;
     $self->{'owner_uuid'}    = $owner_uuid;
     $self->{'hrn'}	     = $hrn;
     $self->{'string'}        = $string;
@@ -275,8 +295,11 @@ sub Delete($)
 	if (! ref($self));
 
     if (defined($self->idx())) {
-	my $idx = $self->idx();
+	my $idx  = $self->idx();
+	my $uuid = $self->uuid();
 	
+	DBQueryWarn("delete from geni_certificates where uuid='$uuid'")
+	    or return -1;
 	DBQueryWarn("delete from geni_credentials where idx='$idx'")
 	    or return -1;
     }
@@ -298,14 +321,32 @@ sub Sign($$)
 	$self->AddCapability("*", 0);
     }
     # This little wrapup is for xmlout.
-    my $capabilities = {"capability" => $self->capabilities()};
-    my $cap_xml = XMLout($capabilities, "NoAttr" => 1);
-    $cap_xml =~ s/opt\>/capabilities\>/g;
+    my $cap_xml = "<privileges>\n";
+    foreach my $cap (keys(%{ $self->capabilities() })) {
+	my $can_delegate = $self->capabilities()->{$cap}->{'can_delegate'};
+	$cap_xml .= "<privilege>";
+	$cap_xml .= "<name>$cap</name>";
+	$cap_xml .= "<can_delegate>$can_delegate</can_delegate>";
+	$cap_xml .= "</privilege>\n";
+    }
+    $cap_xml .= "</privileges>\n";
 
     # Every one gets a new unique index, which is used in the xml:id below.
     my $idx = TBGetUniqueIndex('next_ticket', 1);
     my $hrn = $self->hrn();
 
+    #
+    # Every ticket/credential its own uuid (certificate).
+    #
+    my $certificate = GeniCertificate->Create("credential");
+    if (!defined($certificate)) {
+	print STDERR "Could not generate new certificate for $self!\n";
+	return -1;
+    }
+    $self->{'cert'} = $certificate->cert();
+    $self->{'uuid'} = $certificate->uuid();
+    my $cred_cert   = $certificate->cert();
+
     #
     # Need the certificates for target and owner of the credential.
     #
@@ -327,11 +368,11 @@ sub Sign($$)
     my $template =
 	"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n".
 	"<credential xml:id=\"ref1\">\n".
-	" <type>capability</type>\n".
+	" <type>privilege</type>\n".
 	" <serial>$idx</serial>\n".
 	" <owner_uuid>$owner_cert</owner_uuid>\n".
 	" <target_uuid>$target_cert</target_uuid>\n".
-	" <this_uuid>$target_cert</this_uuid>\n".
+	" <uuid>$cred_cert</uuid>\n".
 	" <hrn>$hrn</hrn>\n".
 	" <expires>2008-05-10T09:00:00</expires>\n".
 	"  $cap_xml\n".
@@ -409,14 +450,16 @@ sub Store($)
     # Every credential store gets a new unique index.
     my $idx = TBGetUniqueIndex('next_ticket', 1);
     
-    my $this_uuid  = $self->this_uuid();
+    my $this_uuid  = $self->target_uuid();
     my $owner_uuid = $self->owner_uuid();
+    my $uuid       = $self->uuid();
 
     # Now tack on other stuff we need.
     push(@insert_data, "created=now()");
     push(@insert_data, "idx='$idx'");
     push(@insert_data, "this_uuid='$this_uuid'");
     push(@insert_data, "owner_uuid='$owner_uuid'");
+    push(@insert_data, "uuid='$uuid'");
     
     my $safe_credential = DBQuoteSpecial($self->asString());
     push(@insert_data, "credential_string=$safe_credential");
diff --git a/protogeni/lib/GeniSliver.pm.in b/protogeni/lib/GeniSliver.pm.in
index dae5ba7fe..79e04ed24 100644
--- a/protogeni/lib/GeniSliver.pm.in
+++ b/protogeni/lib/GeniSliver.pm.in
@@ -678,7 +678,7 @@ sub Create($$$$$)
     my $experiment = $slice->GetExperiment();
     if (!defined($experiment)) {
 	print STDERR "Could not map $slice to its experiment\n";
-	return -1;
+	return undef;
     }
 
     #
@@ -689,17 +689,17 @@ sub Create($$$$$)
     my $node = Node->Lookup($resource_uuid);
     if (!defined($node)) {
 	print STDERR "Could not map node $resource_uuid to its object\n";
-	return -1;
+	return undef;
     }
     my $reservation = $node->Reservation();
     if (!defined($reservation)) {
 	print STDERR "$node was already released from $slice\n";
-	return -1;
+	return undef;
     }
     if (! $reservation->SameExperiment($experiment)) {
 	print STDERR "$node is reserved to another, not $reservation\n";
 	# Signal error so we can look at what happened.
-	return -1;
+	return undef;
     }
     
     #
@@ -719,7 +719,7 @@ sub Create($$$$$)
 				"nodeid"   => $node->node_id(),
 				"verbose"  => 1 }) < 0) {
 	    print STDERR "Could not create fake jail node on $node\n";
-	    return -1;
+	    return undef;
 	}
 	my $vnode = Node->Lookup($vnodes[0]);
 	$uuid = $vnode->uuid();
diff --git a/protogeni/lib/GeniTicket.pm.in b/protogeni/lib/GeniTicket.pm.in
index c27db9c00..134aa40e4 100644
--- a/protogeni/lib/GeniTicket.pm.in
+++ b/protogeni/lib/GeniTicket.pm.in
@@ -98,6 +98,8 @@ sub Create($$$$)
     
     my $self = {};
     $self->{'rspec'}         = $rspec;
+    $self->{'ticket_cert'}   = undef;
+    $self->{'ticket_uuid'}   = undef;
     $self->{'slice_uuid'}    = $slice->uuid();
     $self->{'owner_uuid'}    = $owner->uuid();
     $self->{'slice_cert'}    = $slice->cert();
@@ -129,6 +131,8 @@ sub slice_uuid($)	{ return field($_[0], "slice_uuid"); }
 sub owner_uuid($)	{ return field($_[0], "owner_uuid"); }
 sub slice_cert($)	{ return field($_[0], "slice_cert"); }
 sub owner_cert($)	{ return field($_[0], "owner_cert"); }
+sub ticket_cert($)	{ return field($_[0], "ticket_cert"); }
+sub ticket_uuid($)	{ return field($_[0], "ticket_uuid"); }
 sub ticket($)		{ return field($_[0], "ticket"); }
 sub asString($)		{ return field($_[0], "ticket_string"); }
 sub ticket_string($)	{ return field($_[0], "ticket_string"); }
@@ -200,9 +204,23 @@ sub CreateFromSignedTicket($$;$$)
     my $rspec = XMLin($rspec_node->toString(), ForceArray => ["node",
 							      "link"]);
 
+    # Dig out the ticket uuid.
+    my ($uuid_node) = $doc->getElementsByTagName("uuid");
+    return undef
+	if (!defined($uuid_node));
+    my $ticket_cert = $uuid_node->to_literal();
+    my $ticket_uuid;
+    GeniCertificate->CertificateInfo($ticket_cert, \$ticket_uuid) == 0
+	or return undef;
+
+    if (! ($ticket_uuid =~ /^\w+\-\w+\-\w+\-\w+\-\w+$/)) {
+	print STDERR "Invalid uuid in ticket\n";
+	return undef;
+    }
+
     # Dig out the slice uuid. Locally, I am not sure if we bother to
     # keep slices in the DB (they are in the DB at geni central).
-    my ($uuid_node) = $doc->getElementsByTagName("this_uuid");
+    my ($uuid_node) = $doc->getElementsByTagName("target_uuid");
     return undef
 	if (!defined($uuid_node));
     my $slice_cert = $uuid_node->to_literal();
@@ -243,6 +261,8 @@ sub CreateFromSignedTicket($$;$$)
     my $self = {};
     $self->{'idx'}           = undef;
     $self->{'rspec'}         = $rspec;
+    $self->{'ticket_cert'}   = $ticket_cert;
+    $self->{'ticket_uuid'}   = $ticket_uuid;
     $self->{'slice_uuid'}    = $slice_uuid;
     $self->{'owner_uuid'}    = $owner_uuid;
     $self->{'slice_cert'}    = $slice_cert;
@@ -284,8 +304,11 @@ sub Delete($)
 	if (! ref($self));
 
     if ($self->stored()) {
-	my $idx = $self->idx();
+	my $idx  = $self->idx();
+	my $uuid = $self->ticket_uuid();
 	
+	DBQueryWarn("delete from geni_certificates where uuid='$uuid'")
+	    or return -1;
 	DBQueryWarn("delete from geni_tickets where idx='$idx'")
 	    or return -1;
 	
@@ -323,6 +346,7 @@ sub Store($)
     my $seqno      = $self->seqno();
     my $slice_uuid = $self->slice_uuid();
     my $owner_uuid = $self->owner_uuid();
+    my $ticket_uuid= $self->ticket_uuid();
 
     #
     # For a locally created/signed ticket, seqno=idx. For a ticket from
@@ -341,6 +365,7 @@ sub Store($)
     push(@insert_data, "created=now()");
     push(@insert_data, "idx='$idx'");
     push(@insert_data, "seqno='$seqno'");
+    push(@insert_data, "ticket_uuid='$ticket_uuid'");
     push(@insert_data, "slice_uuid='$slice_uuid'");
     push(@insert_data, "owner_uuid='$owner_uuid'");
     
@@ -374,6 +399,18 @@ sub Sign($)
     my $rspec_xml  = XMLout($self->rspec(), "NoAttr" => 1);
     $rspec_xml =~ s/opt\>/rspec\>/g;
 
+    #
+    # Every ticket/credential its own uuid (certificate).
+    #
+    my $certificate = GeniCertificate->Create("ticket");
+    if (!defined($certificate)) {
+	print STDERR "Could not generate new certificate for $self!\n";
+	return -1;
+    }
+    $self->{'ticket_cert'}   = $certificate->cert();
+    $self->{'ticket_uuid'}   = $certificate->uuid();
+    my $ticket_cert = $certificate->cert();
+
     #
     # Create a template xml file to sign.
     #
@@ -384,11 +421,12 @@ sub Sign($)
 	" <serial>$idx</serial>\n".
 	" <owner_uuid>$owner_cert</owner_uuid>\n".
 	" <target_uuid>$slice_cert</target_uuid>\n".
-	" <this_uuid>$slice_cert</this_uuid>\n".
+	" <uuid>$ticket_cert</uuid>\n".
 	" <hrn>$hrn</hrn>\n".
 	" <expires>2008-05-10T09:00:00</expires>\n".
 	" <ticket>\n".
 	"  <can_delegate>1</can_delegate>\n".
+	"  <redeem_before>2008-05-10T09:00:00</redeem_before>\n".
 	"  $rspec_xml\n".
 	" </ticket>\n".	
         "</credential>\n";
diff --git a/protogeni/protogeni.sql b/protogeni/protogeni.sql
index a5102a034..dea30c8b9 100644
--- a/protogeni/protogeni.sql
+++ b/protogeni/protogeni.sql
@@ -100,6 +100,7 @@ CREATE TABLE `geni_slices` (
   `hrn` varchar(256) NOT NULL default '',
   `idx` mediumint(8) unsigned NOT NULL default '0',
   `uuid` varchar(40) NOT NULL default '',
+  `exptidx` int(11) default NULL,
   `created` datetime default NULL,
   `creator_uuid` varchar(40) NOT NULL default '',
   `name` tinytext,
@@ -117,6 +118,8 @@ DROP TABLE IF EXISTS `geni_slivers`;
 CREATE TABLE `geni_slivers` (
   `idx` mediumint(8) unsigned NOT NULL default '0',
   `uuid` varchar(40) NOT NULL default '',
+  `hrn` varchar(256) NOT NULL default '',
+  `name` varchar(256) NOT NULL default '',
   `slice_uuid` varchar(40) NOT NULL default '',
   `creator_uuid` varchar(40) NOT NULL default '',
   `resource_uuid` varchar(40) NOT NULL default '',
@@ -125,7 +128,7 @@ CREATE TABLE `geni_slivers` (
   `credential_idx` int(10) unsigned default NULL,
   `component_uuid` varchar(40) default NULL,
   `aggregate_uuid` varchar(40) default NULL,
-  `status` enum('ready','broken') NOT NULL default 'ready',
+  `status` enum('created','ready','broken') NOT NULL default 'created',
   `rspec_string` text,
   PRIMARY KEY  (`idx`),
   UNIQUE KEY `uuid` (`uuid`),
@@ -138,6 +141,8 @@ CREATE TABLE `geni_slivers` (
 DROP TABLE IF EXISTS `geni_aggregates`;
 CREATE TABLE `geni_aggregates` (
   `idx` mediumint(8) unsigned NOT NULL default '0',
+  `hrn` varchar(256) NOT NULL default '',
+  `name` varchar(256) NOT NULL default '',
   `uuid` varchar(40) NOT NULL default '',
   `type` varchar(40) NOT NULL default '',
   `slice_uuid` varchar(40) NOT NULL default '',
@@ -147,7 +152,7 @@ CREATE TABLE `geni_aggregates` (
   `ticket_idx` int(10) unsigned default NULL,
   `component_idx` int(10) unsigned NOT NULL default '0',
   `aggregate_idx` int(10) unsigned default NULL,
-  `status` enum('ready','broken') NOT NULL default 'ready',
+  `status` enum('created','ready','broken') NOT NULL default 'created',
   PRIMARY KEY  (`idx`),
   UNIQUE KEY `uuid` (`uuid`),
   INDEX `slice_uuid` (`slice_uuid`)
@@ -159,12 +164,13 @@ CREATE TABLE `geni_aggregates` (
 DROP TABLE IF EXISTS `geni_tickets`;
 CREATE TABLE `geni_tickets` (
   `idx` mediumint(8) unsigned NOT NULL default '0',
+  `ticket_uuid` varchar(40) NOT NULL default '',
   `owner_uuid` varchar(40) NOT NULL default '',
   `slice_uuid` varchar(40) NOT NULL default '',
   `created` datetime default NULL,
   `redeem_before` datetime default NULL,
   `valid_until` datetime default NULL,
-  `component_idx` int(10) unsigned NOT NULL default '0',
+  `component_uuid` varchar(40) NOT NULL default '',
   `seqno` int(10) unsigned NOT NULL default '0',
   `ticket_string` text,
   PRIMARY KEY  (`idx`), 
@@ -179,6 +185,7 @@ CREATE TABLE `geni_tickets` (
 DROP TABLE IF EXISTS `geni_credentials`;
 CREATE TABLE `geni_credentials` (
   `idx` mediumint(8) unsigned NOT NULL default '0',
+  `uuid` varchar(40) NOT NULL default '',
   `owner_uuid` varchar(40) NOT NULL default '',
   `this_uuid` varchar(40) NOT NULL default '',
   `created` datetime default NULL,
diff --git a/protogeni/security/GNUmakefile.in b/protogeni/security/GNUmakefile.in
index b7d05a947..e2ce341db 100644
--- a/protogeni/security/GNUmakefile.in
+++ b/protogeni/security/GNUmakefile.in
@@ -14,7 +14,8 @@ include $(OBJDIR)/Makeconf
 SBIN_STUFF	= signgenicred verifygenicred
 LIBEXEC_STUFF	= 
 CTRLSBIN_STUFF  =
-LIBFILES        = credential.xsd sig.xsd xml.xsd
+LIBFILES        = credential.xsd sig.xsd xml.xsd top.xsd \
+		  protogeni-rspec-common.xsd
 
 # These scripts installed setuid, with sudo. 
 SETUID_BIN_SCRIPTS   = 
diff --git a/protogeni/security/credential.rnc b/protogeni/security/credential.rnc
index 6af250e21..4f3b54353 100644
--- a/protogeni/security/credential.rnc
+++ b/protogeni/security/credential.rnc
@@ -14,7 +14,7 @@
 #   blob will be signed. So, there will be multiple signatures in the
 #   document, each with a reference to the credential it signs.
 #
-default namespace = "http://www.protogeni.net/resources/credential/0.1"
+#default namespace = "http://www.protogeni.net/resources/credential/0.1"
 
 namespace sig  = "http://www.w3.org/2000/09/xmldsig#"
 datatypes xs   = "http://www.w3.org/2001/XMLSchema-datatypes"
@@ -36,6 +36,18 @@ PrivilegesSpec = element privileges {
 	PrivilegeSpec*
 }
 
+## Backwards compat my original credential spec.
+CapabilitySpec = element capability {
+	# Name of the capability. 
+	element name { xsd:string { minLength = "1" }},
+	# Flag indicating this capability can be delegated
+        element can_delegate { "0" | "1" }
+}
+## Backwards compat my original credential spec.
+CapabilitiesSpec = element capabilities {
+	CapabilitySpec*
+}
+
 ## Define a stub for future ticket.
 TicketSpec = element ticket {
         ## Can the ticket be delegated?
@@ -46,7 +58,7 @@ TicketSpec = element ticket {
         # Note: What I really want to do here is reference RSpec as being
         # in a separate namespace. But, it's not clear to me how to do this,
         # so we basically just use by inclusion
-        RSpec
+	anyelementbody
 }
 
 ## A list of signatures.
@@ -59,15 +71,21 @@ credentials = element credential {
     ## The ID for signature referencing.
     attribute xml:id {xs:ID},
     ## The type of this credential. Currently a Privilege set or a Ticket.
-    element type { "privilege" | "ticket" },
+    element type { "privilege" | "ticket" | "capability" },
     ## A serial number.
     element serial { xsd:string },
     ## UUID of the owner of this credential. 
     element owner_uuid { xsd:string },
+    ## UUID of the target of this credential. 
+    element target_uuid { xsd:string },
     ## UUID of this credential
-    element this_uuid { xsd:string },
+    element uuid { xsd:string },
+    ## HRN
+    element hrn { xsd:string },
+    ## Expires on
+    element expires { xsd:dateTime },
     ## Privileges or a ticket
-    (PrivilegesSpec | TicketSpec),
+    (PrivilegesSpec | TicketSpec | CapabilitiesSpec),
     ## Parent that delegated to us
     element parent { credentials }?
 }
diff --git a/protogeni/security/credential.xsd b/protogeni/security/credential.xsd
index 1fc90feff..ecb040516 100644
--- a/protogeni/security/credential.xsd
+++ b/protogeni/security/credential.xsd
@@ -17,22 +17,25 @@
     blob will be signed. So, there will be multiple signatures in the
     document, each with a reference to the credential it signs.
   
+  default namespace = "http://www.protogeni.net/resources/credential/0.1"
 -->
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.protogeni.net/resources/credential/0.1" xmlns:sig="http://www.w3.org/2000/09/xmldsig#" xmlns:credential="http://www.protogeni.net/resources/credential/0.1">
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
   <xs:include schemaLocation="protogeni-rspec-common.xsd"/>
   <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
   <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
-  <xs:complexType name="anyelementbody" mixed="true">
+  <xs:group name="anyelementbody">
     <xs:sequence>
       <xs:any minOccurs="0" maxOccurs="unbounded" processContents="skip"/>
     </xs:sequence>
+  </xs:group>
+  <xs:attributeGroup name="anyelementbody">
     <xs:anyAttribute processContents="skip"/>
-  </xs:complexType>
+  </xs:attributeGroup>
   <!-- This is where we get the definition of RSpec from -->
   <xs:element name="privilege">
     <xs:complexType>
       <xs:sequence>
-        <xs:element ref="credential:name"/>
+        <xs:element ref="name"/>
         <xs:element name="can_delegate" type="xs:boolean"/>
       </xs:sequence>
     </xs:complexType>
@@ -47,25 +50,48 @@
   <xs:element name="privileges">
     <xs:complexType>
       <xs:sequence>
-        <xs:element minOccurs="0" maxOccurs="unbounded" ref="credential:privilege"/>
+        <xs:element minOccurs="0" maxOccurs="unbounded" ref="privilege"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
-  <xs:element name="ticket">
+  <xs:element name="capability">
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element ref="name"/>
+        <xs:element name="can_delegate">
+          <xs:simpleType>
+            <xs:restriction base="xs:token">
+              <xs:enumeration value="0"/>
+              <xs:enumeration value="1"/>
+            </xs:restriction>
+          </xs:simpleType>
+        </xs:element>
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="capabilities">
     <xs:complexType>
+      <xs:sequence>
+        <xs:element minOccurs="0" maxOccurs="unbounded" ref="capability"/>
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name="ticket">
+    <xs:complexType mixed="true">
       <xs:sequence>
         <xs:element name="can_delegate" type="xs:boolean">
           <xs:annotation>
             <xs:documentation>Can the ticket be delegated?</xs:documentation>
           </xs:annotation>
         </xs:element>
-        <xs:element ref="credential:redeem_before"/>
-        <xs:element ref="credential:rspec">
+        <xs:element ref="redeem_before"/>
+        <xs:group ref="anyelementbody">
           <xs:annotation>
             <xs:documentation>A desciption of the resources that are being promised</xs:documentation>
           </xs:annotation>
-        </xs:element>
+        </xs:group>
       </xs:sequence>
+      <xs:attributeGroup ref="anyelementbody"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="redeem_before" type="xs:dateTime">
@@ -85,24 +111,28 @@
       <xs:documentation>A credential granting privileges or a ticket.</xs:documentation>
     </xs:annotation>
     <xs:sequence>
-      <xs:element ref="credential:credential"/>
+      <xs:element ref="credential"/>
     </xs:sequence>
   </xs:complexType>
   <xs:element name="credential">
     <xs:complexType>
       <xs:sequence>
-        <xs:element ref="credential:type"/>
-        <xs:element ref="credential:serial"/>
-        <xs:element ref="credential:owner_uuid"/>
-        <xs:element ref="credential:this_uuid"/>
+        <xs:element ref="type"/>
+        <xs:element ref="serial"/>
+        <xs:element ref="owner_uuid"/>
+        <xs:element ref="target_uuid"/>
+        <xs:element ref="uuid"/>
+        <xs:element ref="hrn"/>
+        <xs:element ref="expires"/>
         <xs:choice>
           <xs:annotation>
             <xs:documentation>Privileges or a ticket</xs:documentation>
           </xs:annotation>
-          <xs:element ref="credential:privileges"/>
-          <xs:element ref="credential:ticket"/>
+          <xs:element ref="privileges"/>
+          <xs:element ref="ticket"/>
+          <xs:element ref="capabilities"/>
         </xs:choice>
-        <xs:element minOccurs="0" ref="credential:parent"/>
+        <xs:element minOccurs="0" ref="parent"/>
       </xs:sequence>
       <xs:attribute ref="xml:id" use="required"/>
     </xs:complexType>
@@ -115,6 +145,7 @@
       <xs:restriction base="xs:token">
         <xs:enumeration value="privilege"/>
         <xs:enumeration value="ticket"/>
+        <xs:enumeration value="capability"/>
       </xs:restriction>
     </xs:simpleType>
   </xs:element>
@@ -128,12 +159,27 @@
       <xs:documentation>UUID of the owner of this credential. </xs:documentation>
     </xs:annotation>
   </xs:element>
-  <xs:element name="this_uuid" type="xs:string">
+  <xs:element name="target_uuid" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>UUID of the target of this credential. </xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="uuid" type="xs:string">
     <xs:annotation>
       <xs:documentation>UUID of this credential</xs:documentation>
     </xs:annotation>
   </xs:element>
-  <xs:element name="parent" type="credential:credentials">
+  <xs:element name="hrn" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>HRN</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="expires" type="xs:dateTime">
+    <xs:annotation>
+      <xs:documentation>Expires on</xs:documentation>
+    </xs:annotation>
+  </xs:element>
+  <xs:element name="parent" type="credentials">
     <xs:annotation>
       <xs:documentation>Parent that delegated to us</xs:documentation>
     </xs:annotation>
@@ -141,9 +187,9 @@
   <xs:element name="signed-credential">
     <xs:complexType>
       <xs:complexContent>
-        <xs:extension base="credential:credentials">
+        <xs:extension base="credentials">
           <xs:sequence>
-            <xs:element minOccurs="0" ref="credential:signatures"/>
+            <xs:element minOccurs="0" ref="signatures"/>
           </xs:sequence>
         </xs:extension>
       </xs:complexContent>
diff --git a/protogeni/security/protogeni-rspec-common.xsd b/protogeni/security/protogeni-rspec-common.xsd
index d25cc6ffb..449c80567 100644
--- a/protogeni/security/protogeni-rspec-common.xsd
+++ b/protogeni/security/protogeni-rspec-common.xsd
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.protogeni.net/resources/credential/0.1" xmlns:sig="http://www.w3.org/2000/09/xmldsig#" xmlns:credential="http://www.protogeni.net/resources/credential/0.1">
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
   <xs:include schemaLocation="top.xsd"/>
   <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
   <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
@@ -18,9 +18,9 @@
   <!-- Add some more stuff to nodes -->
   <xs:complexType name="NodeContents">
     <xs:sequence>
-      <xs:group ref="credential:NodeSpec.NodeType"/>
-      <xs:element minOccurs="0" ref="credential:available"/>
-      <xs:element minOccurs="0" ref="credential:component_manager_URL"/>
+      <xs:group ref="NodeSpec.NodeType"/>
+      <xs:element minOccurs="0" ref="available"/>
+      <xs:element minOccurs="0" ref="component_manager_URL"/>
     </xs:sequence>
     <xs:attribute name="uuid" use="required"/>
     <xs:attribute name="name"/>
@@ -38,13 +38,13 @@
   <xs:element name="available" type="xs:boolean"/>
   <xs:complexType name="LinkContents">
     <xs:sequence>
-      <xs:group ref="credential:LinkEndPoints"/>
-      <xs:group ref="credential:LinkCharacteristics">
+      <xs:group ref="LinkEndPoints"/>
+      <xs:group ref="LinkCharacteristics">
         <xs:annotation>
           <xs:documentation>The characteristics (bandwidth, latency, loss) which affect traffic.</xs:documentation>
         </xs:annotation>
       </xs:group>
-      <xs:group ref="credential:LinkSpec.LinkType"/>
+      <xs:group ref="LinkSpec.LinkType"/>
     </xs:sequence>
     <xs:attribute name="uuid" use="required"/>
     <xs:attribute name="name"/>
@@ -52,8 +52,8 @@
   <!-- TODO: Might add a URL for the CM for a link in the future -->
   <xs:complexType name="InterfaceContents">
     <xs:sequence>
-      <xs:element ref="credential:node_uuid"/>
-      <xs:element minOccurs="0" ref="credential:node_name"/>
+      <xs:element ref="node_uuid"/>
+      <xs:element minOccurs="0" ref="node_name"/>
       <xs:element name="interface" type="xs:string"/>
     </xs:sequence>
   </xs:complexType>
@@ -63,8 +63,8 @@
   <xs:element name="rspec">
     <xs:complexType>
       <xs:choice minOccurs="0" maxOccurs="unbounded">
-        <xs:element ref="credential:node"/>
-        <xs:element ref="credential:link"/>
+        <xs:element ref="node"/>
+        <xs:element ref="link"/>
       </xs:choice>
       <xs:attribute name="generated" use="required" type="xs:dateTime"/>
       <xs:attribute name="valid_until" use="required" type="xs:dateTime"/>
diff --git a/protogeni/security/sig.xsd b/protogeni/security/sig.xsd
index 88dc98ab7..e92fcaea2 100644
--- a/protogeni/security/sig.xsd
+++ b/protogeni/security/sig.xsd
@@ -1,6 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.w3.org/2000/09/xmldsig#" xmlns:sig="http://www.w3.org/2000/09/xmldsig#" xmlns:credential="http://www.protogeni.net/resources/credential/0.1">
-  <xs:import namespace="http://www.protogeni.net/resources/credential/0.1" schemaLocation="credential.xsd"/>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.w3.org/2000/09/xmldsig#" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
+  <xs:import schemaLocation="credential.xsd"/>
   <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
-  <xs:element name="Signature" type="credential:anyelementbody"/>
+  <xs:element name="Signature">
+    <xs:complexType mixed="true">
+      <xs:group ref="anyelementbody"/>
+      <xs:attributeGroup ref="anyelementbody"/>
+    </xs:complexType>
+  </xs:element>
 </xs:schema>
diff --git a/protogeni/security/top.xsd b/protogeni/security/top.xsd
index b8fc4fc4b..fa7efe979 100644
--- a/protogeni/security/top.xsd
+++ b/protogeni/security/top.xsd
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.protogeni.net/resources/credential/0.1" xmlns:sig="http://www.w3.org/2000/09/xmldsig#" xmlns:credential="http://www.protogeni.net/resources/credential/0.1">
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
   <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
   <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
   <!--
     
     EMULAB-COPYRIGHT
-    Copyright (c) 2005-2008 University of Utah and the Flux Group.
+    Copyright (c) 2005-2007 University of Utah and the Flux Group.
     All rights reserved.
     
   -->
@@ -25,10 +25,10 @@
           </xs:annotation>
         </xs:element>
         <xs:choice>
-          <xs:element ref="credential:type_slots"/>
-          <xs:element ref="credential:unlimited"/>
+          <xs:element ref="type_slots"/>
+          <xs:element ref="unlimited"/>
         </xs:choice>
-        <xs:element minOccurs="0" ref="credential:static"/>
+        <xs:element minOccurs="0" ref="static"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
@@ -45,13 +45,13 @@
   <xs:element name="static">
     <xs:complexType/>
   </xs:element>
-  <xs:element name="node" type="credential:NodeContents"/>
+  <xs:element name="node" type="NodeContents"/>
   <xs:group name="NodeSpec.NodeType">
     <xs:annotation>
       <xs:documentation>A node can (by default) have one or more types</xs:documentation>
     </xs:annotation>
     <xs:sequence>
-      <xs:element maxOccurs="unbounded" ref="credential:node_type"/>
+      <xs:element maxOccurs="unbounded" ref="node_type"/>
     </xs:sequence>
   </xs:group>
   <xs:element name="link_type">
@@ -61,28 +61,28 @@
       </xs:sequence>
     </xs:complexType>
   </xs:element>
-  <xs:element name="link" type="credential:LinkContents"/>
+  <xs:element name="link" type="LinkContents"/>
   <xs:group name="LinkEndPoints">
     <xs:sequence>
-      <xs:element ref="credential:source_interface"/>
-      <xs:element ref="credential:destination_interface"/>
+      <xs:element ref="source_interface"/>
+      <xs:element ref="destination_interface"/>
     </xs:sequence>
   </xs:group>
-  <xs:element name="source_interface" type="credential:InterfaceSpec">
+  <xs:element name="source_interface" type="InterfaceSpec">
     <xs:annotation>
       <xs:documentation>First interface for this link</xs:documentation>
     </xs:annotation>
   </xs:element>
-  <xs:element name="destination_interface" type="credential:InterfaceSpec">
+  <xs:element name="destination_interface" type="InterfaceSpec">
     <xs:annotation>
       <xs:documentation>Second interface for this link</xs:documentation>
     </xs:annotation>
   </xs:element>
   <xs:group name="LinkCharacteristics">
     <xs:sequence>
-      <xs:element ref="credential:bandwidth"/>
-      <xs:element ref="credential:latency"/>
-      <xs:element ref="credential:packet_loss"/>
+      <xs:element ref="bandwidth"/>
+      <xs:element ref="latency"/>
+      <xs:element ref="packet_loss"/>
     </xs:sequence>
   </xs:group>
   <xs:element name="bandwidth">
@@ -117,14 +117,14 @@
       <xs:documentation>A link can (by default) have zero or more types</xs:documentation>
     </xs:annotation>
     <xs:sequence>
-      <xs:element minOccurs="0" maxOccurs="unbounded" ref="credential:link_type"/>
+      <xs:element minOccurs="0" maxOccurs="unbounded" ref="link_type"/>
     </xs:sequence>
   </xs:group>
   <xs:element name="fd">
     <xs:complexType>
       <xs:sequence>
-        <xs:element ref="credential:fd_name"/>
-        <xs:element ref="credential:fd_weight"/>
+        <xs:element ref="fd_name"/>
+        <xs:element ref="fd_weight"/>
         <xs:element minOccurs="0" name="violatable">
           <xs:complexType/>
         </xs:element>
@@ -132,27 +132,8 @@
           <xs:annotation>
             <xs:documentation>Type information expressed in features and desires</xs:documentation>
           </xs:annotation>
-          <xs:sequence>
-            <xs:element ref="credential:global"/>
-            <xs:element name="operator">
-              <xs:simpleType>
-                <xs:restriction base="xs:token">
-                  <xs:enumeration value="OnceOnly"/>
-                  <xs:enumeration value="FirstFree"/>
-                </xs:restriction>
-              </xs:simpleType>
-            </xs:element>
-          </xs:sequence>
-          <xs:sequence>
-            <xs:element ref="credential:local"/>
-            <xs:element name="operator">
-              <xs:simpleType>
-                <xs:restriction base="xs:token">
-                  <xs:enumeration value="+"/>
-                </xs:restriction>
-              </xs:simpleType>
-            </xs:element>
-          </xs:sequence>
+          <xs:element ref="global"/>
+          <xs:element ref="local"/>
         </xs:choice>
       </xs:sequence>
     </xs:complexType>
@@ -168,17 +149,38 @@
     </xs:annotation>
   </xs:element>
   <xs:element name="global">
-    <xs:complexType/>
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element name="operator">
+          <xs:simpleType>
+            <xs:restriction base="xs:token">
+              <xs:enumeration value="OnceOnly"/>
+              <xs:enumeration value="FirstFree"/>
+            </xs:restriction>
+          </xs:simpleType>
+        </xs:element>
+      </xs:sequence>
+    </xs:complexType>
   </xs:element>
   <xs:element name="local">
-    <xs:complexType/>
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element name="operator">
+          <xs:simpleType>
+            <xs:restriction base="xs:token">
+              <xs:enumeration value="+"/>
+            </xs:restriction>
+          </xs:simpleType>
+        </xs:element>
+      </xs:sequence>
+    </xs:complexType>
   </xs:element>
   <xs:group name="NodeFlagSpec">
     <xs:sequence>
-      <xs:element minOccurs="0" ref="credential:trivial_bandwidth"/>
-      <xs:element minOccurs="0" ref="credential:subnode_of"/>
-      <xs:element minOccurs="0" ref="credential:unique"/>
-      <xs:element minOccurs="0" ref="credential:disallow_trivial_mix"/>
+      <xs:element minOccurs="0" ref="trivial_bandwidth"/>
+      <xs:element minOccurs="0" ref="subnode_of"/>
+      <xs:element minOccurs="0" ref="unique"/>
+      <xs:element minOccurs="0" ref="disallow_trivial_mix"/>
     </xs:sequence>
   </xs:group>
   <xs:element name="trivial_bandwidth" type="xs:integer"/>
@@ -194,15 +196,15 @@
       <xs:documentation>Interfaces</xs:documentation>
     </xs:annotation>
     <xs:sequence>
-      <xs:element name="interface" type="credential:InterfaceContents"/>
+      <xs:element name="interface" type="InterfaceContents"/>
     </xs:sequence>
   </xs:complexType>
   <xs:element name="property">
     <xs:complexType>
       <xs:sequence>
-        <xs:element ref="credential:property_name"/>
-        <xs:element ref="credential:property_value"/>
-        <xs:element ref="credential:property_penalty"/>
+        <xs:element ref="property_name"/>
+        <xs:element ref="property_value"/>
+        <xs:element ref="property_penalty"/>
         <xs:element minOccurs="0" name="violatable">
           <xs:annotation>
             <xs:documentation>If this flag is present, not having the property is considered a violation</xs:documentation>
@@ -210,28 +212,8 @@
           <xs:complexType/>
         </xs:element>
         <xs:choice minOccurs="0">
-          <xs:sequence>
-            <xs:element ref="credential:global"/>
-            <xs:element name="operator">
-              <xs:simpleType>
-                <xs:restriction base="xs:token">
-                  <xs:enumeration value="OnceOnly"/>
-                  <xs:enumeration value="FirstFree"/>
-                </xs:restriction>
-              </xs:simpleType>
-            </xs:element>
-          </xs:sequence>
-          <xs:sequence>
-            <xs:element ref="credential:local"/>
-            <xs:element name="operator">
-              <xs:simpleType>
-                <xs:restriction base="xs:token">
-                  <xs:enumeration value="="/>
-                  <xs:enumeration value="+"/>
-                </xs:restriction>
-              </xs:simpleType>
-            </xs:element>
-          </xs:sequence>
+          <xs:element ref="global"/>
+          <xs:element ref="local"/>
         </xs:choice>
       </xs:sequence>
     </xs:complexType>
diff --git a/protogeni/security/xml.xsd b/protogeni/security/xml.xsd
index 7dc700493..77a2c2596 100644
--- a/protogeni/security/xml.xsd
+++ b/protogeni/security/xml.xsd
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.w3.org/XML/1998/namespace" xmlns:sig="http://www.w3.org/2000/09/xmldsig#" xmlns:credential="http://www.protogeni.net/resources/credential/0.1">
-  <xs:import namespace="http://www.protogeni.net/resources/credential/0.1" schemaLocation="credential.xsd"/>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.w3.org/XML/1998/namespace" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
+  <xs:import schemaLocation="credential.xsd"/>
   <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
   <xs:attribute name="id" type="xs:ID">
     <xs:annotation>
-- 
GitLab