<xsd:schema xmlns="http://www.ics.uci.edu/pub/arch/xArch/security.xsd" 
	xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
	xmlns:archinst="http://www.ics.uci.edu/pub/arch/xArch/instance.xsd" 
	xmlns:archtypes="http://www.ics.uci.edu/pub/arch/xArch/types.xsd" 
	xmlns:implementation="http://www.ics.uci.edu/pub/arch/xArch/implementation.xsd"
	xmlns:javainitparams="http://www.ics.uci.edu/pub/arch/xArch/javainitparams.xsd" 
	xmlns:messages="http://www.ics.uci.edu/pub/arch/xArch/messages.xsd"
	xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 
	targetNamespace="http://www.ics.uci.edu/pub/arch/xArch/security.xsd" 
	elementFormDefault="qualified" attributeFormDefault="qualified">

	<!-- Import namespaces used -->
	<xsd:import namespace="http://www.ics.uci.edu/pub/arch/xArch/instance.xsd" 
		schemaLocation="http://www.isr.uci.edu/projects/xarchuci/core/instance.xsd"/>
	<xsd:import namespace="http://www.ics.uci.edu/pub/arch/xArch/types.xsd" 
		schemaLocation="http://www.isr.uci.edu/projects/xarchuci/ext/types.xsd"/>
	<xsd:import namespace="http://www.ics.uci.edu/pub/arch/xArch/implementation.xsd" 
		schemaLocation="http://www.isr.uci.edu/projects/xarchuci/ext/implementation.xsd" /> 
	<xsd:import namespace="http://www.ics.uci.edu/pub/arch/xArch/javainitparams.xsd" 
		schemaLocation="http://www.isr.uci.edu/projects/xarchuci/ext/javainitparams.xsd" /> 
	<xsd:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 
		schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd"/>

	<xsd:annotation>
		<xsd:documentation> 
			xADL 2.0 Security (a.k.a Secure xADL) XML Schema 1.0
			
			This is an extension of xADL to describe security properties of 
			software architecture.
			
			It centers around two concepts: the subjects for which components and
			connectors act for, and the privileges these bricks carry and require
			to act.
			
			The third piece of a usual access control model, the objects, are implicit
			at this level. The regular objects are not explicitly modeled, because 
			they are generally not the focus of modeling this level. The 
			architectural objects are components and connectors, which have been 
			modeled from other schemas. 
		</xsd:documentation>
	</xsd:annotation>

	<!--
    TYPE: ParameterPriority
    
    The Override type specifies how an initialization parameter for a structure 
	should be handled when there is a parameter of the same name for its type.
	"append" keeps both parameters, "replace" chooses the structure parameter, 
	"ignore" keeps the type parameter. The default is "replace", so a more specific
	parameter for a structure takes precedence over a generic parameter for a type.
	-->
	<xsd:simpleType name="ParameterPriority">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="replace"/>
			<xsd:enumeration value="append"/>
			<xsd:enumeration value="ignore"/>
		</xsd:restriction>
	</xsd:simpleType>
	
	<!--
    TYPE: Subject
    
    This type describes a subject for which a component or a connecotr acts.
	-->
	<xsd:complexType name="Subject">
		<xsd:simpleContent>
			<xsd:extension base="xsd:string">
				<xsd:attribute name="priority" type="ParameterPriority" 
					use="optional" default="replace" />
			</xsd:extension>
		</xsd:simpleContent>
	</xsd:complexType>
	
	<!--
    TYPE: Principal
    
    This type describes the principals that a component or a connecotr has.
	A principal is a "name" that a subject can take. A subject can take many 
	principals, such as the many roles, or different names for different 
	login contexts. 
	-->
	<xsd:complexType name="Principal">
		<xsd:simpleContent>
			<xsd:extension base="xsd:string"/>
		</xsd:simpleContent>
	</xsd:complexType>

	<!--
	TYPE: Principals
		
	This type collects a set of principals, and decides how the principals
		of the structure should deal with the principals from the type
	-->	
	<xsd:complexType name="Principals">
		<xsd:sequence>
			<xsd:element name="principal" type="Principal" 
				minOccurs="0" maxOccurs="unbounded"/>
		</xsd:sequence>
		<xsd:attribute name="priority" type="ParameterPriority" 
			use="optional" default="replace" />
	</xsd:complexType>
	
	<!--
    TYPE: Privilege
    
    This type describes a privilege. 
	-->
	<xsd:complexType name="Privilege">
		<xsd:simpleContent>
			<xsd:extension base="xsd:string"/>
		</xsd:simpleContent>
	</xsd:complexType>
	
	<!--
	TYPE: Privileges
		
	This type collects a set of privileges, and decides how the privileges
		of the structure should deal with the privileges from the type
	-->	
	<xsd:complexType name="Privileges">
		<xsd:sequence>
			<xsd:element name="privilege" type="Privilege" 
				minOccurs="0" maxOccurs="unbounded"/>
		</xsd:sequence>
		<xsd:attribute name="priority" type="ParameterPriority" 
			use="optional" default="replace" />
	</xsd:complexType>
	
	<!--
	TYPE: Policies
		
	This type collects a set of PolicySets. This is needed to support RBAC 
		XACML, which needs multiple policy sets (RPS and PPS). Otherwise, 
		a single policy set could have been used.
	-->
	<xsd:complexType name="Policies">
		<xsd:sequence>
			<xsd:element ref="xacml:PolicySet" 
				minOccurs="0" maxOccurs="unbounded"/>
		</xsd:sequence>
	</xsd:complexType>
	
	<!--
    TYPE: SecurityProperty
    
    This type describes security property. 
	-->
	<xsd:complexType name="SecurityPropertyType">
		<xsd:sequence>
			<xsd:element name="subject" type="Subject" 
				minOccurs="0" maxOccurs="1"/>
			<xsd:element name="principals" type="Principals" 
				minOccurs="0" maxOccurs="1"/>
			<xsd:element name="privileges" type="Privileges" 
				minOccurs="0" maxOccurs="1"/>
			<!--
				This element describes the security policy, expressed as XACML
				In XACML, PolicySet can contain another PolicySet, but Policy 
				cannot contain another Policy. Since we need to combine the policy
				of a component with the policy of its type, probably also with
				its containing component, we need to use PolicySet as the basic
				building block. This also enables us to reuse existing combining
				algorithms.
			-->
			<xsd:element name="policies" type="Policies" 
				minOccurs="0" maxOccurs="1"/>
		</xsd:sequence>
	</xsd:complexType>

	<!--
		The following declarations attach SecurityPropertyType to types, 
		structures and instances of xADL
	-->	
	<!--
    TYPE: SecureComponentType
    
    This type is an extension to the ComponentType type
    (from the types schema).
	-->
	<xsd:complexType name="SecureComponentType">
		<xsd:complexContent>
			<xsd:extension base="implementation:VariantComponentTypeImpl">
				<xsd:sequence>
					<xsd:element name="security" type="SecurityPropertyType" 
						minOccurs="0" />
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
    TYPE: SecureConnectorType
    
    This type is an extension to the ConnectorType type
    (from the types schema).
	-->
	<xsd:complexType name="SecureConnectorType">
		<xsd:complexContent>
			<xsd:extension base="implementation:VariantConnectorTypeImpl">
				<xsd:sequence>
					<xsd:element name="security" type="SecurityPropertyType" 
						minOccurs="0" />
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
	TYPE: InitializationParameterStructure
	-->
	<xsd:complexType name="InitializationParameterStructure">
		<xsd:complexContent>
			<xsd:extension base="javainitparams:InitializationParameter">
				<xsd:attribute name="priority" type="ParameterPriority" 
					use="optional" default="replace" />
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
    TYPE: ComponentParams
    
    This type is an extension to the Component element
    (from the types schema), to give it initialization parameters.
		
	The reasons are two folds: 1) so structures can also be assigned 
	initialization parameters, just like their types counterparts. 2)
	this feature is more necessary for security policy, which could 
	vary for different components or connectors
	-->
	<xsd:complexType name="ComponentParams">
		<xsd:complexContent>
			<xsd:extension base="archtypes:Component">
				<xsd:sequence>
					<xsd:element name="initializationParameter" 
						type="InitializationParameterStructure"
                        minOccurs="0" maxOccurs="unbounded"/>
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
    TYPE: ConnectorParams
    
    This type is an extension to the Connector element
    (from the types schema), to give it initialization parameters.
	-->
	<xsd:complexType name="ConnectorParams">
		<xsd:complexContent>
			<xsd:extension base="archtypes:Connector">
				<xsd:sequence>
					<xsd:element name="initializationParameter" 
						type="InitializationParameterStructure"
                        minOccurs="0" maxOccurs="unbounded"/>
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
    TYPE: SecureComponent
    
    This type is an extension to the ComponentParams, with security property
	-->
	<xsd:complexType name="SecureComponent">
		<xsd:complexContent>
			<xsd:extension base="ComponentParams">
				<xsd:sequence>
					<xsd:element name="security" type="SecurityPropertyType" 
						minOccurs="0" />
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
    TYPE: SecureConnector
    
    This type is an extension to the ConnectorParams, with security property
	-->
	<xsd:complexType name="SecureConnector">
		<xsd:complexContent>
			<xsd:extension base="ConnectorParams">
				<xsd:sequence>
					<xsd:element name="security" type="SecurityPropertyType" 
						minOccurs="0" />
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
    TYPE: SecureArchStructure
    
    This type is an extension to ArchStructure, with security property
	-->
	<xsd:complexType name="SecureArchStructure">
		<xsd:complexContent>
			<xsd:extension base="archtypes:ArchStructure">
				<xsd:sequence>
					<xsd:element name="security" type="SecurityPropertyType" 
						minOccurs="0" />
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
    TYPE: SecureComponentInstance
    
    This type is an extension to the ComponentInstance element
    (from the instance schema).
	-->
	<xsd:complexType name="SecureComponentInstance">
		<xsd:complexContent>
			<xsd:extension base="archtypes:PrescribedComponentInstance">
				<xsd:sequence>
					<xsd:element name="security" type="SecurityPropertyType" 
						minOccurs="0" />
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
    TYPE: SecureConnectorInstance
    
    This type is an extension to the ConnectorInstance element
    (from the instance schema).
	-->
	<xsd:complexType name="SecureConnectorInstance">
		<xsd:complexContent>
			<xsd:extension base="archtypes:PrescribedConnectorInstance">
				<xsd:sequence>
					<xsd:element name="security" type="SecurityPropertyType" 
						minOccurs="0" />
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	
	<!--
		The following declarations attach safeguards(required privileges) to interface types,
		signatures (of component types and connector types), and interfaces (of 
		components and connectors), and interface instances (of component instances
		and connector instances)
	-->
	<!--
	TYPE: Safeguards
		
	This type collects a set of safeguards, and decides how the safeguards
		of the structure should deal with the safeguards from the type
	-->	
	<xsd:complexType name="Safeguards">
		<xsd:sequence>
			<xsd:element name="safeguard" type="Privilege" 
				minOccurs="0" maxOccurs="unbounded"/>
		</xsd:sequence>
		<xsd:attribute name="priority" type="ParameterPriority" 
			use="optional" default="replace" />
	</xsd:complexType>
	
	<!-- 
	TYPE: SecureInterfaceType
		
	Describes a secure interface type, which requires privileges to access
	-->
	<xsd:complexType name="SecureInterfaceType">
		<xsd:complexContent>
			<xsd:extension base="implementation:InterfaceTypeImpl">
				<xsd:sequence>
					<xsd:element name="safeguards" type="Safeguards" 
						minOccurs="0" maxOccurs="1" />
				</xsd:sequence>
			</xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>
	
	<!-- 
	TYPE: SecureSignature
		
	Describes a secure signature, which requires privileges to access
	-->
	<xsd:complexType name="SecureSignature">
		<xsd:complexContent>
			<xsd:extension base="archtypes:Signature">
				<xsd:sequence>
					<xsd:element name="safeguards" type="Safeguards" 
						minOccurs="0" maxOccurs="1" />
				</xsd:sequence>
			</xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>
	
	<!-- 
	TYPE: SecureInterface
		
	Describes a secure interface, which requires privileges to access
	-->
	<xsd:complexType name="SecureInterface">
		<xsd:complexContent>
			<xsd:extension base="archtypes:Interface">
				<xsd:sequence>
					<xsd:element name="safeguards" type="Safeguards" 
						minOccurs="0" maxOccurs="1" />
				</xsd:sequence>
			</xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>
	
	<!-- 
	TYPE: SecureInterfaceInstance
		
	Describes a secure interface instance, which requires privileges to access
	-->
	<xsd:complexType name="SecureInterfaceInstance">
		<xsd:complexContent>
			<xsd:extension base="archinst:InterfaceInstance">
				<xsd:sequence>
					<xsd:element name="safeguards" type="Safeguards" 
						minOccurs="0" maxOccurs="1" />
				</xsd:sequence>
			</xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>
	<!--
		For XACML xADL profile
		Eadier to read, we can use these attribute ids.
		
		// Values for the action-id
		AddBrick, RemoveBrick, AddWeld, RemoveWeld, RouteMessage
		
		// Attribute ids for Resource
		// AddBrick, RemoveBrick
		urn:xadl:ArchTypes:ComponentType:id
		urn:xadl:ArchTypes:ConnectorType:id
		urn:xadl:archStructure:component:id
		urn:xadl:archStructure:connector:id
		
		// AddWeld, RemoveWeld (two of them)
		urn:xadl:archStructure:link:point
		
		// RouteMessage
		urn:xadl:archStructure:link:pointSource
		urn:xadl:archStructure:link:pointDestination
		urn:xadl:archStructure:connector:security:subject		
		urn:xadl:archStructure:connector:security:principal		
		urn:xadl:archStructure:connector:security:privilege		

		An alternative is to base everything on XPath.
		Each action will involve an XML fragment (the xADL fragment for 
		AddBrck/RemoveBrick/AddWeld/RemoveWeld and the message fragment
		for RouteMessage). We can control whether such XML fragments
		should be allowed, based on the contents involved. For example,
		we can select the id of the component that will be created, and 
		decide whether the creation should be allowed. The advantages
		of this method is it has a unified model, and it does not require
		define new resource or action identifiers. The downside, of course,
		is that is has no type safety, and is harder to understand.
	-->
</xsd:schema