<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    elementFormDefault="qualified" attributeFormDefault="unqualified">

    <!-- Document root. This schema declares no targetNamespace, so "dds" and
         every element declared below are in no namespace.
         Validation against this schema checks structure and enumerated values
         only; it does not show that a document is authentic or unmodified. -->
    <xs:element name="dds" type="DomainAccessRulesNode" />

    <!-- Content model of the root element: exactly one domain_access_rules child. -->
    <xs:complexType name="DomainAccessRulesNode">
        <xs:sequence minOccurs="1" maxOccurs="1">
            <xs:element name="domain_access_rules" type="DomainAccessRules" />
        </xs:sequence>
    </xs:complexType>

    <!-- One or more domain_rule entries; an empty rule list is rejected.
         The schema does not express what happens when two rules select the same
         domain. NOTE(review): precedence between overlapping rules is presumably
         decided by the consumer; confirm before relying on rule order. -->
    <xs:complexType name="DomainAccessRules">
        <xs:sequence minOccurs="1" maxOccurs="unbounded">
            <xs:element name="domain_rule" type="DomainRule" />
        </xs:sequence>
    </xs:complexType>

    <!-- Settings for one group of domains. Every child is required and must
         appear in the order listed, except allowed_crypto_algorithms, which is
         optional (minOccurs="0"). -->
    <xs:complexType name="DomainRule">
        <xs:sequence minOccurs="1" maxOccurs="1">
            <!-- DDSSEC12-101 -->
            <!-- Selects the domains this rule covers. -->
            <xs:element name="domains" type="DomainSet" />
            <!-- xs:boolean accepts true, false, 1 and 0.
                 NOTE(review): judging by the name, a true value relaxes participant
                 authentication; confirm against the consumer and review any
                 document that sets it to true. -->
            <xs:element name="allow_unauthenticated_participants" type="xs:boolean" /> 
            <xs:element name="enable_join_access_control" type="xs:boolean" />
            <!-- DDSSEC12-122 -->
            <!-- NOTE(review): required here (no minOccurs="0"), so a document that
                 omits it fails validation; confirm this is intended for documents
                 written before the element was introduced. -->
            <xs:element name="enable_key_revision" type="xs:boolean" />
            <!-- ProtectionKind includes NONE, so the schema accepts a rule that
                 requests no discovery, liveliness or RTPS protection. A minimum
                 protection level has to be enforced by a separate policy check. -->
            <xs:element name="discovery_protection_kind" type="ProtectionKind" />
            <xs:element name="liveliness_protection_kind" type="ProtectionKind" />
            <xs:element name="rtps_protection_kind" type="ProtectionKind" />
            <!-- DDSSEC12-94 -->
            <!-- Restricted to BasicProtectionKind (ENCRYPT, SIGN, NONE); also
                 required, with the same compatibility question as
                 enable_key_revision above. -->
            <xs:element name="rtps_psk_protection_kind" type="BasicProtectionKind" />
            <xs:element name="topic_access_rules" type="TopicAccessRules" />
            <!--  DDSSEC12-90  -->
            <!-- Optional algorithm allow-list. When it is omitted the schema says
                 nothing about which algorithms apply. NOTE(review): the effective
                 default presumably comes from the consumer; confirm. -->
            <xs:element name="allowed_crypto_algorithms" type="AllowedCryptoAlgorithms" minOccurs="0"/>
        </xs:sequence>
    </xs:complexType>

    <!-- DDSSEC12-101 -->
    <!-- Set of domains for a rule: at least one id or id_range (any mix, any
         number), then zero or more tag or tag_expression entries. All id entries
         must come before the first tag entry.
         The schema does not express how ids and tags combine. NOTE(review):
         whether tags narrow or widen the id selection is decided by the consumer;
         confirm. Duplicate or overlapping entries are schema-valid. -->
    <xs:complexType name="DomainSet">
        <xs:sequence>
            <xs:choice minOccurs="1" maxOccurs="unbounded">
                <xs:element name="id" type="DomainId" />
                <xs:element name="id_range" type="DomainIdRange" />
            </xs:choice>
            <xs:choice minOccurs="0" maxOccurs="unbounded">
                <xs:element name="tag" type="DomainTag" />
                <xs:element name="tag_expression" type="DomainTagExpression" />
            </xs:choice>
        </xs:sequence>
    </xs:complexType>

    <!-- Domain identifier: a non-negative integer with no upper bound.
         xs:nonNegativeInteger is arbitrary precision, so the schema accepts
         values wider than any fixed-width integer; a consumer should range-check
         the value before narrowing it. -->
    <xs:simpleType name="DomainId">
        <xs:restriction base="xs:nonNegativeInteger" />
    </xs:simpleType>

    <!-- A range of domain ids in one of three shapes: min alone, min followed by
         max, or max alone; an empty id_range is rejected.
         The schema cannot compare the two values, so min greater than max is
         schema-valid and has to be caught by the consumer. NOTE(review): a missing
         bound presumably leaves the range open on that side; confirm. -->
    <xs:complexType name="DomainIdRange">
        <xs:choice>
            <!-- Lower bound given; upper bound optional. -->
            <xs:sequence>
                <xs:element name="min" type="DomainId" />
                <xs:element name="max" type="DomainId" minOccurs="0" />
            </xs:sequence>
            <!-- Upper bound only. -->
            <xs:element name="max" type="DomainId" />
        </xs:choice>
    </xs:complexType>

    <!-- DDSSEC12-101 -->
    <!-- Domain tag as an unconstrained xs:string: no length limit and no pattern,
         and the empty string is accepted. Length and character checks are left to
         the consumer. -->
    <xs:simpleType name="DomainTag">
        <xs:restriction base="xs:string" />
    </xs:simpleType>
    <!-- Unconstrained xs:string; the expression syntax is not defined by this
         schema. NOTE(review): presumably a match pattern over domain tags (per the
         name); the consumer has to validate the syntax and bound the length. -->
    <xs:simpleType name="DomainTagExpression">
        <xs:restriction base="xs:string" />
    </xs:simpleType>

    <!-- Closed list of five protection levels. Matching is exact and
         case-sensitive, so "none" or "Encrypt" fails validation.
         NONE is a legal value wherever this type is used; the schema alone cannot
         require that protection is switched on. -->
    <xs:simpleType name="ProtectionKind">
        <xs:restriction base="xs:string">
            <xs:enumeration value="ENCRYPT_WITH_ORIGIN_AUTHENTICATION" />
            <xs:enumeration value="SIGN_WITH_ORIGIN_AUTHENTICATION" />
            <xs:enumeration value="ENCRYPT" />
            <xs:enumeration value="SIGN" />
            <xs:enumeration value="NONE" />
        </xs:restriction>
    </xs:simpleType>
    
    <!-- Subset of ProtectionKind without the two *_WITH_ORIGIN_AUTHENTICATION
         values. In this schema it types rtps_psk_protection_kind and
         data_protection_kind. NONE remains a legal value. -->
    <xs:simpleType name="BasicProtectionKind">
        <xs:restriction base="ProtectionKind">
            <xs:enumeration value="ENCRYPT" />
            <xs:enumeration value="SIGN" />
            <xs:enumeration value="NONE" />
        </xs:restriction>
    </xs:simpleType>
  
    <!-- One or more topic_rule entries; an empty list is rejected.
         The schema does not express which rule applies when several
         topic_expression values match the same topic. NOTE(review): matching
         order is presumably decided by the consumer; confirm before relying on
         the position of a rule. -->
    <xs:complexType name="TopicAccessRules">
        <xs:sequence minOccurs="1" maxOccurs="unbounded">
            <xs:element name="topic_rule" type="TopicRule" />
        </xs:sequence>
    </xs:complexType>

    <!-- Per-topic settings. All seven children are required and must appear in
         this order.
         The schema accepts a rule with every enable_* flag false and both
         protection kinds NONE, that is, a topic with no protection requested.
         NOTE(review): if topic_expression can match many topics, such a rule
         deserves an explicit policy check outside the schema. -->
    <xs:complexType name="TopicRule">
        <xs:sequence minOccurs="1" maxOccurs="1">
            <xs:element name="topic_expression" type="TopicExpression" />
            <!-- The four flags are xs:boolean: true, false, 1 and 0 are accepted. -->
            <xs:element name="enable_discovery_protection" type="xs:boolean" /> 
            <xs:element name="enable_liveliness_protection" type="xs:boolean" />
            <xs:element name="enable_read_access_control" type="xs:boolean" />  
            <xs:element name="enable_write_access_control" type="xs:boolean" /> 
            <!-- Metadata may use any ProtectionKind; data is limited to
                 BasicProtectionKind (no *_WITH_ORIGIN_AUTHENTICATION values). -->
            <xs:element name="metadata_protection_kind" type="ProtectionKind" />
            <xs:element name="data_protection_kind" type="BasicProtectionKind" />
        </xs:sequence>
    </xs:complexType>


    <!-- Unconstrained xs:string: no length limit and no pattern, and the empty
         string is accepted. The expression syntax is not defined by this schema;
         the consumer has to validate it and bound its length. -->
    <xs:simpleType name="TopicExpression">
        <xs:restriction base="xs:string" />
    </xs:simpleType>

    <!--  DDSSEC12-90  -->
    <!-- Algorithm allow-lists, in fixed order: digital_signature,
         digital_signature_identity_trust_chain (optional), key_establishment,
         symmetric_cipher. Each list type requires at least one algorithm, so a
         present allow-list can never be empty. -->
    <xs:complexType name="AllowedCryptoAlgorithms">
        <xs:sequence minOccurs="1" maxOccurs="1">
            <xs:element name="digital_signature" 
                        type="DigitalSignatureAlgorithms"/>
            <!-- Optional. NOTE(review): what applies to the identity trust chain
                 when this element is omitted is not expressed here; confirm. -->
            <xs:element name="digital_signature_identity_trust_chain" 
                        type="DigitalSignatureAlgorithms" minOccurs="0" />
            <xs:element name="key_establishment" 
                        type="KeyEstablishmentAlgorithms"/>
            <xs:element name="symmetric_cipher" 
                        type="SymmetricCipherAlgorithms"/>
        </xs:sequence>
    </xs:complexType>

    <!--  DDSSEC12-90  -->
    <!-- One or more algorithm entries of type DigitalSignatureKind.
         Duplicates are schema-valid, and the schema does not say whether the
         order of entries expresses a preference. -->
    <xs:complexType name="DigitalSignatureAlgorithms">
        <xs:sequence minOccurs="1" maxOccurs="unbounded">
            <xs:element name="algorithm" type="DigitalSignatureKind" />
        </xs:sequence>
    </xs:complexType>

    <!--  DDSSEC12-90  -->
    <!-- One or more algorithm entries of type KeyEstablishmentKind.
         Duplicates are schema-valid, and the schema does not say whether the
         order of entries expresses a preference. -->
    <xs:complexType name="KeyEstablishmentAlgorithms">
        <xs:sequence minOccurs="1" maxOccurs="unbounded">
            <xs:element name="algorithm" type="KeyEstablishmentKind" />
        </xs:sequence>
    </xs:complexType>

    <!--  DDSSEC12-90  -->
    <!-- One or more algorithm entries of type SymmetricCipherKind.
         Duplicates are schema-valid, and the schema does not say whether the
         order of entries expresses a preference. -->
    <xs:complexType name="SymmetricCipherAlgorithms">
        <xs:sequence minOccurs="1" maxOccurs="unbounded">
            <xs:element name="algorithm" type="SymmetricCipherKind" />
        </xs:sequence>
    </xs:complexType>

    <!--  DDSSEC12-90  -->
    <!-- Closed list of four signature algorithm identifiers. Matching is exact
         and case-sensitive, including the "+" and "-" separators. Any other
         identifier fails validation, so adding or retiring an algorithm requires
         a schema change. -->
    <xs:simpleType name="DigitalSignatureKind">
        <xs:restriction base="xs:string">
            <xs:enumeration value="RSASSA-PSS-MGF1SHA256+2048+SHA256" />
            <xs:enumeration value="RSASSA-PKCS1-V1_5+2048+SHA256" />
            <xs:enumeration value="ECDSA+P256+SHA256" />
            <xs:enumeration value="ECDSA+P384+SHA384" />
        </xs:restriction>
    </xs:simpleType>

    <!--  DDSSEC12-90  -->
    <!-- Closed list of three key establishment identifiers. Matching is exact
         and case-sensitive; any other identifier fails validation, so adding or
         retiring an algorithm requires a schema change. -->
    <xs:simpleType name="KeyEstablishmentKind">
        <xs:restriction base="xs:string">
            <xs:enumeration value="DHE+MODP-2048-256" />
            <xs:enumeration value="ECDHE-CEUM+P256" />
            <xs:enumeration value="ECDHE-CEUM+P384" />
        </xs:restriction>
    </xs:simpleType>

    <!--  DDSSEC12-90  -->
    <!-- Closed list of two symmetric cipher identifiers; both name AES in GCM
         mode. Matching is exact and case-sensitive; any other identifier fails
         validation, so adding or retiring a cipher requires a schema change. -->
    <xs:simpleType name="SymmetricCipherKind">
        <xs:restriction base="xs:string">
            <xs:enumeration value="AES128+GCM" />
            <xs:enumeration value="AES256+GCM" />
        </xs:restriction>
    </xs:simpleType>    
</xs:schema>
