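module access-control-models {
  prefix acm;
  namespace "urn:opnfv:promise:acm";

  import complex-types { prefix ct; }
  import ietf-yang-types { prefix yang; }
  import ietf-inet-types { prefix inet; }

  // Bounded string for authentication secrets. The model gives it no
  // confidentiality handling of its own: nothing in this module restricts who
  // may read a node of this type, so instance data that carries it (config,
  // state retrievals, exports) contains the secret in clear unless the server
  // applies access control outside this module.
  typedef password {
    type string {
      length 1..255;
    }
    description
      "Authentication secret, 1..255 characters. Treat nodes of this type as
       sensitive; the schema itself does not restrict read access to them.";
  }

  // Reusable set of leaves for authenticating against an external identity
  // service (oauth or keystone).
  grouping access-credentials {
    leaf strategy {
      type enumeration {
        enum oauth;
        enum keystone;
      }
      default oauth;
      description "Authentication strategy; oauth when omitted.";
    }
    leaf endpoint {
      type inet:uri;
      description "The target endpoint for authentication";
      mandatory true;
      // inet:uri does not constrain the URI scheme, so the schema accepts a
      // plain-text transport here; the consumer has to enforce transport
      // security for the credentials sent to this endpoint.
    }
    leaf username {
      type string;
      mandatory true;
    }
    leaf password {
      type acm:password;
      mandatory true;
      // Sent to 'endpoint' during authentication; see the typedef note on
      // read exposure.
    }
  }

  /*********************************************
   * Identity Models
   *********************************************/

  // Abstract base for User, Group and Domain: a UUID key plus naming and an
  // enabled flag.
  ct:complex-type Identity {
    ct:abstract true;
    description "Identity represents an administrative access model entity";

    key "id";
    leaf id { type yang:uuid; mandatory true; }
    leaf name { type string; mandatory true; }
    leaf description { type string; }
    // Defaults to true, so a newly created identity is active unless the
    // creator explicitly disables it.
    leaf enabled { type boolean; default true; }
  }

  ct:complex-type User {
    ct:extends Identity;

    leaf credential {
      // Intended to reference an IdentityCredential instance (see the
      // commented-out type). As a plain string the schema does not validate
      // what it refers to, so consumers must resolve and check it themselves.
      //type instance-identifier { ct:instance-type IdentityCredential; }
      type string;
      mandatory true;
    }

    container contact {
      leaf fullName { type string; }
      // Unconstrained string: no pattern is enforced, so any validation of
      // the address format is left to the consumer.
      leaf email { type string; }
    }

    // 'instance-identifier' spelled consistently with the sibling references
    // below and in Group so the type resolves.
    leaf-list groups { type instance-identifier { ct:instance-type Group; } }
    leaf domain { type instance-identifier { ct:instance-type Domain; } }
  }

  ct:complex-type Group {
    ct:extends Identity;

    leaf-list users { type instance-identifier { ct:instance-type User; } }
    leaf domain { type instance-identifier { ct:instance-type Domain; } }
  }

  ct:complex-type Domain {
    ct:extends Identity;
    description
      "Domain represent a distinct administrative domain across
       collection of users and groups.";

    // Membership is recorded both here (instance-lists) and on User/Group via
    // their 'domain' leaf; no constraint in this module keeps the two in sync.
    ct:instance-list users { ct:instance-type User; }
    ct:instance-list groups { ct:instance-type Group; }
  }

  // Identity lifecycle operations. No input/output is declared, so there is
  // no schema-level contract for their parameters, and the module does not
  // express who is permitted to invoke them.
  rpc create-user;
  rpc remove-user;
  rpc create-group;
  rpc remove-group;
}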