Update policy backend and testserver for the newest policy protocol

chrome/browser/policy/proto/device_management_backend.proto

Index: chrome/browser/policy/proto/device_management_backend.proto
diff --git a/chrome/browser/policy/proto/device_management_backend.proto b/chrome/browser/policy/proto/device_management_backend.proto
index 1a857b62f9d8b529fdca22b0d31e9e200ea51220..e9587a6afc03d292511f885a24d61a5b214bfc26 100644
--- a/chrome/browser/policy/proto/device_management_backend.proto
+++ b/chrome/browser/policy/proto/device_management_backend.proto
@@ -4,18 +4,31 @@
 
 syntax = "proto2";
 
-import "cloud_policy.proto";
-
 option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
-// Protocol buffers for the obsolete protocol:
-// -------------------------------------------
-//    GenericValue, GenericNamedValue, GenericSetting, DevicePolicySetting,
-//    DevicePolicySettingRequest, DevicePolicyRequest, DevicePolicyResponse
-// TODO(gfeher): Remove these when both Chrome and DMServer is switched to
-// using the new protocol.
+// Meta-settings that control how a user receives regular settings
+// (CloudPolicySettings) for Chrome. The name "Initial" indicates that
+// these settings will be downloaded before Chrome starts requesting
+// regular settings.
+message ChromeInitialSettingsProto {
+  enum EnrollmentProvision {
+    // The users's device is not automatically enrolled for policies, but the
+    // user may choose to try to enroll it.
+    UNMANAGED = 0;
+    // The user must enroll its device for policies.
+    MANAGED = 1;
+  }
+  // Chrome will interpret this as UNMANAGED if unset.
+  optional EnrollmentProvision enrollment_provision = 1 [default = UNMANAGED];
+}
+
+// A setting is a set of generic name value pairs.
+// TODO(gfeher): remove this after Chrome OS TT is over.
+message GenericSetting {
+  repeated GenericNamedValue named_value = 1;
+}
 
 // Generic value container.
 message GenericValue {
@@ -51,12 +64,8 @@ message GenericNamedValue {
   optional GenericValue value = 2;
 }
 
-// A setting is a set of generic name value pairs.
-message GenericSetting {
-  repeated GenericNamedValue named_value = 1;
-}
-
 // Identify a single device policy setting key/value pair.
+// TODO(gfeher): remove this after Chrome OS TT is over.
 message DevicePolicySetting {
   // key of the policy setting
   required string policy_key = 1;
@@ -66,189 +75,206 @@ message DevicePolicySetting {
   optional string watermark = 3;
 }
 
-// Request for a setting or with optional watermark on client side.
-message DevicePolicySettingRequest {
-  // setting key
-  required string key = 1;
-  // watermark last read from server if available.
-  optional string watermark = 2;
-}
-
-// Request from device to server to read device policies.
-message DevicePolicyRequest {
-  // identify request scope: CrOS settings or other type of settings.
-  optional string policy_scope = 1;
-  // identify key to the settings: proxy etc.
-  repeated DevicePolicySettingRequest setting_request = 2;
-}
-
-// Response from server to agent for reading policies.
-message DevicePolicyResponse {
-  // the result of the settings.
-  repeated DevicePolicySetting setting = 1;
-}
-
-// Request from device to server to register device. The response will include
-// a device token that can be used to query policies.
+// Request from device to server to register device.
 message DeviceRegisterRequest {
-  // reregister device without erasing server state.
-  // it can be used to refresh dmtoken etc.
+  // Reregister device without erasing server state.  It can be used
+  // to refresh dmtoken etc.  Client MUST set this value to true if it
+  // reuses an existing device id.
   optional bool reregister = 1;
+
+  // Device register type.  This field does not exist for TT release.
+  // When a client requests for policies, server should verify the
+  // client has been registered properly.  For example, a client must
+  // register with type DEVICE in order to retrieve device policies.
+  enum Type {
+    TT   = 0;       // Register for TT release.
+    USER = 1;       // Register for user polices.
+    DEVICE = 2;     // Register for device policies.
+  }
+  // NOTE: we also use this field to detect client version.  If this
+  // field is missing, then the request comes from TT.  We will remove
+  // Chrome OS TT support once it is over.
+  optional Type type = 2 [default = TT];
+
+  // Machine hardware id, such as MEID, Mac adress.
+  // This field is required if register type == DEVICE.
+  optional string machine_id = 3;
+
+  // Machine model name, such as "ZGA", "Cr-48", "Nexus One".  If the
+  // model name is not available, client SHOULD send generic name like
+  // "Android", or "Chrome OS".
+  optional string machine_model = 4;
 }
 
 // Response from server to device register request.
 message DeviceRegisterResponse {
-  // device mangement toke for this registration.
+  // Device mangement token for this registration.  This token MUST be
+  // part of HTTP Authorization header for all future requests from
+  // device to server.
   required string device_management_token = 1;
-}
 
-// Protocol buffers for the new protocol:
-// --------------------------------------
-
-// Request from device to server to get policies for an unregistered user.
-// These are actually "meta-policies", that control the rules for the user
-// about enrolling for real policies.
-message InitialPolicyRequest {
+  // Device display name.  By default, server generates the name in
+  // the format of "Machine Model - Machine Id".  However, domain
+  // admin can update it using CPanel, so do NOT treat it as constant.
+  optional string machine_name = 2;
 }
 
-message InitialPolicySettings {
-  enum EnrollmentRule {
-    // The user must enroll its device for policies.
-    MANAGED = 1;
-    // The users's device is not automatically enrolled for policies, but the
-    // user may choose to try to enroll it.
-    UNMANAGED = 2;
-  }
-
-  optional EnrollmentRule enrollment_rule = 1;
+// Request from device to server to unregister device.
+// GoogleDMToken MUST be in HTTP Authorization header.
+message DeviceUnregisterRequest {
 }
 
-// Response from server to device containing the policies available before
-// registration.
-message InitialPolicyResponse {
-  optional InitialPolicySettings settings = 1;
+// Response from server to device for unregister request.
+message DeviceUnregisterResponse {
 }
 
-// Request from device to server to unregister device management token.
-message DeviceUnregisterRequest {
+// Request for a setting or with optional watermark on client side.
+// TODO(gfeher): remove this after Chrome OS TT is over.
+message DevicePolicySettingRequest {
+  // setting key
+  required string key = 1;
+  // watermark last read from server if available.
+  optional string watermark = 2;
 }
 
-// Response from server to unregister request.
-message DeviceUnregisterResponse {
+message PolicyFetchRequest {
+  // This is the policy type, which maps to D3 policy type internally.
+  // By convention, we use "/" as separator to create policy namespace.
+  // The policy type names are case insensitive.
+  //
+  // Possible values for Chrome OS are:
+  //   google/chromeos/device => ChromeSettingsProto
+  //   google/chromeos/user => ChromeSettingsProto
+  //   google/chromeos/unregistered_user => ChromeInitialSettingsProto
+  optional string policy_type = 1;
+
+  // This is the last policy timestamp that client received from server.
+  optional int64 timestamp = 2;
+
+  // Tell server what kind of security signature is required.
+  enum SignatureType {
+    NONE = 0;
+    X509 = 1;
+  }
+  optional SignatureType signature_type = 3 [default = NONE];
 }
 
-// Request from device to server to register device. The response will include
-// a device token that can be used to query policies.
-message CloudRegisterRequest {
-  enum Type {
-    // Requesting token for user policies.
-    USER = 1;
-    // Requesting token for device policies.
-    DEVICE = 2;
-  }
-  optional Type type = 1;
-  // Unique identifier of the machine. Only set if type == DEVICE.
-  // This won't be sent in later requests, the machine can be identified
-  // by its device token.
-  optional string machine_id = 2;
+// This message is included in serialized form in PolicyFetchResponse
+// below.  It may also be signed, with the signature being created for
+// the serialized form.
+message PolicyData {
+  // See PolicyFetchRequest.policy_type.
+  optional string policy_type = 1;
+
+  // [timestamp] is milli seconds since Epoch in UTC timezone. It is
+  // included here so that the time at which the server issued this
+  // response cannot be faked (as protection against replay attacks).
+  // It is the timestamp generated by DMServer, NOT the time admin
+  // last updated the policy or anything like that.
+  optional int64 timestamp = 2;
+
+  // The DM token that was used by the client in the HTTP POST header
+  // for authenticating the request. It is included here again so that
+  // the client can verify that the response is meant for him (and not
+  // issued by a replay or man-in-the-middle attack).
+  optional string request_token = 3;
+
+  // The serialized value of the actual policy protobuf.  This can be
+  // deserialized to an instance of, for example, ChromeSettingsProto
+  // or ChromeUserSettingsProto.
+  optional bytes policy_value = 4;
+
+  // The device display name assigned by the server.  It is only
+  // filled if the display name is available.
+  //
+  // The display name of the machine as generated by the server or set
+  // by the Administrator in the CPanel GUI. This is the same thing as
+  // |machine_name| in DeviceRegisterResponse but it might have
+  // changed since then.
+  optional string machine_name = 5;
 }
 
-// Response from server to device register request.
-message CloudRegisterResponse {
-  // Token for this registration.
-  required string device_management_token = 1;
+message PolicyFetchResponse {
+  // Since a single policy request may ask for multiple policies, we
+  // provide separate error code for each individual policy fetch.
 
-  // The name of the requesting device, assigned by the server.
-  optional string machine_name = 2;
+  // We will use standard HTTP Status Code as error code.
+  optional int32  error_code = 1;
+
+  // Human readable error message for customer support purpose.
+  optional string error_message = 2;
+
+  // This is a serialized bytes of PolicyData protobuf above.
+  optional bytes policy_data = 3;
+
+  // Signature of the policy data above.
+  optional bytes policy_data_signature = 4;
+
+  // The chain of DER-encoded X.509 certificates of the server's
+  // signing key.  The first element should be the certificate whose
+  // private key was used for signing the response, and each of the
+  // following certificates signs the previous one.
+  //
+  // If this field does not exist, it means the policy_data is not
+  // signed.
+  repeated bytes certificate_chain = 5;
 }
 
-message CloudPolicyRequest {
-  // Identify request scope: chromeos/device for device policies, chromeos/user
-  // for user policies. Only those policy scopes will be served, that are
-  // allowed by the type choice in CloudRegisterRequest.
+// Request from device to server for reading policies.
+message DevicePolicyRequest {
+  // identify request scope: CrOS settings or other type of settings.
+  // TODO(gfeher): remove this after Chrome OS TT is over.
   optional string policy_scope = 1;
+  // identify key to the settings: proxy etc.
+  // TODO(gfeher): remove this after Chrome OS TT is over.
+  repeated DevicePolicySettingRequest setting_request = 2;
 
-  // The token used to query device policies on the device sending the request.
-  // Note, that the token used for actual authentication is sent in an HTTP
-  // header. These two tokens are the same if this request is for querying
-  // device policies and they differ if this request is for querying user
-  // policies. In the second case, the server can use device_policy_token to
-  // identify the device and determine if the user is allowed to get policies
-  // on the given device.
-  optional string device_policy_token = 2;
+  // The policy fetch request.  If this field exists, the request must
+  // comes from a non-TT client.  The repeated field allows client to
+  // request multiple policies for better performance.
+  repeated PolicyFetchRequest request = 3;
 }
 
 // Response from server to device for reading policies.
-message CloudPolicyResponse {
-  // Serialized SignedCloudPolicyResponse.
-  optional bytes signed_response = 1;
-  // RSA signature of the SHA1 hash of the above data.
-  optional bytes signature = 2;
-  // The chain of DER-encoded X.509 certificates of the server's signing key.
-  // The first element should be the certificate whose private key was used
-  // for signing the response, and each of the following certificates signs the
-  // previous one.
-  repeated bytes certificate_chain = 3;
-}
-message SignedCloudPolicyResponse {
-  // The following two are necessary against replay attacks.
-  // |timestamp| is a unix timestamp (seconds since 1970).
-  optional int64 timestamp = 1;
-  // The token that was used for the request.
-  optional string request_token = 2;
-  // The name of the device, assigned by the server.
-  optional string device_name = 3;
-  // CloudPolicySettings is defined in cloud_policy.proto (which is
-  // auto-generated from chrome/app/policy_templates.json).
-  optional CloudPolicySettings settings = 4;
+message DevicePolicyResponse {
+  // the result of the settings.
+  // TODO(gfeher): remove this after Chrome OS TT is over.
+  repeated DevicePolicySetting setting = 1;
+
+  // The policy fetch response.
+  repeated PolicyFetchResponse response = 3;
 }
 
-// Request from the DMAgent on the device to the DMServer.
-// This is container for all requests from client.
+// Request from the DMAgent on the device to the DMServer.  This is
+// container for all requests from device to server.  The overall HTTP
+// request MUST be in the following format:
 //
-// Http Query parameters:
-// Query parameters contain the following information in each request:
-//   request: register/unregister/policy/cloud_policy/cloud_register/
-//            initial_policy
-//   devicetype: CrOS/Android/Iphone etc.
-//   apptype: CrOS/AndroidDM etc.
-//   agent: identify agent on device.
+// * HTTP method is POST
+// * Data mime type is application/x-protobuffer
+//   * See GoogleContentTypeEnum.java

[Mattias Nissler (ping if slow), 2011/03/01 10:25:49]

Hm, this is a reference to internal source which is not helpful here, or is it?

[gfeher, 2011/03/01 15:53:00]

Then I just remove it.

+// * HTTP parameters are (all required, all case sensitive):
+//   * request: MUST BE one of register/unregister/policy/ping
+//   * devicetype: MUST BE "1" for Android or "2" for Chrome OS.

[Mattias Nissler (ping if slow), 2011/03/01 10:25:49]

Ah, I see where the 1 comes from now :)

+//   * apptype: MUST BE Android or Chrome.
+//   * deviceid: MUST BE no more than 64-char in [\x20-\x7E].
+//   * agent: MUST BE no more than 64-char long.

[Mattias Nissler (ping if slow), 2011/03/01 10:25:49]

Should we then make sure our agent string will be only 64 chars? Like limiting
it?

[gfeher, 2011/03/01 15:53:00]

Currently the testserver checks for it and dies in case it's longer.

+// * HTTP Authorization header MUST be in the following formats:
+//   * For register and ping requests
+//     Authorization: GoogleLogin auth=<auth cookie for Mobile Sync>
 //
-// Authorization:
-// 1. If request is initial_policy, client must pass in GoogleLogin
-//    auth  cookie in Authorization header:
-//      Authorization: GoogleLogin auth=<auth cookie>
-//    The response will contain settings that a user can get without
-//    registration. Currently the only such setting is a flag indicating if the
-//    user is in a managed domain or not. (We don't want to expose device ids of
-//    users not in managed domains.)
-// 2. If request is register_request, client must pass in GoogleLogin auth
-//    cookie in Authorization header:
-//      Authorization: GoogleLogin auth=<auth cookie>
-//    The response will contain an unique DMToken for future requests.
-//    Depending on domain policy, the request may need admin approval before
-//    DMToken is issued.
-// 3. For other requests, client must pass in DMToken in Authorization header:
-//    Authorization: GoogleDMToken token=<google dm token>
+//   * For unregister and policy requests
+//      Authorization: GoogleDMToken token=<dm token from register>
 //
+//   * OAuth is NOT supported yet.
 message DeviceManagementRequest {
-  // Register request (old protocol).
+  // Register request.
   optional DeviceRegisterRequest register_request = 1;
 
   // Unregister request.
   optional DeviceUnregisterRequest unregister_request = 2;
 
-  // Data request.
+  // Policy request.
   optional DevicePolicyRequest policy_request = 3;
-
-  // Data request (new protocol).
-  optional CloudPolicyRequest cloud_policy_request = 4;
-
-  // Request for initial (before registration) policies.
-  optional InitialPolicyRequest initial_policy_request = 5;
-
-  // Register request (new protocol).
-  optional CloudRegisterRequest cloud_register_request = 6;
 }
 
 // Response from server to device.
@@ -276,7 +302,7 @@ message DeviceManagementResponse {
   // Error message.
   optional string error_message = 2;
 
-  // Register response (old protocol).
+  // Register response
   optional DeviceRegisterResponse register_response = 3;
 
   // Unregister response
@@ -284,13 +310,4 @@ message DeviceManagementResponse {
 
   // Policy response.
   optional DevicePolicyResponse policy_response = 5;
-
-  // Policy response (new protocol).
-  optional CloudPolicyResponse cloud_policy_response  = 6;
-
-  // Response to initial (before registration) policy request.
-  optional InitialPolicyResponse initial_policy_response = 7;
-
-  // Register response (new protocol).
-  optional CloudRegisterResponse cloud_register_response = 8;
 }