Adding rule frames to the ONC spec.

chromeos/docs/onc_spec.html

 <!DOCTYPE html>
 <html>
 <head>
   <meta charset="utf-8">
   <link rel="stylesheet" href="onc_spec.css" >
   <script src="onc_spec.js"></script>
   <title>Open Network Configuration Format</title>
 </head>
 <body>
 
@@ skipping 196 matching lines @@
     <dt class="field">Certificates</dt>
     <dd>
       <span class="field_meta">
         (optional)
         <span class="type">array of Certificate</span>
       </span>
       Contains certificates stored in X.509 or PKCS#12 format.
     </dd>
   </dl>
 
-  <p>
+  <p class="rule">
+    <span class="rule_id"></span>
     At least one array (either <span class="field">NetworkConfigurations</span>
     and/or <span class="field">Certificates</span>) must be present.
   </p>
 
 <section>
   <h1>Network Configuration</h1>
   <p>
     Field <span class="field">NetworkConfigurations</span> is an array
     of <span class="type">NetworkConfiguration</span> typed
     objects. The <span class="type">NetworkConfiguration</span> type contains
@@ skipping 75 matching lines @@
     </dd>
 
     <dt class="field">SearchDomains</dt>
     <dd>
       <span class="field_meta">
         (optional if <span class="field">Remove</span> is
         <span class="value">false</span>, otherwise ignored)
         <span class="type">array of string</span>
       </span>
       Array of strings to append to names for resolution. Items in this array
-      should not start with a
-      dot. Example: <span class="snippet">["corp.acme.org", "acme.org"]</span>. If
-      not specified, DHCP values will be used.
+      should not start with a dot. Example:
+      <span class="snippet">["corp.acme.org", "acme.org"]</span>. If not
+      specified, DHCP values will be used.
     </dd>
 
     <dt class="field">VPN</dt>
     <dd>
       <span class="field_meta">
         (required if <span class="field">Type</span> is
         <span class="value">VPN</span>, otherwise ignored)
         <span class="type">VPN</span>
       </span>
       VPN settings.
     </dd>
 
     <dt class="field">WiFi</dt>
     <dd>
       <span class="field_meta">
         (required if <span class="field">Type</span> is
         <span class="value">WiFi</span>, otherwise ignored)
         <span class="type">WiFi</span>
       </span>
       Wi-Fi settings.
     </dd>
 
     <dt class="field">Type</dt>
     <dd>
       <span class="field_meta">
         (required if <span class="field">Remove</span> is
         <span class="value">false</span>, otherwise ignored)
         <span class="type">string</span>
       </span>
-      Indicates which kind of connection this is. Must be one
-      of <span class="value">Cellular</span>,
-      <span class="value">Ethernet</span>, <span class="value">WiFi</span>, or
-      <span class="value">VPN</span>.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">Cellular</span>,
+        <span class="value">Ethernet</span>, <span class="value">WiFi</span>,
+        and <span class="value">VPN</span>.
+      </span>
+      Indicates which kind of connection this is.
     </dd>
   </dl>
 
 <section>
   <h1>Ethernet networks</h1>
   <p>
     For Ethernet connections, <span class="field">Type</span> must be set to
     <span class="value">Ethernet</span> and the
     field <span class="field">Ethernet</span> must be set to an object of
     type <span class="type">Ethernet</span> containing the following fields:
   </p>
 
   <dl class="field_list">
     <dt class="field">Authentication</dt>
     <dd>
       <span class="field_meta">
         (optional)
         <span class="type">string</span>
       </span>
-      Either <span class="value">None</span>
-      or <span class="value">8021X</span>.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">None</span> and
+        <span class="value">8021X</span>.
+      </span>
     </dd>
 
     <dt class="field">EAP</dt>
     <dd>
       <span class="field_meta">
         (required if <span class="field">Authentication</span> is
         <span class="value">8021X</span>, otherwise ignored)
         <span class="type">EAP</span>
       </span>
       EAP settings.
@@ skipping 10 matching lines @@
     particular static IP configuration and contains the following fields:
   </p>
 
   <dl class="field_list">
     <dt class="field">Type</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
-      Must be either <span class="value">IPv4</span>
-      or <span class="value">IPv6</span>, describing the type of configuration
-      this is.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">IPv4</span>
+        and <span class="value">IPv6</span>
+      </span>
+      Describes the type of configuration this is.
     </dd>
 
     <dt class="field">IPAddress</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
       Describes the IPv4 or IPv6 address of a connection, depending on the value
       of <span class="field">Type</span> field. It should not contain the
       routing prefix (i.e. should not end in something like /64).
     </dd>
 
     <dt class="field">RoutingPrefix</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">integer</span>
       </span>
-      Describes the routing prefix. This is a number in the range [1, 32] for
-      IPv4 and [1, 128] for IPv6 addresses.
+      <span class="rule">
+        <span class="rule_id"></span> Must be a number in the range [1, 32] for

[David Roche, 2013/02/13 12:57:09]

Previous lines keep the rule_id span on its own line.  Put it on its own line
here, for consistency?

[pneubeck (no reviews), 2013/02/13 13:09:15]

Done.

+        IPv4 and [1, 128] for IPv6 addresses.
+      </span>
+      Describes the routing prefix.
     </dd>
 
     <dt class="field">Gateway</dt>
     <dd>
       <span class="field_meta">
         (optional)
         <span class="type">string</span>
       </span>
       Describes the gateway address to use for the configuration. Must match
-      address type specified in
-      <span class="field">Type</span> field. If not specified, DHCP values will
-      be used. </dd>
+      address type specified in <span class="field">Type</span> field. If not
+      specified, DHCP values will be used.
+    </dd>
 
     <dt class="field">NameServers</dt>
     <dd>
       <span class="field_meta">
         (optional)
         <span class="type">array of string</span>
       </span>
       Array of addresses to use for name servers. Address format must match that
       specified in the <span class="field">Type</span> field. Overrides values
       in the top level NameServers field for this configuration. If not
@@ skipping 68 matching lines @@
       must be of the format 0x&lt;hex-number&gt;, where &lt;hex-number&gt; is
       40, 104, 128, or 232 bits.
     </dd>
 
     <dt class="field">Security</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
-      One of <span class="value">None</span>, <span class="value">WEP-PSK</span>,
-      <span class="value">WEP-8021X</span>, <span class="value">WPA-PSK</span>,
-      <span class="value">WPA-EAP</span>.
+      <span class="rule">
+        <span class="rule_id"></span> Allowed values
+        are <span class="value">None</span>, <span class="value">WEP-PSK</span>,

[David Roche, 2013/02/13 12:57:09]

rule_id on own line, and separating the two value here, to be consistent with
the next 3 lines?

[pneubeck (no reviews), 2013/02/13 13:09:15]

Done.

+        <span class="value">WEP-8021X</span>,
+        <span class="value">WPA-PSK</span>, and
+        <span class="value">WPA-EAP</span>.
+      </span>
     </dd>
 
     <dt class="field">SSID</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
       SSID of the network.
     </dd>
@@ skipping 69 matching lines @@
       </span>
       OpenVPN settings.
     </dd>
 
     <dt class="field">Type</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
-      Type of the VPN, one of
-      <span class="value">IPsec</span>, <span class="value">L2TP-IPsec</span>,
-      or <span class="value">OpenVPN</span>.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">IPsec</span>,
+        <span class="value">L2TP-IPsec</span>, and
+        <span class="value">OpenVPN</span>.
+      </span>
+      Type of the VPN.
     </dd>
   </dl>
 
   <section>
     <h1>IPsec-based VPN types</h1>
     <p>
       The <span class="type">IPsec</span> type contains the following:
     </p>
 
     <dl class="field_list">
       <dt class="field">AuthenticationType</dt>
       <dd>
         <span class="field_meta">
           (required)
           <span class="type">string</span>
         </span>
-        Either <span class="value">PSK</span> or <span class="value">Cert</span>
+        <span class="rule">
+          <span class="rule_id"></span>
+          Allowed values are <span class="value">PSK</span> and
+          <span class="value">Cert</span>
+        </span>
       </dd>
 
       <dt class="field">ClientCertPattern</dt>
       <dd>
         <span class="field_meta">
           (required if <span class="field">ClientCertType</span>
           is <span class="value">Pattern</span>, otherwise ignored)
           <span class="type">CertificatePattern</span>
         </span>
         Pattern describing the client certificate.
       </dd>
 
       <dt class="field">ClientCertRef</dt>
       <dd>
         <span class="field_meta">
           (required if <span class="field">ClientCertType</span>
           is <span class="value">Ref</span>, otherwise ignored)
           <span class="type">string</span>
         </span>
         Reference to client certificate stored in certificate section.
       </dd>
 
       <dt class="field">ClientCertType</dt>
       <dd>
         <span class="field_meta">
           (required if <span class="field">AuthenticationType</span>
           is <span class="value">Cert</span>, otherwise ignored)
           <span class="type">string</span>
         </span>
-        Either <span class="value">Ref</span>
-        or <span class="value">Pattern</span>
+        <span class="rule">
+          <span class="rule_id"></span>
+          Allowed values are <span class="value">Ref</span> and
+          <span class="value">Pattern</span>
+        </span>
       </dd>
 
       <dt class="field">EAP</dt>
       <dd>
         <span class="field_meta">
           (optional if <span class="field">IKEVersion</span> is 2, otherwise
           ignored)
           <span class="type">EAP</span>
         </span>
         Indicating that EAP authentication should be used with the provided
@@ skipping 179 matching lines @@
     </li>
     <li>The field <span class="field">L2TP</span> must be present.</li>
   </ul>
 </section>
 
 </section>
 
 <section>
   <h1>OpenVPN connections and types</h1>
   <p>
-    <span class="field">VPN.Type</span> must
-    be <span class="value">OpenVPN</span>.
+    <span class="field">VPN.Type</span> must be
+    <span class="value">OpenVPN</span>.
   </p>
 
   <p>
     <span class="type">OpenVPN</span> type contains the following:
   </p>
 
   <dl class="field_list">
     <dt class="field">Auth</dt>
     <dd>
       <span class="field_meta">
         (optional, defaults to <span class="value">SHA1</span>)
         <span class="type">string</span>
       </span>
     </dd>
 
     <dt class="field">AuthRetry</dt>
     <dd>
       <span class="field_meta">
         (optional, defaults to <span class="value">none</span>)
         <span class="type">string</span>
       </span>
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">none</span>,
+        <span class="value">nointeract</span>, and
+        <span class="value">interact</span>.
+      </span>
       Controls how OpenVPN responds to username/password verification
-      errors. Allowed values are <span class="value">none</span> (fail with
-      error on retry), <span class="value">nointeract</span> (retry without
-      asking for authentication), and <span class="value">interact</span> (ask
-      again for authentication each time).
+      errors:<br> Either fail with error on retry
+      (<span class="value">none</span>), retry without asking for authentication
+      (<span class="value">nointeract</span>), or ask again for authentication
+      each time (<span class="value">interact</span>).
     </dd>
 
     <dt class="field">AuthNoCache</dt>
     <dd>
       <span class="field_meta">
         (optional, defaults to <span class="value">false</span>)
         <span class="type">boolean</span>
       </span>
       Disable caching of credentials in memory.
     </dd>
@@ skipping 26 matching lines @@
       </span>
       Pattern to use to find the client certificate.
     </dd>
 
     <dt class="field">ClientCertType</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
-      Either <span class="value">Ref</span>, <span class="value">Pattern</span>,
-      or <span class="value">None</span>. <span class="value">None</span>
-      implies that the server is configured to not require client certificates.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">Ref</span>,
+        <span class="value">Pattern</span>, and <span class="value">None</span>.
+      </span>
+      <span class="value">None</span> implies that the server is configured to
+      not require client certificates.
     </dd>
 
     <dt class="field">CompLZO</dt>
     <dd>
       <span class="field_meta">
         (optional, defaults to <span class="value">adaptive</span>)
         <span class="type">string</span>
       </span>
       Decides to fast LZO compression with <span class="value">true</span>
       and <span class="value">false</span> as other values.
@@ skipping 81 matching lines @@
       Require the given array of key usage numbers. These are strings that are
       hex encoded numbers.
     </dd>
 
     <dt class="field">RemoteCertTLS</dt>
     <dd>
       <span class="field_meta">
         (optional, defaults to <span class="value">server</span>)
         <span class="type">string</span>
       </span>
-      Require peer certificate signing based on RFC3280 TLS rules. May
-      be <span class="value">none</span> or <span class="value">server</span>.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">none</span> and
+        <span class="value">server</span>.
+      </span>
+      Require peer certificate signing based on RFC3280 TLS rules.
     </dd>
 
     <dt class="field">RenegSec</dt>
     <dd>
       <span class="field_meta">
         (optional, defaults to <span class="value">3600</span>)
         <span class="type">integer</span>
       </span>
       Renegotiate data channel key after this number of seconds.
     </dd>
@@ skipping 97 matching lines @@
   </dl>
 </section>
 
 </section>
 
 <section>
   <h1>Client certificate patterns</h1>
   <p>
     In order to allow clients to securely key their private keys and request
     certificates through PKCS#10 format or through a web flow, we provide
-    alternative CertificatePattern
-    types. The <span class="type">CertificatePattern</span> type contains the
-    following:
+    alternative CertificatePattern types. The
+    <span class="type">CertificatePattern</span> type contains the following:
   </p>
 
   <dl class="field_list">
     <dt class="field">IssuerCARef</dt>
     <dd>
       <span class="field_meta">
         (optional)
         <span class="type">array of string</span>
       </span>
       Array of references to certificates. At least one must have signed the
@@ skipping 78 matching lines @@
     <dd>
       <span class="field_meta">
         (optional)
         <span class="type">string</span>
       </span>
       At least one of certificate subject's organizational units must match this
       string if present.
     </dd>
   </dl>
 
-  <p>
-    One field
-    in <span class="field">Subject</span>, <span class="field">Issuer</span>,
-    or <span class="field">IssuerCARef</span> must be given for a
-    <span class="type">CertificatePattern</span> typed field to be valid. For a
-    certificate to be considered matching, it must match all the fields in the
-    certificate pattern. If multiple certificates match, the certificate with
-    the latest issue date that is still in the past, and hence valid, will be
-    used.
+  <p class="rule">
+    <span class="rule_id"></span>
+    One field in <span class="field">Subject</span>,
+    <span class="field">Issuer</span>, or <span class="field">IssuerCARef</span>
+    must be given for a <span class="type">CertificatePattern</span> typed field
+    to be valid.
   </p>
 
   <p>
+    For a certificate to be considered matching, it must match all
+    the fields in the certificate pattern. If multiple certificates match, the
+    certificate with the latest issue date that is still in the past, and hence
+    valid, will be used.
+  </p>
+
+  <p>
     If <span class="field">EnrollmentURI</span> is not given and no match is
     found to this pattern, the importing tool may show an error to the user.
   </p>
 </section>
 
 <section>
   <h1>Proxy settings</h1>
   <p>
     Every network can be configured to use a
     proxy. The <span class="type">ProxySettings</span> type contains the
     following:
   </p>
 
   <dl class="field_list">
     <dt class="field">Type</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
-      One
-      of <span class="value">Direct</span>, <span class="value">Manual</span>,
-      <span class="value">PAC</span>, or <span class="value">WPAD</span>.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">Direct</span>,
+        <span class="value">Manual</span>, <span class="value">PAC</span>, and
+        <span class="value">WPAD</span>.
+      </span>
       <span class="value">PAC</span> indicates Proxy Auto-Configuration.
       <span class="value">WPAD</span> indicates Web Proxy Autodiscovery.
     </dd>
 
     <dt class="field">Manual</dt>
     <dd>
       <span class="field_meta">
         (required if <span class="field">Type</span>
         is <span class="value">Manual</span>, otherwise ignored)
         <span class="type">ManualProxySettings</span>
@@ skipping 131 matching lines @@
         <span class="type">string</span>
       </span>
       Reference to client certificate stored in certificate section.
     </dd>
 
     <dt class="field">ClientCertType</dt>
     <dd>
       <span class="field_meta">
         (optional) <span class="type">string</span>
       </span>
-      Must be either <span class="value">Ref</span>
-      or <span class="value">Pattern</span>.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">Ref</span>, and
+        <span class="value">Pattern</span>.
+      </span>
     </dd>
 
     <dt class="field">Identity</dt>
     <dd>
       <span class="field_meta">
         (optional)
         <span class="type">string</span>
       </span>
       Identity of user. For tunneling outer protocols
       (<span class="value">PEAP</span>, <span class="value">EAP-TTLS</span>, and
       <span class="value">EAP-FAST</span>), this is used to authenticate inside
       the tunnel, and <span class="field">AnonymousIdentity</span> is used for
       the EAP identity outside the tunnel. For non-tunneling outer protocols,
       this is used for the EAP identity. This value is subject to string
       expansions.
     </dd>
 
     <dt class="field">Inner</dt>
     <dd>
       <span class="field_meta">
         (optional if <span class="field">Outer</span> is
         <span class="value">EAP-FAST</span>, <span class="value">EAP-TTLS</span>
         or <span class="value">PEAP</span>, otherwise ignored, defaults to
         <span class="value">Automatic</span>)
         <span class="type">string</span>
       </span>
-      Must be one of <span class="value">Automatic</span>,
-      <span class="value">MD5</span>, <span class="value">MSCHAPv2</span>,
-      <span class="value">EAP-MSCHAPv2</span>, <span class="value">PAP</span>.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">Automatic</span>,
+        <span class="value">MD5</span>, <span class="value">MSCHAPv2</span>,
+        <span class="value">EAP-MSCHAPv2</span>, and
+        <span class="value">PAP</span>.
+      </span>
       For tunneling outer protocols.
     </dd>
 
     <dt class="field">Outer</dt>
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
-      Must be one of <span class="value">LEAP</span>,
-      <span class="value">EAP-AKA</span>, <span class="value">EAP-FAST</span>,
-      <span class="value">EAP-TLS</span>, <span class="value">EAP-TTLS</span>,
-      <span class="value">EAP-SIM</span> or <span class="value">PEAP</span>.
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">LEAP</span>,
+        <span class="value">EAP-AKA</span>, <span class="value">EAP-FAST</span>,
+        <span class="value">EAP-TLS</span>, <span class="value">EAP-TTLS</span>,
+        <span class="value">EAP-SIM</span> and <span class="value">PEAP</span>.
+      </span>
     </dd>
 
     <dt class="field">Password</dt>
     <dd>
       <span class="field_meta">
         (optional)
         <span class="type">string</span>
       </span>
       Password of user. If not specified, defaults to prompting the user.
     </dd>
@@ skipping 124 matching lines @@
       set to <span class="snippet">["Web"]</span>.
     </dd>
 
     <dt class="field">Type</dt>
     <dd>
       <span class="field_meta">
         (required if <span class="field">Remove</span> is
         <span class="value">false</span>, otherwise ignored)
         <span class="type">string</span>
       </span>
-      One
-      of <span class="value">Client</span>, <span class="value">Server</span>,
-      or <span class="value">Authority</span>. <span class="value">Client</span>
-      indicates the certificate is for identifying the user or device over HTTPS
-      or for VPN/802.1X. <span class="value">Server</span> indicates the
-      certificate identifies an HTTPS or VPN/802.1X
-      peer. <span class="value">Authority</span> indicates the certificate is a
+      <span class="rule">
+        <span class="rule_id"></span>
+        Allowed values are <span class="value">Client</span>,
+        <span class="value">Server</span>, and
+        <span class="value">Authority</span>.
+      </span>
+      <span class="value">Client</span> indicates the certificate is for
+      identifying the user or device over HTTPS or for
+      VPN/802.1X. <span class="value">Server</span> indicates the certificate
+      identifies an HTTPS or VPN/802.1X peer.
+      <span class="value">Authority</span> indicates the certificate is a
       certificate authority and any certificates it issues should be
       trusted. Note that if <span class="field">Type</span> disagrees with the
-      x509 v3 basic constraints or key usage attributes,
-      the <span class="field">Type</span> field should be honored.
+      x509 v3 basic constraints or key usage attributes, the
+      <span class="field">Type</span> field should be honored.
     </dd>
 
     <dt class="field">X509</dt>
     <dd>
       <span class="field_meta">
         (required if <span class="field">Type</span> is
         <span class="value">Server</span> or
         <span class="value">Authority</span>, otherwise ignored)
         <span class="type">string</span>
       </span> For certificate
@@ skipping 123 matching lines @@
     <dd>
       <span class="field_meta">
         (required)
         <span class="type">string</span>
       </span>
       The type of the ONC file, which must be set
       to <span class="value">EncryptedConfiguration</span>.
     </dd>
   </dl>
 
-  <p>
+  <p class="rule">
+    <span class="rule_id"></span>
     When decrypted, the ciphertext must contain a JSON object of
     type <span class="type">UnencryptedConfiguration</span>.
   </p>
 </section>
 
 <section>
   <h1>String Expansions</h1>
   <p>
     The values of some fields, such
     as <span class="field">WiFi.EAP.Identity</span>
@@ skipping 278 matching lines @@
     is transmitted or saved to disk should be secure. On client device, when
     user names for connections that are user-specific are persisted to disk,
     they should be stored in a location that is encrypted. Users can also opt in
     these cases to not save their user credentials in the config file and will
     instead be prompted when they are needed.
   </p>
 </section>
 </section>
 </body>
 </html>