Index: chrome/browser/policy/proto/cloud/device_management_backend.proto |
diff --git a/chrome/browser/policy/proto/cloud/device_management_backend.proto b/chrome/browser/policy/proto/cloud/device_management_backend.proto |
deleted file mode 100644 |
index 7bda9e64107554e68eca6352636eebb4fc36cdce..0000000000000000000000000000000000000000 |
--- a/chrome/browser/policy/proto/cloud/device_management_backend.proto |
+++ /dev/null |
@@ -1,630 +0,0 @@ |
-// Copyright (c) 2012 The Chromium Authors. All rights reserved. |
-// Use of this source code is governed by a BSD-style license that can be |
-// found in the LICENSE file. |
- |
-syntax = "proto2"; |
- |
-option optimize_for = LITE_RUNTIME; |
- |
-package enterprise_management; |
- |
-// Request from device to server to register device. |
-message DeviceRegisterRequest { |
- // Reregister device without erasing server state. It can be used |
- // to refresh dmtoken etc. Client MUST set this value to true if it |
- // reuses an existing device id. |
- optional bool reregister = 1; |
- |
- // Device register type. This field does not exist for TT release. |
- // When a client requests for policies, server should verify the |
- // client has been registered properly. For example, a client must |
- // register with type DEVICE in order to retrieve device policies. |
- enum Type { |
- TT = 0; // Register for TT release. |
- USER = 1; // Register for Chrome OS user polices. |
- DEVICE = 2; // Register for device policies. |
- BROWSER = 3; // Register for Chrome user policies. |
- ANDROID_BROWSER = 4; // Register for Android Chrome browser user policies. |
- IOS_BROWSER = 5; // Register for iOS Chrome browser user policies. |
- } |
- // NOTE: we also use this field to detect client version. If this |
- // field is missing, then the request comes from TT. We will remove |
- // Chrome OS TT support once it is over. |
- optional Type type = 2 [default = TT]; |
- |
- // Machine hardware id, such as serial number. |
- // This field is required if register type == DEVICE. |
- optional string machine_id = 3; |
- |
- // Machine model name, such as "ZGA", "Cr-48", "Nexus One". If the |
- // model name is not available, client SHOULD send generic name like |
- // "Android", or "Chrome OS". |
- optional string machine_model = 4; |
- |
- // When true, indicates that the |machine_id| has been identified as auto- |
- // enrollment candidate on the client and the server can use it to verify |
- // that the client is to be enrolled in the correct mode. |
- // Defaults to false when not present. |
- optional bool auto_enrolled = 5; |
- |
- // Indicates a requisition of the registering entity that the server can act |
- // upon. This allows clients to pass hints e.g. at device enrollment time |
- // about the intended use of the device. |
- optional string requisition = 6; |
-} |
- |
-// Response from server to device register request. |
-message DeviceRegisterResponse { |
- // Device management token for this registration. This token MUST be |
- // part of HTTP Authorization header for all future requests from |
- // device to server. |
- required string device_management_token = 1; |
- |
- // Device display name. By default, server generates the name in |
- // the format of "Machine Model - Machine Id". However, domain |
- // admin can update it using CPanel, so do NOT treat it as constant. |
- optional string machine_name = 2; |
- |
- // Enum listing the possible modes the device should be locked into when the |
- // registration is finished. |
- enum DeviceMode { |
- // In ENTERPRISE mode the device has no local owner and device settings are |
- // controlled through the cloud policy infrastructure. Auto-enrollment is |
- // supported in that mode. |
- ENTERPRISE = 0; |
- // Devices in RETAIL mode also have no local owner and get their device |
- // settings from the cloud, but additionally this mode enables the demo |
- // account on the device. |
- RETAIL = 1; |
- } |
- optional DeviceMode enrollment_type = 3 [default = ENTERPRISE]; |
-} |
- |
-// Request from device to server to unregister device. |
-// GoogleDMToken MUST be in HTTP Authorization header. |
-message DeviceUnregisterRequest { |
-} |
- |
-// Response from server to device for unregister request. |
-message DeviceUnregisterResponse { |
-} |
- |
-// Request from device to server to upload device EMCert |
-// (enteprise machine cert used for remote attestation). |
-// GoogleDMToken MUST be in HTTP Authorization header. |
-message DeviceCertUploadRequest { |
- // EMCert in X.509 format. |
- optional bytes device_certificate = 1; |
-} |
- |
-// Response from server to device for cert upload request. |
-message DeviceCertUploadResponse { |
-} |
- |
-// Request to access a Google service with the given scope. |
-message DeviceServiceApiAccessRequest { |
- // The list of auth scopes the device requests from DMServer. |
- repeated string auth_scope = 1; |
- |
- // OAuth2 client ID to which the returned authorization code is bound. |
- optional string oauth2_client_id = 2; |
-} |
- |
-message DeviceServiceApiAccessResponse { |
- // The OAuth2 authorization code for the requested scope(s). |
- // This can be exchanged for a refresh token. |
- optional string auth_code = 1; |
-} |
- |
-message PolicyFetchRequest { |
- // This is the policy type, which maps to D3 policy type internally. |
- // By convention, we use "/" as separator to create policy namespace. |
- // The policy type names are case insensitive. |
- // |
- // Possible values for Chrome OS are: |
- // google/chromeos/device => ChromeDeviceSettingsProto |
- // google/chromeos/user => ChromeSettingsProto |
- // google/chromeos/publicaccount => ChromeSettingsProto |
- // google/chrome/extension => ExternalPolicyData |
- // google/android/user => ChromeSettingsProto |
- // google/ios/user => ChromeSettingsProto |
- optional string policy_type = 1; |
- |
- // This is the last policy timestamp that client received from server. |
- optional int64 timestamp = 2; |
- |
- // Tell server what kind of security signature is required. |
- enum SignatureType { |
- NONE = 0; |
- SHA1_RSA = 1; |
- } |
- optional SignatureType signature_type = 3 [default = NONE]; |
- |
- // The version number of the public key that is currently stored |
- // on the client. This should be the last number the server had |
- // supplied as new_public_key_version in PolicyData. |
- // This field is unspecified if the client does not yet have a |
- // public key. |
- optional int32 public_key_version = 4; |
- |
- // Machine hardware id, such as serial number. |
- // This field is should be set only if the serial number for the device is |
- // missing from the server, as indicated by the valid_serial_number_missing |
- // field in the last policy fetch response. |
- optional string machine_id = 5; |
- |
- // This field is used for devices to send the additional ID to fetch settings. |
- // Retrieving some settings requires more than just device or user ID. |
- // For example, to retrieve public account, devices need to pass in |
- // public account ID in addition to device ID. To retrieve extension or |
- // plug-in settings, devices need to pass in extension/plug-in ID in |
- // addition to user ID. |
- // policy_type represents the type of settings (e.g. public account, |
- // extension) devices request to fetch. |
- optional string settings_entity_id = 6; |
- |
- // If this fetch is due to a policy invalidation, this field contains the |
- // version provided with the invalidation. The server interprets this value |
- // and the value of invalidation_payload to fetch the up-to-date policy. |
- optional int64 invalidation_version = 7; |
- |
- // If this fetch is due to a policy invalidation, this field contains the |
- // payload delivered with the invalidation. The server interprets this value |
- // and the value of invalidation_version to fetch the up-to-date policy. |
- optional bytes invalidation_payload = 8; |
-} |
- |
-// This message is included in serialized form in PolicyFetchResponse |
-// below. It may also be signed, with the signature being created for |
-// the serialized form. |
-message PolicyData { |
- // See PolicyFetchRequest.policy_type. |
- optional string policy_type = 1; |
- |
- // [timestamp] is milliseconds since Epoch in UTC timezone. It is |
- // included here so that the time at which the server issued this |
- // response cannot be faked (as protection against replay attacks). |
- // It is the timestamp generated by DMServer, NOT the time admin |
- // last updated the policy or anything like that. |
- optional int64 timestamp = 2; |
- |
- // The DM token that was used by the client in the HTTP POST header |
- // for authenticating the request. It is included here again so that |
- // the client can verify that the response is meant for him (and not |
- // issued by a replay or man-in-the-middle attack). |
- optional string request_token = 3; |
- |
- // The serialized value of the actual policy protobuf. This can be |
- // deserialized to an instance of, for example, ChromeSettingsProto, |
- // ChromeDeviceSettingsProto, or ExternalPolicyData. |
- optional bytes policy_value = 4; |
- |
- // The device display name assigned by the server. It is only |
- // filled if the display name is available. |
- // |
- // The display name of the machine as generated by the server or set |
- // by the Administrator in the CPanel GUI. This is the same thing as |
- // |machine_name| in DeviceRegisterResponse but it might have |
- // changed since then. |
- optional string machine_name = 5; |
- |
- // Version number of the server's current public key. (The key that |
- // was used to sign this response. Numbering should start at 1 and be |
- // increased by 1 at each key rotation.) |
- optional int32 public_key_version = 6; |
- |
- // The user this policy is intended for. In case of device policy, the name |
- // of the owner (who registered the device). |
- optional string username = 7; |
- |
- // In this field the DMServer should echo back the "deviceid" HTTP parameter |
- // from the request. |
- optional string device_id = 8; |
- |
- // Indicates which state this association with DMServer is in. This can be |
- // used to tell the client that it is not receiving policy even though the |
- // registration with the server is kept active. |
- enum AssociationState { |
- // Association is active and policy is pushed. |
- ACTIVE = 0; |
- // Association is alive, but the corresponding domain is not managed. |
- UNMANAGED = 1; |
- // Client got dropped on the server side. |
- DEPROVISIONED = 2; |
- } |
- optional AssociationState state = 9 [default = ACTIVE]; |
- |
- // Indicates if the the server cannot find a valid serial number for the |
- // device. If this flag is set, the device should send the valid serial |
- // number with a device policy fetch request. Note that this only |
- // applies to device policy. |
- optional bool valid_serial_number_missing = 10; |
- |
- // Indicates which public account or extension/plug-in this policy data is |
- // for. See PolicyFetchRequest.settings_entity_id for more details. |
- optional string settings_entity_id = 11; |
- |
- // Indicates the identity the device service account is associated with. |
- // This is only sent as part of device policy fetch. |
- optional string service_account_identity = 12; |
- |
- // The object source which hosts policy objects within the invalidation |
- // service. This value is combined with invalidation_name to form the object |
- // id used to register for invalidations to this policy. |
- optional int32 invalidation_source = 13; |
- |
- // The name which uniquely identifies this policy within the invalidation |
- // service object source. This value is combined with invalidation_source to |
- // form the object id used to register for invalidations to this policy. |
- optional bytes invalidation_name = 14; |
-} |
- |
-message PolicyFetchResponse { |
- // Since a single policy request may ask for multiple policies, we |
- // provide separate error code for each individual policy fetch. |
- |
- // We will use standard HTTP Status Code as error code. |
- optional int32 error_code = 1; |
- |
- // Human readable error message for customer support purpose. |
- optional string error_message = 2; |
- |
- // This is a serialized |PolicyData| protobuf (defined above). |
- optional bytes policy_data = 3; |
- |
- // Signature of the policy data above. |
- optional bytes policy_data_signature = 4; |
- |
- // If the public key has been rotated on the server, the new public |
- // key is sent here. It is already used for |policy_data_signature| |
- // above, whereas |new_public_key_signature| is created using the |
- // old key (so the client can trust the new key). If this is the |
- // first time when the client requests policies (so it doesn't have |
- // on old public key), then |new_public_key_signature| is empty. |
- optional bytes new_public_key = 5; |
- optional bytes new_public_key_signature = 6; |
-} |
- |
-// Request from device to server for reading policies. |
-message DevicePolicyRequest { |
- // The policy fetch request. If this field exists, the request must |
- // comes from a non-TT client. The repeated field allows client to |
- // request multiple policies for better performance. |
- repeated PolicyFetchRequest request = 3; |
-} |
- |
-// Response from server to device for reading policies. |
-message DevicePolicyResponse { |
- // The policy fetch response. |
- repeated PolicyFetchResponse response = 3; |
-} |
- |
-message TimePeriod { |
- // [timestamp] is milli seconds since Epoch in UTC timezone. |
- optional int64 start_timestamp = 1; |
- optional int64 end_timestamp = 2; |
-} |
- |
-message ActiveTimePeriod { |
- optional TimePeriod time_period = 1; |
- |
- // The active duration during the above time period. |
- // The unit is milli-second. |
- optional int32 active_duration = 2; |
-} |
- |
-// This captures launch events for one app/extension or other installments. |
-message InstallableLaunch { |
- optional string install_id = 1; |
- |
- // Time duration where this report covers. These are required |
- // and the record will be ignored if not set. |
- optional TimePeriod duration = 2; |
- |
- // Client will send at most 50 timestamps to DM. All the rest |
- // launch activities will be summed into the total count. |
- // We will distribute the count evenly among the time span when |
- // doing time based aggregation. |
- repeated int64 timestamp = 3; |
- optional int64 total_count = 4; |
-} |
- |
-// Used to report the device location. |
-message DeviceLocation { |
- enum ErrorCode { |
- ERROR_CODE_NONE = 0; |
- ERROR_CODE_POSITION_UNAVAILABLE = 1; |
- } |
- |
- // Latitude in decimal degrees north (WGS84 coordinate frame). |
- optional double latitude = 1; |
- |
- // Longitude in decimal degrees west (WGS84 coordinate frame). |
- optional double longitude = 2; |
- |
- // Altitude in meters (above WGS84 datum). |
- optional double altitude = 3; |
- |
- // Accuracy of horizontal position in meters. |
- optional double accuracy = 4; |
- |
- // Accuracy of altitude in meters. |
- optional double altitude_accuracy = 5; |
- |
- // Heading in decimal degrees clockwise from true north. |
- optional double heading = 6; |
- |
- // Horizontal component of device velocity in meters per second. |
- optional double speed = 7; |
- |
- // Time of position measurement in milisecons since Epoch in UTC time. |
- optional int64 timestamp = 8; |
- |
- // Error code, see enum above. |
- optional ErrorCode error_code = 9; |
- |
- // Human-readable error message. |
- optional string error_message = 10; |
-} |
- |
-// Details about a network interface. |
-message NetworkInterface { |
- // Indicates the type of network device. |
- enum NetworkDeviceType { |
- TYPE_ETHERNET = 0; |
- TYPE_WIFI = 1; |
- TYPE_WIMAX = 2; |
- TYPE_BLUETOOTH = 3; |
- TYPE_CELLULAR = 4; |
- } |
- |
- // Network device type. |
- optional NetworkDeviceType type = 1; |
- |
- // MAC address (if applicable) of the corresponding network device. This is |
- // formatted as an ASCII string with 12 hex digits. Example: A0B1C2D3E4F5. |
- optional string mac_address = 2; |
- |
- // MEID (if applicable) of the corresponding network device. Formatted as |
- // ASCII string composed of 14 hex digits. Example: A10000009296F2. |
- optional string meid = 3; |
- |
- // IMEI (if applicable) of the corresponding network device. 15-16 decimal |
- // digits encoded as ASCII string. Example: 355402040158759. |
- optional string imei = 4; |
-} |
- |
-// Details about a device user. |
-message DeviceUser { |
- // Types of device users which can be reported. |
- enum UserType { |
- // A user managed by the same domain as the device. |
- USER_TYPE_MANAGED = 0; |
- |
- // A user not managed by the same domain as the device. |
- USER_TYPE_UNMANAGED = 1; |
- } |
- |
- // The type of the user. |
- required UserType type = 1; |
- |
- // Email address of the user. Present only if the user type is managed. |
- optional string email = 2; |
-} |
- |
-// Report device level status. |
-message DeviceStatusReportRequest { |
- // The OS version reported by the device is a platform version |
- // e.g. 1435.0.2011_12_16_1635. |
- optional string os_version = 1; |
- optional string firmware_version = 2; |
- |
- // "Verified", "Dev". Same as verified mode. |
- // If the mode is unknown, this field should not be set. |
- optional string boot_mode = 3; |
- |
- // Device active times collection since last report rpc call. |
- // No longer used -- use active_period instead. |
- repeated TimePeriod active_time = 4 [deprecated = true]; |
- |
- // The browser version string as shown in the About dialog. |
- // e.g. 17.0.963.18. |
- optional string browser_version = 5; |
- |
- // A list of periods when the device was active, aggregated by day. |
- repeated ActiveTimePeriod active_period = 6; |
- |
- // The device location. |
- optional DeviceLocation device_location = 7; |
- |
- // List of network interfaces. |
- repeated NetworkInterface network_interface = 8; |
- |
- // List of recent device users, in descending order by last login time. |
- repeated DeviceUser user = 9; |
-} |
- |
-// Report session (a user on one device) level status. |
-message SessionStatusReportRequest { |
- // Installed apps for this user on this device. |
- repeated string installed_app_id = 1; |
- |
- // Installed extensions for this user on this device. |
- repeated string installed_extension_id = 2; |
- |
- // One stat per app for top 30 apps. |
- repeated InstallableLaunch app_launch_stat = 3; |
-} |
- |
-// Response from DMServer to update devices' status. |
-// It is possible that status report fails but policy request succeed. In such |
-// case, the DeviceStatusReportResponse will contain an error code and the |
-// device should re-send status report data in the next policy request. The |
-// device should re-send report data if policy request fails, even if |
-// DeviceStatusReportResponse contains no error code. |
-message DeviceStatusReportResponse { |
- optional int32 error_code = 1; |
- |
- // Human readable error message for customer support purpose. |
- optional string error_message = 2; |
-} |
- |
-// Response from DMServer to update user devices' status. |
-// It is possible that status report fails but policy request succeed. In such |
-// case, the SessionStatusReportResponse will contain an error code and the |
-// device should re-send status report data in the next policy request. The |
-// device should re-send report data if policy request fails, even if |
-// SessionStatusReportResponse contains no error code. |
-message SessionStatusReportResponse { |
- optional int32 error_code = 1; |
- |
- // Human readable error message for customer support purpose. |
- optional string error_message = 2; |
-} |
- |
-// Request from device to server to determine whether the device should |
-// go through enterprise enrollment. Unlike the other requests, this request is |
-// not authenticated. |
-message DeviceAutoEnrollmentRequest { |
- // SHA-256 hash of the device's serial number, mod |modulus|. |
- // Should always be present. |
- optional int64 remainder = 1; |
- |
- // Modulus of the hash used by the client. Should always be present. This |
- // is the number of buckets the client thinks the server has. For now, |
- // it is a power of 2, but due to the strict constraint on how many serial |
- // numbers a bucket can contain, it may become non power of 2. If that |
- // happens, client-side needs to change its assumption. |
- optional int64 modulus = 2; |
-} |
- |
-// Response from server to auto-enrollment detection request. |
-message DeviceAutoEnrollmentResponse { |
- // If this field is present, the other fields are ignored and the client |
- // should send a new DeviceAutoEnrollmentRequest with a new |remainder| |
- // computed using this new |modulus|. If this field is empty, the client's |
- // request was accepted. |
- // DMServer guarantees that if the modulus sent by client in |
- // DeviceAutoEnrollmentRequest matches server's expectation, this field |
- // is unset. |
- optional int64 expected_modulus = 1; |
- |
- // List of hashes in the client's hash bucket. If the client's hash matches |
- // any in this list, the client device should do enterprise enrollment. |
- // If it matches none, enrollment should be optional. |
- // Each entry has exactly 256 bits (32 bytes). |
- repeated bytes hash = 2; |
-} |
- |
-// Request from the DMAgent on the device to the DMServer. This is |
-// container for all requests from device to server. The overall HTTP |
-// request MUST be in the following format: |
-// |
-// * HTTP method is POST |
-// * Data mime type is application/x-protobuffer |
-// * HTTP parameters are (all required, all case sensitive): |
-// * request: MUST BE one of |
-// * cert_upload |
-// * enterprise_check |
-// * ping |
-// * policy |
-// * register |
-// * status |
-// * unregister |
-// * api_authorization |
-// |
-// * devicetype: MUST BE "1" for Android or "2" for Chrome OS. |
-// * apptype: MUST BE Android or Chrome. |
-// * deviceid: MUST BE no more than 64-char in [\x21-\x7E]. |
-// * agent: MUST BE no more than 64-char long. |
-// * HTTP Authorization header MUST be in the following formats: |
-// * For register and ping requests |
-// Authorization: GoogleLogin auth=<auth cookie for Mobile Sync> |
-// |
-// * For unregister, policy, status, and cert_upload requests |
-// Authorization: GoogleDMToken token=<dm token from register> |
-// |
-// * The Authorization header isn't used for enterprise_check |
-// request, nor for register requests using OAuth. In the latter case, |
-// the OAuth token is passed in the "oauth" parameter. |
-// |
-// DeviceManagementRequest should only contain one request which matches the |
-// HTTP query parameter - request, as listed below. Other requests within the |
-// container will be ignored. |
-// cert_upload: cert_upload_request |
-// enterprise_check: auto_enrollment_request |
-// ping: policy_request |
-// policy: policy_request |
-// register: register_request |
-// status: device_status_report_request or session_status_report_request |
-// unregister: unregister_request |
-// |
-// |
-message DeviceManagementRequest { |
- // Register request. |
- optional DeviceRegisterRequest register_request = 1; |
- |
- // Unregister request. |
- optional DeviceUnregisterRequest unregister_request = 2; |
- |
- // Policy request. |
- optional DevicePolicyRequest policy_request = 3; |
- |
- // Update status. |
- optional DeviceStatusReportRequest device_status_report_request = 4; |
- optional SessionStatusReportRequest session_status_report_request = 5; |
- |
- // Auto-enrollment detection. |
- optional DeviceAutoEnrollmentRequest auto_enrollment_request = 6; |
- |
- // EMCert upload (for remote attestation) |
- optional DeviceCertUploadRequest cert_upload_request = 7; |
- |
- // Request for OAuth2 authorization codes to access Google services. |
- optional DeviceServiceApiAccessRequest service_api_access_request = 8; |
-} |
- |
-// Response from server to device. |
-// |
-// The server uses the following numbers as HTTP status codes |
-// to report top-level errors. |
-// |
-// 200 OK: valid response is returned to client. |
-// 400 Bad Request: invalid argument. |
-// 401 Unauthorized: invalid auth cookie or DM token. |
-// 403 Forbidden: device management is not allowed. |
-// 404 Not Found: the request URL is invalid. |
-// 410 Device Not Found: the device id is not found. |
-// 491 Request Pending: the request is pending approval. |
-// 500 Internal Server Error: most likely a bug in DM server. |
-// 503 Service Unavailable: most likely a backend error. |
-// 901 Device Not Found: the device id is not found. |
-// 902 Policy Not Found: the policy is not found. |
-message DeviceManagementResponse { |
- // Error message. |
- optional string error_message = 2; |
- |
- // Register response |
- optional DeviceRegisterResponse register_response = 3; |
- |
- // Unregister response |
- optional DeviceUnregisterResponse unregister_response = 4; |
- |
- // Policy response. |
- optional DevicePolicyResponse policy_response = 5; |
- |
- // Device status report response. |
- optional DeviceStatusReportResponse device_status_report_response = 6; |
- |
- // Session status report response. |
- optional SessionStatusReportResponse session_status_report_response = 7; |
- |
- // Auto-enrollment detection response. |
- optional DeviceAutoEnrollmentResponse auto_enrollment_response = 8; |
- |
- // EMCert upload response. |
- optional DeviceCertUploadResponse cert_upload_response = 9; |
- |
- // Response to OAuth2 authorization code request. |
- optional DeviceServiceApiAccessResponse service_api_access_response = 10; |
-} |