Partial sync of device_management_backened.proto with server version.

components/policy/proto/device_management_backend.proto

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 syntax = "proto2";
 
 option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
 // Data along with a cryptographic signature verifying their authenticity.
 message SignedData {
   // The data to be signed.
   optional bytes data = 1;
   // The signature of the data field.
   optional bytes signature = 2;
   // How many bytes were added to the end of original data before signature
   // (e.g. a nonce to avoid proxy attacks of the signing service).
   optional int32 extra_data_bytes = 3;
 }
 
-// Request from device to server to register device.
+// Request from device to server to register a device, user or browser.
 message DeviceRegisterRequest {
   // Reregister device without erasing server state.  It can be used
   // to refresh dmtoken etc.  Client MUST set this value to true if it
   // reuses an existing device id.
   optional bool reregister = 1;
 
-  // Device register type.  This field does not exist for TT release.
+  // Register type.  This field does not exist for TT release.
   // When a client requests for policies, server should verify the
   // client has been registered properly.  For example, a client must
   // register with type DEVICE in order to retrieve device policies.
   enum Type {
     TT   = 0;             // Register for TT release.
     USER = 1;             // Register for Chrome OS user polices.
     DEVICE = 2;           // Register for Chrome OS device policies.
     BROWSER = 3;          // Register for desktop Chrome browser user policies.
     ANDROID_BROWSER = 4;  // Register for Android Chrome browser user policies.
     IOS_BROWSER = 5;      // Register for iOS Chrome browser user policies.
@@ skipping 78 matching lines @@
   // registration is finished.
   enum DeviceMode {
     // In ENTERPRISE mode the device has no local owner and device settings are
     // controlled through the cloud policy infrastructure. Auto-enrollment is
     // supported in that mode.
     ENTERPRISE = 0;
     // Devices in RETAIL mode also have no local owner and get their device
     // settings from the cloud, but additionally this mode enables the demo
     // account on the device.
     RETAIL = 1;
+    // Devices in CHROME_AD mode are in enterprises with AD.  Device settings
+    // are controlled through the AD policy infrastructure.
+    CHROME_AD = 2;
   }
   optional DeviceMode enrollment_type = 3 [default = ENTERPRISE];
+
+  // An opaque configuration string for devices that require it.  CHROME_AD
+  // devices, for example, may use this string for AD discovery.  Must be at
+  // most a few kBytes.
+  optional string configuration_seed = 4;
 }
 
 // Request from device to server to unregister device.
 // GoogleDMToken MUST be in HTTP Authorization header.
 message DeviceUnregisterRequest {
 }
 
 // Response from server to device for unregister request.
 message DeviceUnregisterResponse {
 }
@@ skipping 16 matching lines @@
   repeated string auth_scope = 1;
 
   // OAuth2 client ID to which the returned authorization code is bound.
   optional string oauth2_client_id = 2;
 }
 
 // Response from server to API access request.
 message DeviceServiceApiAccessResponse {
   // The OAuth2 authorization code for the requested scope(s).
   // This can be exchanged for a refresh token.
-  //
-  // The server may send a successful response but not set this field or set an
-  // empty string to reject the auth code request and instruct the client to
-  // skip robot account auth setup.
   optional string auth_code = 1;
 }
 
 message PolicyFetchRequest {
   // This is the policy type, which maps to D3 policy type internally.
   // By convention, we use "/" as separator to create policy namespace.
   // The policy type names are case insensitive.
   //
   // Possible values for Chrome OS are:
   //   google/chromeos/device => ChromeDeviceSettingsProto
@@ skipping 48 matching lines @@
   optional bytes invalidation_payload = 8;
 
   // Hash string for the chrome policy verification public key which is embedded
   // into Chrome binary. Matching private key will be used by the server
   // to sign per-domain policy keys during key rotation. If server does not
   // have the key which matches this hash string, that could indicate malicious
   // or out-of-date Chrome client.
   optional string verification_key_hash = 9;
 }
 
+// This message contains the information which is signed by the verification
+// key during policy key rotation.  It is included in serialized form in
+// PolicyFetchResponse below.  A signature of the serialized form is included
+// in the new_public_key_verification_data_signature field. For backward
+// compatibility reasons, a signature over just {new_public_key, domain} fields
+// is included in new_public_key_verification_signature_DEPRECATED field.
+message PublicKeyVerificationData {
+  // The new public policy key after a key rotation.
+  optional bytes new_public_key = 1;
+
+  // The domain of the device/user.
+  optional string domain = 2;
+
+  // The version number of the new_public_key. This must be monotonically
+  // increasing (within a domain).
+  optional int32 new_public_key_version = 3;
+}
+
 // This message customizes how the device behaves when it is disabled by its
 // owner. The message will be sent as part of the DeviceState fetched during
 // normal operation and as part of the DeviceStateRetrievalResponse fetched when
 // the device is wiped/reinstalled.
 message DisabledState {
   // A message to the finder/thief that should be shown on the screen.
   optional string message = 1;
 }
 
 message DeviceState {
   // Modes of operation that the device can be in.
   enum DeviceMode {
     // The device is operating normally. Sessions can be started and the device
     // can be used.
     DEVICE_MODE_NORMAL = 0;
     // The device has been disabled by its owner. The device will show a warning
     // screen and will not allow any sessions to be started.
     DEVICE_MODE_DISABLED = 1;
   }
   // The mode of operation that the device should be in.
   optional DeviceMode device_mode = 1 [default = DEVICE_MODE_NORMAL];
 
   // State that is relevant only when the |device_mode| is
   // |DEVICE_MODE_DISABLED|.
   optional DisabledState disabled_state = 2;
 }
 
-// This message is included in serialized form in PolicyFetchResponse
-// below.  It may also be signed, with the signature being created for
-// the serialized form.
+// This message is included in serialized form in PolicyFetchResponse below. It
+// may also be signed, with the signature being created for the serialized form.
 message PolicyData {
   // See PolicyFetchRequest.policy_type.
   optional string policy_type = 1;
 
   // [timestamp] is milliseconds since Epoch in UTC timezone. It is
   // included here so that the time at which the server issued this
   // response cannot be faked (as protection against replay attacks).
   // It is the timestamp generated by DMServer, NOT the time admin
   // last updated the policy or anything like that.
   optional int64 timestamp = 2;
@@ skipping 64 matching lines @@
   // id used to register for invalidations to this policy.
   optional int32 invalidation_source = 13;
 
   // The name which uniquely identifies this policy within the invalidation
   // service object source. This value is combined with invalidation_source to
   // form the object id used to register for invalidations to this policy.
   optional bytes invalidation_name = 14;
 
   // Server-provided identifier of the fetched policy. This is to be used
   // by the client when requesting Policy Posture assertion through an API
-  // call or SAML flow.
+  // call or SAML flow. For details, see http://go/chrome-nac-server-design.
   optional string policy_token = 15;
 
   // Indicates the management mode of the device. Note that old policies do not
   // have this field. If this field is not set but request_token is set, assume
   // the management mode is ENTERPRISE_MANAGED. If both this field and
   // request_token are not set, assume the management mode is LOCAL_OWNER.
   enum ManagementMode {
     // The device is owned locally. The policies are set by the local owner of
     // the device.
     LOCAL_OWNER = 0;
@@ skipping 64 matching lines @@
 
   // If the public key has been rotated on the server, the new public
   // key is sent here. It is already used for |policy_data_signature|
   // above, whereas |new_public_key_signature| is created using the
   // old key (so the client can trust the new key). If this is the
   // first time when the client requests policies (so it doesn't have
   // on old public key), then |new_public_key_signature| is empty.
   optional bytes new_public_key = 5;
   optional bytes new_public_key_signature = 6;
 
+  // DEPRECATED ON THE SERVER: Exists only to support older clients.  This
+  // signature is similar to new_public_key_verification_data_signature, but is
+  // computed over PublicKeyVerificationData proto with version field unset.  In
+  // other words, we set the new public key value, and domain value and then
+  // produce this signature.
+  optional bytes new_public_key_verification_signature = 7;
+
+  // This is a serialized |PublicKeyVerificationData| protobuf
+  // (defined above). See comments for |new_public_key_verification_signature|
+  // field for details on how this data is signed.
+  // Please note that |new_public_key| is also included inside this data
+  // field. Thus we have new public key signed with old version of private key
+  // (if client indicated to us that it has old key version), and
+  // new public key data signed by master verification key (if client told
+  // us that it has public verification key - see |verification_key_id| field
+  // of |PolicyFetchRequest|). In most cases, both signatures will be provided.
+  // However, client might not have old policy signing key - for example, when
+  // new profile is being set up. In this case, only verification signature
+  // is supplied.
+  // Or, client might not have verification public key (legacy Chrome build
+  // before verification key was introduced, or outdated build which has
+  // old/compromised verification key). In that case, verification signature
+  // cannot be provided.
+  // If client is missing both public keys (old signing key and verification
+  // key), then we are unable to produce any valid signature and client must
+  // drop such PolicyFetchResponse.
+  optional bytes new_public_key_verification_data = 8;
+
   // If new_public_key is specified, this field contains a signature
   // of a PolicyPublicKeyAndDomain protobuf, signed using a key only
   // available to DMServer. The public key portion of this well-known key is
   // embedded into the Chrome binary. The hash of that embedded key is passed
   // to DMServer as verification_key_hash field in PolicyFetchRequest. DMServer
   // will pick a private key on the server which matches the hash (matches
   // public key on the client). If DMServer is unable to find matching key, it
   // will return an error instead of policy data.
   // In case hash was not specified, DMServer will leave verification signature
   // field empty (legacy behavior).
   // In addition to the checks between new_public_key
   // and new_public_key_signature described above, Chrome also verifies
   // new_public_key with the embedded public key and
   // new_public_key_verification_signature.
-  optional bytes new_public_key_verification_signature = 7;
+  optional bytes new_public_key_verification_data_signature = 9;

[Thiemo Nagel, 2016/10/13 10:45:30]

This change looks weird but I have confirmed with the server guys that this
comment was attached to the wrong member on the client side and I'm fixing that.

 }
 
-// Protobuf used to generate the new_public_key_verification_signature field.
+// DEPRECATED ON THE SERVER: Protobuf used to generate the deprecated
+// new_public_key_verification_signature field.
 message PolicyPublicKeyAndDomain {
   // The public key to sign (taken from the |new_public_key| field in
   // PolicyFetchResponse).
   optional bytes new_public_key = 1;
 
   // The domain associated with this key (should match the domain portion of
   // the username field of the policy).
   optional string domain = 2;
 }
 
@@ skipping 633 matching lines @@
 // OS.
 // Provide user's OAuth token with your HTTP Request.
 message CheckAndroidManagementRequest {}
 
 // Response from server to device for check for Android-for-Work service with
 // DPC enforcement request.
 // SC_CONFLICT HTTP code is returned if DPC enforcement is required.
 message CheckAndroidManagementResponse {}
 
 // Request to register a new device (authenticated by enterprise enrollment
-// certificate).
+// certificate). See http://go/zero-touch-chrome for details.
 // The response message will be the DeviceRegisterReponse.
 message CertificateBasedDeviceRegisterRequest {
   // Signed request to register with a certificate. The signed_request.data
   // field contains a CertificateBasedDeviceRegistrationData with a nonce
   // (as added by the Chrome OS cryptohome client) appended. The
   // signed_request.signature field is a signature of the data field signed
   // with the enrollment certificate's private key.
   optional SignedData signed_request = 1;
 }
 
@@ skipping 39 matching lines @@
 //     * remote_commands
 //     * attribute_update_permission
 //     * attribute_update
 //     * gcm_id_update
 //     * check_android_management
 //     * certificate_based_register
 //
 //   * devicetype: MUST BE "1" for Android or "2" for Chrome OS.
 //   * apptype: MUST BE Android or Chrome.
 //   * deviceid: MUST BE no more than 64-char in [\x21-\x7E].
-//   * agent: MUST BE a string of characters.
+//   * agent: MUST BE no more than 64-char long.
 // * HTTP Authorization header MUST be in the following formats:
 //   * For register, ping and check_android_management requests
 //     Authorization: GoogleLogin auth=<auth cookie for Mobile Sync>
 //
 //   * For unregister, policy, status, cert_upload, remote commands requests,
 //     and gcm id update requests
 //      Authorization: GoogleDMToken token=<dm token from register>
 //
 //   * The Authorization header isn't used for enterprise_check or for
 //     certificate_based_register requests, nor for register requests
@@ skipping 85 matching lines @@
 //
 // 200 OK: valid response is returned to client.
 // 400 Bad Request: invalid argument.
 // 401 Unauthorized: invalid auth cookie or DM token.
 // 403 Forbidden: device management is not allowed.
 // 404 Not Found: the request URL is invalid.
 // 410 Device Not Found: the device id is not found.
 // 491 Request Pending: the request is pending approval.
 // 500 Internal Server Error: most likely a bug in DM server.
 // 503 Service Unavailable: most likely a backend error.
-// 901 Device Not Found: the device id is not found.
 // 902 Policy Not Found: the policy is not found.
 message DeviceManagementResponse {
+  // TODO(hong): move error handling to HTTP level.
+  // Error code to client.
+  enum ErrorCode {
+    SUCCESS = 0;
+    // Returned for register request when device management is not supported
+    // for the domain.
+    DEVICE_MANAGEMENT_NOT_SUPPORTED = 1;
+    // Returned when the device is not found.
+    DEVICE_NOT_FOUND  = 2;
+    // Returned when passed in device management token doesn't match the token
+    // on server side.
+    DEVICE_MANAGEMENT_TOKEN_INVALID  = 3;
+    // Returned when device registration is pending approval (if required).
+    ACTIVATION_PENDING = 4;
+    // Returned when the policy is not found.
+    POLICY_NOT_FOUND  = 5;
+  }
+
+  // Error code for this reponse.
+  //
+  // For responses to TT clients, this field MUST be set, since it WAS
+  // a required field.  For special error code listed above, we return
+  // 200 in HTTP Status Code and set the real error code here.
+  //
+  // For release clients, we plan to move all error code to HTTP
+  // Status Code, so it is much easier for log analysis.  If possible,
+  // we plan to remove this field once Chrome OS TT phase is over.
+  optional ErrorCode error = 1 [default = SUCCESS];
+
   // Error message.
   optional string error_message = 2;
 
   // Register response
   optional DeviceRegisterResponse register_response = 3;
 
   // Unregister response
   optional DeviceUnregisterResponse unregister_response = 4;
 
   // Policy response.
@@ skipping 33 matching lines @@
   // Response to update device attribute.
   optional DeviceAttributeUpdateResponse device_attribute_update_response = 16;
 
   // Response to GCM id update request.
   optional GcmIdUpdateResponse gcm_id_update_response = 17;
 
   // Response to check Android management request.
   optional CheckAndroidManagementResponse
       check_android_management_response = 18;
 }