Add request and response messages related to AD Play user enrollment

components/policy/proto/device_management_backend.proto

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 syntax = "proto2";
 
 option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
@@ skipping 1168 matching lines @@
   // the certificate provided must be DER-encoded and may be supplied in binary
   // or printable (Base64) encoding. If the certificate is provided in Base64
   // encoding, it must be bounded at the beginning by
   // -----BEGIN CERTIFICATE-----, and must be bounded at the end by
   // -----END CERTIFICATE-----.
   optional bytes device_certificate = 2;
   // regular device registration request
   optional DeviceRegisterRequest device_register_request = 3;
 }
 
+// Gets an enrollment token to a Managed Google Play Account for using it with
+// Active Directory. Sent when a new user logs in with Active Directory and
+// opens Play Store for the first time.
+message ActiveDirectoryEnrollPlayUserRequest {}
+
+// The result when a new user logs in to Play Store with Active Directory.
+// 903 Arc Disabled HTTP error code is returned if the reason of the failure is
+// that ARC is not enabled for the domain.
+// 403 Forbidden HTTP error code is returned if the device can't get Managed
+// Google Play accounts.
+message ActiveDirectoryEnrollPlayUserResponse {
+  // The enrollment token which can be used to fetch a Managed Google Play
+  // account.
+  optional string enrollment_token = 1;
+  // The user id which identifies the user enrolled by this token.

[Thiemo Nagel, 2017/01/24 16:59:02]

Nit: I'd suggest to mention in the comment that this user id is opaque to the
client and cannot be used for anything except an activity request.

[Marton Hunyady, 2017/01/24 17:40:05]

Done.

+  optional string user_id = 2;
+}
+
+// Reports that a Managed Google Play account is used. This makes it possible to
+// detect accounts which are no longer present on the device.
+message ActiveDirectoryPlayActivityRequest {
+  // The user id which identifies the user.
+  optional string user_id = 1;
+}
+
+// Response to the Play account activity request.
+message ActiveDirectoryPlayActivityResponse {}
+
 // Request from the DMAgent on the device to the DMServer.  This is
 // container for all requests from device to server.  The overall HTTP
 // request MUST be in the following format:
 //
 // * HTTP method is POST
 // * Data mime type is application/x-protobuffer
 //   * See GoogleContentTypeEnum.java
 // * HTTP parameters are (all required, all case sensitive):
 //   * request: MUST BE one of
 //     * api_authorization
 //     * cert_upload
 //     * check_device_pairing
 //     * device_pairing
 //     * device_state_retrieval
 //     * enterprise_check
 //     * ping
 //     * policy
 //     * register
 //     * status
 //     * unregister
 //     * remote_commands
 //     * attribute_update_permission
 //     * attribute_update
 //     * gcm_id_update
 //     * check_android_management
 //     * certificate_based_register
+//     * active_directory_enroll_play_user
+//     * active_directory_play_activity
 //
 //   * devicetype: MUST BE "1" for Android or "2" for Chrome OS.
 //   * apptype: MUST BE Android or Chrome.
 //   * deviceid: MUST BE no more than 64-char in [\x21-\x7E].
 //   * agent: MUST BE no more than 64-char long.
 // * HTTP Authorization header MUST be in the following formats:
 //   * For register, ping and check_android_management requests
 //     Authorization: GoogleLogin auth=<auth cookie for Mobile Sync>
 //
-//   * For unregister, policy, status, cert_upload, remote commands requests,
-//     and gcm id update requests
+//   * For unregister, policy, status, cert_upload, remote_commands,
+//     gcm_id_update, active_directory_enroll_play_user and
+//     active_directory_play_activity requests
 //      Authorization: GoogleDMToken token=<dm token from register>
 //
 //   * The Authorization header isn't used for enterprise_check or for
 //     certificate_based_register requests, nor for register requests
 //     using OAuth. In the latter case, the OAuth token is passed in the
 //     "oauth" parameter.
 //
 // DeviceManagementRequest should only contain one request which matches the
 // HTTP query parameter - request, as listed below. Other requests within the
 // container will be ignored.
@@ skipping 63 matching lines @@
   // Update the GCM id to device_id mapping.
   optional GcmIdUpdateRequest gcm_id_update_request = 16;
 
   // Check if user is a managed Android-for-Work user with DPC enforcement.
   optional CheckAndroidManagementRequest check_android_management_request = 17;
 
   // Request to register with a registration certificate.
   optional CertificateBasedDeviceRegisterRequest
       certificate_based_register_request = 18;
 
+  // Gets an enrollment token to a Managed Google Play Account for using it with
+  // Active Directory.
+  optional ActiveDirectoryEnrollPlayUserRequest
+      active_directory_enroll_play_user_request = 19;
+
+  // Reports that a Play account is used.
+  optional ActiveDirectoryPlayActivityRequest
+      active_directory_play_activity_request = 20;
 }
 
 // Response from server to device.
 //
 // For release clients, DMServer returns errors using HTTP Status Code, so that
 // clients only need to check one place for all error codes.  It is also easier
 // to perform log analysis and customer support since HTTP Status Code is easily
 // visible in the logs.
 //
 // The following list defines the error code returned by this API:
 //
 // 200 OK: valid response is returned to client.
 // 400 Bad Request: invalid argument.
 // 401 Unauthorized: invalid auth cookie or DM token.
 // 403 Forbidden: device management is not allowed.
 // 404 Not Found: the request URL is invalid.
 // 410 Device Not Found: the device id is not found.
 // 491 Request Pending: the request is pending approval.
 // 500 Internal Server Error: most likely a bug in DM server.
 // 503 Service Unavailable: most likely a backend error.
 // 902 Policy Not Found: the policy is not found.
+// 903 Arc Disabled: ARC is not enabled on the domain.
 message DeviceManagementResponse {
   // TODO(hong): move error handling to HTTP level.
   // Error code to client.
   enum ErrorCode {
     SUCCESS = 0;
     // Returned for register request when device management is not supported
     // for the domain.
     DEVICE_MANAGEMENT_NOT_SUPPORTED = 1;
     // Returned when the device is not found.
     DEVICE_NOT_FOUND  = 2;
@@ skipping 62 matching lines @@
 
   // Response to update device attribute.
   optional DeviceAttributeUpdateResponse device_attribute_update_response = 16;
 
   // Response to GCM id update request.
   optional GcmIdUpdateResponse gcm_id_update_response = 17;
 
   // Response to check Android management request.
   optional CheckAndroidManagementResponse
       check_android_management_response = 18;
+
+  // Response to an Active Directory Play user enrollment request.
+  optional ActiveDirectoryEnrollPlayUserResponse
+      active_directory_enroll_play_user_response = 19;
+
+  // Response to a Play activity request.
+  optional ActiveDirectoryPlayActivityResponse
+      active_directory_play_activity_response = 20;
 }