Network traffic annotation added to common/cloud.

components/policy/core/common/cloud/device_management_service.cc

Index: components/policy/core/common/cloud/device_management_service.cc
diff --git a/components/policy/core/common/cloud/device_management_service.cc b/components/policy/core/common/cloud/device_management_service.cc
index 66a758d37e67640cc5b61a9d1f97fa9e5f725cb6..44d2339e8eb31211b734e55b4017342806321d41 100644
--- a/components/policy/core/common/cloud/device_management_service.cc
+++ b/components/policy/core/common/cloud/device_management_service.cc
@@ -18,6 +18,7 @@
 #include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
 #include "net/http/http_response_headers.h"
+#include "net/traffic_annotation/network_traffic_annotation.h"
 #include "net/url_request/url_fetcher.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "net/url_request/url_request_status.h"
@@ -589,9 +590,30 @@ void DeviceManagementService::StartJob(DeviceManagementRequestJobImpl* job) {
   GURL url = job->GetURL(GetServerUrl());
   DCHECK(url.is_valid()) << "Maybe invalid --device-management-url was passed?";
 
+  net::NetworkTrafficAnnotationTag traffic_annotation =
+      net::DefineNetworkTrafficAnnotation("...", R"(
+        semantics {
+          sender: "..."

[pastarmovj, 2017/04/07 09:58:45]

Cloud Policy

[Ramin Halavati, 2017/04/19 05:21:57]

Done.

+          description: "..."

[Andrew T Wilson (Slow), 2017/04/18 12:01:31]

Communication with the Cloud Policy backend - used to check for the existence of
cloud policy for the signed-in account, and to load/update cloud policy if it
exists.

[Ramin Halavati, 2017/04/19 05:21:57]

Done.

+          trigger: "..."

[Andrew T Wilson (Slow), 2017/04/18 12:01:31]

Sign in to Chrome, then also periodic refreshes.

[Ramin Halavati, 2017/04/19 05:21:57]

Done.

+          data: "..."

[Andrew T Wilson (Slow), 2017/04/18 12:01:31]

Encoded policy settings.

[Ramin Halavati, 2017/04/19 05:21:57]

Could you please elaborate on this, +insisting on user data.

[Andrew T Wilson (Slow), 2017/04/25 13:48:01]

I'm not certain what should be described here - is there a document somewhere
describing what should be in each field? In general, this network traffic
contains various protobufs that implement the cloud policy management protocol,
used to deliver policy from the google cloud to chrome and chrome OS clients,
for managed users.

[Ramin Halavati, 2017/04/26 05:28:06]

There isn't a well defined document, we will define more precise guideline after
the first review of annotations. Generally we should give a clear (but brief)
view of what is SENT by this request, specially regarding user data.

It seems to me that 'Encoded policy settings' is what this request receives and
what is sent is auth data. Am I wrong?

[Andrew T Wilson (Slow), 2017/04/26 09:34:11]

Ah, OK, I get it. In theory, all kinds of data could get sent up, depending on
what piece of the protocol is being executed.

During initial signin or device enrollment, auth data is sent up as part of
registration.
After initial signin/enrollment, if the session or device is managed, a unique
device or profile ID is sent with every future request.
On Chrome OS, other diagnostic information can be sent up for managed sessions,
including things like which users have used the device, device hardware status,
connected networks, CPU usage, etc.

[Ramin Halavati, 2017/04/26 09:44:41]

Done.

+          destination: WEBSITE/GOOGLE_OWNED_SERVICE/OTHER

[pastarmovj, 2017/04/07 09:58:46]

GOOGLE_OWNED_SERVICE

[Ramin Halavati, 2017/04/26 05:28:06]

Done.

+        }
+        policy {
+          cookies_allowed: false/true

[pastarmovj, 2017/04/07 09:58:45]

true?

[Andrew T Wilson (Slow), 2017/04/18 12:01:31]

Yes, true, although we don't really use them.

[Ramin Halavati, 2017/04/19 05:21:57]

If you don't use it, I can add a CL to disable it.

[Andrew T Wilson (Slow), 2017/04/25 13:48:01]

Happy to review such a CL and/or revert it if it turns out we *do* use cookies
:)

[Ramin Halavati, 2017/04/26 05:28:06]

Done in https://codereview.chromium.org/2837123005

+          cookies_store: "..."

[pastarmovj, 2017/04/07 09:58:46]

system?

[Andrew T Wilson (Slow), 2017/04/18 12:01:31]

Yes system

[Ramin Halavati, 2017/04/19 05:21:57]

Done.

+          setting: "..."

[pastarmovj, 2017/04/07 09:58:46]

NA?

[Andrew T Wilson (Slow), 2017/04/18 12:01:31]

Cannot be controlled by user settings.

[Ramin Halavati, 2017/04/19 05:21:57]

Done.

+          chrome_policy {

[pastarmovj, 2017/04/07 09:58:46]

empty.

[Ramin Halavati, 2017/04/19 05:21:57]

Acknowledged.

+            [POLICY_NAME] {

[Andrew T Wilson (Slow), 2017/04/18 12:01:31]

SigninAllowed

[Ramin Halavati, 2017/04/19 05:21:57]

Done.

+              policy_options {mode: MANDATORY/RECOMMENDED/UNSET}

[Andrew T Wilson (Slow), 2017/04/18 12:01:31]

MANDATORY

[Ramin Halavati, 2017/04/19 05:21:57]

Done.

+              [POLICY_NAME]: ... //(value to disable it)

[Andrew T Wilson (Slow), 2017/04/18 12:01:31]

SigninAllowed: false

[Ramin Halavati, 2017/04/19 05:21:57]

Done.

+            }
+          }
+          policy_exception_justification: "..."

[pastarmovj, 2017/04/07 09:58:46]

This request is part of the policy fetcher itself.

[Ramin Halavati, 2017/04/19 05:21:57]

Acknowledged.

+        })");
   net::URLFetcher* fetcher =
       net::URLFetcher::Create(kURLFetcherID, std::move(url),
-                              net::URLFetcher::POST, this)
+                              net::URLFetcher::POST, this, traffic_annotation)
           .release();
   data_use_measurement::DataUseUserData::AttachToFetcher(
       fetcher, data_use_measurement::DataUseUserData::POLICY);