
Unified Diff: chrome/browser/policy/proto/device_management_backend.proto

Issue 6161007: New protocol and testserver for the Chrome-DMServer protocol (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: serialized list protos -> repeated fields Created 9 years, 11 months ago
Index: chrome/browser/policy/proto/device_management_backend.proto
diff --git a/chrome/browser/policy/proto/device_management_backend.proto b/chrome/browser/policy/proto/device_management_backend.proto
index 0f2451b962239e714ca9b7523344c2ba86b58573..e9dd3261402099579ae9e362ad02cae721b79a3c 100644
--- a/chrome/browser/policy/proto/device_management_backend.proto
+++ b/chrome/browser/policy/proto/device_management_backend.proto
@@ -1,13 +1,20 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
syntax = "proto2";
+import "cloud_policy.proto";
+
option optimize_for = LITE_RUNTIME;
package enterprise_management;
+// Protocol buffers for the obsolete protocol:
Mattias Nissler (ping if slow) 2011/01/28 10:29:34 Which buffers do you mean?
gfeher 2011/01/28 13:42:10 Done.
+// -------------------------------------------
+// TODO(gfeher): Remove these when both Chrome and DMServer is switched to
+// using the new protocol.
+
// Generic value container.
message GenericValue {
enum ValueType {
@@ -57,6 +64,50 @@ message DevicePolicySetting {
optional string watermark = 3;
}
+// Request for a setting or with optional watermark on client side.
+message DevicePolicySettingRequest {
+ // setting key
+ required string key = 1;
+ // watermark last read from server if available.
+ optional string watermark = 2;
+}
+
+// Request from device to server to read device policies.
+message DevicePolicyRequest {
+ // identify request scope: CrOS settings or other type of settings.
+ optional string policy_scope = 1;
+ // identify key to the settings: proxy etc.
+ repeated DevicePolicySettingRequest setting_request = 2;
+}
+
+// Response from server to agent for reading policies.
+message DevicePolicyResponse {
+ // the result of the settings.
+ repeated DevicePolicySetting setting = 1;
+}
+
+// Protocol buffers for the new protocol:
+// --------------------------------------
+
+// Request from device to server to query if the authenticated user is in a
+// managed domain.
+message ManagedCheckRequest {
+}
+
+// Response from server to device indicating if the authenticated user is in a
+// managed domain.
+message ManagedCheckResponse {
+ enum Mode {
+ // The device must be enrolled for policies.
+ MANAGED = 1;
+ // The device is not automatically enrolled for policies, but the user
+ // may choose to try to enroll it.
+ UNMANAGED = 2;
+ }
+
+ optional Mode mode = 1;
+}
+
// Request from device to server to register device.
message DeviceRegisterRequest {
// reregister device without erasing server state.
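Review bot: `ManagedCheckResponse.mode` is optional with no explicit default, so in proto2 an absent field reads back as the first enum value, `MANAGED`, which is the "must be enrolled" outcome. A client that calls `mode()` without checking `has_mode()` cannot tell a truncated or older-server response from a real enrollment decision, and an enum value the client does not recognise is, as far as I know, also reported as unset. I would document that a missing mode is an error, e.g. `// Clients must check has_mode(); an absent or unrecognised mode is an error, not MANAGED.`, or add an explicit first value such as `UNKNOWN = 0;` so the default carries no meaning.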
@@ -68,6 +119,9 @@ message DeviceRegisterRequest {
message DeviceRegisterResponse {
// device mangement toke for this registration.
required string device_management_token = 1;
+
+ // The name of the device, assigned by the server.
+ optional string device_name = 2;
}
// Request from device to server to unregister device.
@@ -78,48 +132,62 @@ message DeviceUnregisterRequest {
message DeviceUnregisterResponse {
}
-// Request for a setting or with optional watermark on client side.
-message DevicePolicySettingRequest {
- // setting key
- required string key = 1;
- // watermark last read from server if available.
- optional string watermark = 2;
-}
-
-// Request from device to server to read device policies.
-message DevicePolicyRequest {
- // identify request scope: CrOS settings or other type of settings.
+message CloudPolicyRequest {
+ // Identify request scope: chromeos/device for device policies, chromeos/user
+ // for user policies.
optional string policy_scope = 1;
Mattias Nissler (ping if slow) 2011/01/28 10:29:34 Need an additional field for the context's device
gfeher 2011/01/28 13:42:10 Done.
- // identify key to the settings: proxy etc.
- repeated DevicePolicySettingRequest setting_request = 2;
}
-// Response from server to agent for reading policies.
-message DevicePolicyResponse {
- // the result of the settings.
- repeated DevicePolicySetting setting = 1;
+// Response from server to device for reading policies.
+message CloudPolicyResponse {
+ // Serialized SignedCloudPolicyResponse.
+ optional bytes signed_response = 1;
+ // Signature of the above data.
Mattias Nissler (ping if slow) 2011/01/28 10:29:34 We should also mention that the signature algorith
gfeher 2011/01/28 13:42:10 Done.
+ optional bytes signature = 2;
+ // The chain of DER-encoded X.509 certificates of the server's signing key.
Mattias Nissler (ping if slow) 2011/01/28 10:29:34 As discussed, specify order here.
gfeher 2011/01/28 13:42:10 Done.
+ repeated bytes certificate_chain = 3;
+}
+message SignedCloudPolicyResponse {
+ // The following three are necessary against replay attacks.
Mattias Nissler (ping if slow) 2011/01/28 10:29:34 actually, it's the following two.
gfeher 2011/01/28 13:42:10 Done.
+ // |timestamp| is a unix timestamp (seconds since 1970).
+ optional int64 timestamp = 1;
+ // The token that was used for the request.
+ optional string request_token = 2;
+ // The name of the device, assigned by the server.
+ optional string device_name = 3;
+ // CloudPolicySettings is defined in cloud_policy.proto (which is
+ // auto-generated from chrome/app/policy_templates.json).
+ optional CloudPolicySettings settings = 4;
}
// Request from the DMAgent on the device to the DMServer.
// This is container for all requests from client.
//
+// Http Query parameters:
+// Query parameters contain the following information in each request:
+// request: register/unregister/policy/cloud_policy/managed_check etc.
+// devicetype: CrOS/Android/Iphone etc.
+// apptype: CrOS/AndroidDM etc.
+// deviceid: unique id that identify the device.
+// agent: identify agent on device.
+//
// Authorization:
-// 1. If request is register_request, client must pass in GoogleLogin auth
+// 1. If request is managed_check, client must pass in GoogleLogin auth
+// cookie in Authorization header:
+// Authorization: GoogleLogin auth=<auth cookie>
+// This is the only case when the deviceid query parameter is set to empty.
+// The response will contain a flag indicating if the user is in a managed
+// domain or not. (We don't want to expose device ids of users not in
+// managed domains.)
+// 2. If request is register_request, client must pass in GoogleLogin auth
// cookie in Authorization header:
// Authorization: GoogleLogin auth=<auth cookie>
// The response will contain an unique DMToken for future requests.
// Depending on domain policy, the request may need admin approval before
// DMToken is issued.
-// 2. For other requests, client must pass in DMToken in Authorization header:
+// 3. For other requests, client must pass in DMToken in Authorization header:
// Authorization: GoogleDMToken token=<google dm token>
//
-// Http Query parameters:
-// Query parameters contain the following information in each request:
-// request: register/unregister/policy etc.
-// devicetype: CrOS/Android/Iphone etc.
-// apptype: CrOS/AndroidDM etc.
-// deviceid: unique id that identify the device.
-// agent: identify agent on device.
message DeviceManagementRequest {
// Register request.
optional DeviceRegisterRequest register_request = 1;
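Review bot: `signed_response`, `signature` and `certificate_chain` in `CloudPolicyResponse` are all optional, and the comments do not say what a client does when one of them is missing or fails to verify. Because the chain arrives in the same message as the signature, it only proves anything if the client anchors it to a root it already trusts and rejects the response otherwise; as written, a client could parse `signed_response` without any check. I would add to the message comment something like `// Clients MUST discard the response unless |signature| verifies over |signed_response| with a key whose chain ends in a trusted root.` The replay fields in `SignedCloudPolicyResponse` have the same gap: state the accepted age for `timestamp` and that `request_token` must equal the token the client sent. `DeviceManagementRequest` at the end of the hunk continues outside it.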
@@ -129,6 +197,12 @@ message DeviceManagementRequest {
// Data request.
optional DevicePolicyRequest policy_request = 3;
+
+ // Data request (new protocol).
+ optional CloudPolicyRequest cloud_policy_request = 4;
+
+ // Request to check if a user is managed or not.
+ optional ManagedCheckRequest managed_check_request = 5;
}
// Response from server to device.
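Review bot: The request type is now carried twice, once in the `request` query parameter and once by which of the five optional sub-messages is set, and nothing in `DeviceManagementRequest` says they must agree or that exactly one is set. The Authorization comment ties the credential type to the request type (GoogleLogin for managed_check and register, DMToken for the rest), so a server that picks the auth check from one and the handler from the other would presumably accept a mismatched pair; the server side is not visible here. I would document the rule on the message, e.g. `// Exactly one *_request field must be set and it must match the request query parameter; the server rejects anything else.` The same applies to the response fields added to `DeviceManagementResponse` in the next hunk, where the client should only read the field matching the request it sent. The message body starts outside this hunk.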
@@ -164,4 +238,10 @@ message DeviceManagementResponse {
// Policy response.
optional DevicePolicyResponse policy_response = 5;
-}
+
+ // Policy response (new protocol).
+ optional CloudPolicyResponse cloud_policy_response = 6;
+
+ // Response to managed check request.
+ optional ManagedCheckResponse managed_check_response = 7;
+}
