Reusing names of policy keys from policy_constants.h

components/policy/resources/policy_templates.json

 {
 # policy_templates.json - Metafile for policy templates
 #
 # The content of this file is evaluated as a Python expression.
 #
 # This file is used as input to generate the following policy templates:
 # ADM, ADMX+ADML, MCX/plist and html documentation.
 #
 # Policy templates are user interface definitions or documents about the
 # policies that can be used to configure Chrome. Each policy is a name-value
@@ skipping 105 matching lines @@
 #   templates and documentation. The policy definition list that Chrome sees
 #   will include policies marked with 'future'. If a WIP policy isn't meant to
 #   be seen by the policy providers either, the 'supported_on' key should be set
 #   to an empty list.
 #
 # IDs:
 #   Since a Protocol Buffer definition is generated from this file, unique and
 #   persistent IDs for all fields (but not for groups!) are needed. These are
 #   specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
 #   because doing so would break the deployed wire format!
-#   For your editing convenience: highest ID currently used: 284
+#   For your editing convenience: highest ID currently used: 289
 #
 # Placeholders:
 #   The following placeholder strings are automatically substituted:
 #     $1 -> Google Chrome / Chromium
 #     $2 -> Google Chrome OS / Chromium OS
 #     $3 -> Google Chrome Frame / Chromium Frame
 #     $6 is reserved for doc_writer
 #
 # Device Policy:
 #   An additional flag device_only (optional, defaults to False) indicates
@@ skipping 441 matching lines @@
           Enables usage of STUN and relay servers when connecting to a remote client.
 
           If this setting is enabled, then this machine can discover and connect to remote host machines even if they are separated by a firewall.
 
           If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine can only connect to host machines within the local network.''',
         },
         {
           'name': 'RemoteAccessHostFirewallTraversal',
           'type': 'main',
           'schema': { 'type': 'boolean' },
-          'supported_on': ['chrome.*:14-'],
+          'supported_on': ['chrome.*:14-', 'chrome_os:41-'],

[bartfab (slow), 2015/01/14 11:09:02]

Here and below: 41 just branched. This should be 42- now.

[Łukasz Anforowicz, 2015/01/14 19:35:12]

I think this is okay - support for Chromoting into Chrome OS (in it2me / remote
support mode) is enabled in 41 (this includes Chromoting policies).

[bartfab (slow), 2015/01/15 09:41:44]

Chrome OS supports cloud policy only. The cloud policy protobuf is generated
from policy_templates.json. This means that only policies listed in this file
will be part of the protobuf.

The existing chromoting policies did make it into the protobuf, even if they
were not marked as supported on Chrome OS 41. So it is OK to retroactively mark
them as supported.

But the new policies you are adding are not part of the protobuf that gets
compiled into Chrome OS 41. How does your code access e.g. the
RemoteAccessHostTokenUrl policy on M41? You could use raw protobuf to but I
doubt that this how your code works. I would rather expect that the five new
policies are simply unsupported on Chrome OS until this CL lands and thus,
should be marked as 42-.

[Łukasz Anforowicz, 2015/01/15 17:35:22]

You're right.  On non-Chrome-OS Chromoting didn't depend on
policy_templates.json at all, but on Chrome-OS it does use the PolicyService
from g_browser_process (which, as I infer from your explanation above, means
that it depends on policy_templates.json generating the right protobufs).

I changed 41 to 42 in the 5 new policies.

[bartfab (slow), 2015/01/16 09:02:23]

We generate the cloud policy protobuf from policy_templates.json. Since your
policies were not in policy_templates.json, they were not in the protobuf in
M41. No code (other than raw protobuf) would have been able to parse these
policies in M41 - neither the shared PolicyService, nor any other PolicyService
or custom policy implementation.

           'features': {
             'dynamic_refresh': True,
             'per_profile': False,
           },
           'example_value': False,
           'id': 95,
           'caption': '''Enable firewall traversal from remote access host''',
           'desc': '''Enables usage of STUN servers when remote clients are trying to establish a connection to this machine.
 
           If this setting is enabled, then remote clients can discover and connect to this machines even if they are separated by a firewall.
 
           If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network.
 
           If this policy is left not set the setting will be enabled.''',
         },
         {
           'name': 'RemoteAccessHostDomain',
           'type': 'string',
           'schema': { 'type': 'string' },
-          'supported_on': ['chrome.*:22-'],
+          'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
           'features': {
             'dynamic_refresh': True,
             'per_profile': False,
           },
           'example_value': 'my-awesome-domain.com',
           'id': 154,
           'caption': '''Configure the required domain name for remote access hosts''',
           'desc': '''Configures the required host domain name that will be imposed on remote access hosts and prevents users from changing it.
 
           If this setting is enabled, then hosts can be shared only using accounts registered on the specified domain name.
 
           If this setting is disabled or not set, then hosts can be shared using any account.''',
         },
         {
           'name': 'RemoteAccessHostRequireTwoFactor',
           'type': 'main',
           'schema': { 'type': 'boolean' },
-          'supported_on': ['chrome.*:22-'],
+          'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
           'features': {
             'dynamic_refresh': True,
             'per_profile': False,
           },
           'example_value': False,
           'id': 155,
           'caption': '''Enable two-factor authentication for remote access hosts''',
           'desc': '''Enables two-factor authentication for remote access hosts instead of a user-specified PIN.
 
           If this setting is enabled, then users must provide a valid two-factor code when accessing a host.
 
           If this setting is disabled or not set, then two-factor will not be enabled and the default behavior of having a user-defined PIN will be used.''',
         },
         {
           'name': 'RemoteAccessHostTalkGadgetPrefix',
           'type': 'string',
           'schema': { 'type': 'string' },
-          'supported_on': ['chrome.*:22-'],
+          'supported_on': ['chrome.*:22-', 'chrome_os:41-'],
           'features': {
             'dynamic_refresh': True,
             'per_profile': False,
           },
           'example_value': 'chromoting-host',
           'id': 156,
           'caption': '''Configure the TalkGadget prefix for remote access hosts''',
           'desc': '''Configures the TalkGadget prefix that will be used by remote access hosts and prevents users from changing it.
 
           If specified, this prefix is prepended to the base TalkGadget name to create a full domain name for the TalkGadget. The base TalkGadget domain name is '.talkgadget.google.com'.
 
           If this setting is enabled, then hosts will use the custom domain name when accessing the TalkGadget instead of the default domain name.
 
           If this setting is disabled or not set, then the default TalkGadget domain name ('chromoting-host.talkgadget.google.com') will be used for all hosts.
 
           Remote access clients are not affected by this policy setting. They will always use 'chromoting-client.talkgadget.google.com' to access the TalkGadget.''',
         },
         {
           'name': 'RemoteAccessHostRequireCurtain',
           'type': 'main',
           'schema': { 'type': 'boolean' },
-          'supported_on': ['chrome.*:23-'],
+          'supported_on': ['chrome.*:23-', 'chrome_os:41-'],
           'features': {
             'dynamic_refresh': True,
             'per_profile': False,
           },
           'example_value': False,
           'id': 157,
           'caption': '''Enable curtaining of remote access hosts''',
           'desc': '''Enables curtaining of remote access hosts while a connection is in progress.
 
           If this setting is enabled, then hosts' physical input and output devices are disabled while a remote connection is in progress.
 
           If this setting is disabled or not set, then both local and remote users can interact with the host when it is being shared.''',
         },
         {
           'name': 'RemoteAccessHostAllowClientPairing',
           'type': 'main',
           'schema': { 'type': 'boolean' },
-          'supported_on': ['chrome.*:30-'],
+          'supported_on': ['chrome.*:30-', 'chrome_os:41-'],
           'features': {
             'dynamic_refresh': True,
             'per_profile': False,
           },
           'example_value': False,
           'id': 234,
-          'caption': '''Enable or disable PIN-less authentication''',
+          'caption': '''Enable or disable PIN-less authentication for remote access hosts''',
           'desc': '''If this setting is enabled or not configured, then users can opt to pair clients and hosts at connection time, eliminating the need to enter a PIN every time.
 
           If this setting is disabled, then this feature will not be available.''',
         },
         {
           'name': 'RemoteAccessHostAllowGnubbyAuth',
           'type': 'main',
           'schema': { 'type': 'boolean' },
-          'supported_on': ['chrome.*:35-'],
+          'supported_on': ['chrome.*:35-', 'chrome_os:41-'],
           'features': {
             'dynamic_refresh': True,
             'per_profile': False,
           },
           'example_value': True,
           'id': 257,
-          'caption': '''Allow gnubby authentication''',
+          'caption': '''Allow gnubby authentication for remote access hosts''',
           'desc': '''If this setting is enabled, then gnubby authentication requests will be proxied across a remote host connection.
 
           If this setting is disabled or not configured, gnubby authentication requests will not be proxied.''',
         },
         {
           'name': 'RemoteAccessHostAllowRelayedConnection',
           'type': 'main',
           'schema': { 'type': 'boolean' },
-          'supported_on': ['chrome.*:36-'],
+          'supported_on': ['chrome.*:36-', 'chrome_os:41-'],
           'features': {
             'dynamic_refresh': True,
             'per_profile': False,
           },
           'example_value': False,
           'id': 263,
           'caption': '''Enable the use of relay servers by the remote access host''',
           'desc': '''Enables usage of relay servers when remote clients are trying to establish a connection to this machine.
 
           If this setting is enabled, then remote clients can use relay servers to connect to this machine when a direct connection is not available (e.g. due to firewall restrictions).
 
           Note that if the policy <ph name="REMOTEACCESSHOSTFIREWALLTRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is disabled, this policy will be ignored.
 
           If this policy is left not set the setting will be enabled.''',
         },
         {
           'name': 'RemoteAccessHostUdpPortRange',
           'type': 'string',
           'schema': { 'type': 'string' },
-          'supported_on': ['chrome.*:36-'],
+          'supported_on': ['chrome.*:36-', 'chrome_os:41-'],
           'features': {
             'dynamic_refresh': True,
             'per_profile': False,
           },
           'example_value': '12400-12409',
           'id': 264,
           'caption': '''Restrict the UDP port range used by the remote access host''',
           'desc': '''Restricts the UDP port range used by the remote access host in this machine.
 
           If this policy is left not set, or if it is set to an empty string, the remote access host will be allowed to use any available port, unless the policy <ph name="REMOTEACCESSHOSTFIREWALLTRAVERSAL_POLICY_NAME">RemoteAccessHostFirewallTraversal</ph> is disabled, in which case the remote access host will use UDP ports in the 12400-12409 range.''',
         },
+        {
+          'name': 'RemoteAccessHostMatchUsername',
+          'type': 'main',
+          'schema': { 'type': 'boolean' },
+          'supported_on': ['chrome_os:41-', 'chrome.linux:25-', 'chrome.mac:25-'],

[bartfab (slow), 2015/01/14 11:09:02]

Nit: It is customary to list |chrome| before |chrome_os| in this file.

[Łukasz Anforowicz, 2015/01/14 19:35:12]

Done.

+          'features': {
+            'dynamic_refresh': True,
+            'per_profile': False,
+          },
+          'example_value': False,
+          'id': 285,
+          'caption': '''Requires that the name of the local user and the remote access host owner match''',
+          'desc': '''Requires that the name of the local user and the remote access host owner match.
+
+          If this setting is enabled, then the remote access host compares the name of the local user (that the host is associated with) and the name of the Google account registered as the host owner (i.e. "johndoe" if the host is owned by "johndoe@example.com" Google account).  The remote access host will not start if the name of the host owner is different from the name of the local user that the host is associated with.  RemoteAccessHostMatchUsername policy should be used together with RemoteAccessHostDomain to also enforce that the Google account of the host owner is associated with a specific domain (i.e. "example.com").
+
+          If this setting is disabled or not set, then the remote access host can be associated with any local user.''',
+        },
+        {
+          'name': 'RemoteAccessHostTokenUrl',
+          'type': 'string',
+          'schema': { 'type': 'string' },
+          'supported_on': ['chrome.*:28-','chrome_os:41-'],
+          'features': {
+            'dynamic_refresh': True,
+            'per_profile': False,
+          },
+          'example_value': 'https://example.com/issue',
+          'id': 286,
+          'caption': '''URL where remote access clients should obtain their authentication token''',
+          'desc': '''URL where remote access clients should obtain their authentication token.
+
+          If this policy is set, the remote access host will require authenticating clients to obtain an authentication token from this URL in order to connect. Must be used in conjunction with RemoteAccessHostTokenValidationUrl.
+
+          This feature is currently disabled server-side.''',
+        },
+        {
+          'name': 'RemoteAccessHostTokenValidationUrl',
+          'type': 'string',
+          'schema': { 'type': 'string' },
+          'supported_on': ['chrome.*:28-','chrome_os:41-'],
+          'features': {
+            'dynamic_refresh': True,
+            'per_profile': False,
+          },
+          'example_value': 'https://example.com/validate',
+          'id': 287,
+          'caption': '''URL for validating remote access client authentication token''',
+          'desc': '''URL for validating remote access client authentication token.
+
+          If this policy is set, the remote access host will use this URL to validate authentication tokens from remote access clients, in order to accept connections. Must be used in conjunction with RemoteAccessHostTokenUrl.
+
+          This feature is currently disabled server-side.''',
+        },
+        {
+          'name': 'RemoteAccessHostTokenValidationCertificateIssuer',
+          'type': 'string',
+          'schema': { 'type': 'string' },
+          'supported_on': ['chrome.*:28-','chrome_os:41-'],
+          'features': {
+            'dynamic_refresh': True,
+            'per_profile': False,
+          },
+          'example_value': 'Example Certificate Authority',
+          'id': 288,
+          'caption': '''Client certificate for connecting to RemoteAccessHostTokenValidationUrl''',
+          'desc': '''Client certificate for connecting to RemoteAccessHostTokenValidationUrl.
+
+          If this policy is set, the host will use a client certificate with the given issuer CN to authenticate to RemoteAccessHostTokenValidationUrl. Set it to "*" to use any available client certificate.
+
+          This feature is currently disabled server-side.''',
+        },
+        {
+          'name': 'RemoteAccessHostDebugOverridePolicies',
+          'type': 'string',
+          'schema': { 'type': 'string' },
+          'supported_on': ['chrome.*:25-','chrome_os:41-'],
+          'features': {
+            'dynamic_refresh': True,
+            'per_profile': False,
+          },
+          'example_value': '{ "RemoteAccessHostMatchUsername": true }',
+          'id': 289,
+          'caption': '''Policy overrides for Debug builds of the remote access host''',
+          'desc': '''Overrides policies on Debug builds of the remote access host.
+
+          The value is parsed as a JSON dictionary of policy name to policy value mappings.''',
+        },
       ],
     },
     {
       'name': 'PrintingEnabled',
       'type': 'main',
       'schema': { 'type': 'boolean' },
       'supported_on': ['chrome.*:8-', 'chrome_os:11-', 'android:39-'],
       'features': {
         'dynamic_refresh': True,
         'per_profile': True,
@@ skipping 6403 matching lines @@
       'desc': '''Text appended in parentheses next to the policies top-level container to indicate that those policies are of the Recommended level''',
       'text': 'Default Settings (users can override)',
     },
     'doc_complex_policies_on_windows': {
       'desc': '''Text pointing the user to a help article for complex policies on Windows''',
       'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POLICIES_URL">http://www.chromium.org/administrators/complex-policies-on-windows<ex>http://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>''',
     },
   },
   'placeholders': [],
 }