device_management_backend.proto - chromium/src/chrome/browser/policy/proto - Git at Google

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 syntax = "proto2";

 import "cloud_policy.proto";

 option optimize_for = LITE_RUNTIME;

 package enterprise_management;

 // Protocol buffers for the obsolete protocol:
 // -------------------------------------------
 //    GenericValue, GenericNamedValue, GenericSetting, DevicePolicySetting,
 //    DevicePolicySettingRequest, DevicePolicyRequest, DevicePolicyResponse
 // TODO(gfeher): Remove these when both Chrome and DMServer is switched to
 // using the new protocol.

 // Generic value container.
 message GenericValue {
   enum ValueType {
     VALUE_TYPE_BOOL = 1;
     VALUE_TYPE_INT64 = 2;
     VALUE_TYPE_STRING = 3;
     VALUE_TYPE_DOUBLE = 4;
     VALUE_TYPE_BYTES = 5;
     VALUE_TYPE_BOOL_ARRAY = 6;
     VALUE_TYPE_INT64_ARRAY = 7;
     VALUE_TYPE_STRING_ARRAY = 8;
     VALUE_TYPE_DOUBLE_ARRAY = 9;
   }

   optional ValueType value_type = 1 [default = VALUE_TYPE_STRING];

   // basic value types
   optional bool bool_value = 2;
   optional int64 int64_value = 3;
   optional string string_value = 4;
   optional double double_value = 5;
   optional bytes bytes_value = 6;
   repeated bool bool_array = 7;
   repeated int64 int64_array = 8;
   repeated string string_array = 9;
   repeated double double_array = 10;
 }

 // Generic name value pair container.
 message GenericNamedValue {
   required string name = 1;
   optional GenericValue value = 2;
 }

 // A setting is a set of generic name value pairs.
 message GenericSetting {
   repeated GenericNamedValue named_value = 1;
 }

 // Identify a single device policy setting key/value pair.
 message DevicePolicySetting {
   // key of the policy setting
   required string policy_key = 1;
   // value of the setting
   optional GenericSetting policy_value = 2;
   // watermark for setting value.
   optional string watermark = 3;
 }

 // Request for a setting or with optional watermark on client side.
 message DevicePolicySettingRequest {
   // setting key
   required string key = 1;
   // watermark last read from server if available.
   optional string watermark = 2;
 }

 // Request from device to server to read device policies.
 message DevicePolicyRequest {
   // identify request scope: CrOS settings or other type of settings.
   optional string policy_scope = 1;
   // identify key to the settings: proxy etc.
   repeated DevicePolicySettingRequest setting_request = 2;
 }

 // Response from server to agent for reading policies.
 message DevicePolicyResponse {
   // the result of the settings.
   repeated DevicePolicySetting setting = 1;
 }

 // Protocol buffers for the new protocol:
 // --------------------------------------

 // Request from device to server to query if the authenticated user is in a
 // managed domain.
 message ManagedCheckRequest {
 }

 // Response from server to device indicating if the authenticated user is in a
 // managed domain.
 message ManagedCheckResponse {
   enum Mode {
     // The device must be enrolled for policies.
     MANAGED = 1;
     // The device is not automatically enrolled for policies, but the user
     // may choose to try to enroll it.
     UNMANAGED = 2;
   }

   optional Mode mode = 1;
 }

 // Request from device to server to register device.
 message DeviceRegisterRequest {
   // reregister device without erasing server state.
   // it can be used to refresh dmtoken etc.
   optional bool reregister = 1;
 }

 // Response from server to device register request.
 message DeviceRegisterResponse {
   // device mangement toke for this registration.
   required string device_management_token = 1;

   // The name of the device, assigned by the server.
   optional string device_name = 2;
 }

 // Request from device to server to unregister device.
 message DeviceUnregisterRequest {
 }

 // Response from server to device unregister request.
 message DeviceUnregisterResponse {
 }

 message CloudPolicyRequest {
   // Identify request scope: chromeos/device for device policies, chromeos/user
   // for user policies.
   optional string policy_scope = 1;
   // The device token of the owner of the device sending the request. In cases
   // the request was sent by the device owner or device policies were
   // requested, this is the same as the token used for authentication.
   // Otherwise (if the user policy is requested for someone else than the device
   // owner) this token is different from the token used for authentication.
   optional string device_token = 2;
 }

 // Response from server to device for reading policies.
 message CloudPolicyResponse {
   // Serialized SignedCloudPolicyResponse.
   optional bytes signed_response = 1;
   // RSA signature of the SHA1 hash of the above data.
   optional bytes signature = 2;
   // The chain of DER-encoded X.509 certificates of the server's signing key.
   // The first element should be the certificate whose private key was used
   // for signing the response, and each of the following certificates signs the
   // previous one.
   repeated bytes certificate_chain = 3;
 }
 message SignedCloudPolicyResponse {
   // The following two are necessary against replay attacks.
   // |timestamp| is a unix timestamp (seconds since 1970).
   optional int64 timestamp = 1;
   // The token that was used for the request.
   optional string request_token = 2;
   // The name of the device, assigned by the server.
   optional string device_name = 3;
   // CloudPolicySettings is defined in cloud_policy.proto (which is
   // auto-generated from chrome/app/policy_templates.json).
   optional CloudPolicySettings settings = 4;
 }

 // Request from the DMAgent on the device to the DMServer.
 // This is container for all requests from client.
 //
 // Http Query parameters:
 // Query parameters contain the following information in each request:
 //   request: register/unregister/policy/cloud_policy/managed_check etc.
 //   devicetype: CrOS/Android/Iphone etc.
 //   apptype: CrOS/AndroidDM etc.
 //   deviceid: unique id that identify the device.
 //   agent: identify agent on device.
 //
 // Authorization:
 // 1. If request is managed_check, client must pass in GoogleLogin auth
 //    cookie in Authorization header:
 //      Authorization: GoogleLogin auth=<auth cookie>
 //    This is the only case when the deviceid query parameter is set to empty.
 //    The response will contain a flag indicating if the user is in a managed
 //    domain or not. (We don't want to expose device ids of users not in
 //    managed domains.)
 // 2. If request is register_request, client must pass in GoogleLogin auth
 //    cookie in Authorization header:
 //      Authorization: GoogleLogin auth=<auth cookie>
 //    The response will contain an unique DMToken for future requests.
 //    Depending on domain policy, the request may need admin approval before
 //    DMToken is issued.
 // 3. For other requests, client must pass in DMToken in Authorization header:
 //    Authorization: GoogleDMToken token=<google dm token>
 //
 message DeviceManagementRequest {
   // Register request.
   optional DeviceRegisterRequest register_request = 1;

   // Unregister request.
   optional DeviceUnregisterRequest unregister_request = 2;

   // Data request.
   optional DevicePolicyRequest policy_request = 3;

   // Data request (new protocol).
   optional CloudPolicyRequest cloud_policy_request = 4;

   // Request to check if a user is managed or not.
   optional ManagedCheckRequest managed_check_request = 5;
 }

 // Response from server to device.
 message DeviceManagementResponse {
   // Error code to client.
   enum ErrorCode {
     SUCCESS = 0;
     // Returned for register request when device management is not supported
     // for the domain.
     DEVICE_MANAGEMENT_NOT_SUPPORTED = 1;
     // Returned when the device is not found.
     DEVICE_NOT_FOUND  = 2;
     // Returned when passed in device management token doesn't match the token
     // on server side.
     DEVICE_MANAGEMENT_TOKEN_INVALID  = 3;
     // Returned when device registration is pending approval (if required).
     ACTIVATION_PENDING = 4;
     // Returned when the policy is not found.
     POLICY_NOT_FOUND  = 5;
   }

   // Error code for this request.
   required ErrorCode error = 1;

   // Error message.
   optional string error_message = 2;

   // Register response
   optional DeviceRegisterResponse register_response = 3;

   // Unregister response
   optional DeviceUnregisterResponse unregister_response = 4;

   // Policy response.
   optional DevicePolicyResponse policy_response = 5;

   // Policy response (new protocol).
   optional CloudPolicyResponse cloud_policy_response  = 6;

   // Response to managed check request.
   optional ManagedCheckResponse managed_check_response = 7;
 }
	// Copyright (c) 2011 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	syntax = "proto2";

	import "cloud_policy.proto";

	option optimize_for = LITE_RUNTIME;

	package enterprise_management;

	// Protocol buffers for the obsolete protocol:
	// -------------------------------------------
	// GenericValue, GenericNamedValue, GenericSetting, DevicePolicySetting,
	// DevicePolicySettingRequest, DevicePolicyRequest, DevicePolicyResponse
	// TODO(gfeher): Remove these when both Chrome and DMServer is switched to
	// using the new protocol.

	// Generic value container.
	message GenericValue {
	enum ValueType {
	VALUE_TYPE_BOOL = 1;
	VALUE_TYPE_INT64 = 2;
	VALUE_TYPE_STRING = 3;
	VALUE_TYPE_DOUBLE = 4;
	VALUE_TYPE_BYTES = 5;
	VALUE_TYPE_BOOL_ARRAY = 6;
	VALUE_TYPE_INT64_ARRAY = 7;
	VALUE_TYPE_STRING_ARRAY = 8;
	VALUE_TYPE_DOUBLE_ARRAY = 9;
	}

	optional ValueType value_type = 1 [default = VALUE_TYPE_STRING];

	// basic value types
	optional bool bool_value = 2;
	optional int64 int64_value = 3;
	optional string string_value = 4;
	optional double double_value = 5;
	optional bytes bytes_value = 6;
	repeated bool bool_array = 7;
	repeated int64 int64_array = 8;
	repeated string string_array = 9;
	repeated double double_array = 10;
	}

	// Generic name value pair container.
	message GenericNamedValue {
	required string name = 1;
	optional GenericValue value = 2;
	}

	// A setting is a set of generic name value pairs.
	message GenericSetting {
	repeated GenericNamedValue named_value = 1;
	}

	// Identify a single device policy setting key/value pair.
	message DevicePolicySetting {
	// key of the policy setting
	required string policy_key = 1;
	// value of the setting
	optional GenericSetting policy_value = 2;
	// watermark for setting value.
	optional string watermark = 3;
	}

	// Request for a setting or with optional watermark on client side.
	message DevicePolicySettingRequest {
	// setting key
	required string key = 1;
	// watermark last read from server if available.
	optional string watermark = 2;
	}

	// Request from device to server to read device policies.
	message DevicePolicyRequest {
	// identify request scope: CrOS settings or other type of settings.
	optional string policy_scope = 1;
	// identify key to the settings: proxy etc.
	repeated DevicePolicySettingRequest setting_request = 2;
	}

	// Response from server to agent for reading policies.
	message DevicePolicyResponse {
	// the result of the settings.
	repeated DevicePolicySetting setting = 1;
	}

	// Protocol buffers for the new protocol:
	// --------------------------------------

	// Request from device to server to query if the authenticated user is in a
	// managed domain.
	message ManagedCheckRequest {
	}

	// Response from server to device indicating if the authenticated user is in a
	// managed domain.
	message ManagedCheckResponse {
	enum Mode {
	// The device must be enrolled for policies.
	MANAGED = 1;
	// The device is not automatically enrolled for policies, but the user
	// may choose to try to enroll it.
	UNMANAGED = 2;
	}

	optional Mode mode = 1;
	}

	// Request from device to server to register device.
	message DeviceRegisterRequest {
	// reregister device without erasing server state.
	// it can be used to refresh dmtoken etc.
	optional bool reregister = 1;
	}

	// Response from server to device register request.
	message DeviceRegisterResponse {
	// device mangement toke for this registration.
	required string device_management_token = 1;

	// The name of the device, assigned by the server.
	optional string device_name = 2;
	}

	// Request from device to server to unregister device.
	message DeviceUnregisterRequest {
	}

	// Response from server to device unregister request.
	message DeviceUnregisterResponse {
	}

	message CloudPolicyRequest {
	// Identify request scope: chromeos/device for device policies, chromeos/user
	// for user policies.
	optional string policy_scope = 1;
	// The device token of the owner of the device sending the request. In cases
	// the request was sent by the device owner or device policies were
	// requested, this is the same as the token used for authentication.
	// Otherwise (if the user policy is requested for someone else than the device
	// owner) this token is different from the token used for authentication.
	optional string device_token = 2;
	}

	// Response from server to device for reading policies.
	message CloudPolicyResponse {
	// Serialized SignedCloudPolicyResponse.
	optional bytes signed_response = 1;
	// RSA signature of the SHA1 hash of the above data.
	optional bytes signature = 2;
	// The chain of DER-encoded X.509 certificates of the server's signing key.
	// The first element should be the certificate whose private key was used
	// for signing the response, and each of the following certificates signs the
	// previous one.
	repeated bytes certificate_chain = 3;
	}
	message SignedCloudPolicyResponse {
	// The following two are necessary against replay attacks.
	// \|timestamp\| is a unix timestamp (seconds since 1970).
	optional int64 timestamp = 1;
	// The token that was used for the request.
	optional string request_token = 2;
	// The name of the device, assigned by the server.
	optional string device_name = 3;
	// CloudPolicySettings is defined in cloud_policy.proto (which is
	// auto-generated from chrome/app/policy_templates.json).
	optional CloudPolicySettings settings = 4;
	}

	// Request from the DMAgent on the device to the DMServer.
	// This is container for all requests from client.
	//
	// Http Query parameters:
	// Query parameters contain the following information in each request:
	// request: register/unregister/policy/cloud_policy/managed_check etc.
	// devicetype: CrOS/Android/Iphone etc.
	// apptype: CrOS/AndroidDM etc.
	// deviceid: unique id that identify the device.
	// agent: identify agent on device.
	//
	// Authorization:
	// 1. If request is managed_check, client must pass in GoogleLogin auth
	// cookie in Authorization header:
	// Authorization: GoogleLogin auth=<auth cookie>
	// This is the only case when the deviceid query parameter is set to empty.
	// The response will contain a flag indicating if the user is in a managed
	// domain or not. (We don't want to expose device ids of users not in
	// managed domains.)
	// 2. If request is register_request, client must pass in GoogleLogin auth
	// cookie in Authorization header:
	// Authorization: GoogleLogin auth=<auth cookie>
	// The response will contain an unique DMToken for future requests.
	// Depending on domain policy, the request may need admin approval before
	// DMToken is issued.
	// 3. For other requests, client must pass in DMToken in Authorization header:
	// Authorization: GoogleDMToken token=<google dm token>
	//
	message DeviceManagementRequest {
	// Register request.
	optional DeviceRegisterRequest register_request = 1;

	// Unregister request.
	optional DeviceUnregisterRequest unregister_request = 2;

	// Data request.
	optional DevicePolicyRequest policy_request = 3;

	// Data request (new protocol).
	optional CloudPolicyRequest cloud_policy_request = 4;

	// Request to check if a user is managed or not.
	optional ManagedCheckRequest managed_check_request = 5;
	}

	// Response from server to device.
	message DeviceManagementResponse {
	// Error code to client.
	enum ErrorCode {
	SUCCESS = 0;
	// Returned for register request when device management is not supported
	// for the domain.
	DEVICE_MANAGEMENT_NOT_SUPPORTED = 1;
	// Returned when the device is not found.
	DEVICE_NOT_FOUND = 2;
	// Returned when passed in device management token doesn't match the token
	// on server side.
	DEVICE_MANAGEMENT_TOKEN_INVALID = 3;
	// Returned when device registration is pending approval (if required).
	ACTIVATION_PENDING = 4;
	// Returned when the policy is not found.
	POLICY_NOT_FOUND = 5;
	}

	// Error code for this request.
	required ErrorCode error = 1;

	// Error message.
	optional string error_message = 2;

	// Register response
	optional DeviceRegisterResponse register_response = 3;

	// Unregister response
	optional DeviceUnregisterResponse unregister_response = 4;

	// Policy response.
	optional DevicePolicyResponse policy_response = 5;

	// Policy response (new protocol).
	optional CloudPolicyResponse cloud_policy_response = 6;

	// Response to managed check request.
	optional ManagedCheckResponse managed_check_response = 7;
	}