| // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| syntax = "proto2"; |
| |
| import "cloud_policy.proto"; |
| |
| option optimize_for = LITE_RUNTIME; |
| |
| package enterprise_management; |
| |
| // Protocol buffers for the obsolete protocol: |
| // ------------------------------------------- |
| // GenericValue, GenericNamedValue, GenericSetting, DevicePolicySetting, |
| // DevicePolicySettingRequest, DevicePolicyRequest, DevicePolicyResponse |
| // TODO(gfeher): Remove these when both Chrome and DMServer is switched to |
| // using the new protocol. |
| |
| // Generic value container. |
| message GenericValue { |
| enum ValueType { |
| VALUE_TYPE_BOOL = 1; |
| VALUE_TYPE_INT64 = 2; |
| VALUE_TYPE_STRING = 3; |
| VALUE_TYPE_DOUBLE = 4; |
| VALUE_TYPE_BYTES = 5; |
| VALUE_TYPE_BOOL_ARRAY = 6; |
| VALUE_TYPE_INT64_ARRAY = 7; |
| VALUE_TYPE_STRING_ARRAY = 8; |
| VALUE_TYPE_DOUBLE_ARRAY = 9; |
| } |
| |
| optional ValueType value_type = 1 [default = VALUE_TYPE_STRING]; |
| |
| // basic value types |
| optional bool bool_value = 2; |
| optional int64 int64_value = 3; |
| optional string string_value = 4; |
| optional double double_value = 5; |
| optional bytes bytes_value = 6; |
| repeated bool bool_array = 7; |
| repeated int64 int64_array = 8; |
| repeated string string_array = 9; |
| repeated double double_array = 10; |
| } |
| |
| // Generic name value pair container. |
| message GenericNamedValue { |
| required string name = 1; |
| optional GenericValue value = 2; |
| } |
| |
| // A setting is a set of generic name value pairs. |
| message GenericSetting { |
| repeated GenericNamedValue named_value = 1; |
| } |
| |
| // Identify a single device policy setting key/value pair. |
| message DevicePolicySetting { |
| // key of the policy setting |
| required string policy_key = 1; |
| // value of the setting |
| optional GenericSetting policy_value = 2; |
| // watermark for setting value. |
| optional string watermark = 3; |
| } |
| |
| // Request for a setting or with optional watermark on client side. |
| message DevicePolicySettingRequest { |
| // setting key |
| required string key = 1; |
| // watermark last read from server if available. |
| optional string watermark = 2; |
| } |
| |
| // Request from device to server to read device policies. |
| message DevicePolicyRequest { |
| // identify request scope: CrOS settings or other type of settings. |
| optional string policy_scope = 1; |
| // identify key to the settings: proxy etc. |
| repeated DevicePolicySettingRequest setting_request = 2; |
| } |
| |
| // Response from server to agent for reading policies. |
| message DevicePolicyResponse { |
| // the result of the settings. |
| repeated DevicePolicySetting setting = 1; |
| } |
| |
| // Request from device to server to register device. The response will include |
| // a device token that can be used to query policies. |
| message DeviceRegisterRequest { |
| // reregister device without erasing server state. |
| // it can be used to refresh dmtoken etc. |
| optional bool reregister = 1; |
| } |
| |
| // Response from server to device register request. |
| message DeviceRegisterResponse { |
| // device mangement toke for this registration. |
| required string device_management_token = 1; |
| } |
| |
| // Protocol buffers for the new protocol: |
| // -------------------------------------- |
| |
| // Request from device to server to get policies for an unregistered user. |
| // These are actually "meta-policies", that control the rules for the user |
| // about enrolling for real policies. |
| message InitialPolicyRequest { |
| } |
| |
| message InitialPolicySettings { |
| enum EnrollmentRule { |
| // The user must enroll its device for policies. |
| MANAGED = 1; |
| // The users's device is not automatically enrolled for policies, but the |
| // user may choose to try to enroll it. |
| UNMANAGED = 2; |
| } |
| |
| optional EnrollmentRule enrollment_rule = 1; |
| } |
| |
| // Response from server to device containing the policies available before |
| // registration. |
| message InitialPolicyResponse { |
| optional InitialPolicySettings settings = 1; |
| } |
| |
| // Request from device to server to unregister device management token. |
| message DeviceUnregisterRequest { |
| } |
| |
| // Response from server to unregister request. |
| message DeviceUnregisterResponse { |
| } |
| |
| // Request from device to server to register device. The response will include |
| // a device token that can be used to query policies. |
| message CloudRegisterRequest { |
| enum Type { |
| // Requesting token for user policies. |
| USER = 1; |
| // Requesting token for device policies. |
| DEVICE = 2; |
| } |
| optional Type type = 1; |
| // Unique identifier of the machine. Only set if type == DEVICE. |
| // This won't be sent in later requests, the machine can be identified |
| // by its device token. |
| optional string machine_id = 2; |
| } |
| |
| // Response from server to device register request. |
| message CloudRegisterResponse { |
| // Token for this registration. |
| required string device_management_token = 1; |
| |
| // The name of the requesting device, assigned by the server. |
| optional string machine_name = 2; |
| } |
| |
| message CloudPolicyRequest { |
| // Identify request scope: chromeos/device for device policies, chromeos/user |
| // for user policies. Only those policy scopes will be served, that are |
| // allowed by the type choice in CloudRegisterRequest. |
| optional string policy_scope = 1; |
| |
| // The token used to query device policies on the device sending the request. |
| // Note, that the token used for actual authentication is sent in an HTTP |
| // header. These two tokens are the same if this request is for querying |
| // device policies and they differ if this request is for querying user |
| // policies. In the second case, the server can use device_policy_token to |
| // identify the device and determine if the user is allowed to get policies |
| // on the given device. |
| optional string device_policy_token = 2; |
| } |
| |
| // Response from server to device for reading policies. |
| message CloudPolicyResponse { |
| // Serialized SignedCloudPolicyResponse. |
| optional bytes signed_response = 1; |
| // RSA signature of the SHA1 hash of the above data. |
| optional bytes signature = 2; |
| // The chain of DER-encoded X.509 certificates of the server's signing key. |
| // The first element should be the certificate whose private key was used |
| // for signing the response, and each of the following certificates signs the |
| // previous one. |
| repeated bytes certificate_chain = 3; |
| } |
| message SignedCloudPolicyResponse { |
| // The following two are necessary against replay attacks. |
| // |timestamp| is a unix timestamp (seconds since 1970). |
| optional int64 timestamp = 1; |
| // The token that was used for the request. |
| optional string request_token = 2; |
| // The name of the device, assigned by the server. |
| optional string device_name = 3; |
| // CloudPolicySettings is defined in cloud_policy.proto (which is |
| // auto-generated from chrome/app/policy_templates.json). |
| optional CloudPolicySettings settings = 4; |
| } |
| |
| // Request from the DMAgent on the device to the DMServer. |
| // This is container for all requests from client. |
| // |
| // Http Query parameters: |
| // Query parameters contain the following information in each request: |
| // request: register/unregister/policy/cloud_policy/cloud_register/ |
| // initial_policy |
| // devicetype: CrOS/Android/Iphone etc. |
| // apptype: CrOS/AndroidDM etc. |
| // agent: identify agent on device. |
| // |
| // Authorization: |
| // 1. If request is initial_policy, client must pass in GoogleLogin |
| // auth cookie in Authorization header: |
| // Authorization: GoogleLogin auth=<auth cookie> |
| // The response will contain settings that a user can get without |
| // registration. Currently the only such setting is a flag indicating if the |
| // user is in a managed domain or not. (We don't want to expose device ids of |
| // users not in managed domains.) |
| // 2. If request is register_request, client must pass in GoogleLogin auth |
| // cookie in Authorization header: |
| // Authorization: GoogleLogin auth=<auth cookie> |
| // The response will contain an unique DMToken for future requests. |
| // Depending on domain policy, the request may need admin approval before |
| // DMToken is issued. |
| // 3. For other requests, client must pass in DMToken in Authorization header: |
| // Authorization: GoogleDMToken token=<google dm token> |
| // |
| message DeviceManagementRequest { |
| // Register request (old protocol). |
| optional DeviceRegisterRequest register_request = 1; |
| |
| // Unregister request. |
| optional DeviceUnregisterRequest unregister_request = 2; |
| |
| // Data request. |
| optional DevicePolicyRequest policy_request = 3; |
| |
| // Data request (new protocol). |
| optional CloudPolicyRequest cloud_policy_request = 4; |
| |
| // Request for initial (before registration) policies. |
| optional InitialPolicyRequest initial_policy_request = 5; |
| |
| // Register request (new protocol). |
| optional CloudRegisterRequest cloud_register_request = 6; |
| } |
| |
| // Response from server to device. |
| message DeviceManagementResponse { |
| // Error code to client. |
| enum ErrorCode { |
| SUCCESS = 0; |
| // Returned for register request when device management is not supported |
| // for the domain. |
| DEVICE_MANAGEMENT_NOT_SUPPORTED = 1; |
| // Returned when the device is not found. |
| DEVICE_NOT_FOUND = 2; |
| // Returned when passed in device management token doesn't match the token |
| // on server side. |
| DEVICE_MANAGEMENT_TOKEN_INVALID = 3; |
| // Returned when device registration is pending approval (if required). |
| ACTIVATION_PENDING = 4; |
| // Returned when the policy is not found. |
| POLICY_NOT_FOUND = 5; |
| } |
| |
| // Error code for this request. |
| required ErrorCode error = 1; |
| |
| // Error message. |
| optional string error_message = 2; |
| |
| // Register response (old protocol). |
| optional DeviceRegisterResponse register_response = 3; |
| |
| // Unregister response |
| optional DeviceUnregisterResponse unregister_response = 4; |
| |
| // Policy response. |
| optional DevicePolicyResponse policy_response = 5; |
| |
| // Policy response (new protocol). |
| optional CloudPolicyResponse cloud_policy_response = 6; |
| |
| // Response to initial (before registration) policy request. |
| optional InitialPolicyResponse initial_policy_response = 7; |
| |
| // Register response (new protocol). |
| optional CloudRegisterResponse cloud_register_response = 8; |
| } |