device_management_backend.proto revision 72a454cd3513ac24fbdd0e0cb9ad70b86a99b801
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
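// proto2 syntax: `required` fields and explicit field presence are in effect
// throughout this file.
syntax = "proto2";

// Supplies CloudPolicySettings, which SignedCloudPolicyResponse embeds.
import "cloud_policy.proto";

// Generate code against the lite runtime (no descriptors or reflection).
option optimize_for = LITE_RUNTIME;

package enterprise_management;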
// Protocol buffers for the obsolete protocol:
// -------------------------------------------
//    GenericValue, GenericNamedValue, GenericSetting, DevicePolicySetting,
//    DevicePolicySettingRequest, DevicePolicyRequest, DevicePolicyResponse
// TODO(gfeher): Remove these when both Chrome and DMServer have switched to
// using the new protocol.
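// Generic value container (part of the obsolete protocol).
//
// |value_type| names which of the value fields below carries the payload.
// Nothing in the schema ties the two together: the value fields are not a
// oneof, and |value_type| reads as VALUE_TYPE_STRING when it is absent. A
// reader therefore has to check that the field matching |value_type| is
// actually present, and must not act on any other field that happens to be
// populated.
message GenericValue {
  // Discriminator for the value fields of GenericValue.
  enum ValueType {
    VALUE_TYPE_BOOL = 1;
    VALUE_TYPE_INT64 = 2;
    VALUE_TYPE_STRING = 3;
    VALUE_TYPE_DOUBLE = 4;
    VALUE_TYPE_BYTES = 5;
    VALUE_TYPE_BOOL_ARRAY = 6;
    VALUE_TYPE_INT64_ARRAY = 7;
    VALUE_TYPE_STRING_ARRAY = 8;
    VALUE_TYPE_DOUBLE_ARRAY = 9;
  }

  // Type of the carried value; reads as VALUE_TYPE_STRING when unset.
  optional ValueType value_type = 1 [default = VALUE_TYPE_STRING];

  // Basic value types.
  optional bool bool_value = 2;
  optional int64 int64_value = 3;
  optional string string_value = 4;
  optional double double_value = 5;
  optional bytes bytes_value = 6;

  // Array value types.
  repeated bool bool_array = 7;
  repeated int64 int64_array = 8;
  repeated string string_array = 9;
  repeated double double_array = 10;
}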
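// Generic name/value pair container (part of the obsolete protocol).
message GenericNamedValue {
  // Name of the value. Required: a message without it fails to parse.
  required string name = 1;
  // The value itself. Optional, so a name may arrive with no value attached.
  optional GenericValue value = 2;
}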
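// A setting is a set of generic name/value pairs.
// NOTE(review): the schema does not forbid two entries with the same name;
// how duplicates are resolved is up to the reader.
message GenericSetting {
  // The name/value pairs that make up this setting.
  repeated GenericNamedValue named_value = 1;
}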
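// Identifies a single device policy setting key/value pair.
message DevicePolicySetting {
  // Key of the policy setting.
  required string policy_key = 1;
  // Value of the setting.
  optional GenericSetting policy_value = 2;
  // Watermark for the setting value.
  optional string watermark = 3;
}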
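// Request for a single setting, optionally carrying the watermark the client
// last saw for it.
message DevicePolicySettingRequest {
  // Setting key.
  required string key = 1;
  // Watermark last read from the server, if available.
  optional string watermark = 2;
}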
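// Request from device to server to read device policies.
message DevicePolicyRequest {
  // Identifies the request scope: CrOS settings or another type of settings.
  optional string policy_scope = 1;
  // Identifies the keys of the requested settings: proxy etc.
  repeated DevicePolicySettingRequest setting_request = 2;
}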
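// Response from server to agent for reading policies.
// NOTE(review): unlike CloudPolicyResponse, this message carries no signature
// field, so the integrity of these settings rests entirely on whatever
// protects the transport - confirm before relying on this path.
message DevicePolicyResponse {
  // The result of the settings.
  repeated DevicePolicySetting setting = 1;
}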
// Protocol buffers for the new protocol:
// --------------------------------------
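// Request from device to server to query if the authenticated user is in a
// managed domain. The message has no fields: the user is identified by the
// credentials sent with the request, not by anything in the body.
message ManagedCheckRequest {
}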
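// Response from server to device indicating if the authenticated user is in a
// managed domain.
message ManagedCheckResponse {
  // Enrollment mode the server reports for the user's domain.
  enum Mode {
    // The device must be enrolled for policies.
    MANAGED = 1;
    // The device is not automatically enrolled for policies, but the user
    // may choose to try to enroll it.
    UNMANAGED = 2;
  }

  // Enrollment mode. The field is optional and declares no default, so under
  // proto2 rules the generated getter returns the first enum value (MANAGED)
  // when the field is absent, and an enum value this client does not know is
  // parsed as an unknown field, which also leaves |mode| unset. Readers should
  // test for presence and decide deliberately what a missing mode means,
  // instead of inheriting MANAGED by accident.
  optional Mode mode = 1;
}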
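// Request from device to server to register device.
message DeviceRegisterRequest {
  // Re-register the device without erasing server state.
  // It can be used to refresh the dmtoken etc.
  optional bool reregister = 1;
}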
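// Response from server to device register request.
message DeviceRegisterResponse {
  // Device management token for this registration.
  // This is the DMToken that authorizes the device's later requests (see the
  // Authorization notes on DeviceManagementRequest), so it is a bearer
  // credential: store it as a secret and keep it out of logs and crash dumps.
  required string device_management_token = 1;

  // The name of the device, assigned by the server.
  optional string device_name = 2;
}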
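// Request from device to server to unregister device. The message has no
// fields; the device is identified by what accompanies the request (see the
// query parameters and Authorization notes on DeviceManagementRequest).
message DeviceUnregisterRequest {
}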
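// Response from server to device unregister request. Carries no data; the
// outcome is reported through DeviceManagementResponse.error.
message DeviceUnregisterResponse {
}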
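// Request from device to server to read policies (new protocol).
message CloudPolicyRequest {
  // Identify request scope: chromeos/device for device policies, chromeos/user
  // for user policies.
  optional string policy_scope = 1;
  // The device token of the owner of the device sending the request. In cases
  // the request was sent by the device owner or device policies were
  // requested, this is the same as the token used for authentication.
  // Otherwise (if the user policy is requested for someone else than the device
  // owner) this token is different from the token used for authentication.
  // NOTE(review): this is a credential-like value supplied in the request
  // body, separate from the Authorization header. The server presumably has to
  // check that the authenticated caller may request policy in the context of
  // this owner token rather than trusting the field as sent - confirm against
  // the DMServer implementation.
  optional string device_token = 2;
}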
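// Response from server to device for reading policies.
//
// All three fields are optional on the wire, so a verifier has to treat a
// missing |signature| or an empty |certificate_chain| as a verification
// failure, not as "unsigned but acceptable". |signed_response| should be
// parsed only after the signature over its exact bytes has been verified.
message CloudPolicyResponse {
  // Serialized SignedCloudPolicyResponse.
  optional bytes signed_response = 1;
  // RSA signature of the SHA1 hash of the above data.
  // NOTE(review): SHA-1 is no longer considered collision-resistant. Moving to
  // a SHA-2 digest needs a new field or an explicit algorithm indicator,
  // because the meaning of this field is fixed for existing clients.
  optional bytes signature = 2;
  // The chain of DER-encoded X.509 certificates of the server's signing key.
  // The first element should be the certificate whose private key was used
  // for signing the response, and each of the following certificates signs the
  // previous one.
  // NOTE(review): the chain travels in the same message as the data it vouches
  // for, so it only adds assurance if the verifier anchors it to a root it
  // already trusts and checks validity for every element. Which root is
  // trusted is not defined in this file.
  repeated bytes certificate_chain = 3;
}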
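// Signed payload of a policy response; CloudPolicyResponse carries it in
// serialized form in its |signed_response| field.
message SignedCloudPolicyResponse {
  // The following two are necessary against replay attacks.
  // They only protect a client that enforces them after the signature check:
  // a response whose |request_token| differs from the token the client sent,
  // or whose |timestamp| is absent or stale, should be rejected. Both fields
  // are optional, so absence must be checked explicitly.
  // NOTE(review): the accepted freshness window is not defined in this file.
  // |timestamp| is a unix timestamp (seconds since 1970).
  optional int64 timestamp = 1;
  // The token that was used for the request.
  optional string request_token = 2;
  // The name of the device, assigned by the server.
  optional string device_name = 3;
  // CloudPolicySettings is defined in cloud_policy.proto (which is
  // auto-generated from chrome/app/policy_templates.json).
  optional CloudPolicySettings settings = 4;
}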
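// Request from the DMAgent on the device to the DMServer.
// This is the container for all requests from the client.
//
// HTTP query parameters:
// Query parameters contain the following information in each request:
//   request: register/unregister/policy/cloud_policy/managed_check etc.
//   devicetype: CrOS/Android/Iphone etc.
//   apptype: CrOS/AndroidDM etc.
//   deviceid: unique id that identifies the device.
//   agent: identifies the agent on the device.
//
// Authorization:
// 1. If request is managed_check, client must pass in GoogleLogin auth
//    cookie in Authorization header:
//      Authorization: GoogleLogin auth=<auth cookie>
//    This is the only case when the deviceid query parameter is set to empty.
//    The response will contain a flag indicating if the user is in a managed
//    domain or not. (We don't want to expose device ids of users not in
//    managed domains.)
// 2. If request is register_request, client must pass in GoogleLogin auth
//    cookie in Authorization header:
//      Authorization: GoogleLogin auth=<auth cookie>
//    The response will contain a unique DMToken for future requests.
//    Depending on domain policy, the request may need admin approval before
//    DMToken is issued.
// 3. For other requests, client must pass in DMToken in Authorization header:
//    Authorization: GoogleDMToken token=<google dm token>
//
// NOTE(review): both the GoogleLogin cookie and the DMToken are bearer
// credentials, so this scheme presumably relies on an encrypted transport;
// that requirement is not stated here. The deviceid travels in the query
// string, which commonly ends up in server and proxy logs.
//
// NOTE(review): the sub-requests below are independent optional fields, not a
// oneof, so a message can carry several of them or none. The server should
// act only on the sub-request that matches the `request` query parameter, and
// should apply the authorization rule for that request type.
message DeviceManagementRequest {
  // Register request.
  optional DeviceRegisterRequest register_request = 1;

  // Unregister request.
  optional DeviceUnregisterRequest unregister_request = 2;

  // Data request.
  optional DevicePolicyRequest policy_request = 3;

  // Data request (new protocol).
  optional CloudPolicyRequest cloud_policy_request = 4;

  // Request to check if a user is managed or not.
  optional ManagedCheckRequest managed_check_request = 5;
}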
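// Response from server to device.
//
// NOTE(review): of everything in this message, only the |signed_response|
// bytes inside |cloud_policy_response| are covered by a signature. |error|,
// |error_message| and the other sub-responses are authenticated only by the
// transport they arrive over.
message DeviceManagementResponse {
  // Error code to client.
  enum ErrorCode {
    SUCCESS = 0;
    // Returned for register request when device management is not supported
    // for the domain.
    DEVICE_MANAGEMENT_NOT_SUPPORTED = 1;
    // Returned when the device is not found.
    DEVICE_NOT_FOUND = 2;
    // Returned when passed in device management token doesn't match the token
    // on server side.
    DEVICE_MANAGEMENT_TOKEN_INVALID = 3;
    // Returned when device registration is pending approval (if required).
    ACTIVATION_PENDING = 4;
    // Returned when the policy is not found.
    POLICY_NOT_FOUND = 5;
  }

  // Error code for this request. Required: a response without it fails to
  // parse.
  required ErrorCode error = 1;

  // Error message. Server-supplied free text; treat it as untrusted input when
  // logging or displaying it.
  optional string error_message = 2;

  // Register response.
  optional DeviceRegisterResponse register_response = 3;

  // Unregister response.
  optional DeviceUnregisterResponse unregister_response = 4;

  // Policy response.
  optional DevicePolicyResponse policy_response = 5;

  // Policy response (new protocol).
  optional CloudPolicyResponse cloud_policy_response = 6;

  // Response to managed check request.
  optional ManagedCheckResponse managed_check_response = 7;
}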