diff --git a/dmbackend/device_management.proto b/dmbackend/device_management.proto new file mode 100644 index 0000000..716b9d5 --- /dev/null +++ b/dmbackend/device_management.proto @@ -0,0 +1,5014 @@ +// Copyright 2013 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +syntax = "proto2"; + +option optimize_for = LITE_RUNTIME; + +package enterprise_management; + +option go_package = "chromium/policy/enterprise_management_proto"; + +import "private_membership_rlwe.proto"; + +// Everything below this comment will be synchronized between client and server +// repos ( go/cros-proto-sync ). + +// This enum needs to be shared between DeviceRegisterRequest and +// LicenseAvailability protos. With java_api_version 1, this means that enum +// needs to be wrapped into a message. +message LicenseType { + // Enumerates different license types. + enum LicenseTypeEnum { + // Unknown/undefined + UNDEFINED = 0; + // Chrome Device Management Perpetual + CDM_PERPETUAL = 1; + // Chrome Device Management Annual + CDM_ANNUAL = 2; + // Chrome Kiosk + KIOSK = 3; + // Chrome Enterprise bundled license + CDM_PACKAGED = 4; + } + + optional LicenseTypeEnum license_type = 1; +} + +// The current active session type on the device, or `NO_SESSION` if no user +// is currently logged in. +// This enum is used in the response payload of the +// `FETCH_CRD_AVAILABILITY_INFO` remote command. +// NOTE: Please DO NOT rename enum entries as they are used by external APIs. +enum UserSessionType { + USER_SESSION_TYPE_UNKNOWN = 0; + AUTO_LAUNCHED_KIOSK_SESSION = 1; + MANUALLY_LAUNCHED_KIOSK_SESSION = 2; + AFFILIATED_USER_SESSION = 3; + UNAFFILIATED_USER_SESSION = 4; + MANAGED_GUEST_SESSION = 5; + GUEST_SESSION = 6; + NO_SESSION = 7; +} + +// The type of the CRD session. This enum is used in: +// * the response payload of `FETCH_CRD_AVAILABILITY_INFO`. +// * the request payload of `DEVICE_START_CRD_SESSION`. +enum CrdSessionType { + CRD_SESSION_TYPE_UNKNOWN = 0; + // A session where the admin has exclusive control of the remote machine. + REMOTE_ACCESS_SESSION = 1; + // A session where the admin and the local user share control of the remote + // machine. + REMOTE_SUPPORT_SESSION = 2; +} + +// Enum indicating why a CRD session is or is not available. +// This enum is used in the response payload of the +// `FETCH_CRD_AVAILABILITY_INFO` remote command. +// NOTE: Please DO NOT rename enum entries as they are used by external APIs. +enum CrdSessionAvailability { + CRD_SESSION_AVAILABILITY_UNKNOWN = 0; + // The CRD session is available and the admin can start a CRD session. + AVAILABLE = 1; + // The CRD session is not available for the current user session type. + UNAVAILABLE_UNSUPPORTED_USER_SESSION_TYPE = 2; + // The CRD session is not available since the device is in an unmanaged + // environment. + UNAVAILABLE_UNMANAGED_ENVIRONMENT = 3; + // The CRD session type is unsupported by device os version + UNAVAILABLE_UNSUPPORTED_DEVICE_OS_VERSION = 4; + // CRD is disabled on the device by the 'enterprise remote support connection' + // policy. + UNAVAILABLE_DISABLED_BY_POLICY = 5; +} + +// Result code used in the response payload of the `START_CRD_SESSION` remote +// command. This is used because it is more granular than the normal +// `ResultType` enum used as the result code for a remote command. +enum StartCrdSessionResultCode { + START_CRD_SESSION_RESULT_UNKNOWN = -1; + // Successfully obtained access code. + START_CRD_SESSION_SUCCESS = 0; + // Failed as required services are not launched on the device. + SERVICES_NOT_READY = 1; + // Failure as the current user type does not support remotely starting CRD. + FAILURE_UNSUPPORTED_USER_TYPE = 2; + // Failed as device is currently in use and no interruptUser flag is set. + FAILURE_NOT_IDLE = 3; + // Failed as we could not get OAuth token for whatever reason. + FAILURE_NO_OAUTH_TOKEN = 4; + // Failed as we could not get ICE configuration for whatever reason. + // deprecated + FAILURE_NO_ICE_CONFIG = 5; + // Failure during attempt to start CRD host and obtain CRD token. + FAILURE_CRD_HOST_ERROR = 6; + // Failure to start a curtained session as we're not in a managed environment. + FAILURE_UNMANAGED_ENVIRONMENT = 7; + // Failed because RemoteAccessHostAllowEnterpriseRemoteSupportConnections + // policy is disabled. + FAILURE_DISABLED_BY_POLICY = 8; +} + +// Result code used in the response payload of the `FETCH_SUPPORT_PACKET` remote +// command. The response payload will be a JSON string as follows: +// { +// "result": , +// (optional) "notes": [] +// } +enum FetchSupportPacketResultCode { + // Unspecified result. + FETCH_SUPPORT_PACKET_RESULT_CODE_UNSPECIFIED = 0; + // Success. + FETCH_SUPPORT_PACKET_RESULT_SUCCESS = 1; + // Command is not enabled for the device or the user. + FAILURE_COMMAND_NOT_ENABLED = 2; + // Failed to create the file to upload. + FAILURE_EXPORTING_FILE = 3; + // Internal failure at reporting pipeline. LogUploadEvent can't be enqueued. + FAILURE_REPORTING_PIPELINE = 4; + // File upload to File Storage Server has failed. + FAILURE_LOG_UPLOAD = 5; +} + +// Result payload field that will used for FETCH_SUPPORT_PACKET remote command. +// This field represents the warnings or notes that the device sends along with +// the command result. This enum will be used to attach optional notes to +// successful execution. Failure details will be send to the server in +// FetchSupportPacketResultCode enum. +enum FetchSupportPacketResultNote { + FETCH_SUPPORT_PACKET_RESULT_PAYLOAD_UNSPECIFIED = 0; + // Warning that the requested PII is not allowed to be included in the + // collected logs due to privacy issues. This is not an error but a warning to + // the admin. The log file will be created and uploaded without PII. + WARNING_PII_NOT_ALLOWED = 1; +} + +// Data along with a cryptographic signature verifying their authenticity. +message SignedData { + // The data to be signed. + optional bytes data = 1; + // The signature of the data field. + optional bytes signature = 2; + // How many bytes were added to the end of original data before signature + // (e.g. a nonce to avoid proxy attacks of the signing service). + optional int32 extra_data_bytes = 3; +} + +// Request from device to server to check user account type for enrollment. +message CheckUserAccountRequest { + // Email address of a user. + // The user may not exist in GAIA. + optional string user_email = 1; + // If enrollment nudge policy is required. + optional bool enrollment_nudge_request = 2 [default = false]; +} + +// Request from device to server to register a device, user or browser. +message DeviceRegisterRequest { + reserved 5, 10; + + // Reregister device without erasing server state. It can be used + // to refresh dmtoken etc. Client MUST set this value to true if it + // reuses an existing device id. + optional bool reregister = 1; + + // Register type. This field does not exist for TT release. + // When a client requests for policies, server should verify the + // client has been registered properly. For example, a client must + // register with type DEVICE in order to retrieve device policies. + enum Type { + reserved 5; + + TT = 0; // Register for TT release. + USER = 1; // Register for Chrome OS user polices. + DEVICE = 2; // Register for Chrome OS device policies. + BROWSER = 3; // Register for desktop Chrome browser user policies. + ANDROID_BROWSER = 4; // Register for Android Chrome browser user policies. + IOS_BROWSER = 6; // Register for iOS Chrome browser user policies. + } + // NOTE: we also use this field to detect client version. If this + // field is missing, then the request comes from TT. We will remove + // Chrome OS TT support once it is over. + optional Type type = 2 [default = TT]; + + // Machine hardware id, such as serial number. + // This field is required if register type == DEVICE. + optional string machine_id = 3; + + // Machine model name, such as "ZGA", "Cr-48", "Nexus One". If the + // model name is not available, client SHOULD send generic name like + // "Android", or "Chrome OS". + optional string machine_model = 4; + + // Indicates a requisition of the registering entity that the server can act + // upon. This allows clients to pass hints e.g. at device enrollment time + // about the intended use of the device. + optional string requisition = 6; + + // The current server-backed state key for the client, if applicable. This can + // be used by the server to link the registration request to an existing + // device record for re-enrollment. + optional bytes server_backed_state_key = 7; + + // Enumerates different flavors of registration. + enum Flavor { + reserved 12; + + // User manually enrolls a device for device management. + FLAVOR_ENROLLMENT_MANUAL = 0; + // User re-starts enrollment manually to recover from loss of policy. + FLAVOR_ENROLLMENT_MANUAL_RENEW = 1; + // Device enrollment forced by local device configuration, such as OEM + // partition flags to force enrollment. + FLAVOR_ENROLLMENT_LOCAL_FORCED = 2; + // Enrollment advertised by local device configuration, such as OEM + // partition flags indicating to prompt for enrollment, but allowing the + // user to skip. + FLAVOR_ENROLLMENT_LOCAL_ADVERTISED = 3; + // Device state downloaded from the server during OOBE indicates that + // re-enrollment is mandatory. + FLAVOR_ENROLLMENT_SERVER_FORCED = 4; + // Device state downloaded from the server during OOBE indicates that the + // device should prompt for (re-)enrollment, but the user is allowed to + // skip. + FLAVOR_ENROLLMENT_SERVER_ADVERTISED = 5; + // Device detected in steady state that it is supposed to be enrolled, but + // the policy is missing. + FLAVOR_ENROLLMENT_RECOVERY = 6; + // User policy registration for a logged-in user. + FLAVOR_USER_REGISTRATION = 7; + // Attestation-based with the option to use a different authentication + // mechanism. + FLAVOR_ENROLLMENT_ATTESTATION = 8; + // Forced attestation-based enrollment (cannot fallback to another flavor). + FLAVOR_ENROLLMENT_ATTESTATION_LOCAL_FORCED = 9; + // Device state downloaded from the server during OOBE indicates that + // re-enrollment is mandatory and should be attestation-based. + FLAVOR_ENROLLMENT_ATTESTATION_SERVER_FORCED = 10; + // Device state downloaded from the server indicated that re-enrollment is + // mandatory, but it failed and we are doing a fallback to manual + // enrollment. + FLAVOR_ENROLLMENT_ATTESTATION_MANUAL_FALLBACK = 11; + // Device state downloaded from the server during OOBE indicates that + // initial enrollment is mandatory. + FLAVOR_ENROLLMENT_INITIAL_SERVER_FORCED = 13; + // Device state downloaded from the server during OOBE indicates that + // initial enrollment is mandatory and should be attestation-based. + FLAVOR_ENROLLMENT_ATTESTATION_INITIAL_SERVER_FORCED = 14; + // Device state downloaded from the server indicated that initial enrollment + // is mandatory, but it failed and we are doing a fallback to manual + // enrollment. + FLAVOR_ENROLLMENT_ATTESTATION_INITIAL_MANUAL_FALLBACK = 15; + // An enterprise rollback just took place and the device was wiped. + // Attempt to re-enroll with attestation. This is forced from the + // client side. + FLAVOR_ENROLLMENT_ATTESTATION_ROLLBACK_FORCED = 16; + // An enterprise rollback just took place and the device was wiped. + // Attestation re-enrollment just failed, attempt manual enrollment as + // fallback. + FLAVOR_ENROLLMENT_ATTESTATION_ROLLBACK_MANUAL_FALLBACK = 17; + // Device state downloaded from the server indicated that initial enrollment + // is mandatory and should be token-based. + FLAVOR_ENROLLMENT_TOKEN_INITIAL_SERVER_FORCED = 18; + // Device state downloaded from the server indicated that initial + // token-based enrollment is mandatory, but it failed and we are doing + // fallback to manual enrollment. + FLAVOR_ENROLLMENT_TOKEN_INITIAL_MANUAL_FALLBACK = 19; + } + + // Indicates the registration flavor. This is passed to the server FYI when + // registering for policy so the server can distinguish registration triggers. + optional Flavor flavor = 8; + + // If specified, represents the license type selected by user on the device. + optional LicenseType license_type = 9; + + // Enumerates different expected lifetimes of registration. + enum Lifetime { + // Default case. + LIFETIME_UNDEFINED = 0; + // No expiration, most of the registrations have this lifetime. + LIFETIME_INDEFINITE = 1; + // Lifetime for ephemeral user policy registration. + LIFETIME_EPHEMERAL_USER = 2; + } + + // Indicates the expected lifetime of registration. + optional Lifetime lifetime = 11 [default = LIFETIME_INDEFINITE]; + + // The 4-character brand code of the device. + optional string brand_code = 12; + + // Previous DMToken that should be reused for re-registration. + optional string reregistration_dm_token = 13; + + // MAC address for onboard network (ethernet) interface. + // The format is twelve (12) hexadecimal digits without any delimiter + // (uppercase letters). + // This field might be set only if register type == DEVICE. + optional string ethernet_mac_address = 14; + + // Built-in MAC address for the docking station that the device can be + // connected to. + // The format is twelve (12) hexadecimal digits without any delimiter + // (uppercase letters). + // This field might be set only if register type == DEVICE. + optional string dock_mac_address = 15; + + // The date the device was manufactured in yyyy-mm-dd format. + // This field might be set only if register type == DEVICE. + optional string manufacture_date = 16; + + // Currently using in token enrollment to ensure domain in request matches + // domain from token. + optional string expected_enrollment_domain = 17; + + // Identification of the device that is not already available. + optional DeviceRegisterIdentification device_register_identification = 18; + + // Indicates all possible PSM (Private Set Membership) protocol final results + // without specifying the root cause in case of an error. + enum PsmExecutionResult { + // PSM protocol started and it neither finished successfully nor + // terminated due to a protocol's error. + PSM_RESULT_UNKNOWN = 0; + + // PSM finished successfully and there was server-backed state for the + // device. + PSM_RESULT_SUCCESSFUL_WITH_STATE = 1; + + // PSM finished successfully and there was no server-backed state for the + // device. + PSM_RESULT_SUCCESSFUL_WITHOUT_STATE = 2; + + // PSM terminated due to an error. + PSM_RESULT_ERROR = 3; + + // PSM check was skipped, as the device is going through Flex Auto + // Enrollment after legacy state determination. + PSM_SKIPPED_FOR_FLEX_AUTO_ENROLLMENT = 4; + } + optional PsmExecutionResult psm_execution_result = 19; + + // Timestamp of PSM retrieving the device's determination successfully in + // milliseconds since Epoch in UTC timezone (Java time). + optional int64 psm_determination_timestamp_ms = 20; + + // Information specific to Demo Mode about the device and the demo context. + // Only set when the device is enrolling into Demo Mode, as defined by + // DeviceRegisterRequest.requisition == "cros-demo-mode". + optional DemoModeDimensions demo_mode_dimensions = 21; + + // Contains encoded customer information relevant for the generic OIDC profile + // enrollment process. + optional string oidc_profile_enrollment_state = 22; + + // Next id: 23. +} + +// Identification of a device used during its registration. +message DeviceRegisterIdentification { + // The attested device ID for devices using Zero-Touch (see go/zt-sn). + optional string attested_device_id = 1; +} + +// Response from server to device +message CheckUserAccountResponse { + // Enum listing the possible user account status. + enum UserAccountType { + UNKNOWN_USER_ACCOUNT_TYPE = 0; + + // There is no GAIA user exist mapping to the specific user email. + NOT_EXIST = 1; + + // The GAIA user mapping to the specific user email is not a dasher user. + CONSUMER = 2; + // The GAIA user is a dasher user. See http://go/is-dasher-user + DASHER = 3; + } + + // The domain abstracted from the specific email has been verified by dasher. + optional bool domain_verified = 1; + + // The account type mapping from the specific user email. + optional UserAccountType user_account_type = 2; + + // Enum listing the possible enrollment nudge types. + enum EnrollmentNudgeType { + UNKNOWN_ENROLLMENT_NUDGE_TYPE = 0; + // Enrollment is not required. + NONE = 1; + // Requires the user to complete the enrollment process before they can + // login. + ENROLLMENT_REQUIRED = 2; + } + + // Whether to nudge managed users to enroll unowned devices. + optional EnrollmentNudgeType enrollment_nudge_type = 3; +} + +// Response from server to device register request. +message DeviceRegisterResponse { + reserved 6; + + // Device management token for this registration. This token MUST be + // part of HTTP Authorization header for all future requests from + // device to server. + required string device_management_token = 1; + + // Device display name. By default, server generates the name in + // the format of "Machine Model - Machine Id". However, domain + // admin can update it using Admin console, so do NOT treat it as constant. + optional string machine_name = 2; + + // Enum listing the possible modes the device should be locked into when the + // registration is finished. + enum DeviceMode { + // In ENTERPRISE mode the device has no local owner and device settings are + // controlled through the cloud policy infrastructure. Auto-enrollment is + // supported in that mode. + ENTERPRISE = 0; + // DEPRECATED: Devices in RETAIL mode also have no local owner and get their + // device settings from the cloud, but additionally this mode enables the + // demo account on the device. + RETAIL_DEPRECATED = 1; + // DEPRECATED: Devices in CHROME_AD mode are in enterprises with AD. Device + // settings are controlled through the AD policy infrastructure. + CHROME_AD_DEPRECATED = 2; + // Devices in DEMO mode have no local owner and get their device settings + // from the cloud. They are controlled by demo mode domain and provide + // customized demo experience to the users. + DEMO = 3; + } + optional DeviceMode enrollment_type = 3 [default = ENTERPRISE]; + + // An opaque configuration string for devices that require it. CHROME_AD + // devices, for example, may use this string for AD discovery. Must be at + // most a few kBytes. + optional string configuration_seed = 4; + + // List of user affiliation IDs. The list is used to define if the user + // registering for policy is affiliated on the device. + // Only sent if DeviceRegisterRequest.Type == USER + repeated string user_affiliation_ids = 5; + + // The display name Chrome should use when setting up the profile, used for + // OIDC managed profile only. + optional string user_display_name = 7; + + // The email of the user who logged into this profile, used for OIDC managed + // profile only. + optional string user_email = 8; + + // Enum listing the possible types of the third party identity used for OIDC + // managed profiles. + enum ThirdPartyIdentityType { + // The profile does not have third party identity. + NONE = 0; + // The third party identity is synced to Google (Dasher) and there is an + // associated GAIA ID for it. + DASHER_BASED = 1; + // The third party identity is not synced to Google and there is no + // associated GAIA ID for it. + DASHERLESS = 2; + } + optional ThirdPartyIdentityType third_party_identity_type = 9 + [default = NONE]; +} + +// Request from device to server to unregister device. +// GoogleDMToken MUST be in HTTP Authorization header. +message DeviceUnregisterRequest {} + +// Response from server to device for unregister request. +message DeviceUnregisterResponse {} + +// Request from device to server to upload a device certificate or an enrollment +// identifier. +// GoogleDMToken MUST be in HTTP Authorization header. +message DeviceCertUploadRequest { + enum CertificateType { + // Default value for when a type is not specified. + CERTIFICATE_TYPE_UNSPECIFIED = 0; + // Enterprise machine certificate used for remote attestation. + ENTERPRISE_MACHINE_CERTIFICATE = 1; + // Enrollment certificate used to obtain an enrollment identifier. + ENTERPRISE_ENROLLMENT_CERTIFICATE = 2; + } + + // Certificate in X.509 format. + optional bytes device_certificate = 1; + // Type of certificate. If omitted, will be guessed from the other fields. + optional CertificateType certificate_type = 2; + // Enrollment identifier if provided. + optional bytes enrollment_id = 3; +} + +// Response from server to device for cert upload request. +message DeviceCertUploadResponse {} + +// Request to access a Google service with the given scope. +message DeviceServiceApiAccessRequest { + // The list of auth scopes the device requests from DMServer. + repeated string auth_scopes = 1; + + // OAuth2 client ID to which the returned authorization code is bound. + optional string oauth2_client_id = 2; + + // Enumerates different flavors of registration. + enum DeviceType { + // Authcode will be used by Chrome OS + // (this is typically requested during device enrollment) + CHROME_OS = 0; + // Authcode will be used by Android (ARC) subsystem + // (this is typically requested during ARC Kiosk session setup) + ANDROID_OS = 1; + // Authcode will be used by Chrome OS Demo Mode. This auth code can be used + // to access Google Docs. + // Please see go/cros-demo-mode and go/demo-mode-account-brainstorm. + CHROME_OS_DEMO_MODE = 2; + // Authcode will be used by the enterprise-managed Chrome Browser to + // register for policy invalidations. This is requested during enrollment. + CHROME_BROWSER = 3; + } + + // Device type indicates the intended use of the auth code. + optional DeviceType device_type = 3; +} + +// Response from server to API access request. +message DeviceServiceApiAccessResponse { + // The OAuth2 authorization code for the requested scope(s). + // This can be exchanged for a refresh token. + optional string auth_code = 1; +} + +// Device Identifier for non-Chrome OS platform. +message BrowserDeviceIdentifier { + reserved 3; + + // Name of the computer. + optional string computer_name = 1; + // Device serial number (definition depending on the platform). + optional string serial_number = 2; +} + +message PolicyFetchRequest { + reserved 5; + + // This is the policy type, which maps to D3 policy type internally. + // By convention, we use "/" as separator to create policy namespace. + // The policy type names are case insensitive. + // + // Possible values for Chrome OS are: + // google/chromeos/device => ChromeDeviceSettingsProto + // google/chromeos/publicaccount => ChromeSettingsProto + // google/chromeos/signinextension => ExternalPolicyData + // google/chromeos/remotecommand => RemoteCommand (*) + // + // For users signed in to Chrome, + // google/chromeos/user => ChromeSettingsProto + // google/android/user => ChromeSettingsProto + // google/chrome/user => ChromeSettingsProto + // google/ios/user => ChromeSettingsProto + // google/chrome/extension => ExternalPolicyData + // + // For Chrome Browser Cloud Management, + // google/chrome/machine-level-user => ChromeSettingsProto + // google/chrome/machine-level-user-android => ChromeSettingsProto + // google/chrome/machine-level-user-ios => ChromeSettingsProto + // google/chrome/machine-level-extension => ExternalPolicyData + // google/machine-level-apps => + // Omaha policy fetch is translated into two policy types + // google/chrome/machine-level-user => ChromeSettingsProto + // google/machine-level-omaha => OmahaSettingsClientProto + // + // Types marked with an (*) are not policies, but data signed with the policy + // key. It is illegal to try to fetch policies with those types. + optional string policy_type = 1; + + // This is the last policy timestamp that client received from server. The + // expectation is that this field is filled by the value of + // PolicyData.timestamp from the last policy received by the client. + optional int64 timestamp = 2; + + // Tell server what kind of security signature is required. + // TODO(b/147782972): Move to toplevel in sync with Chrome OS client code. + enum SignatureType { + NONE = 0; + SHA1_RSA = 1; + SHA256_RSA = 2; + } + optional SignatureType signature_type = 3 [default = NONE]; + + // The version number of the public key that is currently stored + // on the client. This should be the last number the server had + // supplied as new_public_key_version in PolicyData. + // This field is unspecified if the client does not yet have a + // public key. + optional int32 public_key_version = 4; + + // This field is used for devices to send the additional ID to fetch settings. + // Retrieving some settings requires more than just device or user ID. + // For example, to retrieve public account, devices need to pass in + // public account ID in addition to device ID. To retrieve extension or + // plug-in settings, devices need to pass in extension/plug-in ID in + // addition to user ID. + // policy_type represents the type of settings (e.g. public account, + // extension) devices request to fetch. + optional string settings_entity_id = 6; + + // If this fetch is due to a policy invalidation, this field contains the + // version provided with the invalidation. The server interprets this value + // and the value of invalidation_payload to fetch the up-to-date policy. + optional int64 invalidation_version = 7; + + // If this fetch is due to a policy invalidation, this field contains the + // payload delivered with the invalidation. The server interprets this value + // and the value of invalidation_version to fetch the up-to-date policy. + optional bytes invalidation_payload = 8; + + // Hash string for the chrome policy verification public key which is embedded + // into Chrome binary. Matching private key will be used by the server + // to sign per-domain policy keys during key rotation. If server does not + // have the key which matches this hash string, that could indicate malicious + // or out-of-date Chrome client. + optional string verification_key_hash = 9; + + // Encoded information from a policy invalidation notification. This is opaque + // to the client and should be forwarded from the invalidation notification. + optional string policy_invalidation_info = 10; + + // Whether or not the client only supports the new PolicyData invalidation + // topics. If true, only the policy_invalidation_topic and + // command_invalidation_topic fields will be set in the PolicyData response. + optional bool invalidation_topics_only = 11; + + // If this is an affiliated user, this is the device's DMToken. + optional string device_dm_token = 12; + + // Device identifier for helping identify non-Chrome OS devices. + optional BrowserDeviceIdentifier browser_device_identifier = 13; +} + +// This message customizes how the device behaves when it is disabled by its +// owner. The message will be sent as part of the DeviceState fetched during +// normal operation and as part of the DeviceStateRetrievalResponse fetched when +// the device is wiped/reinstalled. +message DisabledState { + // A message to the finder/thief that should be shown on the screen. + optional string message = 1; +} + +message DeviceState { + // Modes of operation that the device can be in. + enum DeviceMode { + // The device is operating normally. Sessions can be started and the device + // can be used. + DEVICE_MODE_NORMAL = 0; + // The device has been disabled by its owner. The device will show a warning + // screen and will not allow any sessions to be started. + DEVICE_MODE_DISABLED = 1; + } + // The mode of operation that the device should be in. + optional DeviceMode device_mode = 1 [default = DEVICE_MODE_NORMAL]; + + // State that is relevant only when the |device_mode| is + // |DEVICE_MODE_DISABLED|. + optional DisabledState disabled_state = 2; +} + +message CustomerLogo { + // The SCS url for the logo set by the admin for a particular OU. + // This is in the form https://admin.googleusercontent.com/. + optional string logo_url = 1; +} + +// This message is included in serialized form in PolicyFetchResponse below. It +// may also be signed, with the signature being created for the serialized form. +message PolicyData { + reserved 10, 13, 14, 18, 19; + reserved "command_invalidation_name"; + reserved "command_invalidation_source"; + reserved "invalidation_name"; + reserved "invalidation_source"; + reserved "valid_serial_number_missing"; + + // See PolicyFetchRequest.policy_type. + optional string policy_type = 1; + + // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). It is + // included here so that the time at which the server issued this response + // cannot be faked (as protection against replay attacks). It is the timestamp + // generated by DMServer, NOT the time admin last updated the policy or + // anything like that. + optional int64 timestamp = 2; + + // The DMToken that was used by the client in the HTTP POST header for + // authenticating the request. It is included here again so that the client + // can verify that the response is meant for them (and not issued by a replay + // or man-in-the-middle attack). + // Note that the existence or non-existence of the DMToken is not the correct + // way to determine whether the device is managed. Cf. |management_mode| below + // for details. + optional string request_token = 3; + + // The serialized value of the actual policy protobuf. This can be + // deserialized to an instance of, for example, ChromeSettingsProto, + // ChromeDeviceSettingsProto, or ExternalPolicyData. + optional bytes policy_value = 4; + + // The device display name assigned by the server. It is only + // filled if the display name is available. + // + // The display name of the machine as generated by the server or set + // by the Administrator in the Admin console GUI. This is the same thing as + // |machine_name| in DeviceRegisterResponse but it might have + // changed since then. + optional string machine_name = 5; + + // Version number of the server's current public key. (The key that + // was used to sign this response. Numbering should start at 1 and be + // increased by 1 at each key rotation.) + optional int32 public_key_version = 6; + + // The user this policy is intended for. In case of device policy, the name + // of the owner (who registered the device). + optional string username = 7; + + // In this field the DMServer should echo back the "deviceid" HTTP parameter + // from the request. This is also used for user and device local accounts ids, + // see client_id in code. + optional string device_id = 8; + + // Indicates which state this association with DMServer is in. This can be + // used to tell the client that it is not receiving policy even though the + // registration with the server is kept active. + enum AssociationState { + // Association is active and policy is pushed. + ACTIVE = 0; + // Association is alive, but the corresponding domain is not managed. + UNMANAGED = 1; + // The device has been deprovisioned by the administrator and is no longer + // managed. + DEPROVISIONED = 2; + } + optional AssociationState state = 9 [default = ACTIVE]; + + // Indicates which public account or extension/plug-in this policy data is + // for. See PolicyFetchRequest.settings_entity_id for more details. + optional string settings_entity_id = 11; + + // Indicates the identity the device service account is associated with. + // This is only sent as part of device policy fetch. + optional string service_account_identity = 12; + + // Server-provided identifier of the fetched policy. This is to be used + // by the client when requesting Policy Posture assertion through an API + // call or SAML flow. For details, see http://go/chrome-nac-server-design. + optional string policy_token = 15; + + // Indicates the management mode of the device. Note that old policies do not + // have this field. If this field is not set but request_token is set, assume + // the management mode is ENTERPRISE_MANAGED. If both this field and + // request_token are not set, assume the management mode is LOCAL_OWNER. + enum ManagementMode { + // The device is owned locally. The policies are set by the local owner of + // the device. + LOCAL_OWNER = 0; + // The device is enterprise-managed (either via DM server or through Active + // Directory). See the comment above for backward compatibility. + ENTERPRISE_MANAGED = 1; + // Obsolete. Don't use. + OBSOLETE_CONSUMER_MANAGED = 2; + } + optional ManagementMode management_mode = 16; + + // Indicates the state that the device should be in. + optional DeviceState device_state = 17; + + // The free-text location info the admin enters to associate the device + // with a location. + optional string annotated_location = 20; + + // The free-text asset identifier the admin enters to associate the device + // with a user-generated identifier. + optional string annotated_asset_id = 21; + + // The unique directory api ID of the device which was generated on the + // server-side. + optional string directory_api_id = 22; + + // List of device affiliation IDs. If there exists an overlap between user + // affiliation IDs and device affiliation IDs, we consider that the user is + // affiliated on the device. Otherwise the user is not affiliated on the + // device. Should be fetched with device policy. Ignored if fetched with + // other polices. + repeated string device_affiliation_ids = 23; + + // List of user affiliation IDs. The list is used to define if current user + // is affiliated on the device. See device_affiliation_ids for details. + // Should be fetched with user policy. Ignored if fetched with other polices. + repeated string user_affiliation_ids = 24; + + // Used as the display domain when the primary domain gets renamed. This field + // is present only for device policies. + optional string display_domain = 25; + + // Invalidation topic for devices. Clients register for FCM messages using + // this topic in order to receive notifications for device policy changes. + optional string policy_invalidation_topic = 26; + + // Invalidation topic for commands. Clients register for FCM messages using + // this topic in order to receive notifications that one or more commands are + // available for execution. + optional string command_invalidation_topic = 27; + + // Whether the device needs to upload an enrollment identifier to the cloud. + // TODO(b/136188860) migrates to enrollment_certificate_needed under + // client_action_required. + optional bool enrollment_id_needed = 28; + + // Gaia id of the user the policy is intended for. + // Should be fetched with user policy. + optional string gaia_id = 29; + + // Indicate this device's market segment. The MarketSegment enum in + // cloud_policy_constants.h (http://shortn/_3iFWcdjy0P) must be kept in sync + // with this enum. + enum MarketSegment { + MARKET_SEGMENT_UNSPECIFIED = 0; + ENROLLED_EDUCATION = 1; + ENROLLED_ENTERPRISE = 2; + } + + // This field should only be set for Device Policy response. + // See go/cros-rlz-segments + optional MarketSegment market_segment = 30; + + // This field is currently only set for Device Policy response. + // This represents the logo set by the admin for the OU that the device + // belongs to. This is domain metadata included in a device policy response, + // but it is not an explicit device policy. + optional CustomerLogo customer_logo = 31; + + // b/129771193 + // This setting is from SingleSignOnSettingsProto#change_password_uri + // http://google3/ccc/hosted/policies/services/common/sso_settings.proto?l=48&rcl=241246111 + // This field is currently only set for User Policy response. + optional string change_password_uri = 32; + + // This field is used for asking client to perform some actions. For instance, + // server asks client to re-upload enrollment certificate. In long term, new + // added field which asks client to perform an action in policy data should be + // put in ClientActionRequired message. + optional ClientActionRequired client_action_required = 33; + + // Obfuscated customerId the device is enrolled into. + // Only set for device policy. + optional string obfuscated_customer_id = 34; + + // The different types of user segments for metrics logging. If any values are + // added to this enum, the corresponding enum in + // UserTypeByDeviceTypeMetricsProvider::UserSegment + // (http://shortn/_uK3ZM4pC0a) should be updated. + enum MetricsLogSegment { + UNSPECIFIED = 0; + K12 = 1; + UNIVERSITY = 2; + NONPROFIT = 3; + ENTERPRISE = 4; + } + + // Indicates the segment the user's metrics should be logged under, + // UNSPECIFIED if not relevant. + // This field should only be set for User Policy response. + optional MetricsLogSegment metrics_log_segment = 35; + + // This field will be populated with primary domain name for domain verified + // customer, and primary admin email for domainless customer. The client side + // will use this field to display who manages this device/browser/user. + optional string managed_by = 36; + + // An identifier (e.g. "inboundSamlSsoProfiles/0abcdefg1234567") for the + // device's managing OU's SSO profile. Currently, this points to the OU's + // SAML settings. May support OIDC in the future. + optional string sso_profile = 37; + + // Indicates which kind of licenses this device is using, so that chrome OS + // can check that. The value is from ChromeOsDeviceInfo + // http://google3/ccc/hosted/devices/services/chromeos/common.proto;rcl=436571779;l=549 + optional string license_sku = 38; +} + +message ClientActionRequired { + // Whether device needs to upload an enterprise enrollment certificate to + // cloud. + optional bool enrollment_certificate_needed = 1; +} + +message PolicyFetchResponse { + // Since a single policy request may ask for multiple policies, DM server + // provides separate error codes (making use of standard HTTP Status Codes) + // for each individual policy fetch. + optional int32 error_code = 1; + + // Human readable error message for customer support purpose. + optional string error_message = 2; + + // This is a serialized |PolicyData| protobuf (defined above). + optional bytes policy_data = 3; + + // Signature of the policy data above. + optional bytes policy_data_signature = 4; + + // If the public key has been rotated on the server, the new public + // key is sent here. It is already used for |policy_data_signature| + // above, whereas |new_public_key_signature| is created using the + // old key (so the client can trust the new key). If this is the + // first time when the client requests policies (so it doesn't have + // on old public key), then |new_public_key_signature| is empty. + optional bytes new_public_key = 5; + optional bytes new_public_key_signature = 6; + + // DEPRECATED: Exists only to support older clients. This signature is similar + // to new_public_key_verification_data_signature, but is computed over + // DEPRECATEDPolicyPublicKeyAndDomain (which is equivalent to + // PublicKeyVerificationData proto with version field unset). + // + // Do not remove this unless you know for sure that this is not required by + // managed devices any more, including devices that might be pinned to + // milestones older than current Stable. + // Note: As of February 2024, this is still strictly required by + // CloudPolicyValidator, see + // https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_validator.cc;drc=08b91b49531894cbe9061a1148fd535155c2554b;l=407 + optional bytes new_public_key_verification_signature_deprecated = 7 + [deprecated = true]; + + // This is a serialized |PublicKeyVerificationData| protobuf (defined + // below). See comments for |new_public_key_verification_data_signature| field + // for details on how this data is signed. + // Please note that |new_public_key| is also included inside this data + // field. Thus we have new public key signed with old version of private key + // (if client indicated to us that it has old key version), and + // new public key data signed by primary verification key (if client told + // us that it has public verification key - see |verification_key_id| field + // of |PolicyFetchRequest|). In most cases, both signatures will be provided. + // However, client might not have old policy signing key - for example, when + // new profile is being set up. In this case, only verification signature + // is supplied. + // Or, client might not have verification public key (legacy Chrome build + // before verification key was introduced, or outdated build which has + // old/compromised verification key). In that case, verification signature + // cannot be provided. + // If client is missing both public keys (old signing key and verification + // key), then we are unable to produce any valid signature and client must + // drop such PolicyFetchResponse. + optional bytes new_public_key_verification_data = 8; + + // If new_public_key is specified, this field contains the signature of a + // PublicKeyVerificationData protobuf, signed using a key only available to + // DMServer. The public key portion of this well-known key is embedded into + // the Chrome binary. The hash of that embedded key is passed to DMServer as + // verification_key_hash field in PolicyFetchRequest. DMServer picks a private + // key on the server which matches the hash (matches public key on the + // client). If DMServer is unable to find matching key, it returns an error + // instead of policy data. In case a hash was not specified, DMServer leaves + // the verification signature field empty (legacy behavior). + // This signature is provided to better protect first key delivery (since the + // browser does not possess the previous signing key, DMServer cannot compute + // new_public_key_signature). + // See http://go/chrome-nac-server-design for more information. + optional bytes new_public_key_verification_data_signature = 9; + + // DEPRECATED! Client-side should verify and rely on the policy_type inside + // the signed policy_data. + optional string policy_type = 10 [deprecated = true]; + + // The type of signature used to generate policy_data_signature. + optional PolicyFetchRequest.SignatureType policy_data_signature_type = 11; +} + +// DEPRECATED: Protobuf used to generate the deprecated +// new_public_key_verification_signature field. +message DEPRECATEDPolicyPublicKeyAndDomain { + // The public key to sign (taken from the |new_public_key| field in + // PolicyFetchResponse). + optional bytes new_public_key = 1; + + // The domain associated with this key (should match the domain portion of the + // username field of the policy). + optional string domain = 2; +} + +// This message contains the information which is signed by the verification key +// during policy key rotation. It is included in serialized form in +// PolicyFetchResponse above. A signature of the serialized form is included in +// the new_public_key_verification_data_signature field. +message PublicKeyVerificationData { + // The new public policy key after a key rotation. + optional bytes new_public_key = 1; + + // The domain of the device/user. + optional string domain = 2; + + // The version number of the new_public_key. This must be monotonically + // increasing (within a domain). + optional int32 new_public_key_version = 3; +} + +// Request from device to server for reading policies. +message DevicePolicyRequest { + // The policy fetch requests. If this field exists, the requests must come + // from a non-TT client. The repeated field allows clients to request + // multiple policies for better performance. + repeated PolicyFetchRequest requests = 3; + + // Reason for the requesting policies, to help with monitoring and alerting + // (e.g. to detect an increase in fetch failures during enrollment). + enum Reason { + UNSPECIFIED = 0; + // Required policy fetch during device enrollment. + DEVICE_ENROLLMENT = 1; + // Policy fetch triggered by incoming FCM invalidation. + INVALIDATION = 2; + // CloudPolicyClient registration changed (e.g. during startup). + REGISTRATION_CHANGED = 3; + // Retry after previous policy fetch failure. + RETRY = 4; + // Various retry reasons based on DMServer status, see + // `CloudPolicyRefreshScheduler`. + RETRY_AFTER_STATUS_SERVICE_ACTIVATION_PENDING = 5; + RETRY_AFTER_STATUS_SERVICE_POLICY_NOT_FOUND = 6; + RETRY_AFTER_STATUS_SERVICE_TOO_MANY_REQUESTS = 7; + RETRY_AFTER_STATUS_REQUEST_FAILED = 8; + RETRY_AFTER_STATUS_TEMPORARY_UNAVAILABLE = 9; + RETRY_AFTER_STATUS_CANNOT_SIGN_REQUEST = 10; + RETRY_AFTER_STATUS_REQUEST_INVALID = 11; + RETRY_AFTER_STATUS_HTTP_STATUS_ERROR = 12; + RETRY_AFTER_STATUS_RESPONSE_DECODING_ERROR = 13; + RETRY_AFTER_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED = 14; + RETRY_AFTER_STATUS_REQUEST_TOO_LARGE = 15; + // Scheduled policy refresh (e.g. once per day). + SCHEDULED = 16; + // Policy fetch triggered by sign-in. + SIGNIN = 17; + // A placeholder reason used for tests (should not occur in production). + TEST = 18; + // Policy fetched at browser start, e.g. device policies at Ash start. + BROWSER_START = 19; + // ChromeOS Policy fetch request from Lacros to Ash. + LACROS = 20; + // Policy fetched as requested by the user, e.g. through chrome://policy. + USER_REQUEST = 21; + // Policy fetches triggered by the Chrome Remote Desktop policy watcher. + CRD_HOST_POLICY_WATCHER = 22; + } + optional Reason reason = 4; +} + +// Response from server to device for reading policies. +message DevicePolicyResponse { + // The policy fetch responses. + repeated PolicyFetchResponse responses = 3; +} + +message TimePeriod { + // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). + optional int64 start_timestamp = 1; + optional int64 end_timestamp = 2; +} + +message ActiveTimePeriod { + optional TimePeriod time_period = 1; + + // The active duration during the above time period. + // The unit is milli-second. + optional int32 active_duration = 2; + + // Email address of the active user. Present only if the user type is managed + // and affiliated. + optional string user_email = 3; + + enum SessionType { + SESSION_UNKNOWN = 0; + SESSION_AFFILIATED_USER = 1; + SESSION_MANAGED_GUEST = 2; + SESSION_KIOSK = 3; + SESSION_ARC_KIOSK = 4; + SESSION_WEB_KIOSK = 5; + } + + optional SessionType session_type = 4; +} + +// Details about a network interface. +message NetworkInterface { + // Indicates the type of network device. + enum NetworkDeviceType { + reserved 2; + + TYPE_ETHERNET = 0; + TYPE_WIFI = 1; + TYPE_BLUETOOTH = 3; + TYPE_CELLULAR = 4; + } + + // Network device type. + optional NetworkDeviceType type = 1; + + // MAC address (if applicable) of the corresponding network device. This is + // formatted as an ASCII string with 12 hex digits. Example: A0B1C2D3E4F5. + optional string mac_address = 2; + + // MEID (if applicable) of the corresponding network device. Formatted as + // ASCII string composed of 14 hex digits. Example: A10000009296F2. + optional string meid = 3; + + // IMEI (if applicable) of the corresponding network device. 15-16 decimal + // digits encoded as ASCII string. Example: 355402040158759. + optional string imei = 4; + + // The device path associated with this network interface. + optional string device_path = 5; + + // The integrated circuit card ID associated with the device's sim card. + optional string iccid = 6; + + // The mobile directory number associated with the device's sim card. + optional string mdn = 7; + + // List of EID (EUICC Identifier) of all cellular EUICCs + // (Embedded Universal Integrated Circuit Cards) on the device. + // 32 decimal digits encoded as ASCII string. e.g. + repeated string eids = 8; +} + +// Information about configured/visible networks - this is separate from +// NetworkInterface because a configured network may not be associated with +// any specific interface, or may be visible across multiple interfaces. +message NetworkState { + // The current state of this network. + enum ConnectionState { + reserved 1; // CARRIER + reserved 6; // OFFLINE + reserved 10; // ACTIVATION_FAILURE + + IDLE = 0; + ASSOCIATION = 2; + CONFIGURATION = 3; + READY = 4; + PORTAL = 5; + ONLINE = 7; + DISCONNECT = 8; + FAILURE = 9; + UNKNOWN = 11; + } + + // For networks associated with a device, the path of the device. + optional string device_path = 1; + + // Current state of this connection as reported by shill. + optional ConnectionState connection_state = 2; + + // For wireless networks, the signal_strength in dBm. + optional int32 signal_strength = 3; + + // The IP address this interface is bound to, if any. + optional string ip_address = 4; + + // The gateway IP for this interface, if any. + optional string gateway = 5; +} + +// Details about a device user. +message DeviceUser { + // Types of device users which can be reported. + enum UserType { + // A user managed by the same domain as the device. + USER_TYPE_MANAGED = 0; + + // A user not managed by the same domain as the device. + USER_TYPE_UNMANAGED = 1; + } + + // The type of the user. + required UserType type = 1; + + // Email address of the user. Present only if the user type is managed. + optional string email = 2; +} + +// Information about a single disk volume. +message VolumeInfo { + optional string volume_id = 1; + + // The unit is bytes. + optional int64 storage_total = 2; + optional int64 storage_free = 3; +} + +// Information about a single CPU utilization. +message CpuUtilizationInfo { + // CPU utilization (0-100). + optional int32 cpu_utilization_pct = 1; + // The timestamp representing time at which the information was collected. + // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). + optional int64 timestamp = 2; +} + +// Information about a single free RAM. +message SystemFreeRamInfo { + // Free RAM [in bytes] (unreliable due to GC). + optional int64 size_in_bytes = 1; + // The timestamp representing time at which the information was collected. + // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). + optional int64 timestamp = 2; +} + +// Information about a single CPU temperature channel. +message CPUTempInfo { + // Temperature channel label. + optional string cpu_label = 1; + // CPU temperature in Celsius. + optional int32 cpu_temp = 2; + // Unix timestamp. + optional int64 timestamp = 3; +} + +// Contains the Stateful Partition Information for user data storage in the +// device. +message StatefulPartitionInfo { + // Available space for user data storage in the device in bytes. + optional uint64 available_space = 1; + // Total space for user data storage in the device in bytes. + optional uint64 total_space = 2; + // File system on stateful partition. e.g. ext4. + optional string filesystem = 3; + // Source of stateful partition. e.g. /dev/mmcblk0p1. + optional string mount_source = 4; +} + +// Chrome release channel, shared for different reports. +enum Channel { + CHANNEL_UNKNOWN = 0; + CHANNEL_CANARY = 1; + CHANNEL_DEV = 2; + CHANNEL_BETA = 3; + CHANNEL_STABLE = 4; +} + +// Frequently changing data for battery. +message BatterySample { + optional int64 timestamp = 1; + // Battery voltage + optional int64 voltage = 2; + // Battery remaining capacity (mA-hours) + optional int64 remaining_capacity = 3; + // Temperature in Celsius. + optional int32 temperature = 4; + // The battery discharge rate measured in mW. Positive if the battery is being + // discharged, negative if it's being charged. + optional int32 discharge_rate = 5; + // Battery charge percentage + optional int32 charge_rate = 6; + // Battery current (mA) + optional int64 current = 7; + // Battery status read from sysfs + optional string status = 8; +} + +// Status of the single battery +message BatteryInfo { + optional string serial = 1; + optional string manufacturer = 2; + optional string battery_health = 3; + // Design capacity (mA-hours) + optional int64 design_capacity = 4; + // Full charge capacity (mA-hours) + optional int64 full_charge_capacity = 5; + optional int32 cycle_count = 6; + // Last sampling data. + repeated BatterySample samples = 7; + // Designed minimum output voltage (mV) + optional int32 design_min_voltage = 9; + // The date the battery was manufactured in yyyy-mm-dd format. + optional string manufacture_date = 10; + // Technology of the battery. + optional string technology = 11; +} + +// Status of the power subsystem +message PowerStatus { + enum PowerSource { + POWER_UNKNOWN = 0; + POWER_AC = 1; + POWER_BATTERY = 2; + } + optional PowerSource power_source = 1; + repeated BatteryInfo batteries = 2; +} + +// LifeTime estimation for eMMC devices +message DiskLifetimeEstimation { + // Lifetime estimations for SLC and MLC areas of eMMC. + // Values range from 00h to 0Bh -- indicating the percentage of device + // lifetime used. + optional int32 slc = 1; + optional int32 mlc = 2; +} + +// Status of the single storage device +// Next id: 29 +message DiskInfo { + optional string serial = 1; + optional string manufacturer = 2; + optional string model = 3; + // Size in bytes + optional int64 size = 4; + // eMMC / NVMe / ATA / SCSI. + optional string type = 5; + optional string health = 6; + // volume_id for volumes on this disk. + repeated string volumes = 7; + // Read/write statistics for this disk. + optional uint64 bytes_read_since_last_boot = 8; + optional uint64 bytes_written_since_last_boot = 9; + optional uint64 read_time_seconds_since_last_boot = 10; + optional uint64 write_time_seconds_since_last_boot = 11; + // Counts the time the disk and queue were busy, so unlike the fields above, + // parallel requests are not counted multiple times. + optional uint64 io_time_seconds_since_last_boot = 12; + // Time spent discarding since last boot. Discarding is writing to clear + // blocks which are no longer in use. Supported on kernels 4.18+. + optional uint64 discard_time_seconds_since_last_boot = 13; + + // The manufacturer of the block device. + oneof vendor_id { + // NVME vendors: + // https://pcisig.com/membership/member-companies + uint32 nvme_subsystem_vendor = 14; + // EMMC oemids + // https://screenshot.googleplex.com/eZWNnV8qGnc + uint32 emmc_oemid = 15; + uint32 other_vendor = 16; + uint32 jedec_manfid = 27; + } + + // The manufacturer-specific product identifier. + oneof product_id { + uint32 nvme_subsystem_device = 17; + uint32 emmc_pnm = 18; + uint32 other_product = 19; + } + + // The revision of the device's hardware. + oneof hardware_revision { + uint32 nvme_hardware_rev = 20; + uint32 emmc_hardware_rev = 21; + uint32 other_hardware_rev = 22; + } + + // The revision of the device's firmware. + oneof firmware_revision { + uint64 nvme_firmware_rev = 23; + uint64 emmc_firmware_rev = 24; + uint32 other_firmware_rev = 25; + uint32 ufs_firmware_rev = 28; + } + + // The purpose of the device on the system. + enum DevicePurpose { + PURPOSE_UNKNOWN = 0; + PURPOSE_BOOT = 1; + PURPOSE_SWAP = 2; + } + optional DevicePurpose purpose = 26; +} + +// Status of the storage subsystem. +message StorageStatus { + repeated DiskInfo disks = 1; + optional DiskLifetimeEstimation lifetime_estimation = 2; +} + +// Sampling for single temperature measurements +message ThermalSample { + optional int64 timestamp = 1; + optional int32 temperature = 2; +} + +// Temperature measurement series for thermal point. +message ThermalInfo { + reserved 2; + optional string label = 1; + repeated ThermalSample samples = 3; +} + +// Status for various on-board components +message BoardStatus { + repeated ThermalInfo thermal_infos = 1; +} + +// Status about a system's various elements. +message SystemStatus { + // The product SKU (stock keeping unit) number. + optional string vpd_sku_number = 1; + // The date the device was first activated. + // Format: YYYY-WW. + optional string first_power_date = 2; + // The date the device was manufactured (finalized in factory). + // Format: YYYY-MM-DD. + optional string manufacture_date = 3; + // Contents of CrosConfig in /arc/build-properties/marketing-name. E.g. "HP + // Chromebook x360 14" + optional string marketing_name = 4; + // The BIOS version. E.g. "Google_Sarien.12200.58.0" + optional string bios_version = 5; + // The product name of the motherboard. E.g. "Sarien" + optional string board_name = 6; + // The version of the motherboard. E.g. "rev16" + optional string board_version = 7; + // The chassis type of the device. The values reported by chassis type are + // mapped in + // www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.0.0.pdf. + // E.g. "9" + optional uint64 chassis_type = 8; + // The product name (model) of the system. E.g. "Sarien" + optional string product_name = 9; + // The product serial number. + optional string vpd_serial_number = 10; +} + +// Status of a single C-state. C-states are various modes the CPU can transition +// to in order to use more or less power. +message CpuCStateInfo { + // Name of the state. + optional string name = 1; + // Time spent in the state since the last reboot, in microseconds. + optional uint64 time_in_state_since_last_boot_us = 2; +} + +// Status of a single logical CPU. +message LogicalCpuInfo { + // Maximum frequency the CPU is allowed to run at, by policy. + optional uint32 scaling_max_frequency_khz = 1; + // Current frequency the CPU is running at. + optional uint32 scaling_current_frequency_khz = 2; + // Idle time since last boot. + optional uint64 idle_time_seconds = 3; + // Information about the logical CPU's time in various C-states. + repeated CpuCStateInfo c_states = 4; +} + +// Status of a single physical CPU on the device. +message CpuInfo { + // The CPU model name. + optional string model_name = 1; + + // The CPU architecture. + enum Architecture { + ARCHITECTURE_UNSPECIFIED = 0; + X86_64 = 1; + AARCH64 = 2; + ARMV7L = 3; + } + optional Architecture architecture = 2; + + // The max CPU clock speed in kHz. + optional uint32 max_clock_speed_khz = 3; + + repeated LogicalCpuInfo logical_cpus = 4; +} + +// Overall CPU information for the device. +message GlobalCpuInfo { + // Total number of threads on the device. + optional uint32 num_total_threads = 1; +} + +// Status for a single display. A display screen with resolution 1920x1080 +// would have resolution_width: 1920 and resolution_height: 1080. +message DisplayInfo { + // Resolution width + optional uint32 resolution_width = 1; + // Resolution height + optional uint32 resolution_height = 2; + // Refresh rate (Hz) + optional uint32 refresh_rate = 3; + // Set to true if display is internal, otherwise set to false. + optional bool is_internal = 4; +} + +// Status of a single graphics adapter (GPU). +message GraphicsAdapterInfo { + // Adapter name. Example: Mesa DRI Intel(R) UHD Graphics 620 (Kabylake GT2) + optional string name = 1; + // Driver version + optional string driver_version = 2; + // Represents the graphics card device id + optional uint64 device_id = 3; + // GPU consumption of system RAM (bytes) + optional uint64 system_ram_usage = 4; +} + +// Status of the graphics subsystem. +message GraphicsStatus { + optional GraphicsAdapterInfo adapter = 1; + repeated DisplayInfo displays = 2; +} + +// Status of a crash report. +message CrashReportInfo { + // The status options should align with crash_reporter::ReportUploadState. + enum CrashReportUploadStatus { + UPLOAD_STATUS_UNKNOWN = 0; + UPLOAD_STATUS_NOT_UPLOADED = 1; + UPLOAD_STATUS_PENDING = 2; + UPLOAD_STATUS_PENDING_USER_REQUESTED = 3; + UPLOAD_STATUS_UPLOADED = 4; + } + + // ID as provided by chrome://crashes. + optional string remote_id = 1; + + // The timestamp when the crash is captured. + // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). + optional int64 capture_timestamp = 2; + + // Human readable string that identifies what caused the crash. + optional string cause = 3; + + // The upload status of crash report. + optional CrashReportUploadStatus upload_status = 4; +} + +// Timezone information for the device. This reflects what set timezone of the +// device, not necessarily the actual location of the device. +message TimezoneInfo { + // The timezone of the device in POSIX standard. (MST7MDT,M3.2.0,M11.1.0) + optional string posix = 1; + // The timezone region of the device in the Olsen format (America/Denver). + optional string region = 2; +} + +// Memory information for the device. +message MemoryInfo { + // Total memory, in KiB. + optional uint32 total_memory_kib = 1; + // Free memory, in KiB. + optional uint32 free_memory_kib = 2; + // Available memory, in KiB. + optional uint32 available_memory_kib = 3; + // Number of page faults since the last boot. + optional uint64 page_faults_since_last_boot = 4; +} + +// Information about the device's backlights. +message BacklightInfo { + // Path to this backlight on the system. Useful if the caller needs to + // correlate with other information. + optional string path = 1; + // Maximum brightness for the backlight. + optional uint32 max_brightness = 2; + // Current brightness of the backlight, between 0 and max_brightness. + optional uint32 brightness = 3; +} + +// Information about the device's fan. +message FanInfo { + // Fan speed in RPM. + optional uint32 speed_rpm = 1; +} + +// Information about a device's Bluetooth adapter, which is used to detect and +// connect to Bluetooth devices. +message BluetoothAdapterInfo { + // The name of the adapter. + optional string name = 1; + // The MAC address of the adapter. + optional string address = 2; + // Indicates whether the adapter is on or off. + optional bool powered = 3; + // The number of devices connected to this adapter. + optional uint32 num_connected_devices = 4; +} + +// Information from the device's SMBIOS. This is used to determine +// info such as the device's vendor and product name/version. +message SmbiosInfo { + optional string sys_vendor = 1; + optional string product_name = 2; + optional string product_version = 3; + optional string bios_version = 4; +} + +// Information about the parameters passed to the kernel. +message KernelParameters { + // True if cros_efi was passed to the kernel. + // Used to know if the device was booted via EFI. + optional bool cros_efi = 1; +} + +// Information about the device's EFI Variables from efivarfs. +message EFIVars { + // True if Secure Boot is enabled on the device. + optional bool secure_boot = 1; +} + +// Information about how the OS was booted. This is information +// such as boot method and other bios settings +message BootInfo { + enum BootMethod { + UNKNOWN = 0; + CROS_SECURE = 1; + // This field maps to kCrosEfi from cros_healthd. + CROS_UEFI = 2; + CROS_LEGACY = 3; + CROS_EFI_SECURE = 4; + } + optional BootMethod boot_method = 1; + + // DEPRECATED: secure_boot is deprecated in favor of the + // CROS_EFI_SECURE BootMethod value. + optional bool secure_boot = 2 [deprecated = true]; +} + +// Hardware component bus device classes. +// Maps to BusDeviceClass from cros_healthd. +enum BusDeviceClass { + DEVICE_CLASS_UNSPECIFIED = 0; + DISPLAY_CONTROLLER = 1; + ETHERNET_CONTROLLER = 2; + WIRELESS_CONTROLLER = 3; + BLUETOOTH_ADAPTER = 4; + THUNDERBOLT_CONTROLLER = 5; +} + +// Hardware component buses. +// Maps to BusInfo types from cros_healthd. +enum BusType { + BUS_TYPE_UNSPECIFIED = 0; + PCI_BUS = 1; + USB_BUS = 2; + THUNDERBOLT_BUS = 3; +} + +// Information about a device's network hardware. +message NetworkAdapterInfo { + optional BusDeviceClass device_class = 1; + optional BusType bus_type = 2; + optional int32 vendor_id = 3; + optional string vendor_name = 4; + optional int32 device_id = 5; + optional string device_name = 6; + repeated string driver = 7; +} + +// Information about the list of browsers and profiles that are +// running and installed on the device in the DeviceStatusReport +message LaCrOsBrowserReport { + // Limited to one user since LaCrosBrowserReport is repeated based on each + // user. If multiple lacros user profiles exist, each LaCrOsBrowserReport + // message (one per lacros user profile) will contain the same |device_user|. + optional DeviceUser device_user = 1; + // Group of data regarding the browser and user profile. + optional BrowserReport browser_report = 2; +} + +// Information specific to Demo Mode about the device and the demo context. +message DemoModeDimensions { + // Two-letter country code. + optional string country = 1; + // Name of the retailer whose store the device is running in. Also called + // retailer_id elsewhere in some legacy field names. + optional string retailer_name = 2; + // Retailer-defined number to identify the store that a device is running in. + // Also called store_id elsewhere in some legacy field names. + optional string store_number = 3; + // Device attributes significant to Demo Mode for customization purposes. + enum CustomizationFacet { + UNDEFINED = 0; + CLOUD_GAMING_DEVICE = 1; + FEATURE_AWARE_DEVICE = 2; + } + repeated CustomizationFacet customization_facets = 4; +} + +// Report device level status. +message DeviceStatusReportRequest { + reserved 4, 7, 13, 20; + + // The OS version reported by the device is a platform version + // e.g. 1435.0.2011_12_16_1635. + optional string os_version = 1; + optional string firmware_version = 2; + + // "Verified", "Dev". Same as verified mode. + // If the mode is unknown, this field should not be set. + optional string boot_mode = 3; + + // The browser version string as shown in the About dialog. + // e.g. 17.0.963.18. + optional string browser_version = 5; + + // A list of periods when the device was active, aggregated by day by user. + repeated ActiveTimePeriod active_periods = 6; + + // List of network interfaces. + repeated NetworkInterface network_interfaces = 8; + + // List of recent device users, in descending order by last login time. + repeated DeviceUser users = 9; + + // Disk space + other info about mounted/connected volumes. + repeated VolumeInfo volume_infos = 10; + + // List of visible/configured networks + repeated NetworkState network_states = 11; + + // Samples of CPU utilization (0-100), sampled once every 120 seconds. + // Deprecated: Use CpuUtilizationInfo instead. + repeated int32 cpu_utilization_pct_samples = 12 [deprecated = true]; + + // Total RAM on the device. + // To deprecate: Use SystemFreeRamInfo instead. + optional int64 system_ram_total = 14; + + // Samples of free RAM [in bytes] (unreliable due to GC). + // Deprecated: Use SystemRamFreeInfo instead. + repeated int64 system_ram_free_samples = 15 [deprecated = true]; + + // Samples of CPU temperatures in Celsius, plus associated labels + // identifying which CPU produced the temperature measurement. + repeated CPUTempInfo cpu_temp_infos = 16; + + // This field is set only when an OS update is needed because of the required + // platform version of an updated kiosk app is different from the current + // OS version. + optional OsUpdateStatus os_update_status = 17; + + // Set only when there is an auto launched with zero delay Chrome or ARC kiosk + // app and it is currently running. Otherwise, this field is empty. + optional AppStatus running_kiosk_app = 18; + + // Sound output volume level in range [0,100]. + optional int32 sound_volume = 19; + + // TPM version information. + optional TpmVersionInfo tpm_version_info = 21; + + // Release channel (stable, beta, etc.). + optional Channel channel = 22; + + // TPM status information. + optional TpmStatusInfo tpm_status_info = 23; + + // Whether hardware write protect switch is on. + optional bool write_protect_switch = 24; + + // Status of the power subsystem. + optional PowerStatus power_status = 25; + + // Status of the storage subsystem. + optional StorageStatus storage_status = 26; + + // Status of various main board components. + optional BoardStatus board_status = 27; + + // Information about a system's various non-hardware elements. This includes + // information from cached VPD, CrosConfig, and DMI. + optional SystemStatus system_status = 28; + + // Stateful Partition Information for user data. + optional StatefulPartitionInfo stateful_partition_info = 29; + + // Samples of CPU utilization (0-100), sampled once every 120 seconds. + repeated CpuUtilizationInfo cpu_utilization_infos = 30; + + // Samples of free RAM [in bytes] (unreliable due to GC). + repeated SystemFreeRamInfo system_ram_free_infos = 31; + + // Information about a devices physical CPU(s). + repeated CpuInfo cpu_info = 32; + + // Status of the graphics adapter(s) and display(s). + optional GraphicsStatus graphics_status = 33; + + // Information about the crash report(s) generated from the local device. + repeated CrashReportInfo crash_report_infos = 34; + + // Information of the device's current timezone. + optional TimezoneInfo timezone_info = 35; + + // Information about the device's memory. + optional MemoryInfo memory_info = 36; + + // Information about the device's backlights. + repeated BacklightInfo backlight_info = 37; + + // Information about the device's fans. + repeated FanInfo fan_info = 38; + + // Overall information about the device's CPUs. + optional GlobalCpuInfo global_cpu_info = 39; + + // Information about the device's Bluetooth adapters. + repeated BluetoothAdapterInfo bluetooth_adapter_info = 40; + + // Information from the device's SMBIOS. + optional SmbiosInfo smbios_info = 41; + + // Information about the parameters passed to the kernel. + optional KernelParameters kernel_parameters = 42; + + // Information about the device's EFI Variables from efivarfs. + optional EFIVars efi_vars = 43; + + // KernelParameters(42) and EFIVars(43) are deprecated + // and rolled into BootInfo(44) + + // Information about how the os was booted. + optional BootInfo boot_info = 44; + + // Information about the device's network hardware. + repeated NetworkAdapterInfo network_adapter_info = 45; + + // Information about LaCrOs + repeated LaCrOsBrowserReport lacros_browser_report = 46; + + // Root device size as displayed in the device UI. + optional int64 root_device_total_storage_bytes = 47; + + // Flag whether LaCros is the primary browser. + optional bool is_lacros_primary_browser = 48; + + // Information specific to Demo Mode about the device and the demo context. + // Only included for devices in Demo Mode. + optional DemoModeDimensions demo_mode_dimensions = 49; +} + +message OsUpdateStatus { + enum UpdateStatus { + OS_UP_TO_DATE = 0; + OS_IMAGE_DOWNLOAD_NOT_STARTED = 1; + OS_IMAGE_DOWNLOAD_IN_PROGRESS = 2; + OS_UPDATE_NEED_REBOOT = 3; + } + + optional UpdateStatus update_status = 1; + + // New platform version of the os image being downloaded and applied. It + // is only set when update status is OS_IMAGE_DOWNLOAD_IN_PROGRESS or + // OS_UPDATE_NEED_REBOOT. Note this could be a dummy "0.0.0.0" for + // OS_UPDATE_NEED_REBOOT status for some edge cases, e.g. update engine is + // restarted without a reboot. + optional string new_platform_version = 2; + + // New required platform version from the pending updated kiosk app. + optional string new_required_platform_version = 3; + + // The timestamp of the last update check. + // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). + optional int64 last_checked_timestamp = 4; + + // The timestamp of the last reboot. + // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). + optional int64 last_reboot_timestamp = 5; +} + +// Provides status information for an installed app/extension. +message AppStatus { + // ID of the installed app/extension for a Chrome app. + // Package name for ARC kiosk app. + optional string app_id = 1; + + // Currently installed version of the app for a Chrome app. + // Empty for ARC kiosk app. + optional string extension_version = 2; + + // Self-reported status summary (via chrome.reporting APIs) + optional string status = 3; + + // If true, the application is currently in a self-reported error state. + optional bool error = 4; + + // App required Chrome version, specified in app’s manifest file. + // Empty for ARC kiosk app. + optional string required_platform_version = 5; +} + +// Provides all application types information. +message AppInfo { + enum AppType { + TYPE_UNKNOWN = 0; + TYPE_ARC = 1; // Android app. + TYPE_BUILTIN = 2; // Built-in app. + TYPE_CROSTINI = 3; // Linux (via Crostini) app. + TYPE_EXTENSION = 4; // Extension-backed app. + TYPE_WEB = 5; // Web app. + TYPE_PLUGINVM = 6; // Plugin VM app. + TYPE_BOREALIS = 7; // Borealis app. + TYPE_BRUSCHETTA = 8; // Bruschetta app. + } + + enum Status { + STATUS_UNKNOWN = 0; + STATUS_INSTALLED = 1; // Installed and launachable. + STATUS_DISABLED = 2; // Disabled or terminated. + STATUS_UNINSTALLED = 3; // Uninstalled by user. + } + + // ID of the application as defined by the OS, except for web apps, where it + // is the start url. + optional string app_id = 1; + + // Type of application (Chrome native, extension, Crostini, web app). + optional AppType app_type = 2; + + // Name of the application as defined by the OS. + optional string app_name = 3; + + // Identify if the app is installed, disabled, or uninstalled. + optional Status status = 4; + + // The time the app was installed, if available. + optional int64 install_time = 5; + + // Version of the application, if applicable. + optional string version = 7; + + // A list of time periods when the app was active. These times are aggregated + // per day, are pruned on the device after reporting successfully, and are + // stored only for 30 days in the past. + repeated TimePeriod active_time_periods = 8; +} + +// LINT.IfChange +// Provides Android application permission. +message AndroidAppPermission { + // Name of application permission. + optional string name = 1; + + // Identify whether the application permission is granted. + optional bool granted = 2; + + // Identify whether the application permission is managed. + optional bool managed = 3; +} + +// Provides Android application information. +message AndroidAppInfo { + enum AndroidAppStatus { + STATUS_UNKNOWN = 0; + STATUS_ENABLED = 1; + STATUS_SUSPENDED = 2; + STATUS_DISABLED = 3; + } + + enum InstalledSource { + SOURCE_UNKNOWN = 0; + SOURCE_BY_ADMIN = 1; + SOURCE_BY_USER = 2; + SOURCE_NOT_INSTALLED = 3; + } + + // ID of the Android application. + optional string app_id = 1; + + // Name of the Android application. + optional string app_name = 2; + + // Name of the Android application package. + optional string package_name = 3; + + // Status of the Android application. It is set as STATUS_SUSPENDED if the + // application is suspended by specific policies. + optional AndroidAppStatus status = 4; + + // Identify how the Android application is installed. + optional InstalledSource installed_source = 5; + + // Package version of the Android application. + optional int32 version = 6; + + // Permissions of the Android application. + repeated AndroidAppPermission permissions = 7; +} +// LINT.ThenChange(//depot/google3/java/com/google/chrome/cros/spanner/devicemanagement/schema/chrome_os.proto) + +// Chrome user profile level status. +// Deprecated : Use ChromeUserProfileInfo instead. +message ChromeUserProfileReport { + // A string to uniquely identify this profile within the browser. + optional string id = 1; + // A JSON encoded string containing both the “email” and “id” (obfuscated + // GaiaID) of the user signed in to the Chrome browser, if any. + optional string chrome_signed_in_user = 2; + // The list of extensions installed in the browser. This string contains + // the json encoded data as returned by the chrome.management.getAll() API. + optional string extension_data = 3; + // The list of plugins installed in the browser, one plugin name per repeated + // string. This string contains the JSON encoded data as returned by + // the navigator.plugins . + optional string plugins = 4; + // The list of browser policies set for this user profile and their sources. + // This string contains the json encoded data as generated by the + // chrome://policy page “Export to JSON” button. + optional string policy_data = 5; + // The last time the user level policies where fetched. + // [policy_fetched_timestamp] is milliseconds since Epoch in UTC timezone + // (Java time). For V1, we may need to rely on the DM server for this info. + optional int64 policy_fetched_timestamp = 6; + // The number of safe browsing warning pages the user has seen since the last + // report was successfully uploaded. + optional uint64 safe_browsing_warnings = 7; + // The number of safe browsing warning pages the user has clicked through + // since the last report was successfully uploaded. + optional uint64 safe_browsing_warnings_click_through = 8; + // The name of the loaded profile, which was entered by the user when creating + // the profile. Empty when in incognito mode. + optional string name = 9; + // A list of extensions requested for installation. + repeated ExtensionRequest extension_requests = 10; +} + +// Sign in information of Profile. +message ChromeSignedInUser { + // The email of the signed in user. + optional string email = 1; + // The obfuscated GaiaID of the signed in user. + optional string obfuscated_gaia_id = 2; +} + +// Extension request information. +message ExtensionRequest { + // ID of the installed app/extension for a Chrome app or extension. + optional string id = 1; + + // When the user commits to requesting the extension. + // [request_timestamp] is milliseconds since Epoch in UTC timezone + // (Java time). + optional int64 request_timestamp = 2; + + // User justification describing why the extension is being requested. + optional string justification = 3; +} + +// Extension information. +message Extension { + reserved 7, 12; + + // ID of the installed app/extension for a Chrome app or extension. + optional string id = 1; + // Currently installed version of the extension. + optional string version = 2; + // The name of the extension. + optional string name = 3; + // The description of the extension that is provided by extension author. + optional string description = 4; + + // The type of extension. + enum ExtensionType { + TYPE_UNKNOWN = 0; + TYPE_EXTENSION = 1; + TYPE_HOSTED_APP = 2; + TYPE_PACKAGED_APP = 3; + TYPE_LEGACY_PACKAGED_APP = 4; + TYPE_THEME = 5; + TYPE_USER_SCRIPT = 6; + TYPE_PLATFORM_APP = 7; + TYPE_LOGIN_SCREEN_EXTENSION = 8; + TYPE_CHROMEOS_SYSTEM_EXTENSION = 9; + } + optional ExtensionType app_type = 5; + + // URL of the homepage. + optional string homepage_url = 6; + + // The installation source of the extension. + enum InstallType { + // An extension that is installed by user or installed by default but not + // component extension. + TYPE_NORMAL = 0; + // An extension that is loaded as unpacked extension from chrome extension + // page or --load-extension command line switch. + TYPE_DEVELOPMENT = 1; + // An extension that is loaded from the settings in Window Registry or + // a preferences JSON file on Mac and Linux. + TYPE_SIDELOAD = 2; + // An extension that is loaded from policy settings. + TYPE_ADMIN = 3; + // Chrome component extension and unknown sources. + TYPE_OTHER = 4; + } + optional InstallType install_type = 8; + + // True if the extension is currently enabled. + optional bool enabled = 9; + + // The list of api based permissions the extension requires. + repeated string permissions = 10; + + // The list of host based permissions the extension requires. + repeated string host_permissions = 11; + + // True if the extension comes from web store. + optional bool from_webstore = 13; + + // Manifest version of the extension. + optional int32 manifest_version = 14; +} + +// Policy information. +message Policy { + // The name of the policy. + optional string name = 1; + + // The level of a policy determines its enforceability and whether users can + // override it or not. + enum PolicyLevel { + LEVEL_UNKNOWN = 0; + // Recommended policies are a default value configured by admins and users + // can choose to override it. + LEVEL_RECOMMENDED = 1; + + // Mandatory policies must be enforced and users can't circumvent them. + LEVEL_MANDATORY = 2; + } + optional PolicyLevel level = 2; + + // The scope of a policy flags whether it's applied to the current user or to + // the machine. + enum PolicyScope { + SCOPE_UNKNOWN = 0; + // User policies apply to current Session/Profile if it's cloud policy. + // Or apply to current OS user on Windows. + SCOPE_USER = 1; + + // Machine policies apply to any users of the current machine. + SCOPE_MACHINE = 2; + } + optional PolicyScope scope = 3; + + // The source of a policy indicates where its value is originating from. + enum PolicySource { + SOURCE_UNKNOWN = 0; + // A policy is set by Chrome when it's running in an + // enterprise environment. + SOURCE_ENTERPRISE_DEFAULT = 1; + + // A policy is set by Google's cloud management tool. + SOURCE_CLOUD = 2; + + // A policy is set by active directory on ChromeOS. + SOURCE_ACTIVE_DIRECTORY = 3; + + // A policy is overridden by ChromeOS if it's running in a public session or + // kiosk mode. + SOURCE_DEVICE_LOCAL_ACCOUNT_OVERRIDE_DEPRECATED = 4; + + // A policy is set by OS built-in tool on desktop. + SOURCE_PLATFORM = 5; + + // A policy is set by Google's cloud management tool but has higher + // priority. + SOURCE_PRIORITY_CLOUD_DEPRECATED = 6; + + // A policy is set by multiple sources and value has been merged. + SOURCE_MERGED = 7; + + // A policy is set by command line switch for testing purpose. + SOURCE_COMMAND_LINE = 8; + + // A policy is set by Google's cloud management tool in Ash and piped to + // Lacros. + SOURCE_CLOUD_FROM_ASH = 9; + + // A policy that is set by the restricted managed guest session override. + SOURCE_RESTRICTED_MANAGED_GUEST_SESSION_OVERRIDE = 10; + } + optional PolicySource source = 4; + + // The value of policy. + optional string value = 5; + + // The error message of policy. + optional string error = 6; +} + +// Extension policy information. +message ExtensionPolicy { + // The id of extension that policies apply to. + optional string extension_id = 1; + + // The list of policies that extension currently uses. + repeated Policy policies = 2; +} + +// Cloud policy last fetch time. +message PolicyFetchTimestamp { + // The type of cloud policy. + // TODO(b/327655459): This field is deprecated, delete once server + // side references are all removed. + optional string type = 1; + // The last time the policies where fetched for the policy type. + // [timestamp] is milliseconds since Epoch in UTC timezone (Java time). + optional int64 timestamp = 2; +} + +// Chrome user profile level status, used by activated Profiles. Profile name is +// not listed here as they are in the ChromeUserProfileBasicInfo. +message ChromeUserProfileInfo { + reserved 6; + + // A string to uniquely identify this profile within the browser. + optional string id = 1; + + // The name of the profile, which was entered by the user when creating + // the profile. Empty when in incognito mode + optional string name = 2; + + // Indicates if the profile contains all details. Only active profiles can + // upload all needed details, idle profiles only upload |id| and |name|. + optional bool is_detail_available = 3; + + // Gaia account information if the Profile is signed in. + optional ChromeSignedInUser chrome_signed_in_user = 4; + + // A list of extensions installed in the browser. + repeated Extension extensions = 5; + + // A list of extensions requested for installation. + repeated ExtensionRequest extension_requests = 10; + + // A list of Chrome browser policies set for this user profile. + repeated Policy chrome_policies = 7; + + // A list of extensions' policies set for this user profile. The policies is + // only added if the extension is installed. + repeated ExtensionPolicy extension_policies = 8; + + // The last time the cloud policies where fetched for each policy type. + // Only one policy type which is google/chrome/machine-level-user uploads + // timestamp currently. More details in b/132973694 + repeated PolicyFetchTimestamp policy_fetched_timestamps = 9; +} + +// Report browser level status. +message BrowserReport { + reserved 7; + + // The Chrome browser version, as seen from within Chrome code as opposed to + // user agent. + optional string browser_version = 1; + + // Release channel (stable, beta, etc.). + optional Channel channel = 2; + + // Required. The path to the browser executable so that we can uniquely + // identify it. + optional string executable_path = 3; + + // Profile specific reports, one per profile. + // Deprecated by ChromeUserProfileInfo and only used by old Chrome browser. + repeated ChromeUserProfileReport chrome_user_profile_reports = 4; + + // A list of all Profiles that are created in the current browser instance. + // Only activated Profiles are able to upload full details while the idle ones + // contain id and name only. Please note that some activated Profiles may not + // upload full details due to the limitation of the report size. + // These details will be uploaded in the following reports. + repeated ChromeUserProfileInfo chrome_user_profile_infos = 6; + + // The installed version of the browser if it differs from |browser_version|, + // or absent otherwise. When present, it indicates that an update (of a higher + // or lower version) has been installed and will be the active version + // following a browser restart. + optional string installed_browser_version = 8; + + // True for an extended stable channel installation. + optional bool is_extended_stable_channel = 9 [default = false]; +} + +// Report Operating system related information. +message OSReport { + // A string contains OS name. + optional string name = 1; + + // A string contains OS architecture. + optional string arch = 2; + + // A string contains OS version. + optional string version = 3; + + enum VersionType { + UNKNOWN = 0; + HOME = 1; + PROFESSIONAL = 2; + SERVER = 3; + ENTERPRISE = 4; + EDUCATION = 5; + EDUCATION_PRO = 6; + } + + optional VersionType version_type = 4; +} + +// Report the status of a Chrome installation on non-Chrome OS platform. +message ChromeDesktopReportRequest { + reserved 10; + // The name of the machine within its local network. The string is a JSON + // encoded structure with a single computername field. + // This field is replaced by computer_name and only used by old Chrome + // browser using the JSON legacy browser. + // TODO(b/189584065): Remove when usage goes to zero. + optional string machine_name = 1 [deprecated = true]; + // OS info. The string is a an encoded JSON object as returned by + // chrome.runtime.getPlatformInfo. + // This field is replaced by OSReport and only used by old Chrome browser. + optional string os_info = 2; + // The user name from the OS point of view. The string is a JSON encoded + // structure with a single username field containing "DOMAIN\username". + // This field is replaced by os_user_name and only used by old Chrome browser. + optional string os_user = 3; + // Browser related info. + optional BrowserReport browser_report = 4; + // The device serial number (this might differ with the client ID, depending + // on the platform). Deprecated: Please use + // ChromeDesktopReportProtoProcessor.getBrowserDeviceIdentifier().getSerialNumber + // to extract the Serial Number from the Report Request. + optional string serial_number = 5 [deprecated = true]; + // A string represents the name of computer. Deprecated: Please use + // ChromeDesktopReportProtoProcessor.getBrowserDeviceIdentifier().getSerialNumber + // to extract the Computer Name from the Report Request. + optional string computer_name = 6 [deprecated = true]; + // Operating system related information. + optional OSReport os_report = 7; + // A string contains OS user name. + optional string os_user_name = 8; + // Device identifier for helping identify non-Chrome OS devices. + // TODO(crbug.com/40706071): This will also replace the computer_name and + // serial_number fields. + optional BrowserDeviceIdentifier browser_device_identifier = 9; + // Public key that can be used for attesting the machine. + optional string machine_attestation_key = 11; + // A string that represents the device model. + optional string device_model = 12; + // A string that represents the brand/manufacturer of a device. + optional string brand_name = 13; +} + +// Report user level status on Chrome OS platform. Chrome OS equivalent of +// ChromeDesktopReportRequest. +message ChromeOsUserReportRequest { + reserved 3; + // Browser related info. + optional BrowserReport browser_report = 1; + // Android applications installed in primary profile. + repeated AndroidAppInfo android_app_infos = 2; +} + +// Report user level status on all platforms. It includes the information of the +// profile that user has signed in plus some basic browser and OS information. +message ChromeProfileReportRequest { + // Browser related info + optional BrowserReport browser_report = 1; + + // Basic OS information + optional OSReport os_report = 2; +} + +// A validation issue from validating a policy value that was contained in +// the payload of the policy fetch response. +message PolicyValueValidationIssue { + // Policy name of the faulty value. + optional string policy_name = 1; + + // LINT.IfChange + enum ValueValidationIssueSeverity { + // Default value for when a severity is not specified. + VALUE_VALIDATION_ISSUE_SEVERITY_UNSPECIFIED = 0; + + // This result is a warning. The policy blob has not been rejected. + VALUE_VALIDATION_ISSUE_SEVERITY_WARNING = 1; + + // This result is an error. The policy blob was rejected completely and not + // updated on the device. + VALUE_VALIDATION_ISSUE_SEVERITY_ERROR = 2; + } + // LINT.ThenChange(//depot/google3/chrome/cros/reporting/api/proto/policy_validation_report.proto) + + // Severity of this policy value validation result. + optional ValueValidationIssueSeverity severity = 2; + + // Message containing detailed information about the value validation warning + // or error (e.g. type and specific location). This message is intended as + // debug information for developers (not localized). + optional string debug_message = 3; +} + +// This message is used to upload the result of cloud policy validation after a +// PolicyFetchRequest. +message PolicyValidationReportRequest { + // |policy_type| sent in PolicyFetchRequest on the request which + // returned policy with validation errors. + optional string policy_type = 1; + + // |policy_token| from the PolicyFetchResponse. This is used to identify the + // specific policy fetch event that triggered this validation report. + optional string policy_token = 2; + + // Specifies the result type of the validation. + // Each enum value can correspond to one of three client behaviors (noted as + // 'Client behavior' in the comment for each enum value): + // - Unknown: + // It is not known if the fetched policy blob was accepted or rejected. + // - Policy blob accepted: + // The client has accepted and applied the fetched policy blob. + // - Policy blob rejected: + // The client has completely rejected the fetched policy blob. + // LINT.IfChange + enum ValidationResultType { + // An enum value was received which is not known in this version of the + // proto. + // Client behavior: Unknown. + VALIDATION_RESULT_TYPE_ERROR_UNSPECIFIED = 0; + // Policy validated successfully. + // Client behavior: Policy blob accepted. + // Note: This result is here for completeness, the client will not send + // reports with this enum value. + VALIDATION_RESULT_TYPE_SUCCESS = 1; + // Bad signature on the initial key. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_BAD_INITIAL_SIGNATURE = 2; + // Bad signature. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_BAD_SIGNATURE = 3; + // Policy blob contains error code. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_ERROR_CODE_PRESENT = 4; + // Policy payload failed to decode. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_PAYLOAD_PARSE_ERROR = 5; + // Unexpected policy type. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_WRONG_POLICY_TYPE = 6; + // Unexpected settings entity id. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_WRONG_SETTINGS_ENTITY_ID = 7; + // Timestamp is missing or is older than the timestamp of the previous + // policy. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_BAD_TIMESTAMP = 8; + // DMToken is empty or doesn't match. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_BAD_DM_TOKEN = 9; + // Device id is empty or doesn't match. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_BAD_DEVICE_ID = 10; + // Username doesn't match. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_BAD_USER = 11; + // Policy payload protobuf parse error. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_POLICY_PARSE_ERROR = 12; + // Policy key signature could not be verified using the hard-coded + // verification key. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_BAD_KEY_VERIFICATION_SIGNATURE = 13; + // There were validation warnings during validation of policy values in the + // payload. See |policy_value_validation_results|. + // Client behavior: Policy blob accepted. + VALIDATION_RESULT_TYPE_VALUE_WARNING = 14; + // There were validation errors during validation of policy values in the + // payload. There may also have been warnings. See + // |policy_value_validation_results| - that list will contain at least one + // payload validation errors, and zero or more payload validation warnings. + // Client behavior: Policy blob rejected. + VALIDATION_RESULT_TYPE_VALUE_ERROR = 15; + } + // LINT.ThenChange(//depot/google3/chrome/cros/reporting/api/proto/policy_validation_report.proto) + + // The validation result. + optional ValidationResultType validation_result_type = 3; + + // Value validation issues in the policy payload. Will be filled if + // |validation_result_type| is VALIDATION_RESULT_TYPE_VALUE_WARNING + // or VALIDATION_RESULT_TYPE_VALUE_ERROR. + repeated PolicyValueValidationIssue policy_value_validation_issues = 4; +} + +// Response from DMServer to a policy validation report. +message PolicyValidationReportResponse {} + +message AndroidStatus { + // JSON string of ARC status report. + optional string status_payload = 1; + // DroidGuard response obtained from DroidGuard server. + optional string droid_guard_info = 2; +} + +enum CrostiniAppType { + // The default terminal App. + CROSTINI_APP_TYPE_TERMINAL = 0; + // A registered interactive Crostini App which is + // not the default terminal app. + CROSTINI_APP_TYPE_INTERACTIVE = 1; + // Detected non-registered container applications. + CROSTINI_APP_TYPE_OTHER = 2; +} + +message CrostiniApp { + // The default display name of the App. + optional string app_name = 1; + // The type of the App. + optional CrostiniAppType app_type = 2; + + // Time stamp of last launch of the App with a three day granularity. + // The timestamp is milliseconds since Epoch in UTC timezone (Java time). + optional int64 last_launch_time_window_start_timestamp = 3; + + // If available, the name of the Debian package belonging to this App. + optional string package_name = 4; + // If available, the version of the Debian package belonging to this App. + optional string package_version = 5; + // If available, a hash of the package belonging to this App. + optional string package_hash = 6; +} + +message CrostiniStatus { + // Time stamp of last launch of a Crostini app with three day granularity, + // The timestamp is milliseconds since Epoch in UTC timezone (Java time). + optional int64 last_launch_time_window_start_timestamp = 1; + + // The VM image version at the time of the last launch. + optional string last_launch_vm_image_version = 2; + // The VM kernel version at the time of the last launch. + optional string last_launch_vm_kernel_version = 3; + + // Contains information about each installed app at the time of the + // report. + repeated CrostiniApp installed_apps = 4; +} + +// Report current active session (a user on one device) level status. +message SessionStatusReportRequest { + reserved 1, 2, 3, 6; + + // If this is a kiosk session, this is the device local account ID. + optional string device_local_account_id = 4; + + // Information about kiosk app for kiosk session. + repeated AppStatus installed_apps = 5; + + // Information about ARC status. + optional AndroidStatus android_status = 7; + + // If this is a regular user session, this is the user's DMToken. + optional string user_dm_token = 8; + + // Time zone id of the active user. Not set for enterprise users. + // Format of the id is as specified in tz database e.g. Pacific/Honolulu. For + // more details check third_party/icu/source/i18n/unicode/timezone.h. + optional string time_zone = 9; + + // Information about Crostini status. + optional CrostiniStatus crostini_status = 10; + + // Information about all applications for this user on this device, including + // uninstalled and disabled apps. + repeated AppInfo app_infos = 11; +} + +// Response from DMServer to update devices' status. +// It is possible that status report fails but policy request succeed. In such +// case, the DeviceStatusReportResponse will contain an error code and the +// device should re-send status report data in the next policy request. The +// device should re-send report data if policy request fails, even if +// DeviceStatusReportResponse contains no error code. +message DeviceStatusReportResponse { + optional int32 error_code = 1; + + // Human readable error message for customer support purpose. + optional string error_message = 2; +} + +// Response from DMServer to a Chrome desktop report request. The report +// upload errors will be set in the containing DeviceManagementResponse or +// eventually at the HTTP level. +message ChromeDesktopReportResponse {} + +// Response from DMServer to a ChromeOS user report request. The report +// upload errors will be set in the containing DeviceManagementResponse or +// eventually at the HTTP level. +message ChromeOsUserReportResponse {} + +// Response from DMServer to a profile report request. The report +// upload errors will be set in the containing DeviceManagementResponse or +// eventually at the HTTP level. +message ChromeProfileReportResponse {} + +// Response from DMServer to update user devices' status. +// It is possible that status report fails but policy request succeed. In such +// case, the SessionStatusReportResponse will contain an error code and the +// device should re-send status report data in the next policy request. The +// device should re-send report data if policy request fails, even if +// SessionStatusReportResponse contains no error code. +message SessionStatusReportResponse { + optional int32 error_code = 1; + + // Human readable error message for customer support purpose. + optional string error_message = 2; +} + +// Request from client to query device state using Private Set Membership (PSM). +// Please see go/cros-enterprise-psm and go/cros-client-psm for more details. +message PrivateSetMembershipRequest { + // A request proto from the RLWE PSM protocol. + optional PrivateSetMembershipRlweRequest rlwe_request = 1; +} + +message PrivateSetMembershipResponse { + // A response proto from the RLWE PSM protocol. + optional PrivateSetMembershipRlweResponse rlwe_response = 1; +} + +message PrivateSetMembershipRlweRequest { + // First request sent by the client for checking membership. + optional private_membership.rlwe.PrivateMembershipRlweOprfRequest + oprf_request = 1; + + // Second request sent by the client for checking membership. + optional private_membership.rlwe.PrivateMembershipRlweQueryRequest + query_request = 2; +} + +message PrivateSetMembershipRlweResponse { + // First response sent by the server for checking membership. + optional private_membership.rlwe.PrivateMembershipRlweOprfResponse + oprf_response = 1; + + // Second response sent by the server for checking membership. + optional private_membership.rlwe.PrivateMembershipRlweQueryResponse + query_response = 2; +} + +// Request from device to server to determine whether the device should +// go through enterprise enrollment. Unlike the other requests, this request is +// not authenticated. +message DeviceAutoEnrollmentRequest { + // Device identifier hash, mod |modulus|. + // The type of the device identifier hash depends on |enrollment_check_type|. + // If |modulus| is 1, |remainder| should be 0. + // |remainder| should always be present. + optional int64 remainder = 1; + + // Modulus of the hash used by the client. For now, it is a power of 2, but + // due to the strict constraint on how many serial numbers a bucket can + // contain, it may become non power of 2. If that happens, client-side needs + // to change its assumption. + // |modulus| should always be present, but setting |modulus| to 1 means that + // no bits of the client's hash are uploaded. |remainder| should be 0 in this + // case. + optional int64 modulus = 2; + + enum EnrollmentCheckType { + // Unspecified. + ENROLLMENT_CHECK_TYPE_UNSPECIFIED = 0; + // Forced Re-Enrollment check with full SHA-256 hashes of the + // server-backed state key. + ENROLLMENT_CHECK_TYPE_FRE = 1; + // Forced Enrollment check with SHA-256 hashes of (brand code + “_” + serial + // number), truncated to first 8 bytes each. + ENROLLMENT_CHECK_TYPE_FORCED_ENROLLMENT = 2; + } + + // Specifies the type of auto enrollment check that is being made. + // This also defines the format of the device identifier hash used in this + // exchange. + optional EnrollmentCheckType enrollment_check_type = 3 + [default = ENROLLMENT_CHECK_TYPE_FRE]; +} + +// Response from server to auto-enrollment detection request. +message DeviceAutoEnrollmentResponse { + // If this field is present, the other fields are ignored and the client + // should send a new DeviceAutoEnrollmentRequest with a |remainder| + // computed using this new |expected_modulus|. If this field is empty, the + // client's request was accepted. + // DMServer guarantees that if the modulus sent by client in + // DeviceAutoEnrollmentRequest matches server's expectation, this field + // is unset. + optional int64 expected_modulus = 1; + + // List of hashes. If the client's hash matches any in this list, the + // client device should do enterprise enrollment. If it matches none, + // enrollment should be optional. + // The format of each entry depends on the |enrollment_check_type| that was + // set in the DeviceAutoEnrollmentRequest. + repeated bytes hashes = 2; +} + +// Sent by the client to the server. This request is keyed by the opaque +// server-backed state key, (optionally) serial number and RLZ brand code; there +// is no further authentication. +// +// This message can be used for secondary state determination by managed devices +// after a hard reset to recover state. In this case, the client only sets the +// `server_backed_state_key`. The device management server keeps a mapping of +// this identifier to device state. In case device has been deprovisioned, the +// server also performs initial enrollment check using the serial number and +// brand code stored in device state from previous enrollment. +// +// It is also used for unified state determination, which replaces both initial +// and secondary state enrollment. In this case, this request can also be sent +// by brand new devices and the server would not know their serial number and +// brand code, hence the values are supplied as part of the request. +// +// Another device state retrieval scenario is Flex Auto Enrollment initial +// state determination, in which case the Flex enrollment token is included +// (along with brand code and serial number) to retrieve token-keyed state +// from the server. +message DeviceStateRetrievalRequest { + // Opaque, client-determined, unpredictable, stable and unique device + // identifier to retrieve state for. This field contains 32 bytes of data that + // looks essentially random to the server. It may be generated e.g. by running + // a concatenation of suitable device identifiers through a cryptographic hash + // algorithm such as SHA-256. + optional bytes server_backed_state_key = 1; + + // The serial number of the device. + optional string serial_number = 2; + + // The 4-character brand code of the device. + optional string brand_code = 3; + + // The enrollment token for Flex Auto Enrollment. + optional string enrollment_token = 4; +} + +// Sent by the client to the server when in registered state to update the +// device-determined device state keys. +message DeviceStateKeyUpdateRequest { + // The client-determined state keys. To the server, these look like 32 bytes + // of random data. The client should generate these keys using a deterministic + // algorithm that takes stable device identifiers as an input and produces a + // key as the output, possibly by running the identifiers through a + // cryptographic hash function such as SHA-256. + repeated bytes server_backed_state_keys = 1; +} + +// Server to client message carrying the device state response. Because the +// request is not authenticated, the only protection against state extraction +// from server is the unpredictability of the server-backed state ID. Thus, the +// response should not contain any sensitive data. If the server doesn't know +// the requested identifier, it just returns a message with restore_mode set to +// RESTORE_MODE_NONE. +message DeviceStateRetrievalResponse { + // Restorative action to take after device reset. + enum RestoreMode { + // No secondary state restoration. + RESTORE_MODE_NONE = 0; + // Enterprise enrollment requested, but user may skip. + RESTORE_MODE_REENROLLMENT_REQUESTED = 1; + // Enterprise enrollment is enforced and cannot be skipped. + RESTORE_MODE_REENROLLMENT_ENFORCED = 2; + // The device has been disabled by its owner. The device will show a warning + // screen and prevent the user from proceeding further. + RESTORE_MODE_DISABLED = 3; + // Enterprise enrollment is enforced using Zero-Touch and cannot be skipped. + RESTORE_MODE_REENROLLMENT_ZERO_TOUCH = 4; + } + // The server-indicated restore mode. + optional RestoreMode restore_mode = 1 [default = RESTORE_MODE_NONE]; + + // Primary domain the device is associated with. + optional string management_domain = 2; + + // State that is relevant only when the |restore_mode| is + // |RESTORE_MODE_DISABLED|. + optional DisabledState disabled_state = 3; + + // Initial device state if |restore_mode| is |RESTORE_MODE_NONE|. + optional DeviceInitialEnrollmentStateResponse initial_state_response = 4; + + // license type the device used in last enrollment + optional LicenseType license_type = 5; +} + +// Request from device to server to retrieve the enrollment mode and domain for +// this device. The client will use this request when the +// DeviceAutoEnrollmentRequest exchange with |enrollment_check_type| set to +// |ENROLLMENT_CHECK_TYPE_FORCED_ENROLLMENT| indicated that it should be +// enrolled. This request is not authenticated. +message DeviceInitialEnrollmentStateRequest { + // The serial number of the device. + optional string serial_number = 1; + + // The 4-character brand code of the device. + optional string brand_code = 2; + + // The enrollment token for Flex Auto Enrollment. + optional string enrollment_token = 3; +} + +// Response from server DeviceInitialEnrollmentStateRequest. +message DeviceInitialEnrollmentStateResponse { + // Initial action to take after OOBE. + enum InitialEnrollmentMode { + // No initial enrollment. + INITIAL_ENROLLMENT_MODE_NONE = 0; + // Enterprise enrollment is enforced and cannot be skipped. + INITIAL_ENROLLMENT_MODE_ENROLLMENT_ENFORCED = 1; + // Zero-Touch (attestation-based) enrollment is enforced and cannot be + // skipped. + INITIAL_ENROLLMENT_MODE_ZERO_TOUCH_ENFORCED = 2; + // The device has been disabled by its owner. The device will show a warning + // screen and prevent the user from proceeding further. + INITIAL_ENROLLMENT_MODE_DISABLED = 3; + // Token-based enrollment is enforced and cannot be skipped. + INITIAL_ENROLLMENT_MODE_TOKEN_ENROLLMENT_ENFORCED = 4; + } + + // The server-indicated initial enrollment mode. + optional InitialEnrollmentMode initial_enrollment_mode = 1 + [default = INITIAL_ENROLLMENT_MODE_NONE]; + + // The domain the device should be enrolled into. + optional string management_domain = 2; + + // Whether the device comes packaged with a license or not. + optional bool is_license_packaged_with_device = 3; + + // State that is relevant only when the |initial_enrollment_mode| is + // |INITIAL_ENROLLMENT_MODE_DISABLED|. + optional DisabledState disabled_state = 4; + + // License Packaging SKU type. + // LINT.IfChange + enum LicensePackagingSKU { + // Not a License Packaged Device. + NOT_EXIST = 0; + // Enterprise SKU. + CHROME_ENTERPRISE = 1; + // Education SKU. + CHROME_EDUCATION = 2; + // Terminal SKU + CHROME_TERMINAL = 3; + } + // LINT.ThenChange(//depot/google3/google/chrome/licensepackaging/v1/service.proto) + + // SKU Type for License Packaged Device. + optional LicensePackagingSKU license_packaging_sku = 5; + + // Assigned upgrade type. See: go/zte-sku-consumption and go/cros-kiosk-prd + // LINT.IfChange(AssignedUpgradeTypeChange) + enum AssignedUpgradeType { + // Unspecified + ASSIGNED_UPGRADE_TYPE_UNSPECIFIED = 0; + // Chrome Enterprise Upgrade (CEU) + ASSIGNED_UPGRADE_TYPE_CHROME_ENTERPRISE = 1; + // Kiosk & Signage Upgrade (KSU) + ASSIGNED_UPGRADE_TYPE_KIOSK_AND_SIGNAGE = 2; + } + // LINT.ThenChange(//depot/google3/java/com/google/chrome/cros/spanner/devicemanagement/schema/enrollment.proto:AssignedUpgradeTypeChange) + + optional AssignedUpgradeType assigned_upgrade_type = 6; +} + +// Sent by the client to the server to pair the Host device with the Controller +// device. The HTTP request contains an end-user OAuth token and only succeeds +// if both Host and Controller devices belong to the end-user domain. +message DevicePairingRequest { + // The device ID of the Host device. + optional string host_device_id = 1; + + // The device ID of the Controller device. + optional string controller_device_id = 2; +} + +// Response from the server to the device pairing request. +message DevicePairingResponse { + // The client should check HTTP status code first. If HTTP status code is not + // 200 (e.g. 500 internal error), then it means the pairing fails. If HTTP + // status code is 200, then the client should check the status code within the + // response. + enum StatusCode { + SUCCESS = 0; + + // A generic failure code for pairing. + FAILED = 1; + + // The Host device cannot be found in the user's domain. + HOST_DEVICE_NOT_FOUND = 2; + + // The Controller device cannot be found in the user's domain. + CONTROLLER_DEVICE_NOT_FOUND = 3; + + // The Host device is deprovisioned. + HOST_DEVICE_DEPROVISIONED = 4; + + // The Controller device is deprovisioned. + CONTROLLER_DEVICE_DEPROVISIONED = 5; + } + + optional StatusCode status_code = 1 [default = FAILED]; +} + +// Sent by the client to the server to check if the devices are paired. The HTTP +// request contains controller service account OAuth token as well as the +// DMToken from the Host device. +message CheckDevicePairingRequest { + // The device ID of the Host device. + optional string host_device_id = 1; + + // The device ID of the Controller device. + optional string controller_device_id = 2; +} + +// Response from the server to the check device pairing request. +message CheckDevicePairingResponse { + // The client should check HTTP status code first. If HTTP status code is not + // 200 (e.g. 500 internal error), then it means the pairing status is unknown. + // If HTTP status code is 200, then the client should check the status code + // within the response. + enum StatusCode { + PAIRED = 0; + + // The Host and Controller devices are not paired. + NOT_PAIRED = 1; + + // The Host device cannot be found in the Host device domain. + HOST_DEVICE_NOT_FOUND = 2; + + // The Controller device cannot be found in the Host device domain. + CONTROLLER_DEVICE_NOT_FOUND = 3; + + // The Host device is deprovisioned. + HOST_DEVICE_DEPROVISIONED = 4; + + // The Controller device is deprovisioned. + CONTROLLER_DEVICE_DEPROVISIONED = 5; + + // Invalid controller identity. + INVALID_CONTROLLER_DEVICE_IDENTITY = 6; + } + + optional StatusCode status_code = 1 [default = NOT_PAIRED]; +} + +// This protobuf defines a single remote command from server to client for +// execution. +message RemoteCommand { + // The names are used as part of metric names. If enumeration is updated + // the names should also be updated: + // - components/policy/core/common/cloud/enterprise_metrics.cc; + // - components/policy/core/common/remote_commands/remote_commands_service.cc; + // - Enterprise.RemoteCommandType in + // tools/metrics/histograms/metadata/enterprise/histograms.xml; + enum Type { + // Simple echo command for testing, will be ignored in production code. + COMMAND_ECHO_TEST = -1; + + // Reboot the device. + DEVICE_REBOOT = 0; + + // Take a screenshot. + DEVICE_SCREENSHOT = 1; + + // Set device volume. + DEVICE_SET_VOLUME = 2; + + // Force a refresh of device status (attributes and logs). + DEVICE_FETCH_STATUS = 3; + + // Forwards a user command received from the management server to the ARC++ + // side. The payload is opaque to Chrome OS. + USER_ARC_COMMAND = 4; + + // Wipe all the users off of the device. + DEVICE_WIPE_USERS = 5; + + // Start Chrome Remote Desktop session. + DEVICE_START_CRD_SESSION = 6; + + // Wipe the device (perform a powerwash). + DEVICE_REMOTE_POWERWASH = 7; + + // Refresh the device machine certificate and re-upload it. + DEVICE_REFRESH_ENTERPRISE_MACHINE_CERTIFICATE = 8; + + // Retrieve a list of available diagnostics routines. + DEVICE_GET_AVAILABLE_DIAGNOSTIC_ROUTINES = 9; + + // Run a given diagnostics routine on the platform. + DEVICE_RUN_DIAGNOSTIC_ROUTINE = 10; + + // Send a command or get an update from an existing diagnostics routine. + DEVICE_GET_DIAGNOSTIC_ROUTINE_UPDATE = 11; + + // Clear the cache and cookies associated with a given profile. + BROWSER_CLEAR_BROWSING_DATA = 12; + + // Reset the cellular EUICC (Embedded Universal Integrated Circuit Card) on + // the device. + DEVICE_RESET_EUICC = 13; + + // Rotates the attestation credentials associated with a browser device. + BROWSER_ROTATE_ATTESTATION_CREDENTIAL = 14; + + // Fetch information that determines the availability of CRD on the device. + FETCH_CRD_AVAILABILITY_INFO = 15; + + // Fetch the logs from the Support Tool on managed ChromeOS devices. + FETCH_SUPPORT_PACKET = 16; + + // Please update metrics after adding a new item - see the comment above. + } + + // The command type. + optional Type type = 1; + + // An opaque unique identifier for the command. The client processes + // the commands in the order of the command list it receives. + optional int64 command_id = 2; + + // The age of the command (in milliseconds) when it is sent from server to + // client, defined as current_server_time - command_generated_time. + optional int64 age_of_command = 3; + + // Extra parameters for this command, expected to be a JSON string. The exact + // format of the JSON payload depends on the command type specified by the + // |type| field: + // |DEVICE_SCREENSHOT|: {"fileUploadUrl" : url_string}. + // |DEVICE_SET_VOLUME|: {"volume": volume_value}, where volume_value must be + // an integer between 0 and 100. + // |DEVICE_RUN_DIAGNOSTIC_ROUTINE|: {"routine" : routine_enum, "params" : + // params_dict}, where params_dict varies by routine. + // |DEVICE_GET_DIAGNOSTIC_ROUTINE_UPDATE|: {"id" : id_integer, "command" : + // command, "includeOutput" : include_output_bool}, where command must be a + // valid `ash::cros_healthd::mojom::DiagnosticRoutineCommandEnum`. + // |DEVICE_REBOOT|: {"user_session_delay_s": delay_integer}, where delay value + // represents seconds until reboot in user session. + // |FETCH_SUPPORT_PACKET|: + // {"supportPacketDetails":{ "issueCaseId": optional_support_case_id_string, + // "issueDescription": optional_issue_description_string, + // "requestedDataCollectors": [], "requestedPiiTypes": []}} + optional string payload = 4; + + // An identifier for the target this command is for. This is the same as + // the device_id in PolicyData. We rely on this identifier not being stable + // across powerwashes. + optional string target_device_id = 5; +} + +// This protobuf defines the execution result of a single remote command +// which will be sent back to the server. +message RemoteCommandResult { + // If you change this, update policy.mojom/CommandResultType. + enum ResultType { + RESULT_IGNORED = 0; // The command was ignored as obsolete. + RESULT_FAILURE = 1; // The command could not be executed or parsed. + RESULT_SUCCESS = 2; // The command was successfully executed. Commands + // such as powerwash will return success before they + // are executed since state will be forgotten. + } + + // The result of the command. + optional ResultType result = 1; + + // The opaque unique identifier of the command. This value is copied from the + // RemoteCommand protobuf that contained the command. + optional int64 command_id = 2; + + // The timestamp representing time at which the command was executed, if the + // result is RESULT_SUCCESS. The timestamp is milliseconds since Epoch in UTC + // timezone (Java time). + optional int64 timestamp = 3; + + // Extra information sent to server as result of execution, expected to be a + // JSON string. + optional string payload = 4; +} + +message DeviceRemoteCommandRequest { + // The command ID of the last command received from the server until + // now. Omitted if no commands have been received yet. + optional int64 last_command_unique_id = 1; + + // The execution results of previously fetched commands. + // The client should send back a command result whenever possible. + repeated RemoteCommandResult command_results = 2; + + // Whether the server should send secure commands or not. + optional bool send_secure_commands = 3; + + // What type of signature to use. Only valid if send_secure_commmands is true. + // If NONE is passed, SHA1_RSA will be used instead for compatibility. + optional PolicyFetchRequest.SignatureType signature_type = 4; + + // A string that represents the type of RemoteCommands that need to be + // fetched. This type helps the server redirect the request to different + // handlers. + optional string type = 5; +} + +message DeviceRemoteCommandResponse { + // The queue of pending, non secure commands. If this is present then there + // shall be no secure commands in this response (and vice versa). + repeated RemoteCommand commands = 1; + + // The queue of pending, secure commands. If this is present then there shall + // be no non secure commands in this response (and vice versa). + // + // The secure_commands.data field contains a serialized PolicyData with a + // “google/chromeos/remotecommand” policy_type. The secure_commands.signature + // field is a signature of the data field with the policy key for the domain + // the device belongs to. + repeated SignedData secure_commands = 2; +} + +// Sent by the client to the server to check if the current user or device is +// allowed to update attributes (asset id and location). The HTTP request +// can contain an end-user OAuth token or a device DMToken. +message DeviceAttributeUpdatePermissionRequest {} + +// Response from the server specifying whether the current user or device is +// allowed to update attributes (asset id and location). +message DeviceAttributeUpdatePermissionResponse { + enum ResultType { + ATTRIBUTE_UPDATE_DISALLOWED = 0; + ATTRIBUTE_UPDATE_ALLOWED = 1; + } + + optional ResultType result = 1; +} + +// Sent by the client to the server to update device attributes (asset id and +// location). The HTTP request can contain an end-user OAuth token or a device +// DMToken. +message DeviceAttributeUpdateRequest { + // The user-generated asset identifier. + optional string asset_id = 1; + + // The user input device location. + optional string location = 2; +} + +// Response from the server to update device attributes (asset id and location). +message DeviceAttributeUpdateResponse { + enum ResultType { + ATTRIBUTE_UPDATE_ERROR = 0; + ATTRIBUTE_UPDATE_SUCCESS = 1; + } + + optional ResultType result = 1; +} + +// Sent by the client to server to update the mapping from GCM id to device_id +// on the server side. +message GcmIdUpdateRequest { + optional string gcm_id = 1; +} + +// Response for GcmIdUpdateRequest, an empty message for now. +message GcmIdUpdateResponse {} + +// Request from device to server to check for Android-for-Work service with +// DPC enforcement. Must be sent only for users who are not managed in Chrome +// OS. +// Provide user's OAuth token with your HTTP Request. +message CheckAndroidManagementRequest {} + +// Response from server to device for check for Android-for-Work service with +// DPC enforcement request. +// SC_CONFLICT HTTP code is returned if DPC enforcement is required. +message CheckAndroidManagementResponse {} + +// Request to register a new device (authenticated by enterprise enrollment +// certificate). See http://go/zero-touch-chrome for details. +// The response message will be the DeviceRegisterResponse. +message CertificateBasedDeviceRegisterRequest { + // Signed request to register with a certificate. The signed_request.data + // field contains a CertificateBasedDeviceRegistrationData with a nonce + // (as added by the Chrome OS cryptohome client) appended. The + // signed_request.signature field is a signature of the data field signed + // with the enrollment certificate's private key. + optional SignedData signed_request = 1; +} + +// Request from device to server to register a device (authenticated with an +// enrollment token). +message TokenBasedDeviceRegisterRequest { + optional DeviceRegisterRequest device_register_request = 1; +} + +// Response to a token-based device registration request +// (@code `TokenBasedDeviceRegisterRequest`). +message TokenBasedDeviceRegisterResponse { + optional DeviceRegisterResponse device_register_response = 1; +} + +// Requested configuration to be passed along a registration request. +message DeviceRegisterConfiguration { + // The device owner's email address. + optional string device_owner = 1; +} + +message CertificateBasedDeviceRegistrationData { + enum CertificateType { + UNKNOWN = 0; + ENTERPRISE_ENROLLMENT_CERTIFICATE = 1; + } + + optional CertificateType certificate_type = 1; + // Device certificate in X.509 format. + // We use CertificateFactory.generateCertificate() call and + // the certificate provided must be DER-encoded and may be supplied in binary + // or printable (Base64) encoding. If the certificate is provided in Base64 + // encoding, it must be bounded at the beginning by + // -----BEGIN CERTIFICATE-----, and must be bounded at the end by + // -----END CERTIFICATE-----. + optional bytes device_certificate = 2; + // regular device registration request + optional DeviceRegisterRequest device_register_request = 3; + // Additional configuration to register the device. + optional DeviceRegisterConfiguration device_register_configuration = 4; +} + +// Request to enroll a Chrome browser. Fields match identically named fields +// in ChromeBrowserDeviceInfo. +message RegisterBrowserRequest { + // The name of the machine within its local network. + optional string machine_name = 1; + // Platform, e.g., Windows or Mac. + optional string os_platform = 2; + // Platform specific version number, e.g., 6.1.7601.0 or 10.12.6 + optional string os_version = 3; + // Device identifier for helping identify non-Chrome OS devices. + // TODO(crbug.com/40706071): This will also replace the machine_name field. + optional BrowserDeviceIdentifier browser_device_identifier = 4; + // The device model, e.g., iPad6,11 + optional string device_model = 5; + // A string that represents the brand/manufacturer of a device. + optional string brand_name = 6; +} + +// Gets an enrollment token to a managed Google Play account for using it with +// Active Directory. Sent when a new user logs in with Active Directory and +// opens Play Store for the first time. +message ActiveDirectoryEnrollPlayUserRequest { + // A server-provider identifier for the previously established SAML session. + // If left empty and SAML authentication is required, + // ActiveDirectoryEnrollPlayUserResponse.saml_parameters.auth_redirect_url + // will contain initial Redirect required to start the SAML flow. + optional string auth_session_id = 1; +} + +// The result when a new user logs in to Play Store with Active Directory. +// 904 Arc Disabled HTTP error code is returned if the reason of the failure is +// that ARC is not enabled for the domain. +// 403 Forbidden HTTP error code is returned if the device can't get Managed +// Google Play accounts. +message ActiveDirectoryEnrollPlayUserResponse { + // The enrollment token which can be used to fetch a Managed Google Play + // account. + optional string enrollment_token = 1; + // The user id which identifies the user enrolled by this token. This user id + // is opaque to the client and is only used in the ActiveDirectoryPlayActivity + // requests. + optional string user_id = 2; + // If SAML authentication is required, SAML flow parameters are specified in + // this proto and both enrollment_token and user_id fields are left unset. + optional SamlParametersProto saml_parameters = 3; +} + +message SamlParametersProto { + // Initial Redirect URL to start the SAML flow. + optional string auth_redirect_url = 1; + // Auth Session ID which the client is supposed to use in the subsequent + // DMServer request (to be sent after SAML flow completes). + optional string auth_session_id = 2; +} + +// Gets a URL to the SAML IdP authentication flow for using it with public +// SAML session. Sent when a user logs in to a SAML public session account. +message PublicSamlUserRequest { + // Identifier for the public saml account. Same as + // DeviceLocalAccountInfoProto.account_id. + optional string account_id = 1; +} + +// The result when a user logs in to a SAML public session account. +message PublicSamlUserResponse { + // SAML flow parameters are specified in this proto. + optional SamlParametersProto saml_parameters = 1; +} + +// Reports that a managed Google Play account is used. This makes the garbage +// collection of accounts possible by reporting the ones which are still in use. +message ActiveDirectoryPlayActivityRequest { + // The user id received in ActiveDirectoryEnrollPlayUserResponse which + // identifies the user. + optional string user_id = 1; +} + +// Response to the Play account activity request. +message ActiveDirectoryPlayActivityResponse {} + +// DEPRECATED: Request to retrieve available device licenses. User auth token +// or auth cookie must be provided with DeviceManagementRequest when +// CheckDeviceLicenseRequest is being sent. +// See go/cdm-mixed-license-pool for more info +message CheckDeviceLicenseRequest {} + +// Represents availability of a single license type. +message LicenseAvailability { + // License type. + optional LicenseType license_type_deprecated = 1 [deprecated = true]; + + // Remaining available licenses (can be 0). + optional int32 available_licenses_deprecated = 2 [deprecated = true]; +} + +// DEPRECATED: Response to a check device license request. +message CheckDeviceLicenseResponse { + enum LicenseSelectionMode { + // Should not happen, included for compatibility. + UNDEFINED = 0; + // User is allowed to choose license. + USER_SELECTION = 1; + // Admin controls license selection preferences through management UI. + ADMIN_SELECTION = 2; + } + + // Policy setting value for license selection mode. + optional LicenseSelectionMode license_selection_mode_deprecated = 1 + [deprecated = true]; + + // Provides available license counts for each purchased license type. + // This field would list each subscription for the domain even if all licenses + // have been used up (in which case available_licenses field is set to zero). + // + // If license_selection_mode == USER_SELECTION and license_availability + // contains more than one entry then device should display a screen asking + // user to choose license type and send selected license type value in the + // DeviceRegisterRequest.license_type field. + repeated LicenseAvailability license_availabilities_deprecated = 2 + [deprecated = true]; +} + +// Sign in an Active Directory user using SAML SSO. The device management server +// redirects the client to the Active Directory server in order to authenticate +// and identify the Active Directory user. Active Directory redirects the client +// back to the device management server with an assertion of the Active +// Directory user's identity. The device management server then redirects the +// client to Google's authentication service in order to provision the user on +// the device. +message ActiveDirectoryUserSigninRequest {} + +message ActiveDirectoryUserSigninResponse { + // Initial Redirect URL to start the SAML flow. + optional string auth_redirect_url = 1; +} + +// Contains information about the TPM used on the device. +message TpmVersionInfo { + enum GscVersion { + GSC_VERSION_UNSPECIFIED = 0; + GSC_VERSION_NOT_GSC = 1; + GSC_VERSION_CR50 = 2; + GSC_VERSION_TI50 = 3; + } + optional uint32 family = 1; + optional uint64 spec_level = 2; + optional uint32 manufacturer = 3; + optional uint32 tpm_model = 4; + optional uint64 firmware_version = 5; + optional string vendor_specific = 6; + optional GscVersion gsc_version = 7; + // This field represents the tpm device id and vendor id + // which is a combined value as declared in the TPM spec. + optional string did_vid = 8; +} + +// Contains status of the TPM unit. +message TpmStatusInfo { + optional bool enabled = 1; + optional bool owned = 2; + // This field was previously named "initialized", but that's not a valid name + // for a proto field since it generates isInitialized method for the Java + // binding which collides with the isInitialized method that exists for all + // Java protos. + optional bool tpm_initialized = 3; + optional bool attestation_prepared = 4; + optional bool attestation_enrolled = 5; + optional int32 dictionary_attack_counter = 6; + optional int32 dictionary_attack_threshold = 7; + optional bool dictionary_attack_lockout_in_effect = 8; + optional int32 dictionary_attack_lockout_seconds_remaining = 9; + // DEPRECATED: Not filled by the client anymore (since b/172748724). + optional bool boot_lockbox_finalized = 10 [deprecated = true]; + optional bool owner_password_is_present = 11; + optional TpmSupportedFeatures tpm_supported_features = 12; +} + +// Contains information about specific features of the TPM unit. +message TpmSupportedFeatures { + optional bool is_allowed = 1; + optional bool support_pinweaver = 2; + optional bool support_runtime_selection = 3; + optional bool support_u2f = 4; +} + +// System state included with some log events. +message SystemState { + // VolumeInfo is reused from existing Chrome reporting. + repeated VolumeInfo volume_infos = 1; +} + +// A single entry in the install log for an extension. +message ExtensionInstallReportLogEvent { + // Enumerates the possible event types. + enum EventType { + // Not used. + LOG_EVENT_TYPE_UNKNOWN = 0; + // Requested by policy to install the extension. + POLICY_REQUEST = 1; + // Install success. + SUCCESS = 2; + // Request canceled. + CANCELED = 3; + // Connectivity state changed. + CONNECTIVITY_CHANGE = 4; + // Session state changed. + SESSION_STATE_CHANGE = 5; + // Extension installation failed. + INSTALLATION_FAILED = 6; + } + + // Enumerates the possible changes in session state. + enum SessionStateChangeType { + // Not used. + SESSION_STATE_CHANGE_TYPE_UNKNOWN = 0; + // Session starting. + LOGIN = 1; + // Session ending. + LOGOUT = 2; + // Suspending. + SUSPEND = 3; + // Resuming. + RESUME = 4; + } + + // Possible failure reasons. See InstallStageTracker::FailureReason for more + // details. InstallStageTracker::FailureReason is the main enum and this is + // a copy used for reporting purposes. + enum FailureReason { + FAILURE_REASON_UNKNOWN = 0; + INVALID_ID = 1; + MALFORMED_EXTENSION_SETTINGS = 2; + REPLACED_BY_ARC_APP = 3; + MALFORMED_EXTENSION_DICT = 4; + NOT_SUPPORTED_EXTENSION_DICT = 5; + MALFORMED_EXTENSION_DICT_FILE_PATH = 6; + MALFORMED_EXTENSION_DICT_VERSION = 7; + MALFORMED_EXTENSION_DICT_UPDATE_URL = 8; + LOCALE_NOT_SUPPORTED = 9; + NOT_PERFORMING_NEW_INSTALL = 10; + TOO_OLD_PROFILE = 11; + DO_NOT_INSTALL_FOR_ENTERPRISE = 12; + ALREADY_INSTALLED = 13; + CRX_FETCH_FAILED = 14; + MANIFEST_FETCH_FAILED = 15; + MANIFEST_INVALID = 16; + NO_UPDATE = 17; + CRX_INSTALL_ERROR_DECLINED = 18; + CRX_INSTALL_ERROR_SANDBOXED_UNPACKER_FAILURE = 19; + CRX_INSTALL_ERROR_OTHER = 20; + NO_UPDATE_URL = 21; + PENDING_ADD_FAILED = 22; + DOWNLOADER_ADD_FAILED = 23; + IN_PROGRESS = 24; + CRX_FETCH_URL_EMPTY = 25; + CRX_FETCH_URL_INVALID = 26; + OVERRIDDEN_BY_SETTINGS = 27; + REPLACED_BY_SYSTEM_APP = 28; + } + + // Stage of extension installing process. See InstallStageTracker::Stage for + // more details. InstallStageTracker::Stage is the main enum and this is + // a copy used for reporting purposes. The entries are in the order they occur + // in the installation process. + enum InstallationStage { + INSTALLATION_STAGE_UNKNOWN = 0; + CREATED = 1; + PENDING = 2; + DOWNLOADING = 3; + INSTALLING = 4; + COMPLETE = 5; + } + + // Type of current user. See user_manager::UserType for more details. + // user_manager::UserType is the main enum and this is a copy used for + // reporting purposes. + enum UserType { + USER_TYPE_UNKNOWN = 0; + USER_TYPE_REGULAR = 1; + USER_TYPE_GUEST = 2; + USER_TYPE_PUBLIC_ACCOUNT = 3; + USER_TYPE_SUPERVISED_DEPRECATED = 4 [deprecated = true]; + USER_TYPE_KIOSK_APP = 5; + USER_TYPE_CHILD = 6; + USER_TYPE_ARC_KIOSK_APP = 7; + USER_TYPE_ACTIVE_DIRECTORY = 8; + USER_TYPE_WEB_KIOSK_APP = 9; + } + + // Current stage of the extension downloading process. See + // ExtensionDownloaderDelegate::Stage for more details. + // ExtensionDownloaderDelegate::Stage is the main enum and this is a copy used + // for reporting purposes. + enum DownloadingStage { + DOWNLOADING_STAGE_UNKNOWN = 0; + DOWNLOAD_PENDING = 1; + QUEUED_FOR_MANIFEST = 2; + DOWNLOADING_MANIFEST = 3; + DOWNLOADING_MANIFEST_RETRY = 4; + PARSING_MANIFEST = 5; + MANIFEST_LOADED = 6; + QUEUED_FOR_CRX = 7; + DOWNLOADING_CRX = 8; + DOWNLOADING_CRX_RETRY = 9; + FINISHED = 10; + } + + // Current stage of the extension creation process. See + // InstallStageTracker::InstallCreationStage for more details. + // InstallStageTracker::InstallCreationStage is the main enum and this is a + // copy used for reporting purposes. + enum InstallCreationStage { + INSTALL_CREATION_STAGE_UNKNOWN = 0; + CREATION_INITIATED = 1; + NOTIFIED_FROM_MANAGEMENT_INITIAL_CREATION_FORCED = 2; + NOTIFIED_FROM_MANAGEMENT_INITIAL_CREATION_NOT_FORCED = 3; + NOTIFIED_FROM_MANAGEMENT = 4; + NOTIFIED_FROM_MANAGEMENT_NOT_FORCED = 5; + SEEN_BY_POLICY_LOADER = 6; + SEEN_BY_EXTERNAL_PROVIDER = 7; + } + + // Status of cache when an attempt is made to fetch the extension from it + // during the downloading process. See + // ExtensionDownloaderDelegate::CacheStatus for more details. + // ExtensionDownloaderDelegate::CacheStatus is the main enum and this is a + // copy used for reporting purposes. + enum DownloadCacheStatus { + CACHE_UNKNOWN = 0; + CACHE_DISABLED = 1; + CACHE_MISS = 2; + CACHE_OUTDATED = 3; + CACHE_HIT = 4; + CACHE_HIT_ON_MANIFEST_FETCH_FAILURE = 5; + } + + // All the ways SandboxedUnpacker can fail. See + // extensions::SandboxedUnpackerFailureReason for more details. + // extensions::SandboxedUnpackerFailureReason is the main enum and this is a + // copy used for reporting purposes. + enum SandboxedUnpackerFailureReason { + SANDBOXED_UNPACKER_FAILURE_REASON_UNKNOWN = 0; + COULD_NOT_GET_TEMP_DIRECTORY = 1; + COULD_NOT_CREATE_TEMP_DIRECTORY = 2; + FAILED_TO_COPY_EXTENSION_FILE_TO_TEMP_DIRECTORY = 3; + COULD_NOT_GET_SANDBOX_FRIENDLY_PATH = 4; + COULD_NOT_LOCALIZE_EXTENSION = 5; + INVALID_MANIFEST = 6; + UNPACKER_CLIENT_FAILED = 7; + UTILITY_PROCESS_CRASHED_WHILE_TRYING_TO_INSTALL = 8; + CRX_FILE_NOT_READABLE = 9; + CRX_HEADER_INVALID = 10; + CRX_MAGIC_NUMBER_INVALID = 11; + CRX_VERSION_NUMBER_INVALID = 12; + CRX_EXCESSIVELY_LARGE_KEY_OR_SIGNATURE = 13; + CRX_ZERO_KEY_LENGTH = 14; + CRX_ZERO_SIGNATURE_LENGTH = 15; + CRX_PUBLIC_KEY_INVALID = 16; + CRX_SIGNATURE_INVALID = 17; + CRX_SIGNATURE_VERIFICATION_INITIALIZATION_FAILED = 18; + CRX_SIGNATURE_VERIFICATION_FAILED = 19; + ERROR_SERIALIZING_MANIFEST_JSON = 20; + ERROR_SAVING_MANIFEST_JSON = 21; + COULD_NOT_READ_IMAGE_DATA_FROM_DISK_UNUSED = 22; + DECODED_IMAGES_DO_NOT_MATCH_THE_MANIFEST_UNUSED = 23; + INVALID_PATH_FOR_BROWSER_IMAGE = 24; + ERROR_REMOVING_OLD_IMAGE_FILE = 25; + INVALID_PATH_FOR_BITMAP_IMAGE = 26; + ERROR_RE_ENCODING_THEME_IMAGE = 27; + ERROR_SAVING_THEME_IMAGE = 28; + DEPRECATED_ABORTED_DUE_TO_SHUTDOWN = 29; + COULD_NOT_READ_CATALOG_DATA_FROM_DISK_UNUSED = 30; + INVALID_CATALOG_DATA = 31; + INVALID_PATH_FOR_CATALOG_UNUSED = 32; + ERROR_SERIALIZING_CATALOG = 33; + ERROR_SAVING_CATALOG = 34; + CRX_HASH_VERIFICATION_FAILED = 35; + UNZIP_FAILED = 36; + DIRECTORY_MOVE_FAILED = 37; + CRX_FILE_IS_DELTA_UPDATE = 38; + CRX_EXPECTED_HASH_INVALID = 39; + DEPRECATED_ERROR_PARSING_DNR_RULESET = 40; + ERROR_INDEXING_DNR_RULESET = 41; + CRX_REQUIRED_PROOF_MISSING = 42; + CRX_HEADER_VERIFIED_CONTENTS_UNCOMPRESSING_FAILURE = 43; + MALFORMED_VERIFIED_CONTENTS = 44; + COULD_NOT_CREATE_METADATA_DIRECTORY = 45; + COULD_NOT_WRITE_VERIFIED_CONTENTS_INTO_FILE = 46; + } + + // Reason why extension failed due to failure reason MANIFEST_INVALID. See + // extensions::ManifestInvalidError for more details. + // extensions::ManifestInvalidError is the main enum and this is a + // copy used for reporting purposes. + enum ManifestInvalidError { + MANIFEST_INVALID_ERROR_UNKNOWN = 0; + XML_PARSING_FAILED = 1; + INVALID_XLMNS_ON_GUPDATE_TAG = 2; + MISSING_GUPDATE_TAG = 3; + INVALID_PROTOCOL_ON_GUPDATE_TAG = 4; + MISSING_APP_ID = 5; + MISSING_UPDATE_CHECK_TAGS = 6; + MULTIPLE_UPDATE_CHECK_TAGS = 7; + INVALID_PRODVERSION_MIN = 8; + EMPTY_CODEBASE_URL = 9; + INVALID_CODEBASE_URL = 10; + MISSING_VERSION_FOR_UPDATE_CHECK = 11; + INVALID_VERSION = 12; + BAD_UPDATE_SPECIFICATION = 13; + BAD_APP_STATUS = 14; + } + + // Extended error code if the extension installation failed due to CRX install + // error. See extensions::CrxInstallErrorDetail for more details. + // extensions::CrxInstallErrorDetail is the main enum and this is a + // copy used for reporting purposes. + enum CrxInstallErrorDetail { + CRX_INSTALL_ERROR_DETAIL_UNKNOWN = 0; + CONVERT_USER_SCRIPT_TO_EXTENSION_FAILED = 1; + UNEXPECTED_ID = 2; + UNEXPECTED_VERSION = 3; + MISMATCHED_VERSION = 4; + CRX_ERROR_MANIFEST_INVALID = 5; + INSTALL_NOT_ENABLED = 6; + OFFSTORE_INSTALL_DISALLOWED = 7; + INCORRECT_APP_CONTENT_TYPE = 8; + NOT_INSTALLED_FROM_GALLERY = 9; + INCORRECT_INSTALL_HOST = 10; + DEPENDENCY_NOT_SHARED_MODULE = 11; + DEPENDENCY_OLD_VERSION = 12; + DEPENDENCY_NOT_ALLOWLISTED = 13; + UNSUPPORTED_REQUIREMENTS = 14; + EXTENSION_IS_BLOCKLISTED = 15; + DISALLOWED_BY_POLICY = 16; + KIOSK_MODE_ONLY = 17; + OVERLAPPING_WEB_EXTENT = 18; + CANT_DOWNGRADE_VERSION = 19; + MOVE_DIRECTORY_TO_PROFILE_FAILED = 20; + CANT_LOAD_EXTENSION = 21; + USER_CANCELED = 22; + USER_ABORTED = 23; + UPDATE_NON_EXISTING_EXTENSION = 24; + } + + // Timestamp, in microseconds since epoch. Set for all log + // events. + optional int64 timestamp = 1; + + // Event type. Set for all log events. + optional EventType event_type = 2; + + // Total and available space on the stateful partition, in bytes. Set for + // event types INSTALLATION_FAILED and SUCCESS. + optional int64 stateful_total = 3; + optional int64 stateful_free = 4; + + // Network state. Set for event type SESSION_STATE_CHANGE of type LOGIN and + // CONNECTIVITY_CHANGE. + optional bool online = 5; + + // Type of session state change. Set for event type SESSION_STATE_CHANGE. + optional SessionStateChangeType session_state_change_type = 6; + + // Type of failure reason. Set for event type INSTALLATION_FAILED. + optional FailureReason failure_reason = 7; + + // Stage of installation process. + optional InstallationStage installation_stage = 8; + + // Stage of downloading process. + optional DownloadingStage downloading_stage = 9; + + // Type of the extension. Set for event type SUCCESS and sometimes (when + // possible) for INSTALLATION_FAILED. + optional Extension.ExtensionType extension_type = 10; + + // Type of the current user. + optional UserType user_type = 11; + + // Whether the current user is new. + optional bool is_new_user = 12; + + // Whether the current failure is a admin side miconfiguration failure. Set + // for event type INSTALLATION_FAILED. + optional bool is_misconfiguration_failure = 13; + + // Stage of install creation process. + optional InstallCreationStage install_creation_stage = 14; + + // Status of cache during downloading process. + optional DownloadCacheStatus download_cache_status = 15; + + // Detailed reason why unpacking of extension failed. + optional SandboxedUnpackerFailureReason unpacker_failure_reason = 16; + + // Detailed reason why extension failed due to failure reason + // MANIFEST_INVALID. + optional ManifestInvalidError manifest_invalid_error = 17; + + // Extended error code if the extension installation failed due to CRX install + // error. + optional CrxInstallErrorDetail crx_install_error_detail = 18; + + // Fetch error code when failure_reason is CRX_FETCH_FAILED or + // MANIFEST_FETCH_FAILED. + optional int32 fetch_error_code = 19; + + // Number of fetch tries made when failure reason is CRX_FETCH_FAILED or + // MANIFEST_FETCH_FAILED. + optional int32 fetch_tries = 20; +} + +// A single entry in the push-install log for an app. +message AppInstallReportLogEvent { + // Enumerates the possible event types. + enum EventType { + // Not used. + LOG_EVENT_TYPE_UNKNOWN = 0; + // Request received by device + SERVER_REQUEST = 1; + // Request forwarded to CloudDPC + CLOUDDPC_REQUEST = 2; + // Request forwarded to CloudDPS + CLOUDDPS_REQUEST = 3; + // Response received from CloudDPS + CLOUDDPS_RESPONSE = 4; + // Log line written by Phonesky + PHONESKY_LOG = 5; + // Install success + SUCCESS = 6; + // Request canceled + CANCELED = 7; + // Connectivity state changed + CONNECTIVITY_CHANGE = 8; + // Session state changed + SESSION_STATE_CHANGE = 9; + // Package installation started + INSTALLATION_STARTED = 10; + // Package installation finished + INSTALLATION_FINISHED = 11; + // Package installation failed + INSTALLATION_FAILED = 12; + // Direct install scheduled + DIRECT_INSTALL = 13; + // No more regular attempts to install + CLOUDDPC_MAIN_LOOP_FAILED = 14; + // PlayStore local policy was set + PLAYSTORE_LOCAL_POLICY_SET = 15; + } + + // Enumerates the possible changes in session state. + enum SessionStateChangeType { + // Not used. + SESSION_STATE_CHANGE_TYPE_UNKNOWN = 0; + // Session starting + LOGIN = 1; + // Session ending + LOGOUT = 2; + // Suspending + SUSPEND = 3; + // Resuming + RESUME = 4; + } + + // Timestamp, in microseconds since epoch. Set for all log + // events. + optional int64 timestamp = 1; + + // Event type. Set for all log events. + optional EventType event_type = 2; + + // Total and available space on the stateful partition, in bytes. Set for + // event types SERVER_REQUEST, CLOUDDPS_RESPONSE, INSTALLATION_STARTED, + // INSTALLATION_FINISHED, INSTALLATION_FAILED and SUCCESS. + optional int64 stateful_total = 3; + optional int64 stateful_free = 4; + + // CloudDPS response. Set for event type CLOUDDPS_RESPONSE. + optional int32 clouddps_response = 5; + + // Log line written by Phonesky. Set for event type PHONESKY_LOG. + optional string phonesky_log = 6; + + // Network state. Set for event type SESSION_STATE_CHANGE of type LOGIN and + // CONNECTIVITY_CHANGE. + optional bool online = 7; + + // Type of session state change. Set for event type SESSION_STATE_CHANGE. + optional SessionStateChangeType session_state_change_type = 8; + + // ARC++ Android id. + optional int64 android_id = 9; +} + +// Log bucket for an extension. +message ExtensionInstallReport { + // Extension id for the extension. + optional string extension_id = 1; + + // Whether the log is incomplete, e.g. due to the log ring buffer overflowing + // or disk corruption. + optional bool incomplete = 2; + + // Log events for the extension. + repeated ExtensionInstallReportLogEvent logs = 3; +} + +// Log bucket for an ARC++ app. +message AppInstallReport { + // Package name of the app. + optional string package = 1; + + // Whether the log is incomplete, e.g. due to the log ring buffer overflowing + // or disk corruption. + optional bool incomplete = 2; + + // Log events for the app. + repeated AppInstallReportLogEvent logs = 3; +} + +// Push-install logs for all ARC++ apps. +message AppInstallReportRequest { + // Log buckets for each app. + repeated AppInstallReport app_install_reports = 1; +} + +// Installation logs for all extensions. +message ExtensionInstallReportRequest { + // Log buckets for each extension. + repeated ExtensionInstallReport extension_install_reports = 1; +} + +// Response from server after receiving a report on the status of app +// push-installs. +message AppInstallReportResponse {} + +// Request from device to stop using a previously issued service account. +// The identity of a freshly-issued service account will be returned by a +// subsequent device policy fetch (see the |service_account_identity| field in +// |PolicyData| and auth codes tied to the new service account can be retrieved +// by subsequent |DeviceServiceApiAccessRequest| requests. +message RefreshAccountRequest { + enum AccountType { + ACCOUNT_TYPE_UNSPECIFIED = 0; + + // Refresh demo mode user account. + // See go/cros-demo-mode and go/demo-mode-account-brainstorm. + CHROME_OS_DEMO_MODE = 1; + } + + optional AccountType account_type = 1; +} + +// Response from server after receiving a request to refresh the service +// account. +message RefreshAccountResponse {} + +// Request from device to upload RSU lookup key. +message RsuLookupKeyUploadRequest { + // Google brand code for the given device SKU. + optional bytes board_id = 1; + + // Hashed Cr50 device ID. + optional bytes cr50_hashed_device_id = 2; +} + +// Response to {@code RsuLookupKeyUploadRequest}. +message RsuLookupKeyUploadResponse { + // Whether RSU lookup key was received. + optional bool rsu_lookup_key_updated = 1; +} + +// Information about an eSIM profile installed on an EUICC (Embedded Universal +// Integrated Circuit Card). +message ESimProfileInfo { + // ICCID of the eSIM profile. Up to 22 decimal digits encoded as ASCII string. + // Example: 3554020401587593554020. + optional string iccid = 1; + + // SM-DP+ (Subscription Manager - Data Preparation) activation code that was + // used to install this eSIM profile. The "address" terminology is historical + // since the string is not strictly just an address. This field should be + // considered mutually exclusive with |smds_address|. Up to 255 characters + // encoded as UTF8 string. + // Example: LPA:1$esim.example.com$matchingId + optional string smdp_address = 2; + + // SM-DS (Subscription Manager - Discovery Service) activation code that was + // used to install this eSIM profile. The "address" terminology is historical + // since the string is not strictly just an address. This field should be + // considered mutually exclusive with |smdp_address|. Up to 255 characters + // encoded as UTF8 string. + // Example: LPA:1$esim.example.com$ + optional string smds_address = 3; + + // The name of the policy-defined network that resulted in the installation of + // this eSIM profile. This metadata is required to guarantee that multiple + // policy-defined networks that are configured with the same activation code + // are handled correctly, and will result in the appropriate number of eSIM + // profiles being installed. + optional string name = 4; +} + +// Request from device to server to update information about EUICCs +// on the device. +message UploadEuiccInfoRequest { + // Number of EUICCs on the device. + optional uint32 euicc_count = 1; + + // List of policy provisioned eSIM profiles on the device. + repeated ESimProfileInfo esim_profiles = 2; + + // A boolean flag which indicates that the list of eSim profiles was cleared. + // We use this differentiate between intentionally empty profile list(after + // cleanup) or not yet provisioned one. + // On the server, we would ignore requests where |esim_profiles| is empty + // if |clear_profile_list| is not set to |true| to not accidentally clear the + // values previously stored for this device(which can happen in a case of + // device being in after-powerwash state, for example). + optional bool clear_profile_list = 3; +} + +// Response from server to device for EUICC status update. +message UploadEuiccInfoResponse {} + +// An event used for reporting when a new print job has completed. +message PrintJobEvent { + message PrintJobConfiguration { + // The ID of the job. This and the device ID uniquely identify a print job + // in enterprise reporting. + optional string id = 1; + + // The name of the document. + optional string title = 2; + + // The final status of the job. + optional int32 status = 3; + + // The time the print job was created in milliseconds since epoch. + optional int64 creation_timestamp_ms = 4; + + // The time the print job was completed in milliseconds since epoch. + optional int64 completion_timestamp_ms = 5; + + // The number of pages in the document. + optional int32 number_of_pages = 6; + + // The settings of the print job. + optional PrintSettings settings = 7; + } + + enum UserType { + UNKNOWN_USER_TYPE = 0; + REGULAR = 1; + GUEST = 2; + KIOSK = 3; + } + + message Printer { + // Displayed name of the printer in the client. + optional string name = 1; + + // URI of the printer, which serves as a unique identifier. + optional string uri = 2; + + // Printer ID. + optional string id = 3; + } + + // The finishing settings of the print job. + message PrintSettings { + enum ColorMode { + UNKNOWN_COLOR_MODE = 0; + BLACK_AND_WHITE = 1; + COLOR = 2; + } + + enum DuplexMode { + UNKNOWN_DUPLEX_MODE = 0; + ONE_SIDED = 1; + TWO_SIDED_LONG_EDGE = 2; + TWO_SIDED_SHORT_EDGE = 3; + } + + message MediaSize { + // Width (in micrometers) + optional int32 width = 1; + + // Height (in micrometers) + optional int32 height = 2; + + // Platform specific id to map it back to the particular media. + optional string vendor_id = 3; + } + + optional ColorMode color = 1; + + optional DuplexMode duplex = 2; + + optional MediaSize media_size = 3; + + optional int32 copies = 4; + } + + optional PrintJobConfiguration job_configuration = 1; + + optional UserType user_type = 2; + + optional Printer printer = 3; +} + +// Provides information about an installed app. +message App { + // Enum listing the available types of the apps. + // Aligned with apps::mojom::AppType. + enum AppType { + // Unknown/undefined. + UNKNOWN = 0; + // ARC++/Android app. + ARC = 1; + // Built-in app. + BUILT_IN = 2; + // Linux/crostini app. + CROSTINI = 3; + // Chrome extension. + EXTENSION = 4; + // Progressive web app. + WEB = 5; + // Plugin VM app. + PLUGIN_VM = 6; + // Borealis VM app. + BOREALIS = 7; + // Bruschetta VM app. + BRUSCHETTA = 8; + } + + // ID of the installed application. Package name for Android apps and 32 + // character long app id for other applications (PWAs, Extensions, Built-in + // apps). + optional string app_id = 1; + + // Type of the application. + optional AppType app_type = 2; + + // Additional IDs of the installed application if exist. + // For example it will contain Chrome style 32 character long ids for Android + // apps, that use package name as their primary ID. + repeated string additional_app_id = 3; +} + +// Information about app activity used for Per-App Time Limits feature. +message AppActivity { + // Enumerates different states that the app can have. + enum AppState { + // State not known. + UNKNOWN = 0; + // Default state - no restrictions enforced. + DEFAULT = 1; + // Important app that cannot be blocked, because it is essential for the OS. + ALWAYS_AVAILABLE = 2; + // App blocked on the client. + BLOCKED = 3; + // App reached usage limit on the client. + LIMIT_REACHED = 4; + // App was uninstalled. It still might have some recent unreported activity. + UNINSTALLED = 5; + } + + // App identifying information. + optional App app_info = 1; + + // A list of time periods when the app was active. + repeated TimePeriod active_time_periods = 2; + + // Timestamp when this activity data were populated. + // Specified in milliseconds since Epoch in UTC timezone (Java time). + optional int64 populated_at = 3; + + // State of the app on client at the time of reporting. To maintain + // consistency and help debugging between client and Family Link. + optional AppState app_state = 4; +} + +// Models a window for screen time. +message ScreenTimeSpan { + optional TimePeriod time_period = 1; + + // The actual activity duration during a particular time period window + // (in milliseconds). + optional int64 active_duration_ms = 2; +} + +// Informs the server about the current state of a child user's session, to +// allow parent supervision. +message ChildStatusReportRequest { + // The user's DMToken. + optional string user_dm_token = 1; + + // Timestamp of this status report in milliseconds since epoch. + optional int64 timestamp_ms = 2; + + // Time zone id of the active user (e.g. America/Sao_Paulo). + // For more details check `third_party/icu/source/i18n/unicode/timezone.h`. + optional string time_zone = 3; + + // A list of time spans when the screen was on during the user's session. + repeated ScreenTimeSpan screen_time_span = 4; + + // Information about ARC status. + optional AndroidStatus android_status = 5; + + // The OS version reported by the device is a platform version + // e.g. 1435.0.2011_12_16_1635. + optional string os_version = 6; + + // "Verified", "Dev". Same as verified mode. + // If the mode is unknown, this field should not be set. + optional string boot_mode = 7; + + // A list of per-app activity used for Per-App Time Limits feature. + // It might not be sent in every report. + repeated AppActivity app_activity = 8; + + // A list of applications which are hidden from the user. + repeated App hidden_app = 9; + + // Next id: 10. +} + +// Response from DMServer to update user devices' status. +// It is possible that status report fails but policy request succeed. In such +// case, the ChildStatusReportResponse will contain an error code and the +// device should re-send status report data in the next policy request. The +// device should re-send report data if policy request fails, even if +// ChildStatusReportResponse contains no error code. +message ChildStatusReportResponse { + optional int32 error_code = 1; + + // Human readable error message for customer support purpose. + optional string error_message = 2; +} + +// Hashing Algorithm for Client Certificate Provisioning Flow. +enum HashingAlgorithm { + // DO NOT USE + HASHING_ALGORITHM_UNSPECIFIED = 0; + + SHA1 = 1; + SHA256 = 2; + + // Do not hash the input data - assume it is input to the signature algorithm. + // The client supports this starting with M-89. + // + // For SigningAlgorithm RSA_PKCS1_V1_5, the client will perform PKCS#1 v1.5 + // padding on `data_to_sign`. `data_to_sign` is expected to already contain a + // PKCS#1 DigestInfo prefix - the client will not attempt to add such a + // prefix. Also `data_to_sign` must be shorter than (key_size-11) bytes. If no + // other key size was specified in the + // RequiredClientCertificateFor{User,Device} policy, 2048 bits is assumed. + NO_HASH = 3; +} + +// Signing Algorithm for Client Certificate Provisioning Flow. +enum SigningAlgorithm { + // DO NOT USE + SIGNING_ALGORITHM_UNSPECIFIED = 0; + + RSA_PKCS1_V1_5 = 1; +} + +// Client Certificate Provisioning "Static" Flow, Stage 1: Start a CSR request. +// No additional fields because cert_profile_id and public_key are passed in the +// outer message. +message StartCsrRequest {} + +message StartCsrResponse { + // The client should register for FCM messages using this topic in order to + // receive notifications for the certificate provisioning process. + optional string invalidation_topic = 1; + + // The verified access challenge. + optional bytes va_challenge = 2; + + // Algorithm to hash data with before signing. + optional HashingAlgorithm hashing_algorithm = 5; + + // Algorithm to sign data with for CSR creation. + optional SigningAlgorithm signing_algorithm = 3; + + // Data to sign for CSR creation. + optional bytes data_to_sign = 4; +} + +// Client Certificate Provisioning "Static" Flow, Stage 2: Finish the CSR +// request. +message FinishCsrRequest { + // Verified access challenge response. + optional bytes va_challenge_response = 1; + + // The signature generated using the private key. + optional bytes signature = 2; +} + +message FinishCsrResponse {} + +// Client Certificate Provisioning "Static" Flow, Stage 3: Download the issued +// certificate. +message DownloadCertRequest {} + +message DownloadCertResponse { + // PEM-encoded issued certificate. + optional string pem_encoded_certificate = 1; +} + +// "Dynamic" flow: Used to start a cerificate provisioning process. +message CertProvStartRequest {} + +message CertProvStartResponse { + // The client should register for FCM messages using this topic in order to + // receive notifications for the certificate provisioning process. + optional string invalidation_topic = 1; +} + +// "Dynamic" flow: Used to fetch the next instruction that the client should +// process. +message CertProvGetNextInstructionRequest {} + +message CertProvGetNextInstructionResponse { + // One of the instructions must be filled. + // If no instruction is available yet, the server should respond with a + // `CertProvBackendError` instead of a `CertProvGetNextInstructionResponse`. + oneof instruction { + CertProvAuthorizeInstruction authorize_instruction = 1; + CertProvProofOfPossessionInstruction proof_of_possession_instruction = 2; + CertProvImportCertificateInstruction import_certificate_instruction = 3; + } +} + +// "Dynamic" flow: Used to authorize the client, currently using a Verified +// Access challenge response. +// The client should send this request after it received a +// `CertProvAuthorizeInstruction`. +message CertProvAuthorizeRequest { + // Verified access challenge response. + optional bytes va_challenge_response = 1; +} + +message CertProvAuthorizeResponse {} + +// "Dynamic" flow: Upload the result of a `ProofOfPossessionInstruction`. +message CertProvUploadProofOfPossessionRequest { + // A client-generated cryptographic signature proving the possession of the + // client's private key. + // The signing key is the client-owned private key corresponding to + // `ClientCertificateProvisioningRequest.public_key`. + // The signed data has been previously delivered by the server in + // `CertProvProofOfPossessionInstruction.data_to_sign`. + // The hashing and signing algorithms have been previously delivered by the + // server in the `hashing_algorithm` and `signing_algorithm` fields of + // `CertProvProofOfPossessionInstruction`. + optional bytes signature = 1; +} + +message CertProvUploadProofOfPossessionResponse {} + +// The client should perform an authorization step. +message CertProvAuthorizeInstruction { + // The verified access challenge. + optional bytes va_challenge = 1; +} + +// The client should provide a proof-of-possession signature generated using +// the private key. +message CertProvProofOfPossessionInstruction { + // Data to sign for CSR creation. + // Depending on the `signature_algorithm` this may either contain the PKCS#1 + // DigestInfo in DER format (note that it must be shorter than (key_size-11) + // bytes) or unhashed data. The client must process `data_to_sign` according + // to the specified `signature_algorithm`, see comments in the + // `CertProvSignatureAlgorithm` enum for more details. + optional bytes data_to_sign = 1; + + // The signature algorithm that the client uses to process `data_to_sign`. + // This defines both the hashing and signing algorithm the client should use. + optional CertProvSignatureAlgorithm signature_algorithm = 2; +} + +// The algorithm that the client should use / has used to sign data using its +// private key for proof-of-posession. +enum CertProvSignatureAlgorithm { + // Default value. This value is unused. + SIGNATURE_ALGORITHM_UNSPECIFIED = 0; + + // The server-side builds the PKCS#1 DigestInfo, i.e., the SHA256 hash + // is constructed on the server-side. The client should sign using RSA + // with PKCS#1 v1.5 padding. If no other key size was specified in the + // RequiredClientCertificateFor{User,Device} policy, 2048 bits is assumed. + SIGNATURE_ALGORITHM_RSA_PKCS1_V1_5_NO_HASH = 1; +} + +// The client should import an issued certificate. +message CertProvImportCertificateInstruction { + // PEM-encoded issued certificate. + optional string pem_encoded_certificate = 1; +} + +// Start / continue client certificate provisioning process for the profile +// `cert_profile_id`. +message ClientCertificateProvisioningRequest { + reserved 9 to 11; + // The id that uniquely identifies a certificate provisioning process. + optional string certificate_provisioning_process_id = 16; + + // The scope of the certificate. Similar to policy_type in PolicyFetchRequest. + // google/chromeos/device => a certificate for a device is being requested. + // google/chromeos/user => a certificate for a user is being requested. + optional string certificate_scope = 1; + + // The id of the client certificate profile, specified in the policy. + optional string cert_profile_id = 2; + + // The public key for which the certificate should be issued. It's a + // DER-serialized X.509 SubjectPublicKeyInfo. + optional bytes public_key = 3; + + // Only filled if this is a request for a certificate for a user + optional string device_dm_token = 4; + + oneof request { + // "Static" flow + // (go/chromeos-mgmt-cert-provisioning#heading=h.mh0xyf2o1ums). + StartCsrRequest start_csr_request = 5; + FinishCsrRequest finish_csr_request = 6; + DownloadCertRequest download_cert_request = 7; + + // "Dynamic" flow (go/cert-prov-api-dm-changes) + CertProvStartRequest start_request = 12; + CertProvGetNextInstructionRequest get_next_instruction_request = 13; + CertProvAuthorizeRequest authorize_request = 14; + CertProvUploadProofOfPossessionRequest upload_proof_of_possession_request = + 15; + } + + // Received as part of policy for client certificate profiles. The client + // should not interpret this data and should forward it verbatim. DMServer + // uses `policy_version` as a hint to verify that the policy view of DMServer + // matches the view of Chrome OS device. + optional bytes policy_version = 8; +} + +// This marks an error between ChromeOS client and backend, including those +// involving the Certificate Authority or a Connector software. +// These could be mapped to HTTP error codes, but reuse of HTTP error codes was +// deemed confusing and difficult in the existing device management protocol +// (see existing usage of HTTP error codes described in the +// `DeviceManagementResponse` comment). +message CertProvBackendError { + // If a new error code is added to the enum and used by the DM Server to + // propagate an error, ChromeOS clients running older versions + // will not be aware of the new error code. As proto2 is using closed enums, + // accessing such an unknown enum field returns the enum's default value + // which is the first defined enum value, i.e., `ERROR_UNSPECIFIED`. ChromeOS + // clients treat this error by marking the associated certificate provisioning + // process as failing. + enum Error { + ERROR_UNSPECIFIED = 0; + // The attempted request is invalid in the current state of the certificate + // provisioning process. + INVALID_OPERATION = 1; + // The client has sent inconsistent data. This can happen if the client has + // outdated policy. + INCONSISTENT_DATA = 2; + // The identity of the client could not be verified. + IDENTITY_VERIFICATION_ERROR = 3; + // The Certificate Provisioning Process (CPP) already exists and cannot be + // started again. + CPP_ALREADY_EXISTS = 4; + // The backend does not accept the public key sent by the client. + BAD_PUBLIC_KEY = 5; + // The signature provided by the client is invalid. + INVALID_SIGNATURE = 6; + // The next instruction on how to proceed in the certificate provisioning + // protocol is not yet available. + INSTRUCTION_NOT_YET_AVAILABLE = 7; + // The CA did not respond within the deadline. + CA_UNAVAILABLE = 8; + // The CA exhibited an internal server error. + CA_FAILURE = 9; + // The referenced certificate provisioning profile does not exist. + PROFILE_NOT_FOUND = 10; + // The user primary email cannot be found. + USER_PRIMARY_EMAIL_NOT_FOUND = 11; + // The certificate provisioning profile is referencing a non-existent CA + // connection. + CA_CONNECTION_NOT_FOUND = 12; + // The CA connection referenced by the certificate provisioning profile + // is referencing a non-existent PubSub topic, or the system does not have + // permission to publish to that PubSub topic. + PUBSUB_TOPIC_NOT_FOUND = 13; + // The Adapter uploaded a certificate that cannot be parsed or was issued + // for a wrong public key. + BAD_ADAPTER_CERTIFICATE_RECEIVED = 14; + // The requested certificate provisioning process cannot be found on + // Spanner. + CERTIFICATE_PROVISIONING_PROCESS_NOT_FOUND = 15; + } + + // The specific error type. + optional Error error = 1; + + // A debug message that could be useful for understanding the error. + optional string debug_message = 2; +} + +// Response for ClientCertificateProvisioningRequest. +message ClientCertificateProvisioningResponse { + reserved 6; + + // Error conditions that the server side reports to the client that don't fit + // into the standard HTTP error schema. + // Note that HTTP errors can still be signaled for the client certificate + // provisioning requests, e.g. bad DMToken or internal errors will be + // propagated as HTTP errors. + enum Error { + UNDEFINED = 0; + // The backend has not received a certificate within the time limit. + TIMED_OUT = 1; + // The identity of the client could not be verified. + IDENTITY_VERIFICATION_ERROR = 2; + // The CA encountered an error when processing the certification request. + CA_ERROR = 3; + // The client has sent inconsistent data. + INCONSISTENT_DATA = 4; + // The backend does not accept the public key sent by the client. + BAD_PUBLIC_KEY = 5; + // The leaf CA certificate specified by the admin is invalid. + BAD_CA_CERTIFICATE_SPECIFIED = 6; + // The certificate received from the certificate enrollment agent cannot be + // parsed or is not issued by the leaf CA certificate specified by the + // admin. + BAD_CLIENT_CERTIFICATE_RECEIVED = 7; + // The CSR signature provided by the client is invalid. + INVALID_CSR_SIGNATURE = 8; + // A certificate signing request for the same public key has already been + // sent. + CSR_ALREADY_SENT = 9; + } + + // If filled, the request can currently not be processed and the client + // is supposed to try again later using the same data. + // The value is the number of milliseconds when the client should + // automatically retry. + // Used in "Static" flow only. + optional int64 try_again_later = 1; + + oneof response { + // Used in "Static" flow. + Error error = 2; + StartCsrResponse start_csr_response = 3; + FinishCsrResponse finish_csr_response = 4; + DownloadCertResponse download_cert_response = 5; + + // Used in "Dynamic" flow. + CertProvStartResponse start_response = 7; + CertProvGetNextInstructionResponse get_next_instruction_response = 8; + CertProvAuthorizeResponse authorize_response = 9; + CertProvUploadProofOfPossessionResponse + upload_proof_of_possession_response = 10; + CertProvBackendError backend_error = 11; + } +} + +// Request from browser to server to upload public key. +// GoogleDMToken MUST be in HTTP Authorization header. +message BrowserPublicKeyUploadRequest { + enum KeyTrustLevel { + // UNSPECIFIED. + KEY_TRUST_LEVEL_UNSPECIFIED = 0; + // Chrome Browser with the key stored in the device hardware. + CHROME_BROWSER_HW_KEY = 1; + // Chrome Browser with the key stored at OS level. + CHROME_BROWSER_OS_KEY = 2; + } + + enum KeyType { + KEY_TYPE_UNSPECIFIED = 0; + RSA_KEY = 1; + EC_KEY = 2; + } + + // Public key in EC_NID_X9_62_PRIME256V1_PUBLIC_DER format. + optional bytes public_key = 1; + + // Signature of the new public key signed using the existing key, empty for + // initial upload. + optional bytes signature = 2; + + // Trust Level of the key. + optional KeyTrustLevel key_trust_level = 3; + + // Type of the key. + optional KeyType key_type = 4; + + // Whether the server should create a client certificate for that public key + // and return it as part of the response or not. + optional bool provision_certificate = 5; +} + +// Response from server to device for cert upload request. +message BrowserPublicKeyUploadResponse { + enum ResponseCode { + UNDEFINED = 0; + // The new key is uploaded successfully. + SUCCESS = 1; + // The signature could not be verified. + INVALID_SIGNATURE = 2; + } + optional ResponseCode response_code = 1; + + // If the request had `provision_certificate` as true, this property will + // contain the X.509 client certificate in PEM format. + optional string pem_encoded_certificate = 2; +} + +// Upload request for Firebase Messaging token to communicate registration token +// to the server. The response message will be +// `FmRegistrationTokenUploadResponse`. +// See go/cros-invalidation-with-direct-messaging. +message FmRegistrationTokenUploadRequest { + // Scope of the uploaded token. + enum TokenType { + DEVICE = 0; + BROWSER = 1; + USER = 2; + } + + optional string token = 1; + // Invalidation protocol version that uploader currently supports. + optional int64 protocol_version = 2; + // Scope of the uploaded token. + optional TokenType token_type = 3; + // Token's expiration timestamp in milliseconds since Epoch in UTC timezone + // (Java time). + optional int64 expiration_timestamp_ms = 4; +} + +// Response to `FmRegistrationTokenUploadRequest`. +message FmRegistrationTokenUploadResponse {} + +// Additional detail about the error which can be used to clarify user messaging +// around the error or to influence Chrome's error-handling behavior. +enum DeviceManagementErrorDetail { + NO_ERROR_DETAIL = 0; + + // Only valid for CBCM browser DEVICE_NOT_FOUND errors. Indicates that the + // DMToken should be deleted entirely from its storage location. + CBCM_DELETION_POLICY_PREFERENCE_DELETE_TOKEN = 1; + + // Only valid for CBCM browser DEVICE_NOT_FOUND errors. Indicates that the + // DMToken should be invalidated, preventing device re-enrollment. + CBCM_DELETION_POLICY_PREFERENCE_INVALIDATE_TOKEN = 2; +} + +// Request from the DMAgent on the device to the DMServer. This is +// container for all requests from device to server. The overall HTTP +// request MUST be in the following format: +// +// * HTTP method is POST +// * Data mime type is application/x-protobuffer +// * See GoogleContentTypeEnum.java +// * HTTP parameters are (all required, all case sensitive): +// * request: MUST BE one of +// * api_authorization +// * cert_upload +// * check_device_pairing +// * device_pairing +// * device_state_retrieval +// * enterprise_check +// * enterprise_psm_check +// * chrome_desktop_report +// * chrome_os_user_report +// * policy +// * register +// * status_upload +// * unregister +// * remote_commands +// * attribute_update_permission +// * attribute_update +// * gcm_id_update +// * check_android_management +// * certificate_based_register +// * active_directory_enroll_play_user +// * active_directory_play_activity +// * active_directory_user_signin +// * register_browser +// * policy_validation_report +// * device_initial_enrollment_state +// * refresh_account +// * client_cert_provisioning +// * browser_public_key_upload +// * upload_euicc_info +// * devicetype: MUST BE "1" for Android, "2" for Chrome OS or "3" for Chrome +// browser. +// * apptype: MUST BE Android or Chrome. +// * deviceid: MUST BE no more than 64-char in [\x21-\x7E]. +// * agent: MUST BE no more than 64-char long. +// * HTTP Authorization header MUST be in the following formats: +// * For register for Chrome browsers and token_based_register requests. +// Authorization: GoogleEnrollmentToken token= +// +// * For unregister, policy, status, cert_upload, remote_commands, +// gcm_id_update, active_directory_enroll_play_user, +// active_directory_play_activity, active_directory_user_signin, +// policy_validation_report, chrome_desktop_report, +// chrome_os_user_report, refresh_account, client_cert_provisioning, +// api_authorization requests +// Authorization: GoogleDMToken token= +// +// * The Authorization header isn't used for enterprise_check, +// enterprise_psm_check, device_initial_enrollment_state or +// certificate_based_register requests. +// It is also not used for register requests and check_android_management +// requests - for these requests, the OAuth token is passed in the "oauth" +// HTTP query parameter. +// +// DeviceManagementRequest should only contain one request which matches the +// HTTP query parameter - request, as mentioned in comments on the fields of the +// message. Other requests within the container will be ignored. +message DeviceManagementRequest { + reserved 24; // unused previous version of chrome_desktop_report_request. + + // Register request. + // HTTP query parameter 'request': 'register' + optional DeviceRegisterRequest register_request = 1; + + // Unregister request. + // HTTP query parameter 'request': 'unregister' + optional DeviceUnregisterRequest unregister_request = 2; + + // Policy request. + // HTTP query parameter 'request': 'policy' + optional DevicePolicyRequest policy_request = 3; + + // Update status. + // HTTP query parameter 'request': 'status' + // (this applies to all of the following three fields, and they can all be + // present in the same request). + optional DeviceStatusReportRequest device_status_report_request = 4; + optional SessionStatusReportRequest session_status_report_request = 5; + optional ChildStatusReportRequest child_status_report_request = 30; + + // Auto-enrollment detection. + // HTTP query parameter 'request': 'enterprise_check' + optional DeviceAutoEnrollmentRequest auto_enrollment_request = 6; + + // EMCert upload (for remote attestation) + // HTTP query parameter 'request': 'cert_upload' + optional DeviceCertUploadRequest cert_upload_request = 7; + + // Request for OAuth2 authorization codes to access Google services. + // HTTP query parameter 'request': 'api_authorization' + optional DeviceServiceApiAccessRequest service_api_access_request = 8; + + // Device-state retrieval. + // HTTP query parameter 'request': 'device_state_retrieval' + optional DeviceStateRetrievalRequest device_state_retrieval_request = 9; + + // Device state key update. + // HTTP query parameter 'request': 'policy' + optional DeviceStateKeyUpdateRequest device_state_key_update_request = 10; + + // Pair two devices. + // HTTP query parameter 'request': 'device_pairing' + optional DevicePairingRequest device_pairing_request = 11; + + // Check if two devices are paired. + // HTTP query parameter 'request': 'check_device_pairing' + optional CheckDevicePairingRequest check_device_pairing_request = 12; + + // Remote command fetching. + // HTTP query parameter 'request': 'remote_commands' + optional DeviceRemoteCommandRequest remote_command_request = 13; + + // Check permission for updating device attribute. + // HTTP query parameter 'request': 'attribute_update_permission' + optional DeviceAttributeUpdatePermissionRequest + device_attribute_update_permission_request = 14; + + // Update device attribute. + // HTTP query parameter 'request': 'attribute_update' + optional DeviceAttributeUpdateRequest device_attribute_update_request = 15; + + // Update the GCM id to device_id mapping. + // HTTP query parameter 'request': 'gcm_id_update' + optional GcmIdUpdateRequest gcm_id_update_request = 16; + + // Check if user is a managed Android-for-Work user with DPC enforcement. + // HTTP query parameter 'request': 'check_android_management' + optional CheckAndroidManagementRequest check_android_management_request = 17; + + // Request to register with a registration certificate. + // HTTP query parameter 'request': 'certificate_based_register' + optional CertificateBasedDeviceRegisterRequest + certificate_based_register_request = 18; + + // Gets an enrollment token to a Managed Google Play Account for using it with + // Active Directory. + // HTTP query parameter 'request': 'active_directory_enroll_play_user' + optional ActiveDirectoryEnrollPlayUserRequest + active_directory_enroll_play_user_request = 19; + + // Reports that a Play account is used. + // HTTP query parameter 'request': 'active_directory_play_activity' + optional ActiveDirectoryPlayActivityRequest + active_directory_play_activity_request = 20; + + // Request device license information. + optional CheckDeviceLicenseRequest check_device_license_request_deprecated = + 21 [deprecated = true]; + + // Initiate an Active Directory user signin. + // HTTP query parameter 'request': 'active_directory_user_signin' + optional ActiveDirectoryUserSigninRequest + active_directory_user_signin_request = 22; + + // Request to register a browser independently of its users. + // HTTP query parameter 'request': 'register_browser' + optional RegisterBrowserRequest register_browser_request = 23; + + // A report on the status of app push-installs. + // HTTP query parameter 'request': 'app_install_report' + optional AppInstallReportRequest app_install_report_request = 25; + + // A Chrome desktop report request. + // HTTP query parameter 'request': 'chrome_desktop_report' + optional ChromeDesktopReportRequest chrome_desktop_report_request = 26; + + // Result of validating fetched policy on the client. + // HTTP query parameter 'request': 'policy_validation_report' + optional PolicyValidationReportRequest policy_validation_report_request = 27; + + // Query for initial enrollment details. + // HTTP query parameter 'request': 'device_initial_enrollment_state' + optional DeviceInitialEnrollmentStateRequest + device_initial_enrollment_state_request = 28; + + // Request from device to wipe an old account and get a new account. + // HTTP query parameter 'request': 'refresh_account' + optional RefreshAccountRequest refresh_account_request = 29; + + // Request from device to upload RSU lookup key. + // TODO(crbug.com/40210185): seems unused + optional RsuLookupKeyUploadRequest rsu_lookup_key_upload_request = 31; + + // Request from device for SAML IdP URL address. + // HTTP query parameter 'request': 'public_saml_user_request' + optional PublicSamlUserRequest public_saml_user_request = 32; + + // A ChromeOS user report request. + // HTTP query parameter 'request': 'chrome_os_user_report' + optional ChromeOsUserReportRequest chrome_os_user_report_request = 33; + + // Request to start / continue client certificate provisioning process. + // HTTP query parameter 'request': 'client_cert_provisioning' + optional ClientCertificateProvisioningRequest + client_certificate_provisioning_request = 34; + + // A report on the status of extension install process. + // TODO(crbug.com/40210185): seems unused. + optional ExtensionInstallReportRequest extension_install_report_request = 35; + + // Request to check user account for smart enrollment. + // HTTP query parameter 'request': 'check_user_account' + optional CheckUserAccountRequest check_user_account_request = 36; + + // Request from device to check the state stored in PSM. Currently, it is used + // for ZTE/LP device initial enrollment state check. + // HTTP query parameter 'request': 'enterprise_psm_check' + optional PrivateSetMembershipRequest private_set_membership_request = 37; + + // Request from browser to upload public key. + // HTTP query parameter 'request': 'browser_public_key_upload' + optional BrowserPublicKeyUploadRequest browser_public_key_upload_request = 38; + + // Request to upload info about eSIM provisioning. + // HTTP query parameter 'request': 'upload_euicc_info' + optional UploadEuiccInfoRequest upload_euicc_info_request = 39; + + // Request to upload profile usage information. + // HTTP query parameter 'request': 'chrome_profile_report' + optional ChromeProfileReportRequest chrome_profile_report_request = 40; + + // Request to register a device with an enrollment token. + // HTTP query parameter 'request': 'token_based_register' + optional TokenBasedDeviceRegisterRequest token_based_device_register_request = + 41; + + optional FmRegistrationTokenUploadRequest + fm_registration_token_upload_request = 42; + + // Next id: 43. +} + +// Response from server to device. +// +// For release clients, DMServer returns errors using HTTP Status Code, so that +// clients only need to check one place for all error codes. It is also easier +// to perform log analysis and customer support since HTTP Status Code is easily +// visible in the logs. +// +// Possible HTTP status codes: +// 200 OK: valid response is returned to client. +// 400 Bad Request: invalid argument or payload. +// 401 Unauthorized: invalid auth cookie/OAuth token, DMToken or enrollment +// token. +// 402 Missing license. +// 403 Forbidden: device management is not allowed (e.g. user may not enroll). +// 404 Not Found: the request URL is invalid. +// 405 Invalid serial number. +// 406 Domain mismatch (e.g. device is enrolling into the wrong domain, should +// force-re-enroll into another domain). +// 409 Device id conflict. +// 410 Device Not Found: the device id is not found. +// 412 Pending approval. Used with ClientCertificateProvisioningRequest to +// indicate that a certificate has not been issued yet. +// 413 Request payload too large. +// 417 Consumer (non-dasher) account can not enroll with packaged license. +// 429 Too many requests. +// 500 Internal Server Error: most likely a bug in DM server. +// 503 Service Unavailable: most likely a backend error. +// 902 Policy Not Found: the policy is not found. +// 903 Deprovisioned: the device has been deprovisioned. +// 904 Arc Disabled: ARC is not enabled on the domain. +// 905 Can not enroll packaged license device to domainless customer. +// 906 TOS has not been accepted by customer. +// 907 Illegal account for packaged EDU license. +message DeviceManagementResponse { + reserved 1, 24; + + // Error message. + optional string error_message = 2; + + // Additional details about the error message. + repeated DeviceManagementErrorDetail error_detail = 39; + + // Register response + optional DeviceRegisterResponse register_response = 3; + + // Unregister response + optional DeviceUnregisterResponse unregister_response = 4; + + // Policy response. + optional DevicePolicyResponse policy_response = 5; + + // Update status report response. + optional DeviceStatusReportResponse device_status_report_response = 6; + optional SessionStatusReportResponse session_status_report_response = 7; + optional ChildStatusReportResponse child_status_report_response = 29; + + // Auto-enrollment detection response. + optional DeviceAutoEnrollmentResponse auto_enrollment_response = 8; + + // EMCert upload response. + optional DeviceCertUploadResponse cert_upload_response = 9; + + // Response to OAuth2 authorization code request. + optional DeviceServiceApiAccessResponse service_api_access_response = 10; + + // Device-state retrieval. + optional DeviceStateRetrievalResponse device_state_retrieval_response = 11; + + // Response to device pairing request. + optional DevicePairingResponse device_pairing_response = 12; + + // Response to check device pairing request. + optional CheckDevicePairingResponse check_device_pairing_response = 13; + + // Response to remote command request. + optional DeviceRemoteCommandResponse remote_command_response = 14; + + // Response to check device attribute update permission. + optional DeviceAttributeUpdatePermissionResponse + device_attribute_update_permission_response = 15; + + // Response to update device attribute. + optional DeviceAttributeUpdateResponse device_attribute_update_response = 16; + + // Response to GCM id update request. + optional GcmIdUpdateResponse gcm_id_update_response = 17; + + // Response to check Android management request. + optional CheckAndroidManagementResponse check_android_management_response = + 18; + + // Response to an Active Directory Play user enrollment request. + optional ActiveDirectoryEnrollPlayUserResponse + active_directory_enroll_play_user_response = 19; + + // Response to a Play activity request. + optional ActiveDirectoryPlayActivityResponse + active_directory_play_activity_response = 20; + + // Response to a check device license request. + optional CheckDeviceLicenseResponse check_device_license_response_deprecated = + 21 [deprecated = true]; + + // Response to a request initiating an Active Directory user signin. + optional ActiveDirectoryUserSigninResponse + active_directory_user_signin_response = 22; + + // Response to a Chrome desktop report request. + optional ChromeDesktopReportResponse chrome_desktop_report_response = 23; + + // Response a report on the status of app push-installs + optional AppInstallReportResponse app_install_report_response = 25; + + // Response to a policy validation report. + optional PolicyValidationReportResponse policy_validation_report_response = + 26; + + // Response to initial enrollment details query. + optional DeviceInitialEnrollmentStateResponse + device_initial_enrollment_state_response = 27; + + // Response to refresh account request. + optional RefreshAccountResponse refresh_account_response = 28; + + // Response to RSU lookup key upload request. + optional RsuLookupKeyUploadResponse rsu_lookup_key_upload_response = 30; + + // Response to public SAML session user request. + optional PublicSamlUserResponse public_saml_user_response = 31; + + // Response to a ChromeOS user report request. + optional ChromeOsUserReportResponse chrome_os_user_report_response = 32; + + // Response to a client certificate provisioning request. + optional ClientCertificateProvisioningResponse + client_certificate_provisioning_response = 33; + + // Response to a checking user account type for smart enrollment. + optional CheckUserAccountResponse check_user_account_response = 34; + + // Response to a client private set membership request. + optional PrivateSetMembershipResponse private_set_membership_response = 35; + + // Response to browser public key upload request. + optional BrowserPublicKeyUploadResponse browser_public_key_upload_response = + 36; + + // Response to EUICC info upload request. + optional UploadEuiccInfoResponse upload_euicc_info_response = 37; + + // Response to a Chrome Profile report request. + optional ChromeProfileReportResponse chrome_profile_report_response = 38; + + // Response to a token-based register request. + optional TokenBasedDeviceRegisterResponse + token_based_device_register_response = 40; + + optional FmRegistrationTokenUploadResponse + fm_registration_token_upload_response = 41; + + // Next id: 42. +} + +// Device State Information stored in the server is retrieval at +// enrollment process. Learn more at go/cros-enterprise-psm +message DeviceStateRetrievalInfo { + // Whether the device should retrieve initial state or not. + optional bool has_initial_state = 1; +} \ No newline at end of file diff --git a/dmbackend/private_membership.proto b/dmbackend/private_membership.proto new file mode 100644 index 0000000..4294f57 --- /dev/null +++ b/dmbackend/private_membership.proto @@ -0,0 +1,78 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +option optimize_for = LITE_RUNTIME; + +package private_membership; + +option go_package = "github.com/google/private-membership"; + +// An enum describing different types of available hash functions. +enum HashType { + HASH_TYPE_UNDEFINED = 0; + TEST_HASH_TYPE = 1; + SHA256 = 2; + + reserved 3; + + // Add more hash types if necessary. +} + +// LINT.IfChange +// An enum describing how to hash IDs to encrypted buckets. +enum EncryptedBucketHashType { + ENCRYPTED_BUCKET_HASH_TYPE_UNDEFINED = 0; + + ENCRYPTED_BUCKET_TEST_HASH_TYPE = 3; + + // Use SHA256 of injective concatenation of non-sensitive and sensitive IDs. + // For backwards compatibility, this hash type should be used if this proto + // field is not specified. + SHA256_NON_SENSITIVE_AND_SENSITIVE_ID = 1; + + reserved 2; +} +// LINT.ThenChange(//depot/google3/privacy/private_membership/rlwe/shared/rlwe_id_utils_test.cc:encrypted_bucket_hash_types) + +// A proto message that holds the doubly encrypted identifier. +message DoublyEncryptedId { + // The identifier encrypted using the elliptic curve commutative + // cipher under an ephemeral key generated by the client that was sent in + // the request. + bytes queried_encrypted_id = 1; + + // The double encryption of a client requested identifier. The encryption + // scheme used is the Elliptic Curve commutation cipher. The + // first encryption layer uses the client's ephemeral key while the second + // encryption layer uses the server's match key. + // + // The client will decrypt this field to get their queried identifier + // encrypted under only the server's key. The client will use this value to + // match with the contents of the encrypted bucket to determine if there is a + // match or not. + bytes doubly_encrypted_id = 2; +} + +// A proto message used to store the plaintext response of a membership query of +// a single identifier. +message MembershipResponse { + // True if and only if the queried identifier was a member. + bool is_member = 1; + + // The associated value if the queried identifier was a member. If the + // queried identifier is not a member, the value will be an empty string. + string value = 2; +} \ No newline at end of file diff --git a/dmbackend/private_membership_pb2.py b/dmbackend/private_membership_pb2.py new file mode 100644 index 0000000..27911c7 --- /dev/null +++ b/dmbackend/private_membership_pb2.py @@ -0,0 +1,32 @@ +# -*- coding: utf-8 -*- +# Generated by the protocol buffer compiler. DO NOT EDIT! +# source: private_membership.proto +"""Generated protocol buffer code.""" +from google.protobuf.internal import builder as _builder +from google.protobuf import descriptor as _descriptor +from google.protobuf import descriptor_pool as _descriptor_pool +from google.protobuf import symbol_database as _symbol_database +# @@protoc_insertion_point(imports) + +_sym_db = _symbol_database.Default() + + + + +DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x18private_membership.proto\x12\x12private_membership\"N\n\x11\x44oublyEncryptedId\x12\x1c\n\x14queried_encrypted_id\x18\x01 \x01(\x0c\x12\x1b\n\x13\x64oubly_encrypted_id\x18\x02 \x01(\x0c\"6\n\x12MembershipResponse\x12\x11\n\tis_member\x18\x01 \x01(\x08\x12\r\n\x05value\x18\x02 \x01(\t*I\n\x08HashType\x12\x17\n\x13HASH_TYPE_UNDEFINED\x10\x00\x12\x12\n\x0eTEST_HASH_TYPE\x10\x01\x12\n\n\x06SHA256\x10\x02\"\x04\x08\x03\x10\x03*\x99\x01\n\x17\x45ncryptedBucketHashType\x12(\n$ENCRYPTED_BUCKET_HASH_TYPE_UNDEFINED\x10\x00\x12#\n\x1f\x45NCRYPTED_BUCKET_TEST_HASH_TYPE\x10\x03\x12)\n%SHA256_NON_SENSITIVE_AND_SENSITIVE_ID\x10\x01\"\x04\x08\x02\x10\x02\x42(H\x03Z$github.com/google/private-membershipb\x06proto3') + +_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, globals()) +_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'private_membership_pb2', globals()) +if _descriptor._USE_C_DESCRIPTORS == False: + + DESCRIPTOR._options = None + DESCRIPTOR._serialized_options = b'H\003Z$github.com/google/private-membership' + _HASHTYPE._serialized_start=184 + _HASHTYPE._serialized_end=257 + _ENCRYPTEDBUCKETHASHTYPE._serialized_start=260 + _ENCRYPTEDBUCKETHASHTYPE._serialized_end=413 + _DOUBLYENCRYPTEDID._serialized_start=48 + _DOUBLYENCRYPTEDID._serialized_end=126 + _MEMBERSHIPRESPONSE._serialized_start=128 + _MEMBERSHIPRESPONSE._serialized_end=182 +# @@protoc_insertion_point(module_scope) diff --git a/dmbackend/private_membership_rlwe.proto b/dmbackend/private_membership_rlwe.proto new file mode 100644 index 0000000..2df6556 --- /dev/null +++ b/dmbackend/private_membership_rlwe.proto @@ -0,0 +1,340 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +option optimize_for = LITE_RUNTIME; + +package private_membership.rlwe; + +option go_package = "github.com/google/private-membership"; + +import "private_membership.proto"; +import "serialization.proto"; + +// Request and Response protos +// +// The protocol consists of two roundtrips: +// First Round: OprfRequest and OprfResponse +// Second Round: QueryRequest and QueryResponse + +// First request sent by the client for checking membership. +message PrivateMembershipRlweOprfRequest { + // The identifier encrypted using the elliptic curve commutative + // cipher under an ephemeral key generated by the client. Before encryption, + // the identifier is hashed using either SHA256 or a more computationally + // expensive hash such as Argon2. + repeated bytes encrypted_ids = 1; + + // The name of the use case of this query. + RlweUseCase use_case = 2; +} + +// First response sent by the server for checking membership. +message PrivateMembershipRlweOprfResponse { + // The requested encrypted_id entries that are re-encrypted using the elliptic + // curve commutative cipher using the server’s key. + // + // The client will decrypt to simply get the identifier encrypted under the + // server’s key. The client will use this to match with the associated + // EncryptedBucket to see if there is a match or not. Additionally, the client + // will use it to decrypt the AES encrypted value. + repeated DoublyEncryptedId doubly_encrypted_ids = 1; + + // Unset if the server doesn't support non-sensitive identifier bucketing for + // the requested use case. + HashedBucketsParameters hashed_buckets_parameters = 2; + + // Parameters for the encrypted buckets (second level). + EncryptedBucketsParameters encrypted_buckets_parameters = 3; + + // Parameters describing the Ring LWE group as well as the security parameter. + RlweParameters rlwe_parameters = 4; + + // Version of key that encrypted the identifier-value pair. + // + // The client should provide this value in the second round of the protocol + // to ensure consistency. + int64 key_version = 5; +} + +// Second request sent by the client for checking membership. +message PrivateMembershipRlweQueryRequest { + // Upload a retrieval request consisting of RLWE ciphertexts. + repeated PrivateMembershipRlweQuery queries = 1; + + // The name of the use case of this query. + RlweUseCase use_case = 2; + + // Version of key that encrypted the identifier-value pair. + int64 key_version = 3; +} + +// Second response sent by the server for checking membership. +message PrivateMembershipRlweQueryResponse { + repeated PrivateMembershipRlwePirResponse pir_responses = 1; +} + +// Proto containing plaintext IDs supplied to the client library. +message RlwePlaintextId { + // Non-sensitive portion of the identifier. + string non_sensitive_id = 1; + + // Sensitive portion of the identifier. + string sensitive_id = 2; +} + +// Different use cases of the RLWE-based PSM protocol. +// +// NEXT ID: 25 +enum RlweUseCase { + RLWE_USE_CASE_UNDEFINED = 0; + TEST_USE_CASE = 1; + TEST_USE_CASE2 = 2; + TEST_USE_CASE3 = 3; + + // Use case with empty database. + EMPTY_USE_CASE = 22; + + // The device state of ChromeOS device, used for Zero Touch, License + // Packaging. This is zero-disclosure database, i.e. client does not reveal + // any bits to the server. + CROS_DEVICE_STATE = 5; + + // The device state of ChromeOS device, used for all managed devices and + // License Packaging. This is partial-disclosure database, i.e. client will be + // asked to reveal some bits of the hash of non-sensitive identifier. + CROS_DEVICE_STATE_UNIFIED = 23; + + // The device state of ChromeOS device. + CROS_DEVICE_SECONDARY_STATE = 12 [deprecated = true]; + CROS_DEVICE_STATE_BACKUP = 21 [deprecated = true]; + + // Use-cases for ChromeOS Device Active Reporting to Fresnel. + CROS_FRESNEL_DAILY = 13; + CROS_FRESNEL_MONTHLY = 14; + CROS_FRESNEL_FIRST_ACTIVE = 15; + CROS_FRESNEL_7DAY_ACTIVE = 16; + CROS_FRESNEL_28DAY_ACTIVE = 17; + CROS_FRESNEL_CHURN_MONTHLY_COHORT = 19; + CROS_FRESNEL_CHURN_MONTHLY_OBSERVATION = 20; + + // Use-cases for Cellular Carrier Lock (SimLock). + CROS_SIM_LOCK = 18; + CROS_SIM_LOCK_DEVMODE = 24; + + reserved 4, 6, 7, 8, 9, 10, 11; +} + +// Parameters for the hashed buckets (first level). +// +// Hashed bucket id is derived by taking the prefix of the hash of the non- +// sensitive identifier. +message HashedBucketsParameters { + // The bit length of the hashed bucket id. + int32 hashed_bucket_id_length = 1; + + // The type of hash function to be used for the non-sensitive identifier + // part. + private_membership.HashType non_sensitive_id_hash_type = 2; +} + +// Parameters for the encrypted buckets (second level). +message EncryptedBucketsParameters { + // The bit length of the encrypted bucket ids. + // + // The total number of encrypted buckets can be derived from this field, + // i.e. 2^encrypted_bucket_id_length. + int32 encrypted_bucket_id_length = 1; + + // The type of hash function to be used to generate the encrypted bucket ID. + private_membership.EncryptedBucketHashType sensitive_id_hash_type = 2; +} + +// Public Ring-LWE encryption scheme parameters. +message RlweParameters { + // Sequence of one modulus or two decreasing moduli. + repeated Uint128 modulus = 1; + + // Log (base 2) of the polynomial degree N (dimension of the vectorspace). + int32 log_degree = 2; + + // Plaintext modulus in bits log t. + int32 log_t = 3; + + // Variance of Gaussian error in bits. + int32 variance = 4; + + // Levels of recursion. + int32 levels_of_recursion = 5; +} + +// Represents a unsigned 128-bit integer. +message Uint128 { + // The lower 64 bits of the modulus. + uint64 lo = 1; + + // The higher 64 bits of the modulus. + uint64 hi = 2; +} + +// Single unit of RLWE query. +message PrivateMembershipRlweQuery { + // Corresponds to the doubly_encrypted_id.queried_encrypted_id in the + // PrivateMembershipRlweOprfResponse. + // + // Should be set by the client. + bytes queried_encrypted_id = 1; + + // Upload a retrieval request consisting of RLWE ciphertexts. + PirRequest pir_request = 2; + + // Hashed bucket id at bit level granularity. + message HashedBucketId { + // Hashed bucket id, in bytes. + // + // All bits after bit_length's bit should be set to 0. + bytes hashed_bucket_id = 1; + + // Bit length of the hashed bucket id. + // + // This value should be in + // ((hashed_bucket_id.size() - 1) * 8, hashed_bucket_id.size() * 8] range. + int32 bit_length = 2; + } + // Hashed bucket id. + // + // The hashed bucket id is computed by taking the prefix of the hashed + // non-sensitive id at the bit level. + // e.g. if the hashed non-sensitive id is 11010111 and the bucket id length is + // 6, this will be populated as 11010100. + // + // Should be unset if the server doesn't support non-sensitive identifier + // bucketing for the requested use case. + HashedBucketId hashed_bucket_id = 3; +} + +// Response consisting of a unique query id and the associated PIR response. +message PrivateMembershipRlwePirResponse { + // This corresponds to the queried_encrypted_id set by the client in the query + // request. + bytes queried_encrypted_id = 1; + + // PIR response corresponding to the PIR request. + PirResponse pir_response = 2; +} + +// Request for private bucket retrieval. +message PirRequest { + // The request is an encoding of a flattened table of encrypted {1} and {0} + // messages as necessary for PIR. If the database has D items and we are using + // L levels of recursion, this table will contain L*(D^(1/L)) messages, + // representing a table with L rows and D^(1/L) items per row. Each row should + // contain exactly one {1} ciphertext, with the rest of the items containing + // {0} messages. + // + // The flattened table is laid out in the following order: + // + // level | ciphertexts + // ----------------------------- + // 1 | {0} ... {1} ... {0} + // 2 | {0} ... {1} ... {0} + // ... | ... + // + // The ciphertexts are uploaded in a compressed format as NTT Polynomials + // using a PRNG seed to expand them into ciphertexts. + // If this field is set, none of the sharded_request_type should be set. + repeated .rlwe.SerializedNttPolynomial request = 1; + + // ExpandedRequest can be useful if the querier would like to manipulate the + // PirRequest after it's been created by the client library. To modify it, the + // ciphertext must be expanded first; hence the name ExpandedRequest. + message ExpandedRequest { + // Wrapper around .rlwe.SerializedSymmetricRlweCiphertext so we can + // represent "empty" ciphertext without ambiguity. If `ciphertext` is not + // set, it is consiered "not requested" and the corresponding index will be + // ignored and excluded from the response. When used multiple levels of + // recursion, it is the querier's responsibility to leave the correct + // positions unset so the final query is valid. + message SerializedSymmetricRlweCiphertext { + optional .rlwe.SerializedSymmetricRlweCiphertext ciphertext = 1; + } + repeated SerializedSymmetricRlweCiphertext ciphertexts = 1; + } + + // CompactRequest should be the same as the request field above, except it + // indicates sharding. + message CompactRequest { + repeated .rlwe.SerializedNttPolynomial ciphertexts = 1; + } + + // If one of the sharded_request_type is set, the above `request` field should + // be set. + oneof sharded_request_type { + // Will be used by hashed bucket sharded request because we don't need to + // modify the ciphertext. + CompactRequest compact_request = 3; + + // Will be used by encrypted bucket sharded request because we need to + // modify the ciphertext. + ExpandedRequest expanded_request = 4; + } + + // The PRNG seed used to expand the compressed RLWE ciphertexts. + bytes prng_seed = 2; +} + +// Response for private bucket retrieval. +message PirResponse { + // Sequence of ciphertexts consisting of encrypted buckets. + repeated .rlwe.SerializedSymmetricRlweCiphertext response = 1; + + // Size of the plaintext entry in bytes. + int32 plaintext_entry_size = 2; +} + +// Bucket consisting of encrypted id and values. +message EncryptedBucket { + // All encrypted pairs in the bucket. + repeated EncryptedIdValuePair encrypted_id_value_pairs = 1; + + // Proto storing encrypted id-value pairs. + message EncryptedIdValuePair { + // Identifier that is encrypted using the Elliptic curve commutative cipher. + // Furthermore, the serialization of the encryption is hashed and only a + // prefix is used. + bytes encrypted_id = 1; + + // Value that is encrypted using AES where the key is a serialization + // of the identifier encrypted using the Elliptic curve commutative cipher. + bytes encrypted_value = 2; + + // Proto containing the sensitive and non-sensitive portion of the + // identifier in plaintext. + RlwePlaintextId id = 3; + } +} + +// A collection of plaintext ids and associated membership responses. +message RlweMembershipResponses { + // A pair of queried plaintext id and its associated membership response. + message MembershipResponseEntry { + // Plaintext id that was queried. + RlwePlaintextId plaintext_id = 1; + + // Membership response of the queried plaintext id. + MembershipResponse membership_response = 2; + } + repeated MembershipResponseEntry membership_responses = 1; +} \ No newline at end of file diff --git a/dmbackend/private_membership_rlwe_pb2.py b/dmbackend/private_membership_rlwe_pb2.py new file mode 100644 index 0000000..3e3b290 --- /dev/null +++ b/dmbackend/private_membership_rlwe_pb2.py @@ -0,0 +1,74 @@ +# -*- coding: utf-8 -*- +# Generated by the protocol buffer compiler. DO NOT EDIT! +# source: private_membership_rlwe.proto +"""Generated protocol buffer code.""" +from google.protobuf.internal import builder as _builder +from google.protobuf import descriptor as _descriptor +from google.protobuf import descriptor_pool as _descriptor_pool +from google.protobuf import symbol_database as _symbol_database +# @@protoc_insertion_point(imports) + +_sym_db = _symbol_database.Default() + + +import private_membership_pb2 as private__membership__pb2 +import serialization_pb2 as serialization__pb2 + + +DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1dprivate_membership_rlwe.proto\x12\x17private_membership.rlwe\x1a\x18private_membership.proto\x1a\x13serialization.proto\"q\n PrivateMembershipRlweOprfRequest\x12\x15\n\rencrypted_ids\x18\x01 \x03(\x0c\x12\x36\n\x08use_case\x18\x02 \x01(\x0e\x32$.private_membership.rlwe.RlweUseCase\"\xef\x02\n!PrivateMembershipRlweOprfResponse\x12\x43\n\x14\x64oubly_encrypted_ids\x18\x01 \x03(\x0b\x32%.private_membership.DoublyEncryptedId\x12S\n\x19hashed_buckets_parameters\x18\x02 \x01(\x0b\x32\x30.private_membership.rlwe.HashedBucketsParameters\x12Y\n\x1c\x65ncrypted_buckets_parameters\x18\x03 \x01(\x0b\x32\x33.private_membership.rlwe.EncryptedBucketsParameters\x12@\n\x0frlwe_parameters\x18\x04 \x01(\x0b\x32\'.private_membership.rlwe.RlweParameters\x12\x13\n\x0bkey_version\x18\x05 \x01(\x03\"\xb6\x01\n!PrivateMembershipRlweQueryRequest\x12\x44\n\x07queries\x18\x01 \x03(\x0b\x32\x33.private_membership.rlwe.PrivateMembershipRlweQuery\x12\x36\n\x08use_case\x18\x02 \x01(\x0e\x32$.private_membership.rlwe.RlweUseCase\x12\x13\n\x0bkey_version\x18\x03 \x01(\x03\"v\n\"PrivateMembershipRlweQueryResponse\x12P\n\rpir_responses\x18\x01 \x03(\x0b\x32\x39.private_membership.rlwe.PrivateMembershipRlwePirResponse\"A\n\x0fRlwePlaintextId\x12\x18\n\x10non_sensitive_id\x18\x01 \x01(\t\x12\x14\n\x0csensitive_id\x18\x02 \x01(\t\"|\n\x17HashedBucketsParameters\x12\x1f\n\x17hashed_bucket_id_length\x18\x01 \x01(\x05\x12@\n\x1anon_sensitive_id_hash_type\x18\x02 \x01(\x0e\x32\x1c.private_membership.HashType\"\x8d\x01\n\x1a\x45ncryptedBucketsParameters\x12\"\n\x1a\x65ncrypted_bucket_id_length\x18\x01 \x01(\x05\x12K\n\x16sensitive_id_hash_type\x18\x02 \x01(\x0e\x32+.private_membership.EncryptedBucketHashType\"\x95\x01\n\x0eRlweParameters\x12\x31\n\x07modulus\x18\x01 \x03(\x0b\x32 .private_membership.rlwe.Uint128\x12\x12\n\nlog_degree\x18\x02 \x01(\x05\x12\r\n\x05log_t\x18\x03 \x01(\x05\x12\x10\n\x08variance\x18\x04 \x01(\x05\x12\x1b\n\x13levels_of_recursion\x18\x05 \x01(\x05\"!\n\x07Uint128\x12\n\n\x02lo\x18\x01 \x01(\x04\x12\n\n\x02hi\x18\x02 \x01(\x04\"\x92\x02\n\x1aPrivateMembershipRlweQuery\x12\x1c\n\x14queried_encrypted_id\x18\x01 \x01(\x0c\x12\x38\n\x0bpir_request\x18\x02 \x01(\x0b\x32#.private_membership.rlwe.PirRequest\x12\\\n\x10hashed_bucket_id\x18\x03 \x01(\x0b\x32\x42.private_membership.rlwe.PrivateMembershipRlweQuery.HashedBucketId\x1a>\n\x0eHashedBucketId\x12\x18\n\x10hashed_bucket_id\x18\x01 \x01(\x0c\x12\x12\n\nbit_length\x18\x02 \x01(\x05\"|\n PrivateMembershipRlwePirResponse\x12\x1c\n\x14queried_encrypted_id\x18\x01 \x01(\x0c\x12:\n\x0cpir_response\x18\x02 \x01(\x0b\x32$.private_membership.rlwe.PirResponse\"\xc3\x04\n\nPirRequest\x12.\n\x07request\x18\x01 \x03(\x0b\x32\x1d.rlwe.SerializedNttPolynomial\x12M\n\x0f\x63ompact_request\x18\x03 \x01(\x0b\x32\x32.private_membership.rlwe.PirRequest.CompactRequestH\x00\x12O\n\x10\x65xpanded_request\x18\x04 \x01(\x0b\x32\x33.private_membership.rlwe.PirRequest.ExpandedRequestH\x00\x12\x11\n\tprng_seed\x18\x02 \x01(\x0c\x1a\xf3\x01\n\x0f\x45xpandedRequest\x12j\n\x0b\x63iphertexts\x18\x01 \x03(\x0b\x32U.private_membership.rlwe.PirRequest.ExpandedRequest.SerializedSymmetricRlweCiphertext\x1at\n!SerializedSymmetricRlweCiphertext\x12@\n\nciphertext\x18\x01 \x01(\x0b\x32\'.rlwe.SerializedSymmetricRlweCiphertextH\x00\x88\x01\x01\x42\r\n\x0b_ciphertext\x1a\x44\n\x0e\x43ompactRequest\x12\x32\n\x0b\x63iphertexts\x18\x01 \x03(\x0b\x32\x1d.rlwe.SerializedNttPolynomialB\x16\n\x14sharded_request_type\"f\n\x0bPirResponse\x12\x39\n\x08response\x18\x01 \x03(\x0b\x32\'.rlwe.SerializedSymmetricRlweCiphertext\x12\x1c\n\x14plaintext_entry_size\x18\x02 \x01(\x05\"\xef\x01\n\x0f\x45ncryptedBucket\x12_\n\x18\x65ncrypted_id_value_pairs\x18\x01 \x03(\x0b\x32=.private_membership.rlwe.EncryptedBucket.EncryptedIdValuePair\x1a{\n\x14\x45ncryptedIdValuePair\x12\x14\n\x0c\x65ncrypted_id\x18\x01 \x01(\x0c\x12\x17\n\x0f\x65ncrypted_value\x18\x02 \x01(\x0c\x12\x34\n\x02id\x18\x03 \x01(\x0b\x32(.private_membership.rlwe.RlwePlaintextId\"\xa2\x02\n\x17RlweMembershipResponses\x12\x66\n\x14membership_responses\x18\x01 \x03(\x0b\x32H.private_membership.rlwe.RlweMembershipResponses.MembershipResponseEntry\x1a\x9e\x01\n\x17MembershipResponseEntry\x12>\n\x0cplaintext_id\x18\x01 \x01(\x0b\x32(.private_membership.rlwe.RlwePlaintextId\x12\x43\n\x13membership_response\x18\x02 \x01(\x0b\x32&.private_membership.MembershipResponse*\xaf\x04\n\x0bRlweUseCase\x12\x1b\n\x17RLWE_USE_CASE_UNDEFINED\x10\x00\x12\x11\n\rTEST_USE_CASE\x10\x01\x12\x12\n\x0eTEST_USE_CASE2\x10\x02\x12\x12\n\x0eTEST_USE_CASE3\x10\x03\x12\x12\n\x0e\x45MPTY_USE_CASE\x10\x16\x12\x15\n\x11\x43ROS_DEVICE_STATE\x10\x05\x12\x1d\n\x19\x43ROS_DEVICE_STATE_UNIFIED\x10\x17\x12#\n\x1b\x43ROS_DEVICE_SECONDARY_STATE\x10\x0c\x1a\x02\x08\x01\x12 \n\x18\x43ROS_DEVICE_STATE_BACKUP\x10\x15\x1a\x02\x08\x01\x12\x16\n\x12\x43ROS_FRESNEL_DAILY\x10\r\x12\x18\n\x14\x43ROS_FRESNEL_MONTHLY\x10\x0e\x12\x1d\n\x19\x43ROS_FRESNEL_FIRST_ACTIVE\x10\x0f\x12\x1c\n\x18\x43ROS_FRESNEL_7DAY_ACTIVE\x10\x10\x12\x1d\n\x19\x43ROS_FRESNEL_28DAY_ACTIVE\x10\x11\x12%\n!CROS_FRESNEL_CHURN_MONTHLY_COHORT\x10\x13\x12*\n&CROS_FRESNEL_CHURN_MONTHLY_OBSERVATION\x10\x14\x12\x11\n\rCROS_SIM_LOCK\x10\x12\x12\x19\n\x15\x43ROS_SIM_LOCK_DEVMODE\x10\x18\"\x04\x08\x04\x10\x04\"\x04\x08\x06\x10\x06\"\x04\x08\x07\x10\x07\"\x04\x08\x08\x10\x08\"\x04\x08\t\x10\t\"\x04\x08\n\x10\n\"\x04\x08\x0b\x10\x0b\x42(H\x03Z$github.com/google/private-membershipb\x06proto3') + +_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, globals()) +_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'private_membership_rlwe_pb2', globals()) +if _descriptor._USE_C_DESCRIPTORS == False: + + DESCRIPTOR._options = None + DESCRIPTOR._serialized_options = b'H\003Z$github.com/google/private-membership' + _RLWEUSECASE.values_by_name["CROS_DEVICE_SECONDARY_STATE"]._options = None + _RLWEUSECASE.values_by_name["CROS_DEVICE_SECONDARY_STATE"]._serialized_options = b'\010\001' + _RLWEUSECASE.values_by_name["CROS_DEVICE_STATE_BACKUP"]._options = None + _RLWEUSECASE.values_by_name["CROS_DEVICE_STATE_BACKUP"]._serialized_options = b'\010\001' + _RLWEUSECASE._serialized_start=3044 + _RLWEUSECASE._serialized_end=3603 + _PRIVATEMEMBERSHIPRLWEOPRFREQUEST._serialized_start=105 + _PRIVATEMEMBERSHIPRLWEOPRFREQUEST._serialized_end=218 + _PRIVATEMEMBERSHIPRLWEOPRFRESPONSE._serialized_start=221 + _PRIVATEMEMBERSHIPRLWEOPRFRESPONSE._serialized_end=588 + _PRIVATEMEMBERSHIPRLWEQUERYREQUEST._serialized_start=591 + _PRIVATEMEMBERSHIPRLWEQUERYREQUEST._serialized_end=773 + _PRIVATEMEMBERSHIPRLWEQUERYRESPONSE._serialized_start=775 + _PRIVATEMEMBERSHIPRLWEQUERYRESPONSE._serialized_end=893 + _RLWEPLAINTEXTID._serialized_start=895 + _RLWEPLAINTEXTID._serialized_end=960 + _HASHEDBUCKETSPARAMETERS._serialized_start=962 + _HASHEDBUCKETSPARAMETERS._serialized_end=1086 + _ENCRYPTEDBUCKETSPARAMETERS._serialized_start=1089 + _ENCRYPTEDBUCKETSPARAMETERS._serialized_end=1230 + _RLWEPARAMETERS._serialized_start=1233 + _RLWEPARAMETERS._serialized_end=1382 + _UINT128._serialized_start=1384 + _UINT128._serialized_end=1417 + _PRIVATEMEMBERSHIPRLWEQUERY._serialized_start=1420 + _PRIVATEMEMBERSHIPRLWEQUERY._serialized_end=1694 + _PRIVATEMEMBERSHIPRLWEQUERY_HASHEDBUCKETID._serialized_start=1632 + _PRIVATEMEMBERSHIPRLWEQUERY_HASHEDBUCKETID._serialized_end=1694 + _PRIVATEMEMBERSHIPRLWEPIRRESPONSE._serialized_start=1696 + _PRIVATEMEMBERSHIPRLWEPIRRESPONSE._serialized_end=1820 + _PIRREQUEST._serialized_start=1823 + _PIRREQUEST._serialized_end=2402 + _PIRREQUEST_EXPANDEDREQUEST._serialized_start=2065 + _PIRREQUEST_EXPANDEDREQUEST._serialized_end=2308 + _PIRREQUEST_EXPANDEDREQUEST_SERIALIZEDSYMMETRICRLWECIPHERTEXT._serialized_start=2192 + _PIRREQUEST_EXPANDEDREQUEST_SERIALIZEDSYMMETRICRLWECIPHERTEXT._serialized_end=2308 + _PIRREQUEST_COMPACTREQUEST._serialized_start=2310 + _PIRREQUEST_COMPACTREQUEST._serialized_end=2378 + _PIRRESPONSE._serialized_start=2404 + _PIRRESPONSE._serialized_end=2506 + _ENCRYPTEDBUCKET._serialized_start=2509 + _ENCRYPTEDBUCKET._serialized_end=2748 + _ENCRYPTEDBUCKET_ENCRYPTEDIDVALUEPAIR._serialized_start=2625 + _ENCRYPTEDBUCKET_ENCRYPTEDIDVALUEPAIR._serialized_end=2748 + _RLWEMEMBERSHIPRESPONSES._serialized_start=2751 + _RLWEMEMBERSHIPRESPONSES._serialized_end=3041 + _RLWEMEMBERSHIPRESPONSES_MEMBERSHIPRESPONSEENTRY._serialized_start=2883 + _RLWEMEMBERSHIPRESPONSES_MEMBERSHIPRESPONSEENTRY._serialized_end=3041 +# @@protoc_insertion_point(module_scope) diff --git a/dmbackend/serialization.proto b/dmbackend/serialization.proto new file mode 100644 index 0000000..5ed884a --- /dev/null +++ b/dmbackend/serialization.proto @@ -0,0 +1,70 @@ +/* + * Copyright 2017 Google Inc. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + syntax = "proto2"; + + option optimize_for = LITE_RUNTIME; + + package rlwe; + + option go_package = "github.com/google/shell-encryption"; + + // NTT Polynomial + message SerializedNttPolynomial { + // Coefficients of the polynomial + optional bytes coeffs = 1; + + // Number of coefficients of the polynomial. + optional int32 num_coeffs = 2; + } + + // RLWE Ciphertext + message SerializedSymmetricRlweCiphertext { + // Polynomials composing the ciphertext + repeated SerializedNttPolynomial c = 1; + + // The power of the secret key that the ciphertext is encrypted with. + optional int32 power_of_s = 2; + + // A heuristic on the amount of error in the ciphertext. + optional double error = 3; + } + + // RLWE RelinearizationKey + message SerializedRelinearizationKey { + // Polynomial composing the matrix + repeated SerializedNttPolynomial c = 1; + + // The modulus used to decompose the coefficients of the polynomials. Ranges + // from 1 to the number of bits of the modulus. + optional int32 log_decomposition_modulus = 2; + + // For n parts, the key can relinearize an n-component ciphertext to a + // 2-component ciphertext. + optional int32 num_parts = 3; + + // Seed used to compress this key. + optional bytes prng_seed = 4; // Required + + // The power of s that corresponds to the key. The field is 1 if the key is + // RelinearizationKey. + optional int32 power_of_s = 5; + } + + // RLWE GaloisKeys. + message SerializedGaloisKey { + // The key-switching matrix + optional SerializedRelinearizationKey key = 1; + } \ No newline at end of file diff --git a/dmbackend/serialization_pb2.py b/dmbackend/serialization_pb2.py new file mode 100644 index 0000000..c1d16df --- /dev/null +++ b/dmbackend/serialization_pb2.py @@ -0,0 +1,32 @@ +# -*- coding: utf-8 -*- +# Generated by the protocol buffer compiler. DO NOT EDIT! +# source: serialization.proto +"""Generated protocol buffer code.""" +from google.protobuf.internal import builder as _builder +from google.protobuf import descriptor as _descriptor +from google.protobuf import descriptor_pool as _descriptor_pool +from google.protobuf import symbol_database as _symbol_database +# @@protoc_insertion_point(imports) + +_sym_db = _symbol_database.Default() + + + + +DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x13serialization.proto\x12\x04rlwe\"=\n\x17SerializedNttPolynomial\x12\x0e\n\x06\x63oeffs\x18\x01 \x01(\x0c\x12\x12\n\nnum_coeffs\x18\x02 \x01(\x05\"p\n!SerializedSymmetricRlweCiphertext\x12(\n\x01\x63\x18\x01 \x03(\x0b\x32\x1d.rlwe.SerializedNttPolynomial\x12\x12\n\npower_of_s\x18\x02 \x01(\x05\x12\r\n\x05\x65rror\x18\x03 \x01(\x01\"\xa5\x01\n\x1cSerializedRelinearizationKey\x12(\n\x01\x63\x18\x01 \x03(\x0b\x32\x1d.rlwe.SerializedNttPolynomial\x12!\n\x19log_decomposition_modulus\x18\x02 \x01(\x05\x12\x11\n\tnum_parts\x18\x03 \x01(\x05\x12\x11\n\tprng_seed\x18\x04 \x01(\x0c\x12\x12\n\npower_of_s\x18\x05 \x01(\x05\"F\n\x13SerializedGaloisKey\x12/\n\x03key\x18\x01 \x01(\x0b\x32\".rlwe.SerializedRelinearizationKeyB&H\x03Z\"github.com/google/shell-encryption') + +_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, globals()) +_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'serialization_pb2', globals()) +if _descriptor._USE_C_DESCRIPTORS == False: + + DESCRIPTOR._options = None + DESCRIPTOR._serialized_options = b'H\003Z\"github.com/google/shell-encryption' + _SERIALIZEDNTTPOLYNOMIAL._serialized_start=29 + _SERIALIZEDNTTPOLYNOMIAL._serialized_end=90 + _SERIALIZEDSYMMETRICRLWECIPHERTEXT._serialized_start=92 + _SERIALIZEDSYMMETRICRLWECIPHERTEXT._serialized_end=204 + _SERIALIZEDRELINEARIZATIONKEY._serialized_start=207 + _SERIALIZEDRELINEARIZATIONKEY._serialized_end=372 + _SERIALIZEDGALOISKEY._serialized_start=374 + _SERIALIZEDGALOISKEY._serialized_end=444 +# @@protoc_insertion_point(module_scope)