      1 // Copyright 2017 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 syntax = "proto2";
      6 
      7 option optimize_for = LITE_RUNTIME;
      8 
      9 package authpolicy;
     10 
// D-Bus call error codes. These values are written to logs. New values may be
// appended, but existing values must never be renumbered, and the number of a
// deleted value must never be reused for a different meaning.
enum ErrorType {
  // TODO(ljusten): Remove this and ERROR_NO_WINDOWS_POLICY when Chrome is
  // switched over, see crbug.com/807999.
  // allow_alias exists only so that ERROR_NO_DEVICE_POLICY and
  // ERROR_NO_WINDOWS_POLICY can both map to 34; it is not a license to alias
  // other values. Remove it together with the alias.
  option allow_alias = true;

  // Everything is A-OK!
  ERROR_NONE = 0;
  // Unspecified error.
  ERROR_UNKNOWN = 1;
  // Unspecified D-Bus error.
  ERROR_DBUS_FAILURE = 2;
  // Badly formatted user principal name.
  ERROR_PARSE_UPN_FAILED = 3;
  // Auth failed because of bad user name.
  // NOTE(review): this code and ERROR_BAD_PASSWORD are distinguishable, so a
  // caller that surfaces them verbatim reveals whether an account exists.
  // Presumably this mirrors what the KDC already reports; confirm before
  // exposing the distinction on an unauthenticated UI.
  ERROR_BAD_USER_NAME = 4;
  // Auth failed because of bad password.
  ERROR_BAD_PASSWORD = 5;
  // Auth failed because of expired password.
  ERROR_PASSWORD_EXPIRED = 6;
  // Auth failed because of bad realm or network.
  ERROR_CANNOT_RESOLVE_KDC = 7;
  // kinit exited with unspecified error.
  ERROR_KINIT_FAILED = 8;
  // net exited with unspecified error.
  ERROR_NET_FAILED = 9;
  // smbclient exited with unspecified error.
  ERROR_SMBCLIENT_FAILED = 10;
  // authpolicy_parser exited with unspecified error.
  ERROR_PARSE_FAILED = 11;
  // Parsing GPOs (PReg data) failed.
  ERROR_PARSE_PREG_FAILED = 12;
  // GPO data is bad.
  ERROR_BAD_GPOS = 13;
  // Some local IO operation failed.
  ERROR_LOCAL_IO = 14;
  // Machine is not joined to AD domain yet.
  ERROR_NOT_JOINED = 15;
  // User is not logged in yet.
  ERROR_NOT_LOGGED_IN = 16;
  // Failed to send policy to session_manager.
  ERROR_STORE_POLICY_FAILED = 17;
  // User doesn't have the permission to join machines to the domain.
  ERROR_JOIN_ACCESS_DENIED = 18;
  // General network problem.
  ERROR_NETWORK_PROBLEM = 19;
  // Machine name contains restricted characters.
  ERROR_INVALID_MACHINE_NAME = 20;
  // Machine name too long.
  ERROR_MACHINE_NAME_TOO_LONG = 21;
  // User joined maximum number of machines to the domain.
  ERROR_USER_HIT_JOIN_QUOTA = 22;
  // Kinit or smbclient failed to contact Key Distribution Center.
  ERROR_CONTACTING_KDC_FAILED = 23;
  // Kerberos credentials cache not found.
  ERROR_NO_CREDENTIALS_CACHE_FOUND = 24;
  // Kerberos ticket expired while renewing credentials.
  ERROR_KERBEROS_TICKET_EXPIRED = 25;
  // Klist exited with unspecified error.
  ERROR_KLIST_FAILED = 26;
  // Kinit failed because of bad machine name.
  ERROR_BAD_MACHINE_NAME = 27;
  // Kinit failed to change the password because the password was rejected.
  ERROR_PASSWORD_REJECTED = 28;
  // Returned by RefreshDevicePolicy when policy fetch succeeded but policy
  // cannot be sent to session_manager because install attributes are not locked
  // yet. authpolicyd caches policy in this case and returns it in the next
  // RefreshDevicePolicy call. Should happen during enrollment only.
  ERROR_DEVICE_POLICY_CACHED_BUT_NOT_SENT = 29;
  // Join failed because computer organizational unit does not exist.
  ERROR_OU_DOES_NOT_EXIST = 30;
  // Join failed because computer organizational unit is invalid.
  ERROR_INVALID_OU = 31;
  // Setting computer organizational unit failed with insufficient permissions.
  ERROR_OU_ACCESS_DENIED = 32;
  // Setting computer organizational unit failed with unspecified error.
  ERROR_SETTING_OU_FAILED = 33;
  // Fetching user policy failed because device policy was unavailable.
  ERROR_NO_DEVICE_POLICY = 34;
  // Alias of ERROR_NO_DEVICE_POLICY kept for callers that still use the old
  // name; see the TODO at the top of the enum. Both names log as 34.
  ERROR_NO_WINDOWS_POLICY = 34;
  // Domain join failed because the device is already joined.
  ERROR_ALREADY_JOINED = 35;
  // Domain join failed because KDC does not support the encryption enforced in
  // the Samba configuration, e.g. if 'kerberos encryption types' is set to
  // 'strong' to enforce AES encryption, but KDC does not support AES.
  // NOTE(review): a caller may retry with a weaker
  // JoinDomainRequest.kerberos_encryption_types, but that downgrade should be
  // an explicit choice surfaced to the user, never an automatic fallback.
  ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE = 36;
  // Kpasswd exited with unspecified error.
  ERROR_KPASSWD_FAILED = 37;
  // Setting computer organizational unit failed with constraint violation.
  ERROR_OU_CONSTRAINT_VIOLATION = 38;
  // Should be the last. Not an error code itself: it is one past the highest
  // real value and must be bumped whenever a value is appended above.
  ERROR_COUNT = 39;
}
    105 
    106 // Message sent to Chrome by authpolicyd as a response of a successful
    107 // AuthenticateUser call. Contains information about authenticated user fetched
    108 // from Active Directory server with "net ads search ...".
message ActiveDirectoryAccountInfo {
  // Unique id of the user account. Taken from the objectGUID property of the
  // Active Directory user account information. objectGUID stays fixed for the
  // lifetime of the AD object, whereas sam_account_name and display_name can
  // be changed by an administrator, so this is the value to key the user on.
  optional string account_id = 1;
  // Display name of the user. Taken from the displayName property of the Active
  // Directory user account information.
  // NOTE(review): this and the other name fields are set by the AD
  // administrator and relayed as-is; consumers should treat them as plain,
  // untrusted text (no markup or format-string interpretation).
  optional string display_name = 2;
  // Given name of the user. AKA first name. Taken from the givenName property
  // of the Active Directory user account information.
  optional string given_name = 3;
  // Logon name of the user (without @realm). Taken from the sAMAccountName
  // property of the Active Directory user account information.
  optional string sam_account_name = 4;
  // Timestamp when the password was last set, see
  // https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx. Taken from
  // the pwdLastSet property of the Active Directory user account information.
  // Per the linked page this is a Windows FILETIME (100-nanosecond intervals
  // since 1601-01-01 UTC), and 0 means the password must be changed at next
  // logon. Used in authpolicyd only, unused in Chrome.
  optional uint64 pwd_last_set = 5;
  // User account control flags, see
  // https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx. Taken from
  // the userAccountControl property of the Active Directory user account
  // information. Bit flags as documented on the linked page (e.g. account
  // disabled, password never expires). Used in authpolicyd only, unused in
  // Chrome.
  optional uint32 user_account_control = 6;
  // Common name of the user, e.g. "John Doe [jdoe]". Taken from the commonName
  // property of the Active Directory user account information.
  optional string common_name = 7;
  // Next ID to use: 8
}
    137 
    138 // Message sent to Chrome by authpolicyd as a response to a successful
    139 // GetUserStatus call.
message ActiveDirectoryUserStatus {
  // Ticket-granting-ticket status.
  // NOTE(review): TGT_VALID is the zero value, i.e. what a reader sees for an
  // unset tgt_status. Readers must check presence (has_tgt_status) rather than
  // treat a missing field as "valid"; renumbering is not an option here.
  enum TgtStatus {
    TGT_VALID = 0;      // Ticket is still valid.
    TGT_EXPIRED = 1;    // Ticket expired.
    TGT_NOT_FOUND = 2;  // Kerberos credentials cache not found.
    // Next ID to use: 3
  }

  // Whether the password has to be changed or sync'ed with cryptohome.
  // NOTE(review): same caveat as TgtStatus: PASSWORD_VALID is the zero value,
  // so an unset password_status reads as "valid"; check presence first.
  enum PasswordStatus {
    PASSWORD_VALID = 0;    // Valid as far as we can tell.
    PASSWORD_EXPIRED = 1;  // User has to enter a new password on next logon.
    PASSWORD_CHANGED = 2;  // Changed on server, possibly from other client.
    // Next ID to use: 3
  }

  // User's account information, see above.
  optional ActiveDirectoryAccountInfo account_info = 1;
  // Status of the user's ticket-granting-ticket (TGT).
  optional TgtStatus tgt_status = 2;
  // Status of the user's password.
  optional PasswordStatus password_status = 3;
  // Field 4 was removed; its number is reserved so it can never be reused with
  // a different meaning. Reserve its old name too if it is still known.
  reserved 4;
  // Next ID to use: 5
}
    166 
    167 // Message sent to Chrome by authpolicyd as a response to a successful
    168 // GetUserKerberosFiles call.
message KerberosFiles {
  // Kerberos credential cache. Holds the user's TGT (and any service tickets)
  // together with their session keys, i.e. a bearer credential: whoever holds
  // these bytes can act as the user until the tickets expire. Never log it,
  // and any copy written to disk must be readable by the owning user only.
  optional bytes krb5cc = 1;
  // Kerberos configuration file. Determines which KDCs are contacted and which
  // encryption types are accepted, so it is trusted configuration produced by
  // authpolicyd; a tampered copy could redirect or downgrade authentication.
  optional bytes krb5conf = 2;
  // Next ID to use: 3
}
    176 
    177 // What Kerberos encryption types kinit should use.
enum KerberosEncryptionTypes {
  // NOTE(review): ENC_TYPES_ALL is the zero value, so any field of this type
  // without an explicit [default = ...] silently permits RC4 when unset.
  // JoinDomainRequest overrides this with ENC_TYPES_STRONG; new uses must too.
  ENC_TYPES_ALL = 0;     // AES + RC4_HMAC. Allows negotiation down to RC4.
  ENC_TYPES_STRONG = 1;  // AES only.
  ENC_TYPES_LEGACY = 2;  // RC4_HMAC only. RC4-HMAC is deprecated (RFC 8429);
                         // use only where an AES-incapable KDC leaves no choice.
  // Next ID to use: 3
}
    184 
    185 // Message sent by Chrome to authpolicyd with JoinAdDomain call.
message JoinDomainRequest {
  // Logon name of the user (with @realm) who joins the machine to the domain.
  // The user's password is not part of this message; presumably it is passed
  // out of band with the D-Bus call — confirm against the method definition.
  optional string user_principal_name = 1;
  // Netbios computer (aka machine) name for the joining device.
  // https://technet.microsoft.com/en-us/library/cc959322.aspx
  // Validated by authpolicyd; see ERROR_INVALID_MACHINE_NAME and
  // ERROR_MACHINE_NAME_TOO_LONG.
  optional string machine_name = 2;
  // Domain (realm) the machine should be joined to.
  optional string machine_domain = 3;
  // Organizational unit the machine should be put into. Goes from leaf to root,
  // i.e. the OU at index 1 is the parent of OU at index 0, etc.
  // Each element is one raw OU name; presumably authpolicyd performs any DN
  // escaping when it builds the LDAP path — confirm, callers must not
  // pre-escape. Failures map to the ERROR_OU_* codes.
  repeated string machine_ou = 4;
  // Supported Kerberos encryption types for domain join. By default, only
  // strong types are allowed during negotiation. However, some Active Directory
  // setups might be configured to not allow strong types, in particular for
  // cross-domain authentication (join machine to domain A using credentials
  // from domain B), where at the time of writing the default settings do not
  // allow strong encryption. In this case, domain join fails. Likewise, there
  // might also be rare use cases that require legacy encryption only. If the
  // server supports strong encryption, it is always preferred.
  // On the sign-in screen and during user sessions the device policy
  // DeviceKerberosEncryptionTypes policy is used to determine encryption types.
  // The explicit default below is load-bearing: ENC_TYPES_ALL is the enum's
  // zero value, so without it an unset field would permit RC4.
  optional KerberosEncryptionTypes kerberos_encryption_types = 5
      [default = ENC_TYPES_STRONG];
  // The DM token used by Chrome to authenticate to DM server. Passed during
  // domain join so authpolicyd can set it in device policy as it's done for
  // cloud management. This is a bearer secret: never log it or include it in
  // error text.
  optional string dm_token = 6;
  // Next ID to use: 7
}
    215 
    216 // Message sent by Chrome to authpolicyd with AuthenticateUser call.
message AuthenticateUserRequest {
  // Logon name of the user (with @realm). The password is not part of this
  // message; presumably it is passed out of band with the D-Bus call — confirm
  // against the method definition.
  optional string user_principal_name = 1;
  // Unique id of the user account. Taken from the objectGUID property of the
  // Active Directory user account information. Optional here because it is
  // not yet known before the first successful authentication — TODO confirm.
  optional string account_id = 2;
  // Next ID to use: 3
}
    225 
    226 // Message sent by Chrome to authpolicyd with GetUserStatus call.
message GetUserStatusRequest {
  // Logon name of the user (with @realm).
  optional string user_principal_name = 1;
  // Unique id of the user account. Taken from the objectGUID property of the
  // Active Directory user account information, as returned in
  // ActiveDirectoryAccountInfo.account_id by a prior AuthenticateUser call.
  optional string account_id = 2;
  // Next ID to use: 3
}
    235