// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
syntax = "proto2";

package kerberos;

// Lite runtime: the generated classes carry no descriptors or reflection, so
// reflection-based helpers (text format, JSON) are not available for them.
option optimize_for = LITE_RUNTIME;
// Error codes returned by the D-Bus methods. The numeric values are written to
// logs, so they form a stable contract: new values may be appended, but an
// existing value must never be renumbered, removed or reassigned.
enum ErrorType {
  // Success, no error.
  ERROR_NONE = 0;
  // Failure with no more specific code.
  ERROR_UNKNOWN = 1;
  // D-Bus level failure with no more specific code.
  ERROR_DBUS_FAILURE = 2;
  // Generic network problem.
  ERROR_NETWORK_PROBLEM = 3;
  // A krb5 library error that has no mapping in this enum. The original krb5
  // code is only available in the logs.
  ERROR_UNKNOWN_KRB5_ERROR = 4;
  // Acquiring credentials failed: the principal was rejected.
  ERROR_BAD_PRINCIPAL = 5;
  // Acquiring credentials failed: the password was wrong.
  ERROR_BAD_PASSWORD = 6;
  // Acquiring credentials failed: the password has expired.
  ERROR_PASSWORD_EXPIRED = 7;
  // Changing the password failed: the new password was rejected.
  ERROR_PASSWORD_REJECTED = 8;
  // No Kerberos credential cache was found.
  ERROR_NO_CREDENTIALS_CACHE_FOUND = 9;
  // Renewing credentials failed because the ticket had already expired.
  ERROR_KERBEROS_TICKET_EXPIRED = 10;
  // The KDC does not support the encryption type enforced by krb5.conf.
  ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE = 11;
  // The Key Distribution Center could not be reached.
  ERROR_CONTACTING_KDC_FAILED = 12;
  // The serialized request message could not be parsed.
  ERROR_PARSE_REQUEST_FAILED = 13;
  // A local I/O operation failed.
  ERROR_LOCAL_IO = 14;
  // The account manager has no account with the requested principal name.
  ERROR_UNKNOWN_PRINCIPAL_NAME = 15;
  // Adding the account failed because an account with the same principal name
  // already exists.
  ERROR_DUPLICATE_PRINCIPAL_NAME = 16;
  // An asynchronous operation is still running; the caller should retry later.
  ERROR_IN_PROGRESS = 17;
  // The principal name is malformed.
  ERROR_PARSE_PRINCIPAL_FAILED = 18;
  // The Kerberos configuration is malformed. ValidateConfigResponse carries the
  // detailed ConfigErrorCode for this case.
  ERROR_BAD_CONFIG = 19;
  // Running untrusted code inside its container failed.
  ERROR_JAIL_FAILURE = 20;
  // The Kerberos feature is disabled.
  ERROR_KERBEROS_DISABLED = 21;
  // Sentinel, not a real error code. Must stay last; bump it whenever a new
  // value is added above.
  ERROR_COUNT = 22;
}
// Error codes produced by ValidateConfig and carried in ConfigErrorInfo.code.
// The numeric values are written to logs, so they form a stable contract: new
// values may be appended, but an existing value must never be renumbered,
// removed or reassigned.
enum ConfigErrorCode {
  // The configuration is valid.
  CONFIG_ERROR_NONE = 0;
  // A section appears inside a group, e.g. realm = { ... [somesection] ... }.
  CONFIG_ERROR_SECTION_NESTED_IN_GROUP = 1;
  // Malformed section header; expected "[section]".
  CONFIG_ERROR_SECTION_SYNTAX = 2;
  // A group value must start with '{' on the line after "key = ".
  CONFIG_ERROR_EXPECTED_OPENING_CURLY_BRACE = 3;
  // More closing braces '}' than opening ones.
  CONFIG_ERROR_EXTRA_CURLY_BRACE = 4;
  // Malformed relation; expected "key = ...".
  CONFIG_ERROR_RELATION_SYNTAX = 5;
  // The key is not on the list of supported keys.
  CONFIG_ERROR_KEY_NOT_SUPPORTED = 6;
  // The section is not on the list of supported sections.
  CONFIG_ERROR_SECTION_NOT_SUPPORTED = 7;
  // The Kerberos library itself failed to parse the configuration.
  CONFIG_ERROR_KRB5_FAILED_TO_PARSE = 8;
  // Sentinel, not a real error code. Must stay last; bump it whenever a new
  // value is added above.
  CONFIG_ERROR_COUNT = 9;
}
// Selects which data a ClearAccounts call removes; see ClearAccountsRequest.mode.
// Note that the zero value, CLEAR_ALL, is the most destructive mode, so a
// request that leaves the mode unset removes every account.
enum ClearMode {
  // Remove every account, managed and unmanaged.
  CLEAR_ALL = 0;
  // Remove unmanaged accounts only; managed accounts are left untouched.
  CLEAR_ONLY_UNMANAGED_ACCOUNTS = 1;
  // Remove the remembered passwords of unmanaged accounts.
  CLEAR_ONLY_UNMANAGED_REMEMBERED_PASSWORDS = 2;
  // Remove managed accounts only; unmanaged accounts are left untouched.
  CLEAR_ONLY_MANAGED_ACCOUNTS = 3;
}
// Files of one account as returned in GetKerberosFilesResponse.files.
message KerberosFiles {
  // Contents of the Kerberos credential cache. It holds the account's tickets
  // and must be handled as secret data.
  optional bytes krb5cc = 1;

  // Contents of the Kerberos configuration.
  optional bytes krb5conf = 2;
}
// State of one account known to the account manager.
message Account {
  // Principal name, e.g. user@REALM.COM. This is the key by which accounts are
  // identified in all requests.
  optional string principal_name = 1;

  // Kerberos configuration data. Unset if the configuration file does not
  // exist or could not be read.
  optional bytes krb5conf = 2;

  // Remaining validity of the TGT in seconds; zero means the ticket has
  // expired. Unset if there is no ticket or it could not be read.
  optional int64 tgt_validity_seconds = 3;

  // Remaining time in seconds during which the TGT can still be renewed; zero
  // means it can no longer be renewed. Unset if there is no ticket or it could
  // not be read.
  optional int64 tgt_renewal_seconds = 4;

  // True if the account is managed by policy.
  optional bool is_managed = 5;

  // True if a password for this account is stored on disk.
  optional bool password_was_remembered = 6;

  // True if the account authenticates with the Chrome OS login password.
  optional bool use_login_password = 7;

  // TODO(https://crbug.com/952239): Set additional properties.
}
// Describes a validation error found in a Kerberos configuration.
message ConfigErrorInfo {
  // The error code; CONFIG_ERROR_NONE when validation succeeded.
  optional ConfigErrorCode code = 1;

  // Zero-based index of the configuration line on which the error was found.
  optional int32 line_index = 2;
}
// Request to add a new account.
message AddAccountRequest {
  // Principal name (user@REALM.COM) of the account to add.
  optional string principal_name = 1;

  // True if the account is managed by policy.
  optional bool is_managed = 2;
}
// Response to AddAccountRequest.
message AddAccountResponse {
  // Result of the call; ERROR_NONE on success.
  optional ErrorType error = 1;
}
// Request to remove a single account.
message RemoveAccountRequest {
  // Principal name (user@REALM.COM) of the account to remove.
  optional string principal_name = 1;
}
// Response to RemoveAccountRequest.
message RemoveAccountResponse {
  // Result of the call; ERROR_NONE on success.
  optional ErrorType error = 1;

  // The accounts that remain after the removal.
  repeated Account accounts = 2;
}
// Request to remove accounts or remembered passwords in bulk.
message ClearAccountsRequest {
  // Which data to remove. Note the default: a request that does not set mode
  // is executed as CLEAR_ALL and removes every account.
  optional ClearMode mode = 1 [default = CLEAR_ALL];

  // Accounts whose principal name is listed here are left untouched.
  repeated string principal_names_to_ignore = 2;
}
// Response to ClearAccountsRequest.
message ClearAccountsResponse {
  // Result of the call; ERROR_NONE on success.
  optional ErrorType error = 1;

  // The accounts that remain after clearing.
  repeated Account accounts = 2;
}
// Request to list all accounts.
message ListAccountsRequest {
  // Currently carries no fields; kept as a message so that parameters can be
  // added later.
}
// Response to ListAccountsRequest.
message ListAccountsResponse {
  // Result of the call; ERROR_NONE on success.
  optional ErrorType error = 1;

  // All known accounts.
  repeated Account accounts = 2;
}
// Request to replace the Kerberos configuration of an account.
message SetConfigRequest {
  // Principal name (user@REALM.COM) of the account whose configuration is
  // replaced.
  optional string principal_name = 1;

  // The Kerberos configuration to store. Typed as a proto string, i.e. it is
  // expected to hold UTF-8 text; compare Account.krb5conf and
  // KerberosFiles.krb5conf, which are typed bytes.
  optional string krb5conf = 2;
}
// Response to SetConfigRequest.
message SetConfigResponse {
  // Result of the call; ERROR_NONE on success.
  optional ErrorType error = 1;
}
// Request to check a Kerberos configuration. No principal is involved.
message ValidateConfigRequest {
  // The Kerberos configuration to validate.
  optional string krb5conf = 1;
}
// Response to ValidateConfigRequest.
message ValidateConfigResponse {
  // Result of the call. ERROR_BAD_CONFIG when validation failed.
  optional ErrorType error = 1;

  // Details describing the kind and location of the validation error.
  optional ConfigErrorInfo error_info = 2;
}
// Request to obtain a ticket-granting ticket for an account.
message AcquireKerberosTgtRequest {
  // Principal name (user@REALM.COM) of the account to acquire a ticket for.
  optional string principal_name = 1;

  // Whether the daemon should store the password. The password itself is not
  // part of this message; it arrives through a separate file descriptor.
  optional bool remember_password = 2;

  // Whether to authenticate with the Chrome OS login password instead. When
  // set, the password file descriptor passed as D-Bus parameter is ignored.
  optional bool use_login_password = 3;
}
// Response to AcquireKerberosTgtRequest.
message AcquireKerberosTgtResponse {
  // Result of the call; ERROR_NONE on success.
  optional ErrorType error = 1;
}
// Request to fetch the Kerberos files of an account.
message GetKerberosFilesRequest {
  // Principal name (user@REALM.COM) of the account whose files are requested.
  optional string principal_name = 1;
}
// Response to GetKerberosFilesRequest.
message GetKerberosFilesResponse {
  // Result of the call; ERROR_NONE on success.
  optional ErrorType error = 1;

  // The retrieved files. Note that files.krb5cc contains the account's
  // credential cache and must be handled as secret data.
  optional KerberosFiles files = 2;
}