| // Copyright 2020 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| syntax = "proto2"; |
| |
| option optimize_for = LITE_RUNTIME; |
| |
| package system_proxy; |
| |
| // TODO(acostinas, crbug.com/1076377) Deprecated, to be removed. Please use |
| // SetAuthenticationDetailsRequest. |
| message SetSystemTrafficCredentialsRequest { |
| // The username for authenticating system services to the remote web proxy. |
| optional string system_services_username = 1; |
| |
| // The password for authenticating system services to the remote web proxy. |
| optional string system_services_password = 2; |
| } |
| |
| // TODO(acostinas, crbug.com/1076377) Deprecated, to be removed. Please use |
| // SetAuthenticationDetailsResponse. |
| message SetSystemTrafficCredentialsResponse { |
| // Error message, empty if no error occurred. |
| optional string error_message = 1; |
| } |
| |
| // Both |username| and |password| use UTF-8 as character encoding and are not |
| // percent-escaped (i.e. not URL encoded). |
| message Credentials { |
| // The username for authenticating to the remote web proxy. |
| optional string username = 1; |
| // The password for authenticating to the remote web proxy. |
| optional string password = 2; |
| // Authentication schemes for which policy set credentials can be |
| // automatically applied. Valid values are 'basic', 'digest' and 'ntlm'. |
| repeated string policy_credentials_auth_schemes = 3; |
| } |
| |
| // The protection space determines the domain over which credentials can |
| // be automatically applied (defined in RFC7235 , section 2.2). |
| message ProtectionSpace { |
| // The origin of the URL of the web proxy server issuing |
| // the challenge, formatted as scheme://url:port. |
| optional string origin = 1; |
| // The case-sensitive realm string of the challenge. |
| optional string realm = 2; |
| // The authentication scheme that can be basic, digest or NTLM. |
| optional string scheme = 3; |
| } |
| |
| // A System-proxy worker instance forwards traffic originating from either |
| // system services only, or user only via ARC and Crostini connections. |
| enum TrafficOrigin { |
| // Should not be used. |
| UNSPECIFIED = 0; |
| |
| SYSTEM = 1; |
| |
| USER = 2; |
| |
| ALL = 3; |
| } |
| |
| // Message request to remove the user credentials from the System-proxy service. |
| message ClearUserCredentialsRequest {} |
| |
| message ClearUserCredentialsResponse { |
| // Error message, empty if no error occurred. |
| optional string error_message = 1; |
| } |
| |
| message SetAuthenticationDetailsRequest { |
| // Indicates if the credentials should be used for system or user traffic. |
| optional TrafficOrigin traffic_type = 1; |
| // Indicates if Kerberos authentication is allowed on Chrome OS. If yes and |
| // the proxy server supports Kerberos, this is the first method tried by |
| // libcurl when authenticating, with fallback on less secure methods in case |
| // of failure. |
| optional bool kerberos_enabled = 2; |
| // The credentials to authenticate with the remote proxy server. |
| optional Credentials credentials = 3; |
| // The domain for which the credentials can be applied without asking again |
| // for authentication. |
| optional ProtectionSpace protection_space = 4; |
| // Used by System-proxy to request the ticket cache and configuration files |
| // with kerberosd. |
| optional string active_principal_name = 5; |
| } |
| |
| message SetAuthenticationDetailsResponse { |
| // Error message, empty if no error occurred. |
| optional string error_message = 1; |
| } |
| |
| message ShutDownRequest { |
| // Indicates which worker process should be shut down. If |ALL| are selected, |
| // it will shut down the service. |
| optional TrafficOrigin traffic_type = 1; |
| } |
| |
| message ShutDownResponse { |
| // Error message, empty if no error occurred. |
| optional string error_message = 1; |
| } |
| |
| // Connection details sent along with the WorkerActiveSignal which indicates |
| // what type of traffic is being forwarded and the proxy url to connect to. |
| // Chrome will use this information to forward the local proxy address either to |
| // system services (through the proxy resolution service) or to ARC. |
| message WorkerActiveSignalDetails { |
| // Indicates if the worker is authenticathing system or user traffic. |
| optional TrafficOrigin traffic_origin = 1; |
| // The local proxy address formatted as host:port. The proxy will be forwarded |
| // to system services as a PAC-style string and to ARC++ in scheme://host:port |
| // format. |
| optional string local_proxy_url = 2; |
| } |
| |
| // Message sent with the AuthenticationRequiredSignal. Contains information to |
| // search credentials in Chrome's http auth credential cache. After receiving |
| // this signal, Chrome is expected to call |SetAuthenticationDetails| with the |
| // missing credentials. |
| message AuthenticationRequiredDetails { |
| optional ProtectionSpace proxy_protection_space = 1; |
| // If true, it means that the credentials previously acquired for proxy |
| // authentication are incorrect and the user will be prompted to introduce new |
| // proxy credentials. If new credentials are set in the authentication |
| // dialogue, they are forwarded to System-proxy via the |
| // |SetAuthenticationDetails| D-Bus call and will overwrite the existing |
| // cached credentials associated with |proxy_protection_space|, otherwise the |
| // existing incorrect credentials are not cleared from the cache. |
| optional bool bad_cached_credentials = 2; |
| } |
| |
| // Message sent with the `GenerateNetworkAuthMessage` method. |
| message GenerateNetworkAuthMessageRequest { |
| optional NtlmAuthMessageRequest ntlm_message_auth_request = 1; |
| } |
| |
| message GenerateNetworkAuthMessageResponse { |
| // The network authentication message. If the method fails `auth_message` will |
| // be empty. |
| optional bytes auth_message = 1; |
| optional string error_message = 2; |
| } |
| |
| // These fields must be kept in sync with the chromium |
| // net::ntlm::NtlmClient::GenerateAuthenticateMessage() method args. |
| message NtlmAuthMessageRequest { |
| // Flag which indicates if the generated NTLM authentication message is |
| // NTLMv2. |
| optional bool ntlmv2_enabled = 1; |
| // Enables Message Integrity Check (MIC). This flag is ignored if |
| // `ntlmv2_enabled` is false. |
| optional bool mic_enabled = 2; |
| // Enables Extended Protection for Authentication (EPA). This flag is |
| // ignored if `ntlmv2_enabled` is false. |
| optional bool epa_enabled = 3; |
| // UTF-8 encoding of the domain name. |
| optional string domain = 4; |
| // Uppercase UTF-8 encoding of the username. Note that the NTLM hash will be |
| // generated using locale insensitive conversion rules. |
| optional string username = 5; |
| optional string hostname = 6; |
| optional string channel_bindings = 7; |
| optional string spn = 8; |
| optional uint64 client_time = 9; |
| // 8 bytes randomly generated by the client. This will be used by the server |
| // to compute the expected response. |
| optional bytes client_challenge = 10; |
| optional bytes server_challenge_message = 11; |
| } |