| syntax = "proto2"; |
| |
| option optimize_for = LITE_RUNTIME; |
| |
| package authpolicy.protos; |
| |
| // Active directory information entered during domain join. |
| message ActiveDirectoryConfig { |
| // Computer name from domain join operation. |
| optional string machine_name = 1; |
| reserved 2; |
| // Realm where the computer was joined to. |
| optional string realm = 3; |
| } |
| |
| // Information about a GPO parsed from net ads gpo list. |name| is the 16-byte |
| // guid (e.g. {12345678-90AB-...}). |share| and |directory| are created from |
| // the first and the last part of the GPO's 'filesyspath' value in the net |
| // output, e.g. if filesyspath is |
| // \\example.com\SysVol\example.com\Policies\{12345678-90AB-CDEF-1234-567890ABCDEF}, |
| // then |share| is 'SysVol' and |directory| is |
| // example.com\Policies\{12345678-90AB-CDEF-1234-567890ABCDEF}. |version| is the |
| // user or machine version of the GPO, depending on the policy scope. |
| message GpoEntry { |
| optional string name = 1; |
| optional string share = 2; |
| optional string directory = 3; |
| optional uint32 version = 4; |
| } |
| |
| // List of GPOs on server. Agnostic of policy scope (user/machine); GPOs can |
| // contain both user and machine policy. |
| message GpoList { |
| repeated GpoEntry entries = 1; |
| } |
| |
| // Local file paths of downloaded GPO files. |
| message FilePathList { |
| repeated string entries = 1; |
| } |
| |
| // Validity and renewal lifetimes of a Kerberos ticket-granting-ticket. |
| message TgtLifetime { |
| // Number of seconds the TGT is still valid and can be used to query service |
| // tickets. |
| optional int64 validity_seconds = 1; |
| |
| // Number of seconds until the TGT cannot be renewed again. Zero in case the |
| // TGT cannot be renewed. Otherwise, not smaller than |validity_seconds|. |
| // Note that this is just an upper bound on total validity time. Renewal must |
| // still happen within the validity lifetime. |
| optional int64 renewal_seconds = 2; |
| } |
| |
| // Data returned from net ads info. |
| message ServerInfo { |
| // Key distribution center IP address. |
| optional string kdc_ip = 1; |
| // Server time in base::Time's internal time representation. |
| optional int64 server_time = 2; |
| } |
| |
| // Debug flags. |
| message DebugFlags { |
| // Disable seccomp filters. |
| optional bool disable_seccomp = 1; |
| // Log seccomp filter failures. |
| optional bool log_seccomp = 2; |
| // Enable krb5 trace logs. Only shown if log_command_output is set as well. |
| optional bool trace_krb5 = 3; |
| // Log policy values read from GPO. |
| optional bool log_policy_values = 4; |
| // Log command line and exit code in ProcessExecutor. |
| optional bool log_commands = 5; |
| // Log stdout and stderr in ProcessExecutor no matter whether the command |
| // succeeded or not. |
| optional bool log_command_output = 6; |
| // Log stdout and stderr in ProcessExecutor if the command failed. |
| optional bool log_command_output_on_error = 7; |
| // Log list of filtered, broken and valid GPOs. |
| optional bool log_gpo = 8; |
| // Log level for Samba net commands. Only shown if log_command_output is set |
| // as well. |
| optional string net_log_level = 10 [default = "0"]; |
| // Disable the log anonymizer. |
| optional bool disable_anonymizer = 11; |
| // Log results of GetUserStatus. |
| optional bool log_status = 12; |
| // Log state of GPO version cache and auth data cache. |
| optional bool log_caches = 13; |
| } |
| |
| // Container for policy for extensions. |
| message ExtensionPolicy { |
| // Extension ID, e.g. gihmafigllmhbppdfjnfecimiohcljba. |
| optional string id = 1; |
| |
| // Extension policy json data. |
| optional string json_data = 2; |
| } |
| |
| // Policy loaded and parsed from GPO. |
| message GpoPolicyData { |
| // User or device policy, depending on which GPOs were loaded. User and device |
| // GPOs are serialized CloudPolicySettings and ChromeDeviceSettingsProto |
| // protos, respectively. |
| optional string user_or_device_policy = 1; |
| |
| // Extension policy can be both in user and device GPOs. |
| repeated ExtensionPolicy extension_policies = 2; |
| } |
| |
| // Backup data for Kerberos ticket manager state. |
| message TgtState { |
| // Realm used to acquire the ticket-granting-ticket. |
| optional string realm = 1; |
| // Key distribution center (KDC) IP address. |
| optional string kdc_ip = 2; |
| // User principal (user@REALM). |
| optional string principal = 3; |
| // Kerberos credential cache. |
| optional string krb5cc = 4; |
| } |
| |
| // Backup data for user authentication state. Stored on the user's Cryptohome. |
| message UserBackupData { |
| // Kerberos ticket manager state. |
| optional TgtState tgt_state = 1; |
| // Timestamp of last password change on server. |
| optional uint64 pwd_last_set = 2; |
| // User sAMAccountName. |
| optional string user_name = 3; |
| // Is the user affiliated with the machine's domain? |
| optional bool is_user_affiliated = 4; |
| // Realm part of user login "user@realm". |
| optional string user_realm = 5; |
| } |
| |
| message CachedRealmData { |
| // Timestamp when this data item was created (base::Time internal value). |
| optional int64 cache_time = 1; |
| // Active Directory workgroup. |
| optional string workgroup = 2; |
| // Key distribution center (KDC) IP address. |
| optional string kdc_ip = 3; |
| // Domain controller (DC) name. |
| optional string dc_name = 4; |
| // Whether this realm is affiliated with the device's realm. |
| optional bool is_affiliated = 5; |
| } |
| |
| message CachedAuthData { |
| // Maps usually capitalized realm (CORP.EXAMPLE.COM) to cached realm data. |
| map<string, CachedRealmData> realm_data = 1; |
| } |