// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
syntax = "proto2";

package kerberos;

// LITE_RUNTIME: generated code carries no descriptors or reflection, so
// consumers cannot rely on text-format/JSON/DebugString for these messages.
option optimize_for = LITE_RUNTIME;
option go_package = "go.chromium.org/chromiumos/system_api/kerberos_proto";
// D-Bus call error codes. These values are written to logs. New enum values can
// be added, but existing enums must never be renumbered or deleted and reused.
// This is the proto2 default for every `optional ErrorType error` field in the
// response messages below, so a response whose `error` field was never set
// reads as ERROR_NONE; readers that must distinguish "unset" from "success"
// should check has_error().
enum ErrorType {
  // Everything is A-OK! Also the default value of an unset ErrorType field.
  ERROR_NONE = 0;
  // Unspecified error.
  ERROR_UNKNOWN = 1;
  // Unspecified D-Bus error.
  ERROR_DBUS_FAILURE = 2;
  // General network problem.
  ERROR_NETWORK_PROBLEM = 3;
  // KRB5 error that has no equivalent in this enum. See logs for original code.
  ERROR_UNKNOWN_KRB5_ERROR = 4;
  // Auth failed, bad principal while getting Kerberos credentials.
  ERROR_BAD_PRINCIPAL = 5;
  // Auth failed, bad password while getting Kerberos credentials.
  ERROR_BAD_PASSWORD = 6;
  // Auth failed, password expired while getting Kerberos credentials.
  ERROR_PASSWORD_EXPIRED = 7;
  // Auth failed to change password, password was rejected.
  ERROR_PASSWORD_REJECTED = 8;
  // Kerberos credentials cache not found.
  ERROR_NO_CREDENTIALS_CACHE_FOUND = 9;
  // Kerberos ticket expired while renewing credentials.
  ERROR_KERBEROS_TICKET_EXPIRED = 10;
  // KDC does not support the encryption enforced in krb5.conf.
  ERROR_KDC_DOES_NOT_SUPPORT_ENCRYPTION_TYPE = 11;
  // Failed to contact Key Distribution Center.
  ERROR_CONTACTING_KDC_FAILED = 12;
  // Parsing a request message failed.
  ERROR_PARSE_REQUEST_FAILED = 13;
  // Some local IO operation failed.
  ERROR_LOCAL_IO = 14;
  // Requested principal name not known to the account manager.
  ERROR_UNKNOWN_PRINCIPAL_NAME = 15;
  // Adding account failed since the principal name is already known.
  ERROR_DUPLICATE_PRINCIPAL_NAME = 16;
  // Some asynchronous operation is still in progress. Should call later.
  ERROR_IN_PROGRESS = 17;
  // Badly formatted principal name.
  ERROR_PARSE_PRINCIPAL_FAILED = 18;
  // Badly formatted Kerberos configuration.
  ERROR_BAD_CONFIG = 19;
  // Failed to run untrusted code in container.
  ERROR_JAIL_FAILURE = 20;
  // Kerberos feature disabled.
  ERROR_KERBEROS_DISABLED = 21;
  // Should be the last. Increase when adding new enum values.
  // Sentinel for sizing tables/histograms; never a valid response status.
  ERROR_COUNT = 22;
}
// Error codes returned from ValidateConfig. These values are written to logs.
// New enum values can be added, but existing enums must never be renumbered or
// deleted and reused. Carried in ConfigErrorInfo.code; CONFIG_ERROR_NONE is
// also the proto2 default for an unset field of this type.
enum ConfigErrorCode {
  // Configuration is valid.
  CONFIG_ERROR_NONE = 0;
  // e.g. realm = { ... [somesection] ... }.
  CONFIG_ERROR_SECTION_NESTED_IN_GROUP = 1;
  // Expected "[section]".
  CONFIG_ERROR_SECTION_SYNTAX = 2;
  // Expected '{' on new line after "key = "
  CONFIG_ERROR_EXPECTED_OPENING_CURLY_BRACE = 3;
  // Too many closing curly braces '}'.
  CONFIG_ERROR_EXTRA_CURLY_BRACE = 4;
  // Expected "key = ...".
  CONFIG_ERROR_RELATION_SYNTAX = 5;
  // Non-allowlisted key used.
  CONFIG_ERROR_KEY_NOT_SUPPORTED = 6;
  // Non-allowlisted section used.
  CONFIG_ERROR_SECTION_NOT_SUPPORTED = 7;
  // The Kerberos library failed to parse the configuration.
  CONFIG_ERROR_KRB5_FAILED_TO_PARSE = 8;
  // Too many nested '{'.
  CONFIG_ERROR_TOO_MANY_NESTED_GROUPS = 9;
  // Config line is too long.
  CONFIG_ERROR_LINE_TOO_LONG = 10;
  // Should be the last. Increase when adding new enum values.
  // Sentinel for sizing tables/histograms; never a valid error code.
  CONFIG_ERROR_COUNT = 11;
}
// Selects what ClearAccounts removes. Note that the zero value, CLEAR_ALL, is
// the most destructive option and is also what an unset ClearMode field reads
// as; senders should always set ClearAccountsRequest.mode explicitly rather
// than relying on the default. Existing values must not be renumbered.
enum ClearMode {
  // Remove all accounts.
  CLEAR_ALL = 0;
  // Remove all unmanaged accounts, leave managed accounts untouched.
  CLEAR_ONLY_UNMANAGED_ACCOUNTS = 1;
  // Remove previously remembered passwords for unmanaged accounts.
  CLEAR_ONLY_UNMANAGED_REMEMBERED_PASSWORDS = 2;
  // Remove all managed accounts, leave unmanaged accounts untouched.
  CLEAR_ONLY_MANAGED_ACCOUNTS = 3;
}
// Message sent to Chrome by kerberosd as a response to a successful
// GetUserKerberosFiles call. Carried in GetKerberosFilesResponse.files.
message KerberosFiles {
  // Kerberos credential cache. Holds the account's tickets, i.e. live
  // authentication material: treat as secret, do not log or persist outside
  // the intended credential store.
  optional bytes krb5cc = 1;
  // Kerberos configuration data.
  optional bytes krb5conf = 2;
}
// One Kerberos account known to the daemon, as reported in the `accounts`
// lists of RemoveAccountResponse, ClearAccountsResponse and
// ListAccountsResponse. Contains status only; no ticket or password material.
message Account {
  // Principal name (user@REALM.COM). Accounts are keyed by principal name.
  optional string principal_name = 1;
  // Kerberos configuration data. Not set if the configuration file does not
  // exist or some error occurred trying to read it.
  optional bytes krb5conf = 2;
  // For how many seconds the TGT is still valid. A value of zero means that the
  // ticket has expired. Not set if the ticket does not exist or some error
  // occurred trying to read it. Check has_tgt_validity_seconds() to tell
  // "expired" (0) from "unknown" (unset).
  optional int64 tgt_validity_seconds = 3;
  // For how many seconds the TGT is still renewable. A value of zero means that
  // the ticket cannot be renewed anymore. Not set if the ticket does not exist
  // or some error occurred trying to read it.
  optional int64 tgt_renewal_seconds = 4;
  // Whether the account is managed by policy.
  optional bool is_managed = 5;
  // Whether there's a password stored on disk for this account (see
  // AcquireKerberosTgtRequest.remember_password).
  optional bool password_was_remembered = 6;
  // Whether the account uses the ChromeOS login password for authentication.
  optional bool use_login_password = 7;
}
// Contains error information from config validation. Returned in
// ValidateConfigResponse.error_info.
message ConfigErrorInfo {
  // Error code. Set to CONFIG_ERROR_NONE if there was no error. Note that
  // CONFIG_ERROR_NONE is also the value of an unset field.
  optional ConfigErrorCode code = 1;
  // Line index (0-based) where the error occurred.
  optional int32 line_index = 2;
}
// Request for the AddAccount D-Bus call.
message AddAccountRequest {
  // Principal name of the account to add (user@REALM.COM).
  optional string principal_name = 1;
  // Whether the account is managed by policy.
  optional bool is_managed = 2;
}
// Response for the AddAccount D-Bus call.
message AddAccountResponse {
  // Response status. Reads as ERROR_NONE when unset.
  optional ErrorType error = 1;
}
// Request for the RemoveAccount D-Bus call.
message RemoveAccountRequest {
  // Principal name of the account to remove (user@REALM.COM).
  optional string principal_name = 1;
}
// Response for the RemoveAccount D-Bus call.
message RemoveAccountResponse {
  // Response status. Reads as ERROR_NONE when unset.
  optional ErrorType error = 1;
  // List of remaining accounts.
  repeated Account accounts = 2;
}
// Request for the ClearAccounts D-Bus call.
message ClearAccountsRequest {
  // What kind of data to clear. The default, CLEAR_ALL, removes every account,
  // so a request that omits this field is the most destructive one; senders
  // should set it explicitly.
  optional ClearMode mode = 1 [default = CLEAR_ALL];
  // Do not touch the accounts of the principals listed here.
  repeated string principal_names_to_ignore = 2;
}
// Response for the ClearAccounts D-Bus call.
message ClearAccountsResponse {
  // Response status. Reads as ERROR_NONE when unset.
  optional ErrorType error = 1;
  // List of remaining accounts.
  repeated Account accounts = 2;
}
// Request for the ListAccounts D-Bus call. Intentionally empty so that fields
// can be added later without changing the call signature.
message ListAccountsRequest {
  // Reserved for future use.
}
// Response for the ListAccounts D-Bus call.
message ListAccountsResponse {
  // Response status. Reads as ERROR_NONE when unset.
  optional ErrorType error = 1;
  // List of accounts.
  repeated Account accounts = 2;
}
// Request for the SetConfig D-Bus call.
message SetConfigRequest {
  // Principal name of the account to be updated (user@REALM.COM).
  optional string principal_name = 1;
  // Kerberos configuration data to set. Declared as string here, whereas
  // Account.krb5conf and KerberosFiles.krb5conf are bytes; keep the content
  // valid UTF-8 text.
  optional string krb5conf = 2;
}
// Response for the SetConfig D-Bus call.
message SetConfigResponse {
  // Response status. Reads as ERROR_NONE when unset.
  optional ErrorType error = 1;
}
// Request for the ValidateConfig D-Bus call.
message ValidateConfigRequest {
  // Kerberos configuration data to validate. Same type as
  // SetConfigRequest.krb5conf.
  optional string krb5conf = 1;
}
// Response for the ValidateConfig D-Bus call.
message ValidateConfigResponse {
  // Response status. Equals ERROR_BAD_CONFIG if validation failed.
  optional ErrorType error = 1;
  // More specific information describing the kind of error.
  optional ConfigErrorInfo error_info = 2;
}
// Request for the AcquireKerberosTgt D-Bus call. The password itself is never
// part of this message; it travels out-of-band in a file descriptor passed as
// a separate D-Bus parameter, so this proto can be logged without leaking it.
message AcquireKerberosTgtRequest {
  // Principal name of the account to acquire a ticket for (user@REALM.COM).
  optional string principal_name = 1;
  // Whether the daemon should remember the password (passed separately in a
  // file descriptor). A remembered password is reported later via
  // Account.password_was_remembered.
  optional bool remember_password = 2;
  // Whether to use the ChromeOS login password for authentication. The
  // password file descriptor (passed as D-Bus param) is ignored in this case.
  optional bool use_login_password = 3;
}
// Response for the AcquireKerberosTgt D-Bus call.
message AcquireKerberosTgtResponse {
  // Response status. Reads as ERROR_NONE when unset.
  optional ErrorType error = 1;
}
// Request for the GetKerberosFiles D-Bus call.
message GetKerberosFilesRequest {
  // Principal name of the account to get files from (user@REALM.COM).
  optional string principal_name = 1;
}
// Response for the GetKerberosFiles D-Bus call.
message GetKerberosFilesResponse {
  // Response status. Reads as ERROR_NONE when unset.
  optional ErrorType error = 1;
  // Retrieved Kerberos files. Contains the credential cache (KerberosFiles.krb5cc),
  // so the whole response should be handled as sensitive.
  optional KerberosFiles files = 2;
}