PSM: Support PSM RLWE based message definitions in Chromium

This CL adds the communication between client and server
for issuing and retrieving determination using PSM. It also
supports the usage of private_membership third_party protos
package in device_management_backend.

BUG=chromium:1094675

Binary-Size: Increase is temporary.
Change-Id: If791aa1a4a936e1d42fde397a33c1a19c640359d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2245131
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Amr Aboelkher <amraboelkher@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Commit-Queue: Amr Aboelkher <amraboelkher@chromium.org>
Cr-Commit-Position: refs/heads/master@{#803532}

chrome/test/BUILD.gn

@@ -66,6 +66,9 @@ group("policy_testserver_pyproto") {
     "$root_out_dir/pyproto/components/policy/proto/device_management_backend_pb2.py",
     "$root_out_dir/pyproto/components/policy/proto/cloud_policy_pb2.py",
     "$root_out_dir/pyproto/components/policy/proto/policy_common_definitions_pb2.py",
+    "$root_out_dir/pyproto/third_party/shell-encryption/src/serialization_pb2.py",
+    "$root_out_dir/pyproto/third_party/private_membership/src/private_membership_pb2.py",
+    "$root_out_dir/pyproto/third_party/private_membership/src/private_membership_rlwe_pb2.py",
   ]
 
   if (!is_android) {
@@ -800,6 +803,9 @@ if (!is_android) {
       "//chrome:browser_tests_pak",
       "//chrome/browser/resources/media/mei_preload:component",
       "//chrome/test/data/webui:modulize",
+      "//components/policy/proto",
+      "//third_party/private_membership:private_membership_proto",
+      "//third_party/shell-encryption:serialization_proto",
 
       # TODO(thakis): Why do these need copying in browser_tests?
       # content_browsertests uses the non-copied files instead.

components/policy/proto/BUILD.gn

@@ -67,7 +67,22 @@ proto_library("proto_internal") {
     sources += [ "chrome_extension_policy.proto" ]
   }
 
-  link_deps = [ ":policy_common_definitions_compile_proto" ]
+  extra_configs =
+      [ "//third_party/private_membership:private_membership_config" ]
+
+  import_dirs = [
+    "//third_party/private_membership/src",
+    "//third_party/shell-encryption/src",
+    ".",
+  ]
+
+  proto_in_dir = "//"
+
+  link_deps = [
+    ":policy_common_definitions_compile_proto",
+    "//third_party/private_membership:private_membership_proto",
+  ]
+
   cc_generator_options = "dllexport_decl=POLICY_PROTO_EXPORT:"
   cc_include = "components/policy/proto/policy_proto_export.h"
   component_build_force_source_set = true

components/policy/proto/device_management_backend.proto

@@ -8,6 +8,8 @@ option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
+import "private_membership_rlwe.proto";
+
 // Everything below this comment will be synchronized between client and server
 // repos ( go/cros-proto-sync ).
 
@@ -2153,6 +2155,38 @@ message SessionStatusReportResponse {
   optional string error_message = 2;
 }
 
+// Request from client to query device state using Private Set Membership (PSM).
+// Please see go/cros-enterprise-psm and go/cros-client-psm for more details.
+message PrivateSetMembershipRequest {
+  // A request proto from the RLWE PSM protocol.
+  optional PrivateSetMembershipRlweRequest rlwe_request = 1;
+}
+
+message PrivateSetMembershipResponse {
+  // A response proto from the RLWE PSM protocol.
+  optional PrivateSetMembershipRlweResponse rlwe_response = 1;
+}
+
+message PrivateSetMembershipRlweRequest {
+  // First request sent by the client for checking membership.
+  optional private_membership.rlwe.PrivateMembershipRlweOprfRequest
+      oprf_request = 1;
+
+  // Second request sent by the client for checking membership.
+  optional private_membership.rlwe.PrivateMembershipRlweQueryRequest
+      query_request = 2;
+}
+
+message PrivateSetMembershipRlweResponse {
+  // First response sent by the server for checking membership.
+  optional private_membership.rlwe.PrivateMembershipRlweOprfResponse
+      oprf_response = 1;
+
+  // Second response sent by the server for checking membership.
+  optional private_membership.rlwe.PrivateMembershipRlweQueryResponse
+      query_response = 2;
+}
+
 // Request from device to server to determine whether the device should
 // go through enterprise enrollment. Unlike the other requests, this request is
 // not authenticated.
@@ -3437,6 +3471,7 @@ message ClientCertificateProvisioningResponse {
 //     * device_pairing
 //     * device_state_retrieval
 //     * enterprise_check
+//     * enterprise_psm_check
 //     * chrome_desktop_report
 //     * chrome_os_user_report
 //     * ping
@@ -3479,8 +3514,9 @@ message ClientCertificateProvisioningResponse {
 //     Authorization: GoogleDMToken token=<dm token from register>
 //
 //   * The Authorization header isn't used for enterprise_check,
-//     device_initial_enrollment_state or certificate_based_register requests,
-//     nor for register requests using OAuth. In the latter case, the OAuth
+//     enterprise_psm_check, device_initial_enrollment_state or
+//     certificate_based_register requests, nor for register
+//     requests using OAuth. In the latter case, the OAuth
 //     token is passed in the "oauth" parameter.
 //
 // DeviceManagementRequest should only contain one request which matches the
@@ -3628,11 +3664,9 @@ message DeviceManagementRequest {
   // Request to check user account for smart enrollment.
   optional CheckUserAccountRequest check_user_account_request = 36;
 
-  // This message is temporarily commented out due to build errors, to be
-  // resolved in crrev.com/c/2245131.
   // Request from device to check the state stored in PSM. Currently, it is used
-  // for ZT/LP device initial enrollment state check.
-  // optional PrivateSetMembershipRequest private_set_membership_request = 37;
+  // for ZTE/LP device initial enrollment state check.
+  optional PrivateSetMembershipRequest private_set_membership_request = 37;
 
   // Next id: 38.
 }
@@ -3767,10 +3801,8 @@ message DeviceManagementResponse {
   // Response to a checking user account type for smart enrollment.
   optional CheckUserAccountResponse check_user_account_response = 34;
 
-  // This message is temporarily commented out due to build errors, to be
-  // resolved in crrev.com/c/2245131.
   // Response to a client private set membership request.
-  // optional PrivateSetMembershipResponse private_set_membership_response = 35;
+  optional PrivateSetMembershipResponse private_set_membership_response = 35;
 
   // Next id: 36.
 }

components/policy/test_support/local_policy_test_server.cc

@@ -244,6 +244,13 @@ LocalPolicyTestServer::GetPythonPath() const {
                      .AppendASCII("policy")
                      .AppendASCII("proto"));
 
+  ret->push_back(pyproto_dir.AppendASCII("third_party")
+                     .AppendASCII("shell-encryption")
+                     .AppendASCII("src"));
+  ret->push_back(pyproto_dir.AppendASCII("third_party")
+                     .AppendASCII("private_membership")
+                     .AppendASCII("src"));
+
   return ret;
 }
 

net/test/spawned_test_server/local_test_server.cc

@@ -84,8 +84,8 @@ bool LocalTestServer::GetTestServerPath(base::FilePath* testserver_path) const {
     return false;
   }
   testserver_dir = testserver_dir.Append(FILE_PATH_LITERAL("net"))
-                                 .Append(FILE_PATH_LITERAL("tools"))
-                                 .Append(FILE_PATH_LITERAL("testserver"));
+                       .Append(FILE_PATH_LITERAL("tools"))
+                       .Append(FILE_PATH_LITERAL("testserver"));
   *testserver_path = testserver_dir.Append(FILE_PATH_LITERAL("testserver.py"));
   return true;
 }
@@ -161,9 +161,9 @@ bool LocalTestServer::Init(const base::FilePath& document_root) {
     return false;
   SetResourcePath(src_dir.Append(document_root),
                   src_dir.AppendASCII("net")
-                         .AppendASCII("data")
-                         .AppendASCII("ssl")
-                         .AppendASCII("certificates"));
+                      .AppendASCII("data")
+                      .AppendASCII("ssl")
+                      .AppendASCII("certificates"));
   return true;
 }
 
@@ -184,7 +184,7 @@ base::Optional<std::vector<base::FilePath>> LocalTestServer::GetPythonPath()
   // Locate the Python code generated by the protocol buffers compiler.
   base::FilePath pyproto_dir;
   if (GetPyProtoPath(&pyproto_dir)) {
-    ret.push_back(pyproto_dir);
+    ret.push_back(std::move(pyproto_dir));
   } else {
     LOG(WARNING) << "Cannot find pyproto dir for generated code. "
                  << "Testserver features that rely on it will not work";
@@ -215,7 +215,7 @@ bool LocalTestServer::AddCommandLineArguments(
           return false;
       }
     } else if (!AppendArgumentFromJSONValue(key, value, command_line)) {
-        return false;
+      return false;
     }
   }