You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
111 lines
6.2 KiB
111 lines
6.2 KiB
// This contains the allow lists of the emulator gRPC endpoint.
|
|
// This list defines which sets of methods are accessible by whom.
|
|
//
|
|
// You can protect the gRPC services as follows:
|
|
//
|
|
// - Unprotected: The set of methods that can be invoked even when
|
|
// no access token is presented. No security checks will
|
|
// be performed when these methods are invoked.
|
|
//
|
|
// - allowlist: A set of json objects that specificies for each token issuer,
|
|
// what is allowed and what requires an "aud" field.
|
|
//
|
|
// - "iss": The token issuer.
|
|
// - "allowed": List of methods which are allowed, even if no "aud" field
|
|
// is present on the jwt token.
|
|
// - "protected": List of methods which are allowed *ONLY IF* the given method
|
|
// is present in the "aud" field of the jwt token.
|
|
// Note: Methods that are not on the allowed or protected list will ALWAYS be rejected.
|
|
{
|
|
// Set of methods that do not require any validations, they do not require a token.
|
|
// You are always able to invoke this method, without presenting any form of authentication.
|
|
// This is a list of regular expressions. Access will be granted if the regular expression
|
|
// matches the endpoint.
|
|
"unprotected": [
|
|
// ".*" // Matches every method, no authentication will be used **DANGER**
|
|
// "/android.emulation.control.SnapshotService.*" // Everyone can make snapshots.
|
|
],
|
|
// List of methods that require a token, these are the methods
|
|
// we will allow if you present a signed JWT token.
|
|
"allowlist": [
|
|
{
|
|
// Removing android-studio from the allowlist *WILL* break the embedded emulator.
|
|
// You probably do not want to change this.
|
|
"iss": "android-studio", // Tokens issued by android-studio
|
|
// Can access the following set of methods, even if the AUD claim for
|
|
// the given method is *NOT* present.
|
|
"allowed": [
|
|
"/android.emulation.control.EmulatorController/.*",
|
|
// Interaction with extended controls.
|
|
"/android.emulation.control.UiController/.*",
|
|
// Snapshot related functions
|
|
"/android.emulation.control.SnapshotService/.*",
|
|
// Incubating services
|
|
"/android.emulation.control.incubating.*"
|
|
]
|
|
},
|
|
{
|
|
"iss": "icebox",
|
|
"protected": [
|
|
"/android.emulation.control.SnapshotService/PullSnapshot",
|
|
"/android.emulation.control.SnapshotService/DeleteSnapshot",
|
|
"/android.emulation.control.SnapshotService/TrackProcess"
|
|
]
|
|
},
|
|
{
|
|
// For tokens issued by gradle we have the following restrictions:
|
|
"iss": "gradle-utp-emulator-control",
|
|
// Can access the following set of methods, even if the AUD claim for
|
|
// the given method is *NOT* present.
|
|
//
|
|
// Usually these are methods that do not present a significant amount
|
|
// of danger.
|
|
"allowed": [
|
|
"/android.emulation.control.EmulatorController/getSensor",
|
|
"/android.emulation.control.EmulatorController/setSensor",
|
|
"/android.emulation.control.EmulatorController/setPhysicalModel",
|
|
"/android.emulation.control.EmulatorController/getPhysicalModel",
|
|
"/android.emulation.control.EmulatorController/streamPhysicalModel",
|
|
"/android.emulation.control.EmulatorController/setBattery",
|
|
"/android.emulation.control.EmulatorController/getBattery",
|
|
"/android.emulation.control.EmulatorController/setGps",
|
|
"/android.emulation.control.EmulatorController/getGps",
|
|
"/android.emulation.control.EmulatorController/sendPhone",
|
|
"/android.emulation.control.EmulatorController/sendSms",
|
|
"/android.emulation.control.EmulatorController/setDisplayConfigurations",
|
|
"/android.emulation.control.EmulatorController/getDisplayConfigurations",
|
|
"/android.emulation.control.EmulatorController/rotateVirtualSceneCamera",
|
|
"/android.emulation.control.EmulatorController/setVirtualSceneCameraVelocity",
|
|
"/android.emulation.control.EmulatorController/setPosture",
|
|
"/android.emulation.control.EmulatorController/getBrightness",
|
|
"/android.emulation.control.EmulatorController/setBrightness"
|
|
],
|
|
// Set of methods that can *ONLY* be accessed if given regex matches
|
|
// the entry on the "aud" claim.
|
|
"protected": [
|
|
"/android.emulation.control.EmulatorController/getScreenshot",
|
|
"/android.emulation.control.EmulatorController/streamScreenshot",
|
|
// Clipboard access can be used to exchange data between the guest
|
|
// and the host.
|
|
"/android.emulation.control.EmulatorController/setClipboard",
|
|
"/android.emulation.control.EmulatorController/getClipboard",
|
|
"/android.emulation.control.EmulatorController/streamClipboard",
|
|
// Can be used to "authenticate" with biodata.
|
|
"/android.emulation.control.EmulatorController/sendFingerprint",
|
|
// Touch, key and mouse can be used to manipulate device state
|
|
"/android.emulation.control.EmulatorController/sendKey",
|
|
"/android.emulation.control.EmulatorController/sendTouch",
|
|
"/android.emulation.control.EmulatorController/sendMouse",
|
|
// Could be used to trigger the assistant through "Hey Google!"
|
|
"/android.emulation.control.EmulatorController/injectAudio",
|
|
"/android.emulation.control.EmulatorController/streamAudio",
|
|
"/android.emulation.control.EmulatorController/getLogcat",
|
|
"/android.emulation.control.EmulatorController/streamLogcat",
|
|
// Could be used to observe the device state.
|
|
"/android.emulation.control.EmulatorController/getStatus",
|
|
"/android.emulation.control.EmulatorController/streamNotification"
|
|
]
|
|
}
|
|
]
|
|
}
|