| // This contains the allow lists of the emulator gRPC endpoint. |
| // This list defines which sets of methods are accessible by whom. |
| // |
| // You can protect the gRPC services as follows: |
| // |
| // - Unprotected: The set of methods that can be invoked even when |
| // no access token is presented. No security checks will |
| // be performed when these methods are invoked. |
| // |
| // - allowlist: A set of JSON objects that specifies, for each token issuer, |
| // what is allowed and what requires an "aud" field. |
| // |
| // - "iss": The token issuer. |
| // - "allowed": List of methods which are allowed, even if no "aud" field |
| // is present on the jwt token. |
| // - "protected": List of methods which are allowed *ONLY IF* the given method |
| // is present in the "aud" field of the jwt token. |
| // Note: Methods that are not on the allowed or protected list will ALWAYS be rejected. |
| { |
| // Set of methods that do not require any validation; they do not require a token. |
| // You are always able to invoke these methods without presenting any form of authentication. |
| // This is a list of regular expressions. Access will be granted if the regular expression |
| // matches the endpoint. |
| "unprotected": [ |
| // ".*" // Matches every method, no authentication will be used **DANGER** |
| // "/android.emulation.control.SnapshotService.*" // Everyone can make snapshots. |
| ], |
| // List of methods that require a token, these are the methods |
| // we will allow if you present a signed JWT token. |
| "allowlist": [ |
| { |
| // Removing android-studio from the allowlist *WILL* break the embedded emulator. |
| // You probably do not want to change this. |
| "iss": "android-studio", // Tokens issued by android-studio |
| // Can access the following set of methods, even if the AUD claim for |
| // the given method is *NOT* present. |
| "allowed": [ |
| "/android.emulation.control.EmulatorController/.*", |
| // Interaction with extended controls. |
| "/android.emulation.control.UiController/.*", |
| // Snapshot related functions |
| "/android.emulation.control.SnapshotService/.*", |
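| // Incubating services. This pattern has no "/" separator, so it matches every service and method under the incubating prefix. |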
| "/android.emulation.control.incubating.*" |
| ] |
| }, |
| { |
| "iss": "icebox", |
| "protected": [ |
| "/android.emulation.control.SnapshotService/PullSnapshot", |
| "/android.emulation.control.SnapshotService/DeleteSnapshot", |
| "/android.emulation.control.SnapshotService/TrackProcess" |
| ] |
| }, |
| { |
| // For tokens issued by gradle we have the following restrictions: |
| "iss": "gradle-utp-emulator-control", |
| // Can access the following set of methods, even if the AUD claim for |
| // the given method is *NOT* present. |
| // |
| // Usually these are methods that do not present a significant amount |
| // of danger. |
| "allowed": [ |
| "/android.emulation.control.EmulatorController/getSensor", |
| "/android.emulation.control.EmulatorController/setSensor", |
| "/android.emulation.control.EmulatorController/setPhysicalModel", |
| "/android.emulation.control.EmulatorController/getPhysicalModel", |
| "/android.emulation.control.EmulatorController/streamPhysicalModel", |
| "/android.emulation.control.EmulatorController/setBattery", |
| "/android.emulation.control.EmulatorController/getBattery", |
| "/android.emulation.control.EmulatorController/setGps", |
| "/android.emulation.control.EmulatorController/getGps", |
| "/android.emulation.control.EmulatorController/sendPhone", |
| "/android.emulation.control.EmulatorController/sendSms", |
| "/android.emulation.control.EmulatorController/setDisplayConfigurations", |
| "/android.emulation.control.EmulatorController/getDisplayConfigurations", |
| "/android.emulation.control.EmulatorController/rotateVirtualSceneCamera", |
| "/android.emulation.control.EmulatorController/setVirtualSceneCameraVelocity", |
| "/android.emulation.control.EmulatorController/setPosture", |
| "/android.emulation.control.EmulatorController/getBrightness", |
| "/android.emulation.control.EmulatorController/setBrightness" |
| ], |
| // Set of methods that can *ONLY* be accessed if the given regex matches |
| // the entry in the "aud" claim. |
| "protected": [ |
| "/android.emulation.control.EmulatorController/getScreenshot", |
| "/android.emulation.control.EmulatorController/streamScreenshot", |
| // Clipboard access can be used to exchange data between the guest |
| // and the host. |
| "/android.emulation.control.EmulatorController/setClipboard", |
| "/android.emulation.control.EmulatorController/getClipboard", |
| "/android.emulation.control.EmulatorController/streamClipboard", |
| // Can be used to "authenticate" with biometric data. |
| "/android.emulation.control.EmulatorController/sendFingerprint", |
| // Touch, key and mouse can be used to manipulate device state |
| "/android.emulation.control.EmulatorController/sendKey", |
| "/android.emulation.control.EmulatorController/sendTouch", |
| "/android.emulation.control.EmulatorController/sendMouse", |
| // Could be used to trigger the assistant through "Hey Google!" |
| "/android.emulation.control.EmulatorController/injectAudio", |
| "/android.emulation.control.EmulatorController/streamAudio", |
| "/android.emulation.control.EmulatorController/getLogcat", |
| "/android.emulation.control.EmulatorController/streamLogcat", |
| // Could be used to observe the device state. |
| "/android.emulation.control.EmulatorController/getStatus", |
| "/android.emulation.control.EmulatorController/streamNotification" |
| ] |
| } |
| ] |
| } |