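// Allow lists for the emulator gRPC endpoint.
// These lists define which sets of methods are accessible by whom.
//
// You can protect the gRPC services as follows:
//
// - "unprotected": The set of methods that can be invoked even when
//                  no access token is presented. No security checks will
//                  be performed when these methods are invoked.
//
// - "allowlist": A set of JSON objects that specifies, for each token issuer,
//                what is allowed and what requires an "aud" field.
//
//     - "iss": The token issuer.
//     - "allowed": List of methods which are allowed, even if no "aud" field
//                  is present on the JWT.
//     - "protected": List of methods which are allowed *ONLY IF* the given method
//                    is present in the "aud" field of the JWT.
//
// Note: Methods that are not on the allowed or protected list will ALWAYS be rejected.
//
// NOTE(review): the entries below are regular expressions and "." is not escaped,
// so it matches any character rather than only a literal dot. Confirm that the
// matcher anchors each pattern to the whole method path; with a substring match
// an exact-looking entry would cover more than the one method it names.
{
  // Set of methods that do not require any validation; they do not require a token.
  // You are always able to invoke these methods without presenting any form of
  // authentication.
  // This is a list of regular expressions. Access will be granted if the regular
  // expression matches the endpoint.
  // Keep this list empty unless a method really must be reachable by every caller
  // that can connect to the endpoint.
  "unprotected": [
    // ".*"  // Matches every method, no authentication will be used **DANGER**
    // "/android.emulation.control.SnapshotService.*"  // Everyone can make snapshots.
  ],
  // List of methods that require a token. These are the methods
  // we will allow if you present a signed JWT.
  "allowlist": [
    {
      // Removing android-studio from the allowlist *WILL* break the embedded emulator.
      // You probably do not want to change this.
      "iss": "android-studio", // Tokens issued by android-studio
      // Can access the following set of methods, even if the "aud" claim for
      // the given method is *NOT* present.
      // Every pattern here is a wildcard over a whole service, so a token accepted
      // for this issuer can call all of these methods without any "aud" restriction.
      "allowed": [
        "/android.emulation.control.EmulatorController/.*",
        // Interaction with extended controls.
        "/android.emulation.control.UiController/.*",
        // Snapshot related functions
        "/android.emulation.control.SnapshotService/.*",
        // Incubating services. There is no "/" before ".*", so this covers every
        // service whose name starts with this prefix, not a single service.
        "/android.emulation.control.incubating.*"
      ]
    },
    {
      // This issuer has no "allowed" list: each method below is granted only
      // when it is present in the "aud" field of the token.
      "iss": "icebox",
      "protected": [
        "/android.emulation.control.SnapshotService/PullSnapshot",
        "/android.emulation.control.SnapshotService/DeleteSnapshot",
        "/android.emulation.control.SnapshotService/TrackProcess"
      ]
    },
    {
      // For tokens issued by gradle we have the following restrictions:
      "iss": "gradle-utp-emulator-control",
      // Can access the following set of methods, even if the "aud" claim for
      // the given method is *NOT* present.
      //
      // Usually these are methods that do not present a significant amount
      // of danger.
      "allowed": [
        "/android.emulation.control.EmulatorController/getSensor",
        "/android.emulation.control.EmulatorController/setSensor",
        "/android.emulation.control.EmulatorController/setPhysicalModel",
        "/android.emulation.control.EmulatorController/getPhysicalModel",
        "/android.emulation.control.EmulatorController/streamPhysicalModel",
        "/android.emulation.control.EmulatorController/setBattery",
        "/android.emulation.control.EmulatorController/getBattery",
        "/android.emulation.control.EmulatorController/setGps",
        "/android.emulation.control.EmulatorController/getGps",
        "/android.emulation.control.EmulatorController/sendPhone",
        "/android.emulation.control.EmulatorController/sendSms",
        "/android.emulation.control.EmulatorController/setDisplayConfigurations",
        "/android.emulation.control.EmulatorController/getDisplayConfigurations",
        "/android.emulation.control.EmulatorController/rotateVirtualSceneCamera",
        "/android.emulation.control.EmulatorController/setVirtualSceneCameraVelocity",
        "/android.emulation.control.EmulatorController/setPosture",
        "/android.emulation.control.EmulatorController/getBrightness",
        "/android.emulation.control.EmulatorController/setBrightness"
      ],
      // Set of methods that can *ONLY* be accessed if the given regex matches
      // the entry on the "aud" claim.
      "protected": [
        // Screen contents of the guest.
        "/android.emulation.control.EmulatorController/getScreenshot",
        "/android.emulation.control.EmulatorController/streamScreenshot",
        // Clipboard access can be used to exchange data between the guest
        // and the host.
        "/android.emulation.control.EmulatorController/setClipboard",
        "/android.emulation.control.EmulatorController/getClipboard",
        "/android.emulation.control.EmulatorController/streamClipboard",
        // Can be used to "authenticate" with biodata.
        "/android.emulation.control.EmulatorController/sendFingerprint",
        // Touch, key and mouse can be used to manipulate device state
        "/android.emulation.control.EmulatorController/sendKey",
        "/android.emulation.control.EmulatorController/sendTouch",
        "/android.emulation.control.EmulatorController/sendMouse",
        // Could be used to trigger the assistant through "Hey Google!"
        "/android.emulation.control.EmulatorController/injectAudio",
        "/android.emulation.control.EmulatorController/streamAudio",
        // Log output of the guest.
        "/android.emulation.control.EmulatorController/getLogcat",
        "/android.emulation.control.EmulatorController/streamLogcat",
        // Could be used to observe the device state.
        "/android.emulation.control.EmulatorController/getStatus",
        "/android.emulation.control.EmulatorController/streamNotification"
      ]
    }
  ]
}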