google-apis-binaryauthorization_v1 0.1.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: a20b0fd5d53fadda8a61c7ee79491bb316e22f28991ae974f61f55d3fe2508a3
4
+ data.tar.gz: ce31aed5834429439e060be87c8a2c0b6bdec2891701cdbda75e7ed4be0eb5ef
5
+ SHA512:
6
+ metadata.gz: a758f8b34661656f0c5195a6153cd0cb4715ab55fe16eb0e6cf013a6fa593cefde4e865b4d1e4db24a42bb38325342e19ea0ffb6928f8f8f9eba74b1d1504be4
7
+ data.tar.gz: 536d28939fac7762f56e20e6e0e4c5af47c657a0b2e2a0023cfcbfb75ae46785d7caa315feee28bbbc012284e4115b16fec9c60e43f9fdc99b9d5e5cc8b52eb5
@@ -0,0 +1,13 @@
1
+ --hide-void-return
2
+ --no-private
3
+ --verbose
4
+ --title=google-apis-binaryauthorization_v1
5
+ --markup-provider=redcarpet
6
+ --markup=markdown
7
+ --main OVERVIEW.md
8
+ lib/google/apis/binaryauthorization_v1/*.rb
9
+ lib/google/apis/binaryauthorization_v1.rb
10
+ -
11
+ OVERVIEW.md
12
+ CHANGELOG.md
13
+ LICENSE.md
@@ -0,0 +1,7 @@
1
+ # Release history for google-apis-binaryauthorization_v1
2
+
3
+ ### v0.1.0 (2021-01-07)
4
+
5
+ * Regenerated using generator version 0.1.1
6
+ * Regenerated from discovery document revision 20201113
7
+
@@ -0,0 +1,202 @@
1
+
2
+ Apache License
3
+ Version 2.0, January 2004
4
+ http://www.apache.org/licenses/
5
+
6
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7
+
8
+ 1. Definitions.
9
+
10
+ "License" shall mean the terms and conditions for use, reproduction,
11
+ and distribution as defined by Sections 1 through 9 of this document.
12
+
13
+ "Licensor" shall mean the copyright owner or entity authorized by
14
+ the copyright owner that is granting the License.
15
+
16
+ "Legal Entity" shall mean the union of the acting entity and all
17
+ other entities that control, are controlled by, or are under common
18
+ control with that entity. For the purposes of this definition,
19
+ "control" means (i) the power, direct or indirect, to cause the
20
+ direction or management of such entity, whether by contract or
21
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
22
+ outstanding shares, or (iii) beneficial ownership of such entity.
23
+
24
+ "You" (or "Your") shall mean an individual or Legal Entity
25
+ exercising permissions granted by this License.
26
+
27
+ "Source" form shall mean the preferred form for making modifications,
28
+ including but not limited to software source code, documentation
29
+ source, and configuration files.
30
+
31
+ "Object" form shall mean any form resulting from mechanical
32
+ transformation or translation of a Source form, including but
33
+ not limited to compiled object code, generated documentation,
34
+ and conversions to other media types.
35
+
36
+ "Work" shall mean the work of authorship, whether in Source or
37
+ Object form, made available under the License, as indicated by a
38
+ copyright notice that is included in or attached to the work
39
+ (an example is provided in the Appendix below).
40
+
41
+ "Derivative Works" shall mean any work, whether in Source or Object
42
+ form, that is based on (or derived from) the Work and for which the
43
+ editorial revisions, annotations, elaborations, or other modifications
44
+ represent, as a whole, an original work of authorship. For the purposes
45
+ of this License, Derivative Works shall not include works that remain
46
+ separable from, or merely link (or bind by name) to the interfaces of,
47
+ the Work and Derivative Works thereof.
48
+
49
+ "Contribution" shall mean any work of authorship, including
50
+ the original version of the Work and any modifications or additions
51
+ to that Work or Derivative Works thereof, that is intentionally
52
+ submitted to Licensor for inclusion in the Work by the copyright owner
53
+ or by an individual or Legal Entity authorized to submit on behalf of
54
+ the copyright owner. For the purposes of this definition, "submitted"
55
+ means any form of electronic, verbal, or written communication sent
56
+ to the Licensor or its representatives, including but not limited to
57
+ communication on electronic mailing lists, source code control systems,
58
+ and issue tracking systems that are managed by, or on behalf of, the
59
+ Licensor for the purpose of discussing and improving the Work, but
60
+ excluding communication that is conspicuously marked or otherwise
61
+ designated in writing by the copyright owner as "Not a Contribution."
62
+
63
+ "Contributor" shall mean Licensor and any individual or Legal Entity
64
+ on behalf of whom a Contribution has been received by Licensor and
65
+ subsequently incorporated within the Work.
66
+
67
+ 2. Grant of Copyright License. Subject to the terms and conditions of
68
+ this License, each Contributor hereby grants to You a perpetual,
69
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70
+ copyright license to reproduce, prepare Derivative Works of,
71
+ publicly display, publicly perform, sublicense, and distribute the
72
+ Work and such Derivative Works in Source or Object form.
73
+
74
+ 3. Grant of Patent License. Subject to the terms and conditions of
75
+ this License, each Contributor hereby grants to You a perpetual,
76
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77
+ (except as stated in this section) patent license to make, have made,
78
+ use, offer to sell, sell, import, and otherwise transfer the Work,
79
+ where such license applies only to those patent claims licensable
80
+ by such Contributor that are necessarily infringed by their
81
+ Contribution(s) alone or by combination of their Contribution(s)
82
+ with the Work to which such Contribution(s) was submitted. If You
83
+ institute patent litigation against any entity (including a
84
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
85
+ or a Contribution incorporated within the Work constitutes direct
86
+ or contributory patent infringement, then any patent licenses
87
+ granted to You under this License for that Work shall terminate
88
+ as of the date such litigation is filed.
89
+
90
+ 4. Redistribution. You may reproduce and distribute copies of the
91
+ Work or Derivative Works thereof in any medium, with or without
92
+ modifications, and in Source or Object form, provided that You
93
+ meet the following conditions:
94
+
95
+ (a) You must give any other recipients of the Work or
96
+ Derivative Works a copy of this License; and
97
+
98
+ (b) You must cause any modified files to carry prominent notices
99
+ stating that You changed the files; and
100
+
101
+ (c) You must retain, in the Source form of any Derivative Works
102
+ that You distribute, all copyright, patent, trademark, and
103
+ attribution notices from the Source form of the Work,
104
+ excluding those notices that do not pertain to any part of
105
+ the Derivative Works; and
106
+
107
+ (d) If the Work includes a "NOTICE" text file as part of its
108
+ distribution, then any Derivative Works that You distribute must
109
+ include a readable copy of the attribution notices contained
110
+ within such NOTICE file, excluding those notices that do not
111
+ pertain to any part of the Derivative Works, in at least one
112
+ of the following places: within a NOTICE text file distributed
113
+ as part of the Derivative Works; within the Source form or
114
+ documentation, if provided along with the Derivative Works; or,
115
+ within a display generated by the Derivative Works, if and
116
+ wherever such third-party notices normally appear. The contents
117
+ of the NOTICE file are for informational purposes only and
118
+ do not modify the License. You may add Your own attribution
119
+ notices within Derivative Works that You distribute, alongside
120
+ or as an addendum to the NOTICE text from the Work, provided
121
+ that such additional attribution notices cannot be construed
122
+ as modifying the License.
123
+
124
+ You may add Your own copyright statement to Your modifications and
125
+ may provide additional or different license terms and conditions
126
+ for use, reproduction, or distribution of Your modifications, or
127
+ for any such Derivative Works as a whole, provided Your use,
128
+ reproduction, and distribution of the Work otherwise complies with
129
+ the conditions stated in this License.
130
+
131
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
132
+ any Contribution intentionally submitted for inclusion in the Work
133
+ by You to the Licensor shall be under the terms and conditions of
134
+ this License, without any additional terms or conditions.
135
+ Notwithstanding the above, nothing herein shall supersede or modify
136
+ the terms of any separate license agreement you may have executed
137
+ with Licensor regarding such Contributions.
138
+
139
+ 6. Trademarks. This License does not grant permission to use the trade
140
+ names, trademarks, service marks, or product names of the Licensor,
141
+ except as required for reasonable and customary use in describing the
142
+ origin of the Work and reproducing the content of the NOTICE file.
143
+
144
+ 7. Disclaimer of Warranty. Unless required by applicable law or
145
+ agreed to in writing, Licensor provides the Work (and each
146
+ Contributor provides its Contributions) on an "AS IS" BASIS,
147
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148
+ implied, including, without limitation, any warranties or conditions
149
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150
+ PARTICULAR PURPOSE. You are solely responsible for determining the
151
+ appropriateness of using or redistributing the Work and assume any
152
+ risks associated with Your exercise of permissions under this License.
153
+
154
+ 8. Limitation of Liability. In no event and under no legal theory,
155
+ whether in tort (including negligence), contract, or otherwise,
156
+ unless required by applicable law (such as deliberate and grossly
157
+ negligent acts) or agreed to in writing, shall any Contributor be
158
+ liable to You for damages, including any direct, indirect, special,
159
+ incidental, or consequential damages of any character arising as a
160
+ result of this License or out of the use or inability to use the
161
+ Work (including but not limited to damages for loss of goodwill,
162
+ work stoppage, computer failure or malfunction, or any and all
163
+ other commercial damages or losses), even if such Contributor
164
+ has been advised of the possibility of such damages.
165
+
166
+ 9. Accepting Warranty or Additional Liability. While redistributing
167
+ the Work or Derivative Works thereof, You may choose to offer,
168
+ and charge a fee for, acceptance of support, warranty, indemnity,
169
+ or other liability obligations and/or rights consistent with this
170
+ License. However, in accepting such obligations, You may act only
171
+ on Your own behalf and on Your sole responsibility, not on behalf
172
+ of any other Contributor, and only if You agree to indemnify,
173
+ defend, and hold each Contributor harmless for any liability
174
+ incurred by, or claims asserted against, such Contributor by reason
175
+ of your accepting any such warranty or additional liability.
176
+
177
+ END OF TERMS AND CONDITIONS
178
+
179
+ APPENDIX: How to apply the Apache License to your work.
180
+
181
+ To apply the Apache License to your work, attach the following
182
+ boilerplate notice, with the fields enclosed by brackets "[]"
183
+ replaced with your own identifying information. (Don't include
184
+ the brackets!) The text should be enclosed in the appropriate
185
+ comment syntax for the file format. We also recommend that a
186
+ file or class name and description of purpose be included on the
187
+ same "printed page" as the copyright notice for easier
188
+ identification within third-party archives.
189
+
190
+ Copyright [yyyy] [name of copyright owner]
191
+
192
+ Licensed under the Apache License, Version 2.0 (the "License");
193
+ you may not use this file except in compliance with the License.
194
+ You may obtain a copy of the License at
195
+
196
+ http://www.apache.org/licenses/LICENSE-2.0
197
+
198
+ Unless required by applicable law or agreed to in writing, software
199
+ distributed under the License is distributed on an "AS IS" BASIS,
200
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201
+ See the License for the specific language governing permissions and
202
+ limitations under the License.
@@ -0,0 +1,96 @@
1
+ # Simple REST client for version V1 of the Binary Authorization API
2
+
3
+ This is a simple client library for version V1 of the Binary Authorization API. It provides:
4
+
5
+ * A client object that connects to the HTTP/JSON REST endpoint for the service.
6
+ * Ruby objects for data structures related to the service.
7
+ * Integration with the googleauth gem for authentication using OAuth, API keys, and service accounts.
8
+ * Control of retry, pagination, and timeouts.
9
+
10
+ Note that although this client library is supported and will continue to be updated to track changes to the service, it is otherwise considered complete and not under active development. Many Google services, especially Google Cloud Platform services, may provide a more modern client that is under more active development and improvement. See the section below titled *Which client should I use?* for more information.
11
+
12
+ ## Getting started
13
+
14
+ ### Before you begin
15
+
16
+ There are a few setup steps you need to complete before you can use this library:
17
+
18
+ 1. If you don't already have a Google account, [sign up](https://www.google.com/accounts).
19
+ 2. If you have never created a Google APIs Console project, read about [Managing Projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects) and create a project in the [Google API Console](https://console.cloud.google.com/).
20
+ 3. Most APIs need to be enabled for your project. [Enable it](https://console.cloud.google.com/apis/library/binaryauthorization.googleapis.com) in the console.
21
+
22
+ ### Installation
23
+
24
+ Add this line to your application's Gemfile:
25
+
26
+ ```ruby
27
+ gem 'google-apis-binaryauthorization_v1', '~> 0.1'
28
+ ```
29
+
30
+ And then execute:
31
+
32
+ ```
33
+ $ bundle
34
+ ```
35
+
36
+ Or install it yourself as:
37
+
38
+ ```
39
+ $ gem install google-apis-binaryauthorization_v1
40
+ ```
41
+
42
+ ### Creating a client object
43
+
44
+ Once the gem is installed, you can load the client code and instantiate a client.
45
+
46
+ ```ruby
47
+ # Load the client
48
+ require "google/apis/binaryauthorization_v1"
49
+
50
+ # Create a client object
51
+ client = Google::Apis::BinaryauthorizationV1::BinaryAuthorizationService.new
52
+
53
+ # Authenticate calls
54
+ client.authentication = # ... use the googleauth gem to create credentials
55
+ ```
56
+
57
+ See the class reference docs for information on the methods you can call from a client.
58
+
59
+ ## Documentation
60
+
61
+ More detailed descriptions of the Google simple REST clients are available in two documents.
62
+
63
+ * The [Usage Guide](https://github.com/googleapis/google-api-ruby-client/blob/master/docs/usage-guide.md) discusses how to make API calls, how to use the provided data structures, and how to work the various features of the client library, including media upload and download, error handling, retries, pagination, and logging.
64
+ * The [Auth Guide](https://github.com/googleapis/google-api-ruby-client/blob/master/docs/auth-guide.md) discusses authentication in the client libraries, including API keys, OAuth 2.0, service accounts, and environment variables.
65
+
66
+ (Note: the above documents are written for the simple REST clients in general, and their examples may not reflect the Binaryauthorization service in particular.)
67
+
68
+ For reference information on specific calls in the Binary Authorization API, see the {Google::Apis::BinaryauthorizationV1::BinaryAuthorizationService class reference docs}.
69
+
70
+ ## Which client should I use?
71
+
72
+ Google provides two types of Ruby API client libraries: **simple REST clients** and **modern clients**.
73
+
74
+ This library, `google-apis-binaryauthorization_v1`, is a simple REST client. You can identify these clients by their gem names, which are always in the form `google-apis-<servicename>_<serviceversion>`. The simple REST clients connect to HTTP/JSON REST endpoints and are automatically generated from service discovery documents. They support most API functionality, but their class interfaces are sometimes awkward.
75
+
76
+ Modern clients are produced by a modern code generator, sometimes combined with hand-crafted functionality. Most modern clients connect to high-performance gRPC endpoints, although a few are backed by REST services. Modern clients are available for many Google services, especially Google Cloud Platform services, but do not yet support all the services covered by the simple clients.
77
+
78
+ Gem names for modern clients are often of the form `google-cloud-<service_name>`. (For example, [google-cloud-pubsub](https://rubygems.org/gems/google-cloud-pubsub).) Note that most modern clients also have corresponding "versioned" gems with names like `google-cloud-<service_name>-<version>`. (For example, [google-cloud-pubsub-v1](https://rubygems.org/gems/google-cloud-pubsub-v1).) The "versioned" gems can be used directly, but often provide lower-level interfaces. In most cases, the main gem is recommended.
79
+
80
+ **For most users, we recommend the modern client, if one is available.** Compared with simple clients, modern clients are generally much easier to use and more Ruby-like, support more advanced features such as streaming and long-running operations, and often provide much better performance. You may consider using a simple client instead, if a modern client is not yet available for the service you want to use, or if you are not able to use gRPC on your infrastructure.
81
+
82
+ The [product documentation](https://cloud.google.com/binary-authorization/) may provide guidance regarding the preferred client library to use.
83
+
84
+ ## Supported Ruby versions
85
+
86
+ This library is supported on Ruby 2.5+.
87
+
88
+ Google provides official support for Ruby versions that are actively supported by Ruby Core -- that is, Ruby versions that are either in normal maintenance or in security maintenance, and not end of life. Currently, this means Ruby 2.5 and later. Older versions of Ruby _may_ still work, but are unsupported and not recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details about the Ruby support schedule.
89
+
90
+ ## License
91
+
92
+ This library is licensed under Apache 2.0. Full license text is available in the {file:LICENSE.md LICENSE}.
93
+
94
+ ## Support
95
+
96
+ Please [report bugs at the project on Github](https://github.com/google/google-api-ruby-client/issues). Don't hesitate to [ask questions](http://stackoverflow.com/questions/tagged/google-api-ruby-client) about the client or APIs on [StackOverflow](http://stackoverflow.com).
@@ -0,0 +1,15 @@
1
+ # Copyright 2020 Google LLC
2
+ #
3
+ # Licensed under the Apache License, Version 2.0 (the "License");
4
+ # you may not use this file except in compliance with the License.
5
+ # You may obtain a copy of the License at
6
+ #
7
+ # http://www.apache.org/licenses/LICENSE-2.0
8
+ #
9
+ # Unless required by applicable law or agreed to in writing, software
10
+ # distributed under the License is distributed on an "AS IS" BASIS,
11
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ # See the License for the specific language governing permissions and
13
+ # limitations under the License.
14
+
15
+ require "google/apis/binaryauthorization_v1"
@@ -0,0 +1,37 @@
1
+ # Copyright 2020 Google LLC
2
+ #
3
+ # Licensed under the Apache License, Version 2.0 (the "License");
4
+ # you may not use this file except in compliance with the License.
5
+ # You may obtain a copy of the License at
6
+ #
7
+ # http://www.apache.org/licenses/LICENSE-2.0
8
+ #
9
+ # Unless required by applicable law or agreed to in writing, software
10
+ # distributed under the License is distributed on an "AS IS" BASIS,
11
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ # See the License for the specific language governing permissions and
13
+ # limitations under the License.
14
+
15
+ require 'google/apis/binaryauthorization_v1/service.rb'
16
+ require 'google/apis/binaryauthorization_v1/classes.rb'
17
+ require 'google/apis/binaryauthorization_v1/representations.rb'
18
+ require 'google/apis/binaryauthorization_v1/gem_version.rb'
19
+
20
+ module Google
21
+ module Apis
22
+ # Binary Authorization API
23
+ #
24
+ # The management interface for Binary Authorization, a system providing policy
25
+ # control for images deployed to Kubernetes Engine clusters.
26
+ #
27
+ # @see https://cloud.google.com/binary-authorization/
28
+ module BinaryauthorizationV1
29
+ # Version of the Binary Authorization API this client connects to.
30
+ # This is NOT the gem version.
31
+ VERSION = 'V1'
32
+
33
+ # View and manage your data across Google Cloud Platform services
34
+ AUTH_CLOUD_PLATFORM = 'https://www.googleapis.com/auth/cloud-platform'
35
+ end
36
+ end
37
+ end
@@ -0,0 +1,849 @@
1
+ # Copyright 2020 Google LLC
2
+ #
3
+ # Licensed under the Apache License, Version 2.0 (the "License");
4
+ # you may not use this file except in compliance with the License.
5
+ # You may obtain a copy of the License at
6
+ #
7
+ # http://www.apache.org/licenses/LICENSE-2.0
8
+ #
9
+ # Unless required by applicable law or agreed to in writing, software
10
+ # distributed under the License is distributed on an "AS IS" BASIS,
11
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ # See the License for the specific language governing permissions and
13
+ # limitations under the License.
14
+
15
+ require 'date'
16
+ require 'google/apis/core/base_service'
17
+ require 'google/apis/core/json_representation'
18
+ require 'google/apis/core/hashable'
19
+ require 'google/apis/errors'
20
+
21
+ module Google
22
+ module Apis
23
+ module BinaryauthorizationV1
24
+
25
+ # An admission rule specifies either that all container images used in a pod
26
+ # creation request must be attested to by one or more attestors, that all pod
27
+ # creations will be allowed, or that all pod creations will be denied. Images
28
+ # matching an admission whitelist pattern are exempted from admission rules and
29
+ # will never block a pod creation.
30
+ class AdmissionRule
31
+ include Google::Apis::Core::Hashable
32
+
33
+ # Required. The action when a pod creation is denied by the admission rule.
34
+ # Corresponds to the JSON property `enforcementMode`
35
+ # @return [String]
36
+ attr_accessor :enforcement_mode
37
+
38
+ # Required. How this admission rule will be evaluated.
39
+ # Corresponds to the JSON property `evaluationMode`
40
+ # @return [String]
41
+ attr_accessor :evaluation_mode
42
+
43
+ # Optional. The resource names of the attestors that must attest to a container
44
+ # image, in the format `projects/*/attestors/*`. Each attestor must exist before
45
+ # a policy can reference it. To add an attestor to a policy the principal
46
+ # issuing the policy change request must be able to read the attestor resource.
47
+ # Note: this field must be non-empty when the evaluation_mode field specifies
48
+ # REQUIRE_ATTESTATION, otherwise it must be empty.
49
+ # Corresponds to the JSON property `requireAttestationsBy`
50
+ # @return [Array<String>]
51
+ attr_accessor :require_attestations_by
52
+
53
+ def initialize(**args)
54
+ update!(**args)
55
+ end
56
+
57
+ # Update properties of this object
58
+ def update!(**args)
59
+ @enforcement_mode = args[:enforcement_mode] if args.key?(:enforcement_mode)
60
+ @evaluation_mode = args[:evaluation_mode] if args.key?(:evaluation_mode)
61
+ @require_attestations_by = args[:require_attestations_by] if args.key?(:require_attestations_by)
62
+ end
63
+ end
64
+
65
+ # An admission whitelist pattern exempts images from checks by admission rules.
66
+ class AdmissionWhitelistPattern
67
+ include Google::Apis::Core::Hashable
68
+
69
+ # An image name pattern to allowlist, in the form `registry/path/to/image`. This
70
+ # supports a trailing `*` as a wildcard, but this is allowed only in text after
71
+ # the `registry/` part.
72
+ # Corresponds to the JSON property `namePattern`
73
+ # @return [String]
74
+ attr_accessor :name_pattern
75
+
76
+ def initialize(**args)
77
+ update!(**args)
78
+ end
79
+
80
+ # Update properties of this object
81
+ def update!(**args)
82
+ @name_pattern = args[:name_pattern] if args.key?(:name_pattern)
83
+ end
84
+ end
85
+
86
+ # Occurrence that represents a single "attestation". The authenticity of an
87
+ # attestation can be verified using the attached signature. If the verifier
88
+ # trusts the public key of the signer, then verifying the signature is
89
+ # sufficient to establish trust. In this circumstance, the authority to which
90
+ # this attestation is attached is primarily useful for lookup (how to find this
91
+ # attestation if you already know the authority and artifact to be verified) and
92
+ # intent (for which authority this attestation was intended to sign.
93
+ class AttestationOccurrence
94
+ include Google::Apis::Core::Hashable
95
+
96
+ # One or more JWTs encoding a self-contained attestation. Each JWT encodes the
97
+ # payload that it verifies within the JWT itself. Verifier implementation SHOULD
98
+ # ignore the `serialized_payload` field when verifying these JWTs. If only JWTs
99
+ # are present on this AttestationOccurrence, then the `serialized_payload`
100
+ # SHOULD be left empty. Each JWT SHOULD encode a claim specific to the `
101
+ # resource_uri` of this Occurrence, but this is not validated by Grafeas
102
+ # metadata API implementations. The JWT itself is opaque to Grafeas.
103
+ # Corresponds to the JSON property `jwts`
104
+ # @return [Array<Google::Apis::BinaryauthorizationV1::Jwt>]
105
+ attr_accessor :jwts
106
+
107
+ # Required. The serialized payload that is verified by one or more `signatures`.
108
+ # Corresponds to the JSON property `serializedPayload`
109
+ # NOTE: Values are automatically base64 encoded/decoded in the client library.
110
+ # @return [String]
111
+ attr_accessor :serialized_payload
112
+
113
+ # One or more signatures over `serialized_payload`. Verifier implementations
114
+ # should consider this attestation message verified if at least one `signature`
115
+ # verifies `serialized_payload`. See `Signature` in common.proto for more
116
+ # details on signature structure and verification.
117
+ # Corresponds to the JSON property `signatures`
118
+ # @return [Array<Google::Apis::BinaryauthorizationV1::Signature>]
119
+ attr_accessor :signatures
120
+
121
+ def initialize(**args)
122
+ update!(**args)
123
+ end
124
+
125
+ # Update properties of this object
126
+ def update!(**args)
127
+ @jwts = args[:jwts] if args.key?(:jwts)
128
+ @serialized_payload = args[:serialized_payload] if args.key?(:serialized_payload)
129
+ @signatures = args[:signatures] if args.key?(:signatures)
130
+ end
131
+ end
132
+
133
+ # An attestor that attests to container image artifacts. An existing attestor
134
+ # cannot be modified except where indicated.
135
+ class Attestor
136
+ include Google::Apis::Core::Hashable
137
+
138
+ # Optional. A descriptive comment. This field may be updated. The field may be
139
+ # displayed in chooser dialogs.
140
+ # Corresponds to the JSON property `description`
141
+ # @return [String]
142
+ attr_accessor :description
143
+
144
+ # Required. The resource name, in the format: `projects/*/attestors/*`. This
145
+ # field may not be updated.
146
+ # Corresponds to the JSON property `name`
147
+ # @return [String]
148
+ attr_accessor :name
149
+
150
+ # Output only. Time when the attestor was last updated.
151
+ # Corresponds to the JSON property `updateTime`
152
+ # @return [String]
153
+ attr_accessor :update_time
154
+
155
+ # An user owned Grafeas note references a Grafeas Attestation.Authority Note
156
+ # created by the user.
157
+ # Corresponds to the JSON property `userOwnedGrafeasNote`
158
+ # @return [Google::Apis::BinaryauthorizationV1::UserOwnedGrafeasNote]
159
+ attr_accessor :user_owned_grafeas_note
160
+
161
+ def initialize(**args)
162
+ update!(**args)
163
+ end
164
+
165
+ # Update properties of this object
166
+ def update!(**args)
167
+ @description = args[:description] if args.key?(:description)
168
+ @name = args[:name] if args.key?(:name)
169
+ @update_time = args[:update_time] if args.key?(:update_time)
170
+ @user_owned_grafeas_note = args[:user_owned_grafeas_note] if args.key?(:user_owned_grafeas_note)
171
+ end
172
+ end
173
+
174
+ # An attestor public key that will be used to verify attestations signed by this
175
+ # attestor.
176
+ class AttestorPublicKey
177
+ include Google::Apis::Core::Hashable
178
+
179
+ # ASCII-armored representation of a PGP public key, as the entire output by the
180
+ # command `gpg --export --armor foo@example.com` (either LF or CRLF line endings)
181
+ # . When using this field, `id` should be left blank. The BinAuthz API handlers
182
+ # will calculate the ID and fill it in automatically. BinAuthz computes this ID
183
+ # as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If `id`
184
+ # is provided by the caller, it will be overwritten by the API-calculated ID.
185
+ # Corresponds to the JSON property `asciiArmoredPgpPublicKey`
186
+ # @return [String]
187
+ attr_accessor :ascii_armored_pgp_public_key
188
+
189
+ # Optional. A descriptive comment. This field may be updated.
190
+ # Corresponds to the JSON property `comment`
191
+ # @return [String]
192
+ attr_accessor :comment
193
+
194
+ # The ID of this public key. Signatures verified by BinAuthz must include the ID
195
+ # of the public key that can be used to verify them, and that ID must match the
196
+ # contents of this field exactly. Additional restrictions on this field can be
197
+ # imposed based on which public key type is encapsulated. See the documentation
198
+ # on `public_key` cases below for details.
199
+ # Corresponds to the JSON property `id`
200
+ # @return [String]
201
+ attr_accessor :id
202
+
203
+ # A public key in the PkixPublicKey format (see https://tools.ietf.org/html/
204
+ # rfc5280#section-4.1.2.7 for details). Public keys of this type are typically
205
+ # textually encoded using the PEM format.
206
+ # Corresponds to the JSON property `pkixPublicKey`
207
+ # @return [Google::Apis::BinaryauthorizationV1::PkixPublicKey]
208
+ attr_accessor :pkix_public_key
209
+
210
+ def initialize(**args)
211
+ update!(**args)
212
+ end
213
+
214
+ # Update properties of this object
215
+ def update!(**args)
216
+ @ascii_armored_pgp_public_key = args[:ascii_armored_pgp_public_key] if args.key?(:ascii_armored_pgp_public_key)
217
+ @comment = args[:comment] if args.key?(:comment)
218
+ @id = args[:id] if args.key?(:id)
219
+ @pkix_public_key = args[:pkix_public_key] if args.key?(:pkix_public_key)
220
+ end
221
+ end
222
+
223
+ # Associates `members` with a `role`.
224
+ class Binding
225
+ include Google::Apis::Core::Hashable
226
+
227
+ # Represents a textual expression in the Common Expression Language (CEL) syntax.
228
+ # CEL is a C-like expression language. The syntax and semantics of CEL are
229
+ # documented at https://github.com/google/cel-spec. Example (Comparison): title:
230
+ # "Summary size limit" description: "Determines if a summary is less than 100
231
+ # chars" expression: "document.summary.size() < 100" Example (Equality): title: "
232
+ # Requestor is owner" description: "Determines if requestor is the document
233
+ # owner" expression: "document.owner == request.auth.claims.email" Example (
234
+ # Logic): title: "Public documents" description: "Determine whether the document
235
+ # should be publicly visible" expression: "document.type != 'private' &&
236
+ # document.type != 'internal'" Example (Data Manipulation): title: "Notification
237
+ # string" description: "Create a notification string with a timestamp."
238
+ # expression: "'New message received at ' + string(document.create_time)" The
239
+ # exact variables and functions that may be referenced within an expression are
240
+ # determined by the service that evaluates it. See the service documentation for
241
+ # additional information.
242
+ # Corresponds to the JSON property `condition`
243
+ # @return [Google::Apis::BinaryauthorizationV1::Expr]
244
+ attr_accessor :condition
245
+
246
+ # Specifies the identities requesting access for a Cloud Platform resource. `
247
+ # members` can have the following values: * `allUsers`: A special identifier
248
+ # that represents anyone who is on the internet; with or without a Google
249
+ # account. * `allAuthenticatedUsers`: A special identifier that represents
250
+ # anyone who is authenticated with a Google account or a service account. * `
251
+ # user:`emailid``: An email address that represents a specific Google account.
252
+ # For example, `alice@example.com` . * `serviceAccount:`emailid``: An email
253
+ # address that represents a service account. For example, `my-other-app@appspot.
254
+ # gserviceaccount.com`. * `group:`emailid``: An email address that represents a
255
+ # Google group. For example, `admins@example.com`. * `deleted:user:`emailid`?uid=
256
+ # `uniqueid``: An email address (plus unique identifier) representing a user
257
+ # that has been recently deleted. For example, `alice@example.com?uid=
258
+ # 123456789012345678901`. If the user is recovered, this value reverts to `user:`
259
+ # emailid`` and the recovered user retains the role in the binding. * `deleted:
260
+ # serviceAccount:`emailid`?uid=`uniqueid``: An email address (plus unique
261
+ # identifier) representing a service account that has been recently deleted. For
262
+ # example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
263
+ # If the service account is undeleted, this value reverts to `serviceAccount:`
264
+ # emailid`` and the undeleted service account retains the role in the binding. *
265
+ # `deleted:group:`emailid`?uid=`uniqueid``: An email address (plus unique
266
+ # identifier) representing a Google group that has been recently deleted. For
267
+ # example, `admins@example.com?uid=123456789012345678901`. If the group is
268
+ # recovered, this value reverts to `group:`emailid`` and the recovered group
269
+ # retains the role in the binding. * `domain:`domain``: The G Suite domain (
270
+ # primary) that represents all the users of that domain. For example, `google.
271
+ # com` or `example.com`.
272
+ # Corresponds to the JSON property `members`
273
+ # @return [Array<String>]
274
+ attr_accessor :members
275
+
276
+ # Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`
277
+ # , or `roles/owner`.
278
+ # Corresponds to the JSON property `role`
279
+ # @return [String]
280
+ attr_accessor :role
281
+
282
+ def initialize(**args)
283
+ update!(**args)
284
+ end
285
+
286
+ # Update properties of this object
287
+ def update!(**args)
288
+ @condition = args[:condition] if args.key?(:condition)
289
+ @members = args[:members] if args.key?(:members)
290
+ @role = args[:role] if args.key?(:role)
291
+ end
292
+ end
293
+
294
+ # A generic empty message that you can re-use to avoid defining duplicated empty
295
+ # messages in your APIs. A typical example is to use it as the request or the
296
+ # response type of an API method. For instance: service Foo ` rpc Bar(google.
297
+ # protobuf.Empty) returns (google.protobuf.Empty); ` The JSON representation for
298
+ # `Empty` is empty JSON object ````.
299
+ class Empty
300
+ include Google::Apis::Core::Hashable
301
+
302
+ def initialize(**args)
303
+ update!(**args)
304
+ end
305
+
306
+ # Update properties of this object
307
+ def update!(**args)
308
+ end
309
+ end
310
+
311
+ # Represents a textual expression in the Common Expression Language (CEL) syntax.
312
+ # CEL is a C-like expression language. The syntax and semantics of CEL are
313
+ # documented at https://github.com/google/cel-spec. Example (Comparison): title:
314
+ # "Summary size limit" description: "Determines if a summary is less than 100
315
+ # chars" expression: "document.summary.size() < 100" Example (Equality): title: "
316
+ # Requestor is owner" description: "Determines if requestor is the document
317
+ # owner" expression: "document.owner == request.auth.claims.email" Example (
318
+ # Logic): title: "Public documents" description: "Determine whether the document
319
+ # should be publicly visible" expression: "document.type != 'private' &&
320
+ # document.type != 'internal'" Example (Data Manipulation): title: "Notification
321
+ # string" description: "Create a notification string with a timestamp."
322
+ # expression: "'New message received at ' + string(document.create_time)" The
323
+ # exact variables and functions that may be referenced within an expression are
324
+ # determined by the service that evaluates it. See the service documentation for
325
+ # additional information.
326
+ class Expr
327
+ include Google::Apis::Core::Hashable
328
+
329
+ # Optional. Description of the expression. This is a longer text which describes
330
+ # the expression, e.g. when hovered over it in a UI.
331
+ # Corresponds to the JSON property `description`
332
+ # @return [String]
333
+ attr_accessor :description
334
+
335
+ # Textual representation of an expression in Common Expression Language syntax.
336
+ # Corresponds to the JSON property `expression`
337
+ # @return [String]
338
+ attr_accessor :expression
339
+
340
+ # Optional. String indicating the location of the expression for error reporting,
341
+ # e.g. a file name and a position in the file.
342
+ # Corresponds to the JSON property `location`
343
+ # @return [String]
344
+ attr_accessor :location
345
+
346
+ # Optional. Title for the expression, i.e. a short string describing its purpose.
347
+ # This can be used e.g. in UIs which allow to enter the expression.
348
+ # Corresponds to the JSON property `title`
349
+ # @return [String]
350
+ attr_accessor :title
351
+
352
+ def initialize(**args)
353
+ update!(**args)
354
+ end
355
+
356
+ # Update properties of this object
357
+ def update!(**args)
358
+ @description = args[:description] if args.key?(:description)
359
+ @expression = args[:expression] if args.key?(:expression)
360
+ @location = args[:location] if args.key?(:location)
361
+ @title = args[:title] if args.key?(:title)
362
+ end
363
+ end
364
+
365
+ # An Identity and Access Management (IAM) policy, which specifies access
366
+ # controls for Google Cloud resources. A `Policy` is a collection of `bindings`.
367
+ # A `binding` binds one or more `members` to a single `role`. Members can be
368
+ # user accounts, service accounts, Google groups, and domains (such as G Suite).
369
+ # A `role` is a named list of permissions; each `role` can be an IAM predefined
370
+ # role or a user-created custom role. For some types of Google Cloud resources,
371
+ # a `binding` can also specify a `condition`, which is a logical expression that
372
+ # allows access to a resource only if the expression evaluates to `true`. A
373
+ # condition can add constraints based on attributes of the request, the resource,
374
+ # or both. To learn which resources support conditions in their IAM policies,
375
+ # see the [IAM documentation](https://cloud.google.com/iam/help/conditions/
376
+ # resource-policies). **JSON example:** ` "bindings": [ ` "role": "roles/
377
+ # resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "
378
+ # group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@
379
+ # appspot.gserviceaccount.com" ] `, ` "role": "roles/resourcemanager.
380
+ # organizationViewer", "members": [ "user:eve@example.com" ], "condition": ` "
381
+ # title": "expirable access", "description": "Does not grant access after Sep
382
+ # 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", `
383
+ # ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML example:** bindings: -
384
+ # members: - user:mike@example.com - group:admins@example.com - domain:google.
385
+ # com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/
386
+ # resourcemanager.organizationAdmin - members: - user:eve@example.com role:
387
+ # roles/resourcemanager.organizationViewer condition: title: expirable access
388
+ # description: Does not grant access after Sep 2020 expression: request.time <
389
+ # timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3 For a
390
+ # description of IAM and its features, see the [IAM documentation](https://cloud.
391
+ # google.com/iam/docs/).
392
+ class IamPolicy
393
+ include Google::Apis::Core::Hashable
394
+
395
+ # Associates a list of `members` to a `role`. Optionally, may specify a `
396
+ # condition` that determines how and when the `bindings` are applied. Each of
397
+ # the `bindings` must contain at least one member.
398
+ # Corresponds to the JSON property `bindings`
399
+ # @return [Array<Google::Apis::BinaryauthorizationV1::Binding>]
400
+ attr_accessor :bindings
401
+
402
+ # `etag` is used for optimistic concurrency control as a way to help prevent
403
+ # simultaneous updates of a policy from overwriting each other. It is strongly
404
+ # suggested that systems make use of the `etag` in the read-modify-write cycle
405
+ # to perform policy updates in order to avoid race conditions: An `etag` is
406
+ # returned in the response to `getIamPolicy`, and systems are expected to put
407
+ # that etag in the request to `setIamPolicy` to ensure that their change will be
408
+ # applied to the same version of the policy. **Important:** If you use IAM
409
+ # Conditions, you must include the `etag` field whenever you call `setIamPolicy`.
410
+ # If you omit this field, then IAM allows you to overwrite a version `3` policy
411
+ # with a version `1` policy, and all of the conditions in the version `3` policy
412
+ # are lost.
413
+ # Corresponds to the JSON property `etag`
414
+ # NOTE: Values are automatically base64 encoded/decoded in the client library.
415
+ # @return [String]
416
+ attr_accessor :etag
417
+
418
+ # Specifies the format of the policy. Valid values are `0`, `1`, and `3`.
419
+ # Requests that specify an invalid value are rejected. Any operation that
420
+ # affects conditional role bindings must specify version `3`. This requirement
421
+ # applies to the following operations: * Getting a policy that includes a
422
+ # conditional role binding * Adding a conditional role binding to a policy *
423
+ # Changing a conditional role binding in a policy * Removing any role binding,
424
+ # with or without a condition, from a policy that includes conditions **
425
+ # Important:** If you use IAM Conditions, you must include the `etag` field
426
+ # whenever you call `setIamPolicy`. If you omit this field, then IAM allows you
427
+ # to overwrite a version `3` policy with a version `1` policy, and all of the
428
+ # conditions in the version `3` policy are lost. If a policy does not include
429
+ # any conditions, operations on that policy may specify any valid version or
430
+ # leave the field unset. To learn which resources support conditions in their
431
+ # IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/
432
+ # conditions/resource-policies).
433
+ # Corresponds to the JSON property `version`
434
+ # @return [Fixnum]
435
+ attr_accessor :version
436
+
437
+ def initialize(**args)
438
+ update!(**args)
439
+ end
440
+
441
+ # Update properties of this object
442
+ def update!(**args)
443
+ @bindings = args[:bindings] if args.key?(:bindings)
444
+ @etag = args[:etag] if args.key?(:etag)
445
+ @version = args[:version] if args.key?(:version)
446
+ end
447
+ end
448
+
449
+ #
450
+ class Jwt
451
+ include Google::Apis::Core::Hashable
452
+
453
+ # The compact encoding of a JWS, which is always three base64 encoded strings
454
+ # joined by periods. For details, see: https://tools.ietf.org/html/rfc7515.html#
455
+ # section-3.1
456
+ # Corresponds to the JSON property `compactJwt`
457
+ # @return [String]
458
+ attr_accessor :compact_jwt
459
+
460
+ def initialize(**args)
461
+ update!(**args)
462
+ end
463
+
464
+ # Update properties of this object
465
+ def update!(**args)
466
+ @compact_jwt = args[:compact_jwt] if args.key?(:compact_jwt)
467
+ end
468
+ end
469
+
470
+ # Response message for BinauthzManagementService.ListAttestors.
471
+ class ListAttestorsResponse
472
+ include Google::Apis::Core::Hashable
473
+
474
+ # The list of attestors.
475
+ # Corresponds to the JSON property `attestors`
476
+ # @return [Array<Google::Apis::BinaryauthorizationV1::Attestor>]
477
+ attr_accessor :attestors
478
+
479
+ # A token to retrieve the next page of results. Pass this value in the
480
+ # ListAttestorsRequest.page_token field in the subsequent call to the `
481
+ # ListAttestors` method to retrieve the next page of results.
482
+ # Corresponds to the JSON property `nextPageToken`
483
+ # @return [String]
484
+ attr_accessor :next_page_token
485
+
486
+ def initialize(**args)
487
+ update!(**args)
488
+ end
489
+
490
+ # Update properties of this object
491
+ def update!(**args)
492
+ @attestors = args[:attestors] if args.key?(:attestors)
493
+ @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
494
+ end
495
+ end
496
+
497
+ # A public key in the PkixPublicKey format (see https://tools.ietf.org/html/
498
+ # rfc5280#section-4.1.2.7 for details). Public keys of this type are typically
499
+ # textually encoded using the PEM format.
500
+ class PkixPublicKey
501
+ include Google::Apis::Core::Hashable
502
+
503
+ # A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#
504
+ # section-13
505
+ # Corresponds to the JSON property `publicKeyPem`
506
+ # @return [String]
507
+ attr_accessor :public_key_pem
508
+
509
+ # The signature algorithm used to verify a message against a signature using
510
+ # this key. These signature algorithm must match the structure and any object
511
+ # identifiers encoded in `public_key_pem` (i.e. this algorithm must match that
512
+ # of the public key).
513
+ # Corresponds to the JSON property `signatureAlgorithm`
514
+ # @return [String]
515
+ attr_accessor :signature_algorithm
516
+
517
+ def initialize(**args)
518
+ update!(**args)
519
+ end
520
+
521
+ # Update properties of this object
522
+ def update!(**args)
523
+ @public_key_pem = args[:public_key_pem] if args.key?(:public_key_pem)
524
+ @signature_algorithm = args[:signature_algorithm] if args.key?(:signature_algorithm)
525
+ end
526
+ end
527
+
528
+ # A policy for container image binary authorization.
529
+ class Policy
530
+ include Google::Apis::Core::Hashable
531
+
532
+ # Optional. Admission policy allowlisting. A matching admission request will
533
+ # always be permitted. This feature is typically used to exclude Google or third-
534
+ # party infrastructure images from Binary Authorization policies.
535
+ # Corresponds to the JSON property `admissionWhitelistPatterns`
536
+ # @return [Array<Google::Apis::BinaryauthorizationV1::AdmissionWhitelistPattern>]
537
+ attr_accessor :admission_whitelist_patterns
538
+
539
+ # Optional. Per-cluster admission rules. Cluster spec format: `location.
540
+ # clusterId`. There can be at most one admission rule per cluster spec. A `
541
+ # location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-
542
+ # central1). For `clusterId` syntax restrictions see https://cloud.google.com/
543
+ # container-engine/reference/rest/v1/projects.zones.clusters.
544
+ # Corresponds to the JSON property `clusterAdmissionRules`
545
+ # @return [Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>]
546
+ attr_accessor :cluster_admission_rules
547
+
548
+ # An admission rule specifies either that all container images used in a pod
549
+ # creation request must be attested to by one or more attestors, that all pod
550
+ # creations will be allowed, or that all pod creations will be denied. Images
551
+ # matching an admission whitelist pattern are exempted from admission rules and
552
+ # will never block a pod creation.
553
+ # Corresponds to the JSON property `defaultAdmissionRule`
554
+ # @return [Google::Apis::BinaryauthorizationV1::AdmissionRule]
555
+ attr_accessor :default_admission_rule
556
+
557
+ # Optional. A descriptive comment.
558
+ # Corresponds to the JSON property `description`
559
+ # @return [String]
560
+ attr_accessor :description
561
+
562
+ # Optional. Controls the evaluation of a Google-maintained global admission
563
+ # policy for common system-level images. Images not covered by the global policy
564
+ # will be subject to the project admission policy. This setting has no effect
565
+ # when specified inside a global admission policy.
566
+ # Corresponds to the JSON property `globalPolicyEvaluationMode`
567
+ # @return [String]
568
+ attr_accessor :global_policy_evaluation_mode
569
+
570
+ # Output only. The resource name, in the format `projects/*/policy`. There is at
571
+ # most one policy per project.
572
+ # Corresponds to the JSON property `name`
573
+ # @return [String]
574
+ attr_accessor :name
575
+
576
+ # Output only. Time when the policy was last updated.
577
+ # Corresponds to the JSON property `updateTime`
578
+ # @return [String]
579
+ attr_accessor :update_time
580
+
581
+ def initialize(**args)
582
+ update!(**args)
583
+ end
584
+
585
+ # Update properties of this object
586
+ def update!(**args)
587
+ @admission_whitelist_patterns = args[:admission_whitelist_patterns] if args.key?(:admission_whitelist_patterns)
588
+ @cluster_admission_rules = args[:cluster_admission_rules] if args.key?(:cluster_admission_rules)
589
+ @default_admission_rule = args[:default_admission_rule] if args.key?(:default_admission_rule)
590
+ @description = args[:description] if args.key?(:description)
591
+ @global_policy_evaluation_mode = args[:global_policy_evaluation_mode] if args.key?(:global_policy_evaluation_mode)
592
+ @name = args[:name] if args.key?(:name)
593
+ @update_time = args[:update_time] if args.key?(:update_time)
594
+ end
595
+ end
596
+
597
+ # Request message for `SetIamPolicy` method.
598
+ class SetIamPolicyRequest
599
+ include Google::Apis::Core::Hashable
600
+
601
+ # An Identity and Access Management (IAM) policy, which specifies access
602
+ # controls for Google Cloud resources. A `Policy` is a collection of `bindings`.
603
+ # A `binding` binds one or more `members` to a single `role`. Members can be
604
+ # user accounts, service accounts, Google groups, and domains (such as G Suite).
605
+ # A `role` is a named list of permissions; each `role` can be an IAM predefined
606
+ # role or a user-created custom role. For some types of Google Cloud resources,
607
+ # a `binding` can also specify a `condition`, which is a logical expression that
608
+ # allows access to a resource only if the expression evaluates to `true`. A
609
+ # condition can add constraints based on attributes of the request, the resource,
610
+ # or both. To learn which resources support conditions in their IAM policies,
611
+ # see the [IAM documentation](https://cloud.google.com/iam/help/conditions/
612
+ # resource-policies). **JSON example:** ` "bindings": [ ` "role": "roles/
613
+ # resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "
614
+ # group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@
615
+ # appspot.gserviceaccount.com" ] `, ` "role": "roles/resourcemanager.
616
+ # organizationViewer", "members": [ "user:eve@example.com" ], "condition": ` "
617
+ # title": "expirable access", "description": "Does not grant access after Sep
618
+ # 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", `
619
+ # ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML example:** bindings: -
620
+ # members: - user:mike@example.com - group:admins@example.com - domain:google.
621
+ # com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/
622
+ # resourcemanager.organizationAdmin - members: - user:eve@example.com role:
623
+ # roles/resourcemanager.organizationViewer condition: title: expirable access
624
+ # description: Does not grant access after Sep 2020 expression: request.time <
625
+ # timestamp('2020-10-01T00:00:00.000Z') - etag: BwWWja0YfJA= - version: 3 For a
626
+ # description of IAM and its features, see the [IAM documentation](https://cloud.
627
+ # google.com/iam/docs/).
628
+ # Corresponds to the JSON property `policy`
629
+ # @return [Google::Apis::BinaryauthorizationV1::IamPolicy]
630
+ attr_accessor :policy
631
+
632
+ def initialize(**args)
633
+ update!(**args)
634
+ end
635
+
636
+ # Update properties of this object
637
+ def update!(**args)
638
+ @policy = args[:policy] if args.key?(:policy)
639
+ end
640
+ end
641
+
642
+ # Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to
643
+ # the trust anchors defined in policy (e.g. a Kritis policy). Typically this
644
+ # means that the verifier has been configured with a map from `public_key_id` to
645
+ # public key material (and any required parameters, e.g. signing algorithm). In
646
+ # particular, verification implementations MUST NOT treat the signature `
647
+ # public_key_id` as anything more than a key lookup hint. The `public_key_id`
648
+ # DOES NOT validate or authenticate a public key; it only provides a mechanism
649
+ # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
650
+ # a trusted channel. Verification implementations MUST reject signatures in any
651
+ # of the following circumstances: * The `public_key_id` is not recognized by the
652
+ # verifier. * The public key that `public_key_id` refers to does not verify the
653
+ # signature with respect to the payload. The `signature` contents SHOULD NOT be "
654
+ # attached" (where the payload is included with the serialized `signature` bytes)
655
+ # . Verifiers MUST ignore any "attached" payload and only verify signatures with
656
+ # respect to explicitly provided payload (e.g. a `payload` field on the proto
657
+ # message that holds this Signature, or the canonical serialization of the proto
658
+ # message that holds this signature).
659
+ class Signature
660
+ include Google::Apis::Core::Hashable
661
+
662
+ # The identifier for the public key that verifies this signature. * The `
663
+ # public_key_id` is required. * The `public_key_id` SHOULD be an RFC3986
664
+ # conformant URI. * When possible, the `public_key_id` SHOULD be an immutable
665
+ # reference, such as a cryptographic digest. Examples of valid `public_key_id`s:
666
+ # OpenPGP V4 public key fingerprint: * "openpgp4fpr:
667
+ # 74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA" See https://www.iana.org/assignments/
668
+ # uri-schemes/prov/openpgp4fpr for more details on this scheme. RFC6920 digest-
669
+ # named SubjectPublicKeyInfo (digest of the DER serialization): * "ni:///sha-256;
670
+ # cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU" * "nih:///sha-256;
671
+ # 703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
672
+ # Corresponds to the JSON property `publicKeyId`
673
+ # @return [String]
674
+ attr_accessor :public_key_id
675
+
676
+ # The content of the signature, an opaque bytestring. The payload that this
677
+ # signature verifies MUST be unambiguously provided with the Signature during
678
+ # verification. A wrapper message might provide the payload explicitly.
679
+ # Alternatively, a message might have a canonical serialization that can always
680
+ # be unambiguously computed to derive the payload.
681
+ # Corresponds to the JSON property `signature`
682
+ # NOTE: Values are automatically base64 encoded/decoded in the client library.
683
+ # @return [String]
684
+ attr_accessor :signature
685
+
686
+ def initialize(**args)
687
+ update!(**args)
688
+ end
689
+
690
+ # Update properties of this object
691
+ def update!(**args)
692
+ @public_key_id = args[:public_key_id] if args.key?(:public_key_id)
693
+ @signature = args[:signature] if args.key?(:signature)
694
+ end
695
+ end
696
+
697
+ # Request message for `TestIamPermissions` method.
698
+ class TestIamPermissionsRequest
699
+ include Google::Apis::Core::Hashable
700
+
701
+ # The set of permissions to check for the `resource`. Permissions with wildcards
702
+ # (such as '*' or 'storage.*') are not allowed. For more information see [IAM
703
+ # Overview](https://cloud.google.com/iam/docs/overview#permissions).
704
+ # Corresponds to the JSON property `permissions`
705
+ # @return [Array<String>]
706
+ attr_accessor :permissions
707
+
708
+ def initialize(**args)
709
+ update!(**args)
710
+ end
711
+
712
+ # Update properties of this object
713
+ def update!(**args)
714
+ @permissions = args[:permissions] if args.key?(:permissions)
715
+ end
716
+ end
717
+
718
+ # Response message for `TestIamPermissions` method.
719
+ class TestIamPermissionsResponse
720
+ include Google::Apis::Core::Hashable
721
+
722
+ # A subset of `TestPermissionsRequest.permissions` that the caller is allowed.
723
+ # Corresponds to the JSON property `permissions`
724
+ # @return [Array<String>]
725
+ attr_accessor :permissions
726
+
727
+ def initialize(**args)
728
+ update!(**args)
729
+ end
730
+
731
+ # Update properties of this object
732
+ def update!(**args)
733
+ @permissions = args[:permissions] if args.key?(:permissions)
734
+ end
735
+ end
736
+
737
+ # An user owned Grafeas note references a Grafeas Attestation.Authority Note
738
+ # created by the user.
739
+ class UserOwnedGrafeasNote
740
+ include Google::Apis::Core::Hashable
741
+
742
+ # Output only. This field will contain the service account email address that
743
+ # this Attestor will use as the principal when querying Container Analysis.
744
+ # Attestor administrators must grant this service account the IAM role needed to
745
+ # read attestations from the note_reference in Container Analysis (`
746
+ # containeranalysis.notes.occurrences.viewer`). This email address is fixed for
747
+ # the lifetime of the Attestor, but callers should not make any other
748
+ # assumptions about the service account email; future versions may use an email
749
+ # based on a different naming pattern.
750
+ # Corresponds to the JSON property `delegationServiceAccountEmail`
751
+ # @return [String]
752
+ attr_accessor :delegation_service_account_email
753
+
754
+ # Required. The Grafeas resource name of a Attestation.Authority Note, created
755
+ # by the user, in the format: `projects/*/notes/*`. This field may not be
756
+ # updated. An attestation by this attestor is stored as a Grafeas Attestation.
757
+ # Authority Occurrence that names a container image and that links to this Note.
758
+ # Grafeas is an external dependency.
759
+ # Corresponds to the JSON property `noteReference`
760
+ # @return [String]
761
+ attr_accessor :note_reference
762
+
763
+ # Optional. Public keys that verify attestations signed by this attestor. This
764
+ # field may be updated. If this field is non-empty, one of the specified public
765
+ # keys must verify that an attestation was signed by this attestor for the image
766
+ # specified in the admission request. If this field is empty, this attestor
767
+ # always returns that no valid attestations exist.
768
+ # Corresponds to the JSON property `publicKeys`
769
+ # @return [Array<Google::Apis::BinaryauthorizationV1::AttestorPublicKey>]
770
+ attr_accessor :public_keys
771
+
772
+ def initialize(**args)
773
+ update!(**args)
774
+ end
775
+
776
+ # Update properties of this object
777
+ def update!(**args)
778
+ @delegation_service_account_email = args[:delegation_service_account_email] if args.key?(:delegation_service_account_email)
779
+ @note_reference = args[:note_reference] if args.key?(:note_reference)
780
+ @public_keys = args[:public_keys] if args.key?(:public_keys)
781
+ end
782
+ end
783
+
784
+ # Request message for ValidationHelperV1.ValidateAttestationOccurrence.
785
+ class ValidateAttestationOccurrenceRequest
786
+ include Google::Apis::Core::Hashable
787
+
788
+ # Occurrence that represents a single "attestation". The authenticity of an
789
+ # attestation can be verified using the attached signature. If the verifier
790
+ # trusts the public key of the signer, then verifying the signature is
791
+ # sufficient to establish trust. In this circumstance, the authority to which
792
+ # this attestation is attached is primarily useful for lookup (how to find this
793
+ # attestation if you already know the authority and artifact to be verified) and
794
+ # intent (for which authority this attestation was intended to sign.
795
+ # Corresponds to the JSON property `attestation`
796
+ # @return [Google::Apis::BinaryauthorizationV1::AttestationOccurrence]
797
+ attr_accessor :attestation
798
+
799
+ # Required. The resource name of the Note to which the containing Occurrence is
800
+ # associated.
801
+ # Corresponds to the JSON property `occurrenceNote`
802
+ # @return [String]
803
+ attr_accessor :occurrence_note
804
+
805
+ # Required. The URI of the artifact (e.g. container image) that is the subject
806
+ # of the containing Occurrence.
807
+ # Corresponds to the JSON property `occurrenceResourceUri`
808
+ # @return [String]
809
+ attr_accessor :occurrence_resource_uri
810
+
811
+ def initialize(**args)
812
+ update!(**args)
813
+ end
814
+
815
+ # Update properties of this object
816
+ def update!(**args)
817
+ @attestation = args[:attestation] if args.key?(:attestation)
818
+ @occurrence_note = args[:occurrence_note] if args.key?(:occurrence_note)
819
+ @occurrence_resource_uri = args[:occurrence_resource_uri] if args.key?(:occurrence_resource_uri)
820
+ end
821
+ end
822
+
823
+ # Response message for ValidationHelperV1.ValidateAttestationOccurrence.
824
+ class ValidateAttestationOccurrenceResponse
825
+ include Google::Apis::Core::Hashable
826
+
827
+ # The reason for denial if the Attestation couldn't be validated.
828
+ # Corresponds to the JSON property `denialReason`
829
+ # @return [String]
830
+ attr_accessor :denial_reason
831
+
832
+ # The result of the Attestation validation.
833
+ # Corresponds to the JSON property `result`
834
+ # @return [String]
835
+ attr_accessor :result
836
+
837
+ def initialize(**args)
838
+ update!(**args)
839
+ end
840
+
841
+ # Update properties of this object
842
+ def update!(**args)
843
+ @denial_reason = args[:denial_reason] if args.key?(:denial_reason)
844
+ @result = args[:result] if args.key?(:result)
845
+ end
846
+ end
847
+ end
848
+ end
849
+ end