google-apis-binaryauthorization_v1 0.26.0 → 0.27.0

@@ -84,6 +84,41 @@ module Google
84
84
  end
85
85
  end
86
86
 
87
+ # An attestation authenticator that will be used to verify attestations.
88
+ # Typically this is just a set of public keys. Conceptually, an authenticator
89
+ # can be treated as always returning either "authenticated" or "not
90
+ # authenticated" when presented with a signed attestation (almost always assumed
91
+ # to be a [DSSE](https://github.com/secure-systems-lab/dsse) attestation). The
92
+ # details of how an authenticator makes this decision are specific to the type
93
+ # of 'authenticator' that this message wraps.
94
+ class AttestationAuthenticator
95
+ include Google::Apis::Core::Hashable
96
+
97
+ # Optional. A user-provided name for this AttestationAuthenticator. This field
98
+ # has no effect on the policy evaluation behavior except to improve readability
99
+ # of messages in evaluation results.
100
+ # Corresponds to the JSON property `displayName`
101
+ # @return [String]
102
+ attr_accessor :display_name
103
+
104
+ # A bundle of PKIX public keys, used to authenticate attestation signatures.
105
+ # Generally, a signature is considered to be authenticated by a PkixPublicKeySet
106
+ # if any of the public keys verify it (i.e. it is an "OR" of the keys).
107
+ # Corresponds to the JSON property `pkixPublicKeySet`
108
+ # @return [Google::Apis::BinaryauthorizationV1::PkixPublicKeySet]
109
+ attr_accessor :pkix_public_key_set
110
+
111
+ def initialize(**args)
112
+ update!(**args)
113
+ end
114
+
115
+ # Update properties of this object
116
+ def update!(**args)
117
+ @display_name = args[:display_name] if args.key?(:display_name)
118
+ @pkix_public_key_set = args[:pkix_public_key_set] if args.key?(:pkix_public_key_set)
119
+ end
120
+ end
121
+
87
122
  # Occurrence that represents a single "attestation". The authenticity of an
88
123
  # attestation can be verified using the attached signature. If the verifier
89
124
  # trusts the public key of the signer, then verifying the signature is
@@ -131,6 +166,26 @@ module Google
131
166
  end
132
167
  end
133
168
 
169
+ # Specifies the locations for fetching the provenance attestations.
170
+ class AttestationSource
171
+ include Google::Apis::Core::Hashable
172
+
173
+ # The ids of the GCP projects storing the SLSA attestations as container
174
+ # analysis Occurrences.
175
+ # Corresponds to the JSON property `containerAnalysisAttestationProjects`
176
+ # @return [Array<String>]
177
+ attr_accessor :container_analysis_attestation_projects
178
+
179
+ def initialize(**args)
180
+ update!(**args)
181
+ end
182
+
183
+ # Update properties of this object
184
+ def update!(**args)
185
+ @container_analysis_attestation_projects = args[:container_analysis_attestation_projects] if args.key?(:container_analysis_attestation_projects)
186
+ end
187
+ end
188
+
134
189
  # An attestor that attests to container image artifacts. An existing attestor
135
190
  # cannot be modified except where indicated.
136
191
  class Attestor
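Review bot: `AttestationSource.container_analysis_attestation_projects` carries neither a `Required.` nor an `Optional.` marker and never says what is fetched when the list is empty, whereas the same-named field on `SimpleSigningAttestationCheck` later in this diff is explicitly Optional. Because a `VerificationRule` only passes when one of the fetched SLSA attestations verifies, an empty source list presumably leaves the rule unsatisfiable, which is a fail-closed outcome a policy author would want spelled out rather than inferred. I would add to the field comment `# NOTE(review): behavior with an empty list is not documented; presumably nothing is fetched and the enclosing rule cannot pass — confirm against the API reference.`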
@@ -305,6 +360,124 @@ module Google
305
360
  end
306
361
  end
307
362
 
363
+ # A single check to perform against a Pod. Checks are grouped into CheckSets,
364
+ # which are defined by the top-level policy.
365
+ class Check
366
+ include Google::Apis::Core::Hashable
367
+
368
+ # Optional. A special-case check that always denies. Note that this still only
369
+ # applies when the scope of the CheckSet applies and the image isn't exempted by
370
+ # an image allowlist. This check is primarily useful for testing, or to set the
371
+ # default behavior for all unmatched scopes to "deny".
372
+ # Corresponds to the JSON property `alwaysDeny`
373
+ # @return [Boolean]
374
+ attr_accessor :always_deny
375
+ alias_method :always_deny?, :always_deny
376
+
377
+ # Optional. A user-provided name for this Check. This field has no effect on the
378
+ # policy evaluation behavior except to improve readability of messages in
379
+ # evaluation results.
380
+ # Corresponds to the JSON property `displayName`
381
+ # @return [String]
382
+ attr_accessor :display_name
383
+
384
+ # Images that are exempted from normal checks based on name pattern only.
385
+ # Corresponds to the JSON property `imageAllowlist`
386
+ # @return [Google::Apis::BinaryauthorizationV1::ImageAllowlist]
387
+ attr_accessor :image_allowlist
388
+
389
+ # An image freshness check, which rejects images that were uploaded before the
390
+ # set number of days ago to the supported repositories.
391
+ # Corresponds to the JSON property `imageFreshnessCheck`
392
+ # @return [Google::Apis::BinaryauthorizationV1::ImageFreshnessCheck]
393
+ attr_accessor :image_freshness_check
394
+
395
+ # Require a signed [DSSE](https://github.com/secure-systems-lab/dsse)
396
+ # attestation with type SimpleSigning.
397
+ # Corresponds to the JSON property `simpleSigningAttestationCheck`
398
+ # @return [Google::Apis::BinaryauthorizationV1::SimpleSigningAttestationCheck]
399
+ attr_accessor :simple_signing_attestation_check
400
+
401
+ # A SLSA provenance attestation check, which ensures that images are built by a
402
+ # trusted builder using source code from its trusted repositories only.
403
+ # Corresponds to the JSON property `slsaCheck`
404
+ # @return [Google::Apis::BinaryauthorizationV1::SlsaCheck]
405
+ attr_accessor :slsa_check
406
+
407
+ # A trusted directory check, which rejects images that do not come from the set
408
+ # of user-configured trusted directories.
409
+ # Corresponds to the JSON property `trustedDirectoryCheck`
410
+ # @return [Google::Apis::BinaryauthorizationV1::TrustedDirectoryCheck]
411
+ attr_accessor :trusted_directory_check
412
+
413
+ # An image vulnerability check, which rejects images that violate the configured
414
+ # vulnerability rules.
415
+ # Corresponds to the JSON property `vulnerabilityCheck`
416
+ # @return [Google::Apis::BinaryauthorizationV1::VulnerabilityCheck]
417
+ attr_accessor :vulnerability_check
418
+
419
+ def initialize(**args)
420
+ update!(**args)
421
+ end
422
+
423
+ # Update properties of this object
424
+ def update!(**args)
425
+ @always_deny = args[:always_deny] if args.key?(:always_deny)
426
+ @display_name = args[:display_name] if args.key?(:display_name)
427
+ @image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
428
+ @image_freshness_check = args[:image_freshness_check] if args.key?(:image_freshness_check)
429
+ @simple_signing_attestation_check = args[:simple_signing_attestation_check] if args.key?(:simple_signing_attestation_check)
430
+ @slsa_check = args[:slsa_check] if args.key?(:slsa_check)
431
+ @trusted_directory_check = args[:trusted_directory_check] if args.key?(:trusted_directory_check)
432
+ @vulnerability_check = args[:vulnerability_check] if args.key?(:vulnerability_check)
433
+ end
434
+ end
435
+
436
+ # A conjunction of policy checks, scoped to a particular namespace or Kubernetes
437
+ # service account. In order for evaluation of a CheckSet to return "allowed" for
438
+ # a given image in a given Pod, one of the following conditions must be
439
+ # satisfied: * The image is explicitly exempted by an entry in `image_allowlist`,
440
+ # OR * ALL of the `checks` evaluate to "allowed".
441
+ class CheckSet
442
+ include Google::Apis::Core::Hashable
443
+
444
+ # Optional. The checks to apply. The ultimate result of evaluating the check set
445
+ # will be "allow" if and only if every check in 'checks' evaluates to "allow".
446
+ # If `checks` is empty, the default behavior is "always allow".
447
+ # Corresponds to the JSON property `checks`
448
+ # @return [Array<Google::Apis::BinaryauthorizationV1::Check>]
449
+ attr_accessor :checks
450
+
451
+ # Optional. A user-provided name for this CheckSet. This field has no effect on
452
+ # the policy evaluation behavior except to improve readability of messages in
453
+ # evaluation results.
454
+ # Corresponds to the JSON property `displayName`
455
+ # @return [String]
456
+ attr_accessor :display_name
457
+
458
+ # Images that are exempted from normal checks based on name pattern only.
459
+ # Corresponds to the JSON property `imageAllowlist`
460
+ # @return [Google::Apis::BinaryauthorizationV1::ImageAllowlist]
461
+ attr_accessor :image_allowlist
462
+
463
+ # A scope specifier for CheckSets.
464
+ # Corresponds to the JSON property `scope`
465
+ # @return [Google::Apis::BinaryauthorizationV1::Scope]
466
+ attr_accessor :scope
467
+
468
+ def initialize(**args)
469
+ update!(**args)
470
+ end
471
+
472
+ # Update properties of this object
473
+ def update!(**args)
474
+ @checks = args[:checks] if args.key?(:checks)
475
+ @display_name = args[:display_name] if args.key?(:display_name)
476
+ @image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
477
+ @scope = args[:scope] if args.key?(:scope)
478
+ end
479
+ end
480
+
308
481
  # A generic empty message that you can re-use to avoid defining duplicated empty
309
482
  # messages in your APIs. A typical example is to use it as the request or the
310
483
  # response type of an API method. For instance: service Foo ` rpc Bar(google.
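Review bot: The `Check` class documentation never states that its six check-type fields (`always_deny`, `image_freshness_check`, `simple_signing_attestation_check`, `slsa_check`, `trusted_directory_check`, `vulnerability_check`) are mutually exclusive, nor how a `Check` with none or several of them set is evaluated; this looks like a `oneof` upstream but nothing in the Ruby model says so. Since `CheckSet.checks` is an AND of its members and an empty `checks` list is documented as "always allow", an ill-formed `Check` that silently evaluates to "allow" would be a policy bypass, so the contract deserves a line in the class comment. I would add above `class Check` `# Exactly one of the check-type fields below is expected to be set (presumably a oneof upstream) — confirm how a Check with zero or multiple set is evaluated.` The "always allow" default on empty `checks` is also worth calling out as fail-open next to the field rather than only in passing.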
@@ -375,6 +548,46 @@ module Google
375
548
  end
376
549
  end
377
550
 
551
+ # A Binary Authorization policy for a GKE cluster. This is one type of policy
552
+ # that can occur as a `PlatformPolicy`.
553
+ class GkePolicy
554
+ include Google::Apis::Core::Hashable
555
+
556
+ # Optional. The CheckSets to apply, scoped by namespace or namespace and service
557
+ # account. Exactly one CheckSet will be evaluated for a given Pod (unless the
558
+ # list is empty, in which case the behavior is "always allow"). If multiple
559
+ # CheckSets have scopes that match the namespace and service account of the Pod
560
+ # being evaluated, only the CheckSet with the MOST SPECIFIC scope will match.
561
+ # CheckSets must be listed in order of decreasing specificity, i.e. if a scope
562
+ # matches a given service account (which must include the namespace), it must
563
+ # come before a CheckSet with a scope matching just that namespace. This
564
+ # property is enforced by server-side validation. The purpose of this
565
+ # restriction is to ensure that if more than one CheckSet matches a given Pod,
566
+ # the CheckSet that will be evaluated will always be the first in the list to
567
+ # match (because if any other matches, it must be less specific). If `check_sets`
568
+ # is empty, the default behavior is to allow all images. If `check_sets` is non-
569
+ # empty, the last `check_sets` entry must always be a CheckSet with no scope set,
570
+ # i.e. a catchall to handle any situation not caught by the preceding CheckSets.
571
+ # Corresponds to the JSON property `checkSets`
572
+ # @return [Array<Google::Apis::BinaryauthorizationV1::CheckSet>]
573
+ attr_accessor :check_sets
574
+
575
+ # Images that are exempted from normal checks based on name pattern only.
576
+ # Corresponds to the JSON property `imageAllowlist`
577
+ # @return [Google::Apis::BinaryauthorizationV1::ImageAllowlist]
578
+ attr_accessor :image_allowlist
579
+
580
+ def initialize(**args)
581
+ update!(**args)
582
+ end
583
+
584
+ # Update properties of this object
585
+ def update!(**args)
586
+ @check_sets = args[:check_sets] if args.key?(:check_sets)
587
+ @image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
588
+ end
589
+ end
590
+
378
591
  # An Identity and Access Management (IAM) policy, which specifies access
379
592
  # controls for Google Cloud resources. A `Policy` is a collection of `bindings`.
380
593
  # A `binding` binds one or more `members`, or principals, to a single `role`.
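Review bot: `GkePolicy` stacks a third `image_allowlist` on top of the ones on `CheckSet` and `Check`, and the field comment only says "exempted from normal checks", so the reader cannot tell from this hunk whether a policy-level match skips CheckSet selection entirely (presumably it does, being evaluated first) or is consulted only after a CheckSet is matched. Combined with the documented default that an empty `check_sets` allows every image, the exemption layering is the part of this model a policy author is most likely to get wrong, and the class comment should state it explicitly. I would add to the `image_allowlist` comment `# Presumably evaluated before any CheckSet: a matching image skips every check in the policy; with check_sets empty the policy enforces nothing — confirm ordering.` Note that all three allowlist layers match by name pattern only, so a match is only as trustworthy as push access to the matching repository.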
@@ -386,22 +599,22 @@ module Google
386
599
  # evaluates to `true`. A condition can add constraints based on attributes of
387
600
  # the request, the resource, or both. To learn which resources support
388
601
  # conditions in their IAM policies, see the [IAM documentation](https://cloud.
389
- # google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
602
+ # google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
390
603
  # bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
391
604
  # "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
392
605
  # serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
393
606
  # roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
394
607
  # ], "condition": ` "title": "expirable access", "description": "Does not grant
395
608
  # access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
396
- # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML example:**
397
- # bindings: - members: - user:mike@example.com - group:admins@example.com -
398
- # domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com
399
- # role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.
400
- # com role: roles/resourcemanager.organizationViewer condition: title: expirable
401
- # access description: Does not grant access after Sep 2020 expression: request.
402
- # time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For
403
- # a description of IAM and its features, see the [IAM documentation](https://
404
- # cloud.google.com/iam/docs/).
609
+ # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
610
+ # example:** ``` bindings: - members: - user:mike@example.com - group:admins@
611
+ # example.com - domain:google.com - serviceAccount:my-project-id@appspot.
612
+ # gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
613
+ # user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
614
+ # title: expirable access description: Does not grant access after Sep 2020
615
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
616
+ # BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
617
+ # [IAM documentation](https://cloud.google.com/iam/docs/).
405
618
  class IamPolicy
406
619
  include Google::Apis::Core::Hashable
407
620
 
@@ -464,6 +677,47 @@ module Google
464
677
  end
465
678
  end
466
679
 
680
+ # Images that are exempted from normal checks based on name pattern only.
681
+ class ImageAllowlist
682
+ include Google::Apis::Core::Hashable
683
+
684
+ # Required. A disjunction of image patterns to allow. If any of these patterns
685
+ # match, then the image is considered exempted by this allowlist.
686
+ # Corresponds to the JSON property `allowPattern`
687
+ # @return [Array<String>]
688
+ attr_accessor :allow_pattern
689
+
690
+ def initialize(**args)
691
+ update!(**args)
692
+ end
693
+
694
+ # Update properties of this object
695
+ def update!(**args)
696
+ @allow_pattern = args[:allow_pattern] if args.key?(:allow_pattern)
697
+ end
698
+ end
699
+
700
+ # An image freshness check, which rejects images that were uploaded before the
701
+ # set number of days ago to the supported repositories.
702
+ class ImageFreshnessCheck
703
+ include Google::Apis::Core::Hashable
704
+
705
+ # Required. The max number of days that is allowed since the image was uploaded.
706
+ # Must be greater than zero.
707
+ # Corresponds to the JSON property `maxUploadAgeDays`
708
+ # @return [Fixnum]
709
+ attr_accessor :max_upload_age_days
710
+
711
+ def initialize(**args)
712
+ update!(**args)
713
+ end
714
+
715
+ # Update properties of this object
716
+ def update!(**args)
717
+ @max_upload_age_days = args[:max_upload_age_days] if args.key?(:max_upload_age_days)
718
+ end
719
+ end
720
+
467
721
  #
468
722
  class Jwt
469
723
  include Google::Apis::Core::Hashable
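Review bot: `ImageAllowlist.allow_pattern` is the broadest bypass in this policy model (a match exempts the image from every check) yet, unlike `TrustedDirectoryCheck.trusted_dir_patterns` later in this diff, its wildcard grammar is not documented here, so a reader cannot tell whether a leading or `**` wildcard can exempt an entire registry. I cannot tell from this file whether the two fields share a grammar; the comment should either say so or reference the pattern rules. For `ImageFreshnessCheck`, the comment restricts the check to "the supported repositories" without saying whether an image whose upload time cannot be determined passes or fails, and it measures upload time, not build time, which matters for freshness arguments. I would append `# NOTE(review): outcome for images in repositories where upload time is unavailable is not documented — confirm the check fails closed.`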
@@ -512,6 +766,33 @@ module Google
512
766
  end
513
767
  end
514
768
 
769
+ # Response message for PlatformPolicyManagementService.ListPlatformPolicies.
770
+ class ListPlatformPoliciesResponse
771
+ include Google::Apis::Core::Hashable
772
+
773
+ # A token to retrieve the next page of results. Pass this value in the
774
+ # ListPlatformPoliciesRequest.page_token field in the subsequent call to the `
775
+ # ListPlatformPolicies` method to retrieve the next page of results.
776
+ # Corresponds to the JSON property `nextPageToken`
777
+ # @return [String]
778
+ attr_accessor :next_page_token
779
+
780
+ # The list of platform policies.
781
+ # Corresponds to the JSON property `platformPolicies`
782
+ # @return [Array<Google::Apis::BinaryauthorizationV1::PlatformPolicy>]
783
+ attr_accessor :platform_policies
784
+
785
+ def initialize(**args)
786
+ update!(**args)
787
+ end
788
+
789
+ # Update properties of this object
790
+ def update!(**args)
791
+ @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
792
+ @platform_policies = args[:platform_policies] if args.key?(:platform_policies)
793
+ end
794
+ end
795
+
515
796
  # A public key in the PkixPublicKey format (see https://tools.ietf.org/html/
516
797
  # rfc5280#section-4.1.2.7 for details). Public keys of this type are typically
517
798
  # textually encoded using the PEM format.
@@ -543,6 +824,66 @@ module Google
543
824
  end
544
825
  end
545
826
 
827
+ # A bundle of PKIX public keys, used to authenticate attestation signatures.
828
+ # Generally, a signature is considered to be authenticated by a PkixPublicKeySet
829
+ # if any of the public keys verify it (i.e. it is an "OR" of the keys).
830
+ class PkixPublicKeySet
831
+ include Google::Apis::Core::Hashable
832
+
833
+ # Required. `pkix_public_keys` must have at least one entry.
834
+ # Corresponds to the JSON property `pkixPublicKeys`
835
+ # @return [Array<Google::Apis::BinaryauthorizationV1::PkixPublicKey>]
836
+ attr_accessor :pkix_public_keys
837
+
838
+ def initialize(**args)
839
+ update!(**args)
840
+ end
841
+
842
+ # Update properties of this object
843
+ def update!(**args)
844
+ @pkix_public_keys = args[:pkix_public_keys] if args.key?(:pkix_public_keys)
845
+ end
846
+ end
847
+
848
+ # A Binary Authorization platform policy for deployments on various platforms.
849
+ class PlatformPolicy
850
+ include Google::Apis::Core::Hashable
851
+
852
+ # Optional. A description comment about the policy.
853
+ # Corresponds to the JSON property `description`
854
+ # @return [String]
855
+ attr_accessor :description
856
+
857
+ # A Binary Authorization policy for a GKE cluster. This is one type of policy
858
+ # that can occur as a `PlatformPolicy`.
859
+ # Corresponds to the JSON property `gkePolicy`
860
+ # @return [Google::Apis::BinaryauthorizationV1::GkePolicy]
861
+ attr_accessor :gke_policy
862
+
863
+ # Output only. The relative resource name of the BinAuthz platform policy, in
864
+ # the form of `projects/*/platforms/*/policies/*`.
865
+ # Corresponds to the JSON property `name`
866
+ # @return [String]
867
+ attr_accessor :name
868
+
869
+ # Output only. Time when the policy was last updated.
870
+ # Corresponds to the JSON property `updateTime`
871
+ # @return [String]
872
+ attr_accessor :update_time
873
+
874
+ def initialize(**args)
875
+ update!(**args)
876
+ end
877
+
878
+ # Update properties of this object
879
+ def update!(**args)
880
+ @description = args[:description] if args.key?(:description)
881
+ @gke_policy = args[:gke_policy] if args.key?(:gke_policy)
882
+ @name = args[:name] if args.key?(:name)
883
+ @update_time = args[:update_time] if args.key?(:update_time)
884
+ end
885
+ end
886
+
546
887
  # A policy for container image binary authorization.
547
888
  class Policy
548
889
  include Google::Apis::Core::Hashable
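Review bot: `PkixPublicKeySet` is documented as an OR of its keys, so any single key in the set can authenticate an attestation, but the comment does not draw the operational consequence for key rotation or compromise, and no revocation mechanism other than editing the set is visible here. I would add to the `pkix_public_keys` comment `# Any one key here suffices; revoking a compromised signer means removing its key from every set that lists it (no other revocation path is visible in this model).` Separately, `PlatformPolicy` exposes `name` and `update_time` as output-only but no etag or version field, unlike the `IamPolicy` example elsewhere in this file, so concurrent policy updates may be last-writer-wins; worth confirming and noting on the class.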
@@ -642,6 +983,34 @@ module Google
642
983
  end
643
984
  end
644
985
 
986
+ # A scope specifier for CheckSets.
987
+ class Scope
988
+ include Google::Apis::Core::Hashable
989
+
990
+ # Optional. Matches all Kubernetes service accounts in the provided namespace,
991
+ # unless a more specific `kubernetes_service_account` scope already matched.
992
+ # Corresponds to the JSON property `kubernetesNamespace`
993
+ # @return [String]
994
+ attr_accessor :kubernetes_namespace
995
+
996
+ # Optional. Matches a single Kubernetes service account, e.g. 'my-namespace:my-
997
+ # service-account'. `kubernetes_service_account` scope is always more specific
998
+ # than `kubernetes_namespace` scope for the same namespace.
999
+ # Corresponds to the JSON property `kubernetesServiceAccount`
1000
+ # @return [String]
1001
+ attr_accessor :kubernetes_service_account
1002
+
1003
+ def initialize(**args)
1004
+ update!(**args)
1005
+ end
1006
+
1007
+ # Update properties of this object
1008
+ def update!(**args)
1009
+ @kubernetes_namespace = args[:kubernetes_namespace] if args.key?(:kubernetes_namespace)
1010
+ @kubernetes_service_account = args[:kubernetes_service_account] if args.key?(:kubernetes_service_account)
1011
+ end
1012
+ end
1013
+
645
1014
  # Request message for `SetIamPolicy` method.
646
1015
  class SetIamPolicyRequest
647
1016
  include Google::Apis::Core::Hashable
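Review bot: Both `Scope` fields are Optional, and the class comment does not say what a `Scope` with neither field set matches, or what happens when both are set; `GkePolicy` elsewhere in this diff requires the last CheckSet to have "no scope set" as the catch-all, which is the only hint that an empty Scope matches every Pod. Because scope resolution decides which CheckSet (and therefore which checks) applies to a Pod, an author guessing wrong here silently lands on the catch-all. I would add above `class Scope` `# A Scope with neither field set matches every Pod (the required catch-all); presumably setting both fields is rejected or resolved to the service-account scope — confirm.`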
@@ -657,22 +1026,22 @@ module Google
657
1026
  # evaluates to `true`. A condition can add constraints based on attributes of
658
1027
  # the request, the resource, or both. To learn which resources support
659
1028
  # conditions in their IAM policies, see the [IAM documentation](https://cloud.
660
- # google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
1029
+ # google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
661
1030
  # bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
662
1031
  # "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
663
1032
  # serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
664
1033
  # roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
665
1034
  # ], "condition": ` "title": "expirable access", "description": "Does not grant
666
1035
  # access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
667
- # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML example:**
668
- # bindings: - members: - user:mike@example.com - group:admins@example.com -
669
- # domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com
670
- # role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.
671
- # com role: roles/resourcemanager.organizationViewer condition: title: expirable
672
- # access description: Does not grant access after Sep 2020 expression: request.
673
- # time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For
674
- # a description of IAM and its features, see the [IAM documentation](https://
675
- # cloud.google.com/iam/docs/).
1036
+ # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
1037
+ # example:** ``` bindings: - members: - user:mike@example.com - group:admins@
1038
+ # example.com - domain:google.com - serviceAccount:my-project-id@appspot.
1039
+ # gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
1040
+ # user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
1041
+ # title: expirable access description: Does not grant access after Sep 2020
1042
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
1043
+ # BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
1044
+ # [IAM documentation](https://cloud.google.com/iam/docs/).
676
1045
  # Corresponds to the JSON property `policy`
677
1046
  # @return [Google::Apis::BinaryauthorizationV1::IamPolicy]
678
1047
  attr_accessor :policy
@@ -742,6 +1111,64 @@ module Google
742
1111
  end
743
1112
  end
744
1113
 
1114
+ # Require a signed [DSSE](https://github.com/secure-systems-lab/dsse)
1115
+ # attestation with type SimpleSigning.
1116
+ class SimpleSigningAttestationCheck
1117
+ include Google::Apis::Core::Hashable
1118
+
1119
+ # Required. The authenticators required by this check to verify an attestation.
1120
+ # Typically this is one or more PKIX public keys for signature verification.
1121
+ # Only one authenticator needs to consider an attestation verified in order for
1122
+ # an attestation to be considered fully authenticated. In otherwords, this list
1123
+ # of authenticators is an "OR" of the authenticator results. At least one
1124
+ # authenticator is required.
1125
+ # Corresponds to the JSON property `attestationAuthenticators`
1126
+ # @return [Array<Google::Apis::BinaryauthorizationV1::AttestationAuthenticator>]
1127
+ attr_accessor :attestation_authenticators
1128
+
1129
+ # Optional. The projects where attestations are stored as Container Analysis
1130
+ # Occurrences. Only one attestation needs to successfully verify an image for
1131
+ # this check to pass, so a single verified attestation found in any of `
1132
+ # container_analysis_attestation_projects` is sufficient for the check to pass.
1133
+ # When fetching Occurrences from Container Analysis, only 'AttestationOccurrence'
1134
+ # kinds are considered. In the future, additional Occurrence kinds may be added
1135
+ # to the query.
1136
+ # Corresponds to the JSON property `containerAnalysisAttestationProjects`
1137
+ # @return [Array<String>]
1138
+ attr_accessor :container_analysis_attestation_projects
1139
+
1140
+ def initialize(**args)
1141
+ update!(**args)
1142
+ end
1143
+
1144
+ # Update properties of this object
1145
+ def update!(**args)
1146
+ @attestation_authenticators = args[:attestation_authenticators] if args.key?(:attestation_authenticators)
1147
+ @container_analysis_attestation_projects = args[:container_analysis_attestation_projects] if args.key?(:container_analysis_attestation_projects)
1148
+ end
1149
+ end
1150
+
1151
+ # A SLSA provenance attestation check, which ensures that images are built by a
1152
+ # trusted builder using source code from its trusted repositories only.
1153
+ class SlsaCheck
1154
+ include Google::Apis::Core::Hashable
1155
+
1156
+ # Specifies a list of verification rules for the SLSA attestations. An image is
1157
+ # considered compliant with the SlsaCheck if any of the rules are satisfied.
1158
+ # Corresponds to the JSON property `rules`
1159
+ # @return [Array<Google::Apis::BinaryauthorizationV1::VerificationRule>]
1160
+ attr_accessor :rules
1161
+
1162
+ def initialize(**args)
1163
+ update!(**args)
1164
+ end
1165
+
1166
+ # Update properties of this object
1167
+ def update!(**args)
1168
+ @rules = args[:rules] if args.key?(:rules)
1169
+ end
1170
+ end
1171
+
745
1172
  # Request message for `TestIamPermissions` method.
746
1173
  class TestIamPermissionsRequest
747
1174
  include Google::Apis::Core::Hashable
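Review bot: `SlsaCheck.rules` carries no `Required.` marker and is documented as "compliant if any of the rules are satisfied", which leaves the empty-list case unstated; by that wording an empty `rules` can never be satisfied and the check denies, the opposite of the "always allow" default documented for an empty `CheckSet.checks` in this same diff. Two empty-list defaults that go in opposite directions is exactly where a policy author will slip, so the field comment should say which way this one goes. I would add `# NOTE(review): with rules empty no rule can be satisfied and the check presumably denies — confirm and document, since empty CheckSet.checks allows.` The same "default when empty" gap applies to `SimpleSigningAttestationCheck.container_analysis_attestation_projects`, which is Optional but does not say where attestations are fetched from when it is omitted.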
@@ -782,6 +1209,40 @@ module Google
782
1209
  end
783
1210
  end
784
1211
 
1212
+ # A trusted directory check, which rejects images that do not come from the set
1213
+ # of user-configured trusted directories.
1214
+ class TrustedDirectoryCheck
1215
+ include Google::Apis::Core::Hashable
1216
+
1217
+ # Required. List of trusted directory patterns. A pattern is in the form "
1218
+ # registry/path/to/directory". The registry domain part is defined as two or
1219
+ # more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be
1220
+ # used in three ways as wildcards: 1. leading * to match varying prefixes in
1221
+ # registry subdomain (useful for location prefixes); 2. trailing * after
1222
+ # registry/ to match varying endings; 3. trailing ** after registry/ to match "/"
1223
+ # as well. For example: -- gcr.io/my-project/my-repo is valid to match a single
1224
+ # directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are
1225
+ # valid to match varying prefixes -- gcr.io/my-project/* will match all direct
1226
+ # directories in my-project -- gcr.io/my-project/** would match all directories
1227
+ # in my-project -- gcr.i* is not allowed since the registry is not completely
1228
+ # specified -- sub*domain.gcr.io/nginx is not valid because only leading * or
1229
+ # trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because
1230
+ # leading * can only match subdomain -- **-docker.pkg.dev is not valid because
1231
+ # one leading * is allowed, and that it cannot match "/"
1232
+ # Corresponds to the JSON property `trustedDirPatterns`
1233
+ # @return [Array<String>]
1234
+ attr_accessor :trusted_dir_patterns
1235
+
1236
+ def initialize(**args)
1237
+ update!(**args)
1238
+ end
1239
+
1240
+ # Update properties of this object
1241
+ def update!(**args)
1242
+ @trusted_dir_patterns = args[:trusted_dir_patterns] if args.key?(:trusted_dir_patterns)
1243
+ end
1244
+ end
1245
+
785
1246
  # An user owned Grafeas note references a Grafeas Attestation.Authority Note
786
1247
  # created by the user.
787
1248
  class UserOwnedGrafeasNote
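Review bot: The `trusted_dir_patterns` comment enumerates valid and invalid wildcard forms but never states that a pattern without a trailing wildcard matches the directory exactly rather than as a prefix, so it is unclear from this hunk whether `gcr.io/my-project/my-repo` also matches `gcr.io/my-project/my-repo-2`; a prefix match would let an attacker who can create a sibling repository satisfy the check. I would add `# A pattern with no trailing wildcard matches the directory exactly, not as a prefix (gcr.io/p/repo must not match gcr.io/p/repo-2) — confirm.` It is also worth noting in the class comment that this check constrains only the image reference path, not a digest or signature, so it is only as strong as push access to the trusted directories. The "two or more dot-separated words" rule for the registry also appears to exclude single-label or port-qualified hosts, which may be intentional but is not stated.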
@@ -892,6 +1353,130 @@ module Google
892
1353
  @result = args[:result] if args.key?(:result)
893
1354
  end
894
1355
  end
1356
+
1357
+ # Specifies verification rules for evaluating the SLSA attestations including:
1358
+ # which builders to trust, where to fetch the SLSA attestations generated by
1359
+ # those builders, and other builder-specific evaluation rules such as which
1360
+ # source repositories are trusted. An image is considered verified by the rule
1361
+ # if any of the fetched SLSA attestations is verified.
1362
+ class VerificationRule
1363
+ include Google::Apis::Core::Hashable
1364
+
1365
+ # Specifies the locations for fetching the provenance attestations.
1366
+ # Corresponds to the JSON property `attestationSource`
1367
+ # @return [Google::Apis::BinaryauthorizationV1::AttestationSource]
1368
+ attr_accessor :attestation_source
1369
+
1370
+ # If true, require the image to be built from a top-level configuration.
1371
+ # trusted_source_repo patterns specifies the repositories containing this
1372
+ # configuration.
1373
+ # Corresponds to the JSON property `configBasedBuildRequired`
1374
+ # @return [Boolean]
1375
+ attr_accessor :config_based_build_required
1376
+ alias_method :config_based_build_required?, :config_based_build_required
1377
+
1378
+ # Each verification rule is used for evaluation against provenances generated by
1379
+ # a specific builder (group). For some of the builders, such as the Google Cloud
1380
+ # Build, users don't need to explicitly specify their roots of trust in the
1381
+ # policy since the evaluation service can automatically fetch them based on the
1382
+ # builder (group).
1383
+ # Corresponds to the JSON property `trustedBuilder`
1384
+ # @return [String]
1385
+ attr_accessor :trusted_builder
1386
+
1387
+ # List of trusted source code repository URL patterns. These patterns match the
1388
+ # full repository URL without its scheme (e.g. "https://"). The patterns must
1389
+ # not include schemes. For example, the pattern "source.cloud.google.com/my-
1390
+ # project/my-repo-name" matches the following URLs: - "source.cloud.google.com/
1391
+ # my-project/my-repo-name" - "git+ssh://source.cloud.google.com/my-project/my-
1392
+ # repo-name" - "https://source.cloud.google.com/my-project/my-repo-name" A
1393
+ # pattern matches a URL either exactly or with * wildcards. * can be used in
1394
+ # only two ways: 1. trailing * after hosturi/ to match varying endings; 2.
1395
+ # trailing ** after hosturi/ to match "/" as well. * and ** can only be used as
1396
+ # wildcards and can only occur at the end of the pattern after a /. (So it's not
1397
+ # possible to match a URL that contains literal *.) For example: - "github.com/
1398
+ # my-project/my-repo" is valid to match a single repo - "github.com/my-project/*"
1399
+ # will match all direct repos in my-project - "github.com/**" matches all repos
1400
+ # in GitHub
1401
+ # Corresponds to the JSON property `trustedSourceRepoPatterns`
1402
+ # @return [Array<String>]
1403
+ attr_accessor :trusted_source_repo_patterns
1404
+
1405
+ def initialize(**args)
1406
+ update!(**args)
1407
+ end
1408
+
1409
+ # Update properties of this object
1410
+ def update!(**args)
1411
+ @attestation_source = args[:attestation_source] if args.key?(:attestation_source)
1412
+ @config_based_build_required = args[:config_based_build_required] if args.key?(:config_based_build_required)
1413
+ @trusted_builder = args[:trusted_builder] if args.key?(:trusted_builder)
1414
+ @trusted_source_repo_patterns = args[:trusted_source_repo_patterns] if args.key?(:trusted_source_repo_patterns)
1415
+ end
1416
+ end
1417
+
1418
+ # An image vulnerability check, which rejects images that violate the configured
1419
+ # vulnerability rules.
1420
+ class VulnerabilityCheck
1421
+ include Google::Apis::Core::Hashable
1422
+
1423
+ # Optional. A list of specific CVEs to ignore even if the vulnerability level
1424
+ # violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed
1425
+ # in the format of Container Analysis note id. For example: - CVE-2021-20305 -
1426
+ # CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.
1427
+ # g., an entry of `CVE-2021-20305` will allow vulnerabilities with a note name
1428
+ # of either `projects/goog-vulnz/notes/CVE-2021-20305` or `projects/CUSTOM-
1429
+ # PROJECT/notes/CVE-2021-20305`.
1430
+ # Corresponds to the JSON property `allowedCves`
1431
+ # @return [Array<String>]
1432
+ attr_accessor :allowed_cves
1433
+
1434
+ # Optional. A list of specific CVEs to always raise warnings about even if the
1435
+ # vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity.
1436
+ # CVEs are listed in the format of Container Analysis note id. For example: -
1437
+ # CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note
1438
+ # provider project, e.g., an entry of `CVE-2021-20305` will block
1439
+ # vulnerabilities with a note name of either `projects/goog-vulnz/notes/CVE-2021-
1440
+ # 20305` or `projects/CUSTOM-PROJECT/notes/CVE-2021-20305`.
1441
+ # Corresponds to the JSON property `blockedCves`
1442
+ # @return [Array<String>]
1443
+ attr_accessor :blocked_cves
1444
+
1445
+ # Optional. The projects where vulnerabilities are stored as Container Analysis
1446
+ # Occurrences. Each project is expressed in the resource format of `projects/[
1447
+ # PROJECT_ID]`, e.g., projects/my-gcp-project. An attempt will be made for each
1448
+ # project to fetch vulnerabilities, and all valid vulnerabilities will be used
1449
+ # to check against the vulnerability policy. If no valid scan is found in all
1450
+ # projects configured here, an error will be returned for the check.
1451
+ # Corresponds to the JSON property `containerAnalysisVulnerabilityProjects`
1452
+ # @return [Array<String>]
1453
+ attr_accessor :container_analysis_vulnerability_projects
1454
+
1455
+ # Required. The threshold for severity for which a fix is currently available.
1456
+ # This field is required and must be set.
1457
+ # Corresponds to the JSON property `maximumFixableSeverity`
1458
+ # @return [String]
1459
+ attr_accessor :maximum_fixable_severity
1460
+
1461
+ # Required. The threshold for severity for which a fix isn't currently available.
1462
+ # This field is required and must be set.
1463
+ # Corresponds to the JSON property `maximumUnfixableSeverity`
1464
+ # @return [String]
1465
+ attr_accessor :maximum_unfixable_severity
1466
+
1467
+ def initialize(**args)
1468
+ update!(**args)
1469
+ end
1470
+
1471
+ # Update properties of this object
1472
+ def update!(**args)
1473
+ @allowed_cves = args[:allowed_cves] if args.key?(:allowed_cves)
1474
+ @blocked_cves = args[:blocked_cves] if args.key?(:blocked_cves)
1475
+ @container_analysis_vulnerability_projects = args[:container_analysis_vulnerability_projects] if args.key?(:container_analysis_vulnerability_projects)
1476
+ @maximum_fixable_severity = args[:maximum_fixable_severity] if args.key?(:maximum_fixable_severity)
1477
+ @maximum_unfixable_severity = args[:maximum_unfixable_severity] if args.key?(:maximum_unfixable_severity)
1478
+ end
1479
+ end
895
1480
  end
896
1481
  end
897
1482
  end