google-cloud-binary_authorization-v1 1.6.0 → 1.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (23) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +2 -2
  3. data/lib/google/cloud/binary_authorization/v1/binauthz_management_service/client.rb +76 -37
  4. data/lib/google/cloud/binary_authorization/v1/binauthz_management_service/rest/client.rb +84 -37
  5. data/lib/google/cloud/binary_authorization/v1/binauthz_management_service/rest.rb +1 -0
  6. data/lib/google/cloud/binary_authorization/v1/bindings_override.rb +110 -0
  7. data/lib/google/cloud/binary_authorization/v1/rest.rb +1 -0
  8. data/lib/google/cloud/binary_authorization/v1/system_policy/client.rb +18 -0
  9. data/lib/google/cloud/binary_authorization/v1/system_policy/rest/client.rb +26 -0
  10. data/lib/google/cloud/binary_authorization/v1/system_policy/rest.rb +1 -0
  11. data/lib/google/cloud/binary_authorization/v1/validation_helper/client.rb +25 -6
  12. data/lib/google/cloud/binary_authorization/v1/validation_helper/rest/client.rb +33 -6
  13. data/lib/google/cloud/binary_authorization/v1/validation_helper/rest.rb +1 -0
  14. data/lib/google/cloud/binary_authorization/v1/version.rb +1 -1
  15. data/lib/google/cloud/binaryauthorization/v1/resources_pb.rb +1 -1
  16. data/lib/google/cloud/binaryauthorization/v1/service_pb.rb +1 -1
  17. data/lib/google/cloud/binaryauthorization/v1/service_services_pb.rb +29 -20
  18. data/proto_docs/google/api/client.rb +149 -29
  19. data/proto_docs/google/cloud/binaryauthorization/v1/resources.rb +106 -52
  20. data/proto_docs/google/cloud/binaryauthorization/v1/service.rb +56 -34
  21. data/proto_docs/google/protobuf/field_mask.rb +229 -0
  22. data/proto_docs/google/type/expr.rb +75 -0
  23. metadata +23 -6
@@ -31,6 +31,8 @@ module Google
31
31
  # @!attribute [rw] selective_gapic_generation
32
32
  # @return [::Google::Api::SelectiveGapicGeneration]
33
33
  # Configuration for which RPCs should be generated in the GAPIC client.
34
+ #
35
+ # Note: This field should not be used in most cases.
34
36
  class CommonLanguageSettings
35
37
  include ::Google::Protobuf::MessageExts
36
38
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -141,9 +143,10 @@ module Google
141
143
  #
142
144
  # Example of a YAML configuration::
143
145
  #
144
- # publishing:
145
- # java_settings:
146
- # library_package: com.google.cloud.pubsub.v1
146
+ # publishing:
147
+ # library_settings:
148
+ # java_settings:
149
+ # library_package: com.google.cloud.pubsub.v1
147
150
  # @!attribute [rw] service_class_names
148
151
  # @return [::Google::Protobuf::Map{::String => ::String}]
149
152
  # Configure the Java class name to use instead of the service's for its
@@ -155,11 +158,11 @@ module Google
155
158
  #
156
159
  # Example of a YAML configuration::
157
160
  #
158
- # publishing:
159
- # java_settings:
160
- # service_class_names:
161
- # - google.pubsub.v1.Publisher: TopicAdmin
162
- # - google.pubsub.v1.Subscriber: SubscriptionAdmin
161
+ # publishing:
162
+ # java_settings:
163
+ # service_class_names:
164
+ # - google.pubsub.v1.Publisher: TopicAdmin
165
+ # - google.pubsub.v1.Subscriber: SubscriptionAdmin
163
166
  # @!attribute [rw] common
164
167
  # @return [::Google::Api::CommonLanguageSettings]
165
168
  # Some settings.
@@ -190,6 +193,20 @@ module Google
190
193
  # @!attribute [rw] common
191
194
  # @return [::Google::Api::CommonLanguageSettings]
192
195
  # Some settings.
196
+ # @!attribute [rw] library_package
197
+ # @return [::String]
198
+ # The package name to use in Php. Clobbers the php_namespace option
199
+ # set in the protobuf. This should be used **only** by APIs
200
+ # who have already set the language_settings.php.package_name" field
201
+ # in gapic.yaml. API teams should use the protobuf php_namespace option
202
+ # where possible.
203
+ #
204
+ # Example of a YAML configuration::
205
+ #
206
+ # publishing:
207
+ # library_settings:
208
+ # php_settings:
209
+ # library_package: Google\Cloud\PubSub\V1
193
210
  class PhpSettings
194
211
  include ::Google::Protobuf::MessageExts
195
212
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -318,10 +335,12 @@ module Google
318
335
  # service names and values are the name to be used for the service client
319
336
  # and call options.
320
337
  #
321
- # publishing:
322
- # go_settings:
323
- # renamed_services:
324
- # Publisher: TopicAdmin
338
+ # Example:
339
+ #
340
+ # publishing:
341
+ # go_settings:
342
+ # renamed_services:
343
+ # Publisher: TopicAdmin
325
344
  class GoSettings
326
345
  include ::Google::Protobuf::MessageExts
327
346
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -344,10 +363,10 @@ module Google
344
363
  #
345
364
  # Example:
346
365
  #
347
- # publishing:
348
- # method_settings:
349
- # - selector: google.storage.control.v2.StorageControl.CreateFolder
350
- # # method settings for CreateFolder...
366
+ # publishing:
367
+ # method_settings:
368
+ # - selector: google.storage.control.v2.StorageControl.CreateFolder
369
+ # # method settings for CreateFolder...
351
370
  # @!attribute [rw] long_running
352
371
  # @return [::Google::Api::MethodSettings::LongRunning]
353
372
  # Describes settings to use for long-running operations when generating
@@ -356,14 +375,14 @@ module Google
356
375
  #
357
376
  # Example of a YAML configuration::
358
377
  #
359
- # publishing:
360
- # method_settings:
361
- # - selector: google.cloud.speech.v2.Speech.BatchRecognize
362
- # long_running:
363
- # initial_poll_delay: 60s # 1 minute
364
- # poll_delay_multiplier: 1.5
365
- # max_poll_delay: 360s # 6 minutes
366
- # total_poll_timeout: 54000s # 90 minutes
378
+ # publishing:
379
+ # method_settings:
380
+ # - selector: google.cloud.speech.v2.Speech.BatchRecognize
381
+ # long_running:
382
+ # initial_poll_delay: 60s # 1 minute
383
+ # poll_delay_multiplier: 1.5
384
+ # max_poll_delay: 360s # 6 minutes
385
+ # total_poll_timeout: 54000s # 90 minutes
367
386
  # @!attribute [rw] auto_populated_fields
368
387
  # @return [::Array<::String>]
369
388
  # List of top-level fields of the request message, that should be
@@ -372,11 +391,24 @@ module Google
372
391
  #
373
392
  # Example of a YAML configuration:
374
393
  #
375
- # publishing:
376
- # method_settings:
377
- # - selector: google.example.v1.ExampleService.CreateExample
378
- # auto_populated_fields:
379
- # - request_id
394
+ # publishing:
395
+ # method_settings:
396
+ # - selector: google.example.v1.ExampleService.CreateExample
397
+ # auto_populated_fields:
398
+ # - request_id
399
+ # @!attribute [rw] batching
400
+ # @return [::Google::Api::BatchingConfigProto]
401
+ # Batching configuration for an API method in client libraries.
402
+ #
403
+ # Example of a YAML configuration:
404
+ #
405
+ # publishing:
406
+ # method_settings:
407
+ # - selector: google.example.v1.ExampleService.BatchCreateExample
408
+ # batching:
409
+ # element_count_threshold: 1000
410
+ # request_byte_threshold: 100000000
411
+ # delay_threshold_millis: 10
380
412
  class MethodSettings
381
413
  include ::Google::Protobuf::MessageExts
382
414
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -411,6 +443,8 @@ module Google
411
443
 
412
444
  # This message is used to configure the generation of a subset of the RPCs in
413
445
  # a service for client libraries.
446
+ #
447
+ # Note: This feature should not be used in most cases.
414
448
  # @!attribute [rw] methods
415
449
  # @return [::Array<::String>]
416
450
  # An allowlist of the fully qualified names of RPCs that should be included
@@ -428,6 +462,77 @@ module Google
428
462
  extend ::Google::Protobuf::MessageExts::ClassMethods
429
463
  end
430
464
 
465
+ # `BatchingConfigProto` defines the batching configuration for an API method.
466
+ # @!attribute [rw] thresholds
467
+ # @return [::Google::Api::BatchingSettingsProto]
468
+ # The thresholds which trigger a batched request to be sent.
469
+ # @!attribute [rw] batch_descriptor
470
+ # @return [::Google::Api::BatchingDescriptorProto]
471
+ # The request and response fields used in batching.
472
+ class BatchingConfigProto
473
+ include ::Google::Protobuf::MessageExts
474
+ extend ::Google::Protobuf::MessageExts::ClassMethods
475
+ end
476
+
477
+ # `BatchingSettingsProto` specifies a set of batching thresholds, each of
478
+ # which acts as a trigger to send a batch of messages as a request. At least
479
+ # one threshold must be positive nonzero.
480
+ # @!attribute [rw] element_count_threshold
481
+ # @return [::Integer]
482
+ # The number of elements of a field collected into a batch which, if
483
+ # exceeded, causes the batch to be sent.
484
+ # @!attribute [rw] request_byte_threshold
485
+ # @return [::Integer]
486
+ # The aggregated size of the batched field which, if exceeded, causes the
487
+ # batch to be sent. This size is computed by aggregating the sizes of the
488
+ # request field to be batched, not of the entire request message.
489
+ # @!attribute [rw] delay_threshold
490
+ # @return [::Google::Protobuf::Duration]
491
+ # The duration after which a batch should be sent, starting from the addition
492
+ # of the first message to that batch.
493
+ # @!attribute [rw] element_count_limit
494
+ # @return [::Integer]
495
+ # The maximum number of elements collected in a batch that could be accepted
496
+ # by server.
497
+ # @!attribute [rw] request_byte_limit
498
+ # @return [::Integer]
499
+ # The maximum size of the request that could be accepted by server.
500
+ # @!attribute [rw] flow_control_element_limit
501
+ # @return [::Integer]
502
+ # The maximum number of elements allowed by flow control.
503
+ # @!attribute [rw] flow_control_byte_limit
504
+ # @return [::Integer]
505
+ # The maximum size of data allowed by flow control.
506
+ # @!attribute [rw] flow_control_limit_exceeded_behavior
507
+ # @return [::Google::Api::FlowControlLimitExceededBehaviorProto]
508
+ # The behavior to take when the flow control limit is exceeded.
509
+ class BatchingSettingsProto
510
+ include ::Google::Protobuf::MessageExts
511
+ extend ::Google::Protobuf::MessageExts::ClassMethods
512
+ end
513
+
514
+ # `BatchingDescriptorProto` specifies the fields of the request message to be
515
+ # used for batching, and, optionally, the fields of the response message to be
516
+ # used for demultiplexing.
517
+ # @!attribute [rw] batched_field
518
+ # @return [::String]
519
+ # The repeated field in the request message to be aggregated by batching.
520
+ # @!attribute [rw] discriminator_fields
521
+ # @return [::Array<::String>]
522
+ # A list of the fields in the request message. Two requests will be batched
523
+ # together only if the values of every field specified in
524
+ # `request_discriminator_fields` is equal between the two requests.
525
+ # @!attribute [rw] subresponse_field
526
+ # @return [::String]
527
+ # Optional. When present, indicates the field in the response message to be
528
+ # used to demultiplex the response into multiple response messages, in
529
+ # correspondence with the multiple request messages originally batched
530
+ # together.
531
+ class BatchingDescriptorProto
532
+ include ::Google::Protobuf::MessageExts
533
+ extend ::Google::Protobuf::MessageExts::ClassMethods
534
+ end
535
+
431
536
  # The organization for which the client libraries are being published.
432
537
  # Affects the url where generated docs are published, etc.
433
538
  module ClientLibraryOrganization
@@ -469,5 +574,20 @@ module Google
469
574
  # Publish the library to package managers like nuget.org and npmjs.com.
470
575
  PACKAGE_MANAGER = 20
471
576
  end
577
+
578
+ # The behavior to take when the flow control limit is exceeded.
579
+ module FlowControlLimitExceededBehaviorProto
580
+ # Default behavior, system-defined.
581
+ UNSET_BEHAVIOR = 0
582
+
583
+ # Stop operation, raise error.
584
+ THROW_EXCEPTION = 1
585
+
586
+ # Pause operation until limit clears.
587
+ BLOCK = 2
588
+
589
+ # Continue operation, disregard limit.
590
+ IGNORE = 3
591
+ end
472
592
  end
473
593
  end
@@ -21,7 +21,8 @@ module Google
21
21
  module Cloud
22
22
  module BinaryAuthorization
23
23
  module V1
24
- # A {::Google::Cloud::BinaryAuthorization::V1::Policy policy} for container image binary authorization.
24
+ # A {::Google::Cloud::BinaryAuthorization::V1::Policy policy} for container image
25
+ # binary authorization.
25
26
  # @!attribute [r] name
26
27
  # @return [::String]
27
28
  # Output only. The resource name, in the format `projects/*/policy`. There is
@@ -42,7 +43,12 @@ module Google
42
43
  # third-party infrastructure images from Binary Authorization policies.
43
44
  # @!attribute [rw] cluster_admission_rules
44
45
  # @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1::AdmissionRule}]
45
- # Optional. Per-cluster admission rules. Cluster spec format:
46
+ # Optional. A valid policy has only one of the following rule maps non-empty,
47
+ # i.e. only one of `cluster_admission_rules`,
48
+ # `kubernetes_namespace_admission_rules`,
49
+ # `kubernetes_service_account_admission_rules`,
50
+ # or `istio_service_identity_admission_rules` can be non-empty.
51
+ # Per-cluster admission rules. Cluster spec format:
46
52
  # `location.clusterId`. There can be at most one admission rule per cluster
47
53
  # spec.
48
54
  # A `location` is either a compute zone (e.g. us-central1-a) or a region
@@ -51,19 +57,20 @@ module Google
51
57
  # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
52
58
  # @!attribute [rw] kubernetes_namespace_admission_rules
53
59
  # @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1::AdmissionRule}]
54
- # Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format:
55
- # [a-z.-]+, e.g. 'some-namespace'
60
+ # Optional. Per-kubernetes-namespace admission rules. K8s namespace spec
61
+ # format:
62
+ # `[a-z.-]+`, e.g. `some-namespace`
56
63
  # @!attribute [rw] kubernetes_service_account_admission_rules
57
64
  # @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1::AdmissionRule}]
58
65
  # Optional. Per-kubernetes-service-account admission rules. Service account
59
- # spec format: `namespace:serviceaccount`. e.g. 'test-ns:default'
66
+ # spec format: `namespace:serviceaccount`. e.g. `test-ns:default`
60
67
  # @!attribute [rw] istio_service_identity_admission_rules
61
68
  # @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1::AdmissionRule}]
62
69
  # Optional. Per-istio-service-identity admission rules. Istio service
63
70
  # identity spec format:
64
- # spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or
65
- # <domain>/ns/<namespace>/sa/<serviceaccount>
66
- # e.g. spiffe://example.com/ns/test-ns/sa/default
71
+ # `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or
72
+ # `<domain>/ns/<namespace>/sa/<serviceaccount>`
73
+ # e.g. `spiffe://example.com/ns/test-ns/sa/default`
67
74
  # @!attribute [rw] default_admission_rule
68
75
  # @return [::Google::Cloud::BinaryAuthorization::V1::AdmissionRule]
69
76
  # Required. Default admission rule for a cluster without a per-cluster, per-
@@ -71,6 +78,11 @@ module Google
71
78
  # @!attribute [r] update_time
72
79
  # @return [::Google::Protobuf::Timestamp]
73
80
  # Output only. Time when the policy was last updated.
81
+ # @!attribute [rw] etag
82
+ # @return [::String]
83
+ # Optional. A checksum, returned by the server, that can be sent on update
84
+ # requests to ensure the policy has an up-to-date value before attempting to
85
+ # update it. See https://google.aip.dev/154.
74
86
  class Policy
75
87
  include ::Google::Protobuf::MessageExts
76
88
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -112,7 +124,7 @@ module Google
112
124
  end
113
125
 
114
126
  module GlobalPolicyEvaluationMode
115
- # Not specified: DISABLE is assumed.
127
+ # Not specified: `DISABLE` is assumed.
116
128
  GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED = 0
117
129
 
118
130
  # Enables system policy evaluation.
@@ -123,8 +135,10 @@ module Google
123
135
  end
124
136
  end
125
137
 
126
- # An {::Google::Cloud::BinaryAuthorization::V1::AdmissionWhitelistPattern admission allowlist pattern} exempts images
127
- # from checks by {::Google::Cloud::BinaryAuthorization::V1::AdmissionRule admission rules}.
138
+ # An [admission allowlist
139
+ # pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern]
140
+ # exempts images from checks by [admission
141
+ # rules][google.cloud.binaryauthorization.v1.AdmissionRule].
128
142
  # @!attribute [rw] name_pattern
129
143
  # @return [::String]
130
144
  # An image name pattern to allowlist, in the form `registry/path/to/image`.
@@ -136,13 +150,15 @@ module Google
136
150
  extend ::Google::Protobuf::MessageExts::ClassMethods
137
151
  end
138
152
 
139
- # An {::Google::Cloud::BinaryAuthorization::V1::AdmissionRule admission rule} specifies either that all container images
140
- # used in a pod creation request must be attested to by one or more
141
- # {::Google::Cloud::BinaryAuthorization::V1::Attestor attestors}, that all pod creations will be allowed, or that all
142
- # pod creations will be denied.
153
+ # An {::Google::Cloud::BinaryAuthorization::V1::AdmissionRule admission rule}
154
+ # specifies either that all container images used in a pod creation request
155
+ # must be attested to by one or more
156
+ # {::Google::Cloud::BinaryAuthorization::V1::Attestor attestors}, that all pod
157
+ # creations will be allowed, or that all pod creations will be denied.
143
158
  #
144
- # Images matching an {::Google::Cloud::BinaryAuthorization::V1::AdmissionWhitelistPattern admission allowlist pattern}
145
- # are exempted from admission rules and will never block a pod creation.
159
+ # Images matching an [admission allowlist
160
+ # pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern] are
161
+ # exempted from admission rules and will never block a pod creation.
146
162
  # @!attribute [rw] evaluation_mode
147
163
  # @return [::Google::Cloud::BinaryAuthorization::V1::AdmissionRule::EvaluationMode]
148
164
  # Required. How this admission rule will be evaluated.
@@ -154,8 +170,8 @@ module Google
154
170
  # to a policy the principal issuing the policy change request must be able
155
171
  # to read the attestor resource.
156
172
  #
157
- # Note: this field must be non-empty when the evaluation_mode field specifies
158
- # REQUIRE_ATTESTATION, otherwise it must be empty.
173
+ # Note: this field must be non-empty when the `evaluation_mode` field
174
+ # specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
159
175
  # @!attribute [rw] enforcement_mode
160
176
  # @return [::Google::Cloud::BinaryAuthorization::V1::AdmissionRule::EnforcementMode]
161
177
  # Required. The action when a pod creation is denied by the admission rule.
@@ -167,11 +183,11 @@ module Google
167
183
  # Do not use.
168
184
  EVALUATION_MODE_UNSPECIFIED = 0
169
185
 
170
- # This rule allows all all pod creations.
186
+ # This rule allows all pod creations.
171
187
  ALWAYS_ALLOW = 1
172
188
 
173
189
  # This rule allows a pod creation if all the attestors listed in
174
- # 'require_attestations_by' have valid attestations for all of the
190
+ # `require_attestations_by` have valid attestations for all of the
175
191
  # images in the pod spec.
176
192
  REQUIRE_ATTESTATION = 2
177
193
 
@@ -194,9 +210,9 @@ module Google
194
210
  end
195
211
  end
196
212
 
197
- # An {::Google::Cloud::BinaryAuthorization::V1::Attestor attestor} that attests to container image
198
- # artifacts. An existing attestor cannot be modified except where
199
- # indicated.
213
+ # An {::Google::Cloud::BinaryAuthorization::V1::Attestor attestor} that attests to
214
+ # container image artifacts. An existing attestor cannot be modified except
215
+ # where indicated.
200
216
  # @!attribute [rw] name
201
217
  # @return [::String]
202
218
  # Required. The resource name, in the format:
@@ -212,18 +228,24 @@ module Google
212
228
  # @!attribute [r] update_time
213
229
  # @return [::Google::Protobuf::Timestamp]
214
230
  # Output only. Time when the attestor was last updated.
231
+ # @!attribute [rw] etag
232
+ # @return [::String]
233
+ # Optional. A checksum, returned by the server, that can be sent on update
234
+ # requests to ensure the attestor has an up-to-date value before attempting
235
+ # to update it. See https://google.aip.dev/154.
215
236
  class Attestor
216
237
  include ::Google::Protobuf::MessageExts
217
238
  extend ::Google::Protobuf::MessageExts::ClassMethods
218
239
  end
219
240
 
220
- # An {::Google::Cloud::BinaryAuthorization::V1::UserOwnedGrafeasNote user owned Grafeas note} references a Grafeas
221
- # Attestation.Authority Note created by the user.
241
+ # An [user owned Grafeas
242
+ # note][google.cloud.binaryauthorization.v1.UserOwnedGrafeasNote] references a
243
+ # Grafeas Attestation.Authority Note created by the user.
222
244
  # @!attribute [rw] note_reference
223
245
  # @return [::String]
224
246
  # Required. The Grafeas resource name of a Attestation.Authority Note,
225
- # created by the user, in the format: `projects/*/notes/*`. This field may
226
- # not be updated.
247
+ # created by the user, in the format: `projects/[PROJECT_ID]/notes/*`. This
248
+ # field may not be updated. A project ID must be used, not a project number.
227
249
  #
228
250
  # An attestation by this attestor is stored as a Grafeas
229
251
  # Attestation.Authority Occurrence that names a container image and that
@@ -242,12 +264,13 @@ module Google
242
264
  # @!attribute [r] delegation_service_account_email
243
265
  # @return [::String]
244
266
  # Output only. This field will contain the service account email address
245
- # that this Attestor will use as the principal when querying Container
267
+ # that this attestor will use as the principal when querying Container
246
268
  # Analysis. Attestor administrators must grant this service account the
247
- # IAM role needed to read attestations from the [note_reference][Note] in
248
- # Container Analysis (`containeranalysis.notes.occurrences.viewer`).
269
+ # IAM role needed to read attestations from the
270
+ # {::Google::Cloud::BinaryAuthorization::V1::UserOwnedGrafeasNote#note_reference note_reference}
271
+ # in Container Analysis (`containeranalysis.notes.occurrences.viewer`).
249
272
  #
250
- # This email address is fixed for the lifetime of the Attestor, but callers
273
+ # This email address is fixed for the lifetime of the attestor, but callers
251
274
  # should not make any other assumptions about the service account email;
252
275
  # future versions may use an email based on a different naming pattern.
253
276
  class UserOwnedGrafeasNote
@@ -255,10 +278,9 @@ module Google
255
278
  extend ::Google::Protobuf::MessageExts::ClassMethods
256
279
  end
257
280
 
258
- # A public key in the PkixPublicKey format (see
259
- # https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
260
- # Public keys of this type are typically textually encoded using the PEM
261
- # format.
281
+ # A public key in the PkixPublicKey
282
+ # [format](https://tools.ietf.org/html/rfc5280#section-4.1.2.7). Public keys of
283
+ # this type are typically textually encoded using the PEM format.
262
284
  # @!attribute [rw] public_key_pem
263
285
  # @return [::String]
264
286
  # A PEM-encoded public key, as described in
@@ -270,6 +292,22 @@ module Google
270
292
  # These signature algorithm must match the structure and any object
271
293
  # identifiers encoded in `public_key_pem` (i.e. this algorithm must match
272
294
  # that of the public key).
295
+ # @!attribute [rw] key_id
296
+ # @return [::String]
297
+ # Optional. The ID of this public key.
298
+ # Signatures verified by Binary Authorization must include the ID of the
299
+ # public key that can be used to verify them. The ID must match exactly
300
+ # contents of the `key_id` field exactly.
301
+ #
302
+ # The ID may be explicitly provided by the caller, but it MUST be a valid
303
+ # RFC3986 URI. If `key_id` is left blank and this `PkixPublicKey` is not used
304
+ # in the context of a wrapper (see next paragraph), a default key ID will be
305
+ # computed based on the digest of the DER encoding of the public key.
306
+ #
307
+ # If this `PkixPublicKey` is used in the context of a wrapper that has its
308
+ # own notion of key ID (e.g. `AttestorPublicKey`), then this field can
309
+ # either match that value exactly, or be left blank, in which case it behaves
310
+ # exactly as though it is equal to that wrapper value.
273
311
  class PkixPublicKey
274
312
  include ::Google::Protobuf::MessageExts
275
313
  extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -277,9 +315,10 @@ module Google
277
315
  # Represents a signature algorithm and other information necessary to verify
278
316
  # signatures with a given public key.
279
317
  # This is based primarily on the public key types supported by Tink's
280
- # PemKeyType, which is in turn based on KMS's supported signing algorithms.
281
- # See https://cloud.google.com/kms/docs/algorithms. In the future, BinAuthz
282
- # might support additional public key types independently of Tink and/or KMS.
318
+ # PemKeyType, which is in turn based on KMS's supported signing
319
+ # [algorithms](https://cloud.google.com/kms/docs/algorithms). In the future,
320
+ # Binary Authorization might support additional public key types
321
+ # independently of Tink and/or KMS.
283
322
  module SignatureAlgorithm
284
323
  # Not specified.
285
324
  SIGNATURE_ALGORITHM_UNSPECIFIED = 0
@@ -287,15 +326,27 @@ module Google
287
326
  # RSASSA-PSS 2048 bit key with a SHA256 digest.
288
327
  RSA_PSS_2048_SHA256 = 1
289
328
 
329
+ # RSASSA-PSS 2048 bit key with a SHA256 digest.
330
+ RSA_SIGN_PSS_2048_SHA256 = 1
331
+
290
332
  # RSASSA-PSS 3072 bit key with a SHA256 digest.
291
333
  RSA_PSS_3072_SHA256 = 2
292
334
 
335
+ # RSASSA-PSS 3072 bit key with a SHA256 digest.
336
+ RSA_SIGN_PSS_3072_SHA256 = 2
337
+
293
338
  # RSASSA-PSS 4096 bit key with a SHA256 digest.
294
339
  RSA_PSS_4096_SHA256 = 3
295
340
 
341
+ # RSASSA-PSS 4096 bit key with a SHA256 digest.
342
+ RSA_SIGN_PSS_4096_SHA256 = 3
343
+
296
344
  # RSASSA-PSS 4096 bit key with a SHA512 digest.
297
345
  RSA_PSS_4096_SHA512 = 4
298
346
 
347
+ # RSASSA-PSS 4096 bit key with a SHA512 digest.
348
+ RSA_SIGN_PSS_4096_SHA512 = 4
349
+
299
350
  # RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
300
351
  RSA_SIGN_PKCS1_2048_SHA256 = 5
301
352
 
@@ -325,33 +376,36 @@ module Google
325
376
 
326
377
  # ECDSA on the NIST P-521 curve with a SHA512 digest.
327
378
  EC_SIGN_P521_SHA512 = 11
379
+
380
+ # ML-DSA-65 Post-Quantum Cryptography signature algorithm.
381
+ ML_DSA_65 = 13
328
382
  end
329
383
  end
330
384
 
331
- # An {::Google::Cloud::BinaryAuthorization::V1::AttestorPublicKey attestor public key} that will be used to verify
332
- # attestations signed by this attestor.
385
+ # An [attestor public
386
+ # key][google.cloud.binaryauthorization.v1.AttestorPublicKey] that will be used
387
+ # to verify attestations signed by this attestor.
333
388
  # @!attribute [rw] comment
334
389
  # @return [::String]
335
390
  # Optional. A descriptive comment. This field may be updated.
336
391
  # @!attribute [rw] id
337
392
  # @return [::String]
338
393
  # The ID of this public key.
339
- # Signatures verified by BinAuthz must include the ID of the public key that
340
- # can be used to verify them, and that ID must match the contents of this
341
- # field exactly.
342
- # Additional restrictions on this field can be imposed based on which public
343
- # key type is encapsulated. See the documentation on `public_key` cases below
344
- # for details.
394
+ # Signatures verified by Binary Authorization must include the ID of the
395
+ # public key that can be used to verify them, and that ID must match the
396
+ # contents of this field exactly. Additional restrictions on this field can
397
+ # be imposed based on which public key type is encapsulated. See the
398
+ # documentation on `public_key` cases below for details.
345
399
  # @!attribute [rw] ascii_armored_pgp_public_key
346
400
  # @return [::String]
347
401
  # ASCII-armored representation of a PGP public key, as the entire output by
348
402
  # the command `gpg --export --armor foo@example.com` (either LF or CRLF
349
403
  # line endings).
350
- # When using this field, `id` should be left blank. The BinAuthz API
351
- # handlers will calculate the ID and fill it in automatically. BinAuthz
352
- # computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
353
- # upper-case hex. If `id` is provided by the caller, it will be
354
- # overwritten by the API-calculated ID.
404
+ # When using this field, `id` should be left blank. The Binary
405
+ # Authorization API handlers will calculate the ID and fill it in
406
+ # automatically. Binary Authorization computes this ID as the OpenPGP
407
+ # RFC4880 V4 fingerprint, represented as upper-case hex. If `id` is
408
+ # provided by the caller, it will be overwritten by the API-calculated ID.
355
409
  #
356
410
  # Note: The following fields are mutually exclusive: `ascii_armored_pgp_public_key`, `pkix_public_key`. If a field in that set is populated, all other fields in the set will automatically be cleared.
357
411
  # @!attribute [rw] pkix_public_key