-
Notifications
You must be signed in to change notification settings - Fork 2.2k
/
service.proto
312 lines (272 loc) · 13.1 KB
/
service.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.cloud.binaryauthorization.v1;
import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/binaryauthorization/v1/resources.proto";
import "google/protobuf/empty.proto";
import "grafeas/v1/attestation.proto";
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.BinaryAuthorization.V1";
option go_package = "cloud.google.com/go/binaryauthorization/apiv1/binaryauthorizationpb;binaryauthorizationpb";
option java_multiple_files = false;
option java_package = "com.google.protos.google.cloud.binaryauthorization.v1";
option php_namespace = "Google\\Cloud\\BinaryAuthorization\\V1";
option ruby_package = "Google::Cloud::BinaryAuthorization::V1";
// Customer-facing API for Cloud Binary Authorization.
// Google Cloud Management Service for Binary Authorization admission policies
// and attestation authorities.
//
// This API implements a REST model with the following objects:
//
// * [Policy][google.cloud.binaryauthorization.v1.Policy]
// * [Attestor][google.cloud.binaryauthorization.v1.Attestor]
service BinauthzManagementServiceV1 {
option (google.api.default_host) = "binaryauthorization.googleapis.com";
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
// A [policy][google.cloud.binaryauthorization.v1.Policy] specifies the [attestors][google.cloud.binaryauthorization.v1.Attestor] that must attest to
// a container image, before the project is allowed to deploy that
// image. There is at most one policy per project. All image admission
// requests are permitted if a project has no policy.
//
// Gets the [policy][google.cloud.binaryauthorization.v1.Policy] for this project. Returns a default
// [policy][google.cloud.binaryauthorization.v1.Policy] if the project does not have one.
rpc GetPolicy(GetPolicyRequest) returns (Policy) {
option (google.api.http) = {
get: "/v1/{name=projects/*/policy}"
};
option (google.api.method_signature) = "name";
}
// Creates or updates a project's [policy][google.cloud.binaryauthorization.v1.Policy], and returns a copy of the
// new [policy][google.cloud.binaryauthorization.v1.Policy]. A policy is always updated as a whole, to avoid race
// conditions with concurrent policy enforcement (or management!)
// requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
// if the request is malformed.
rpc UpdatePolicy(UpdatePolicyRequest) returns (Policy) {
option (google.api.http) = {
put: "/v1/{policy.name=projects/*/policy}"
body: "policy"
};
option (google.api.method_signature) = "policy";
}
// Creates an [attestor][google.cloud.binaryauthorization.v1.Attestor], and returns a copy of the new
// [attestor][google.cloud.binaryauthorization.v1.Attestor]. Returns NOT_FOUND if the project does not exist,
// INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the
// [attestor][google.cloud.binaryauthorization.v1.Attestor] already exists.
rpc CreateAttestor(CreateAttestorRequest) returns (Attestor) {
option (google.api.http) = {
post: "/v1/{parent=projects/*}/attestors"
body: "attestor"
};
option (google.api.method_signature) = "parent,attestor_id,attestor";
}
// Gets an [attestor][google.cloud.binaryauthorization.v1.Attestor].
// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
rpc GetAttestor(GetAttestorRequest) returns (Attestor) {
option (google.api.http) = {
get: "/v1/{name=projects/*/attestors/*}"
};
option (google.api.method_signature) = "name";
}
// Updates an [attestor][google.cloud.binaryauthorization.v1.Attestor].
// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
rpc UpdateAttestor(UpdateAttestorRequest) returns (Attestor) {
option (google.api.http) = {
put: "/v1/{attestor.name=projects/*/attestors/*}"
body: "attestor"
};
option (google.api.method_signature) = "attestor";
}
// Lists [attestors][google.cloud.binaryauthorization.v1.Attestor].
// Returns INVALID_ARGUMENT if the project does not exist.
rpc ListAttestors(ListAttestorsRequest) returns (ListAttestorsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*}/attestors"
};
option (google.api.method_signature) = "parent";
}
// Deletes an [attestor][google.cloud.binaryauthorization.v1.Attestor]. Returns NOT_FOUND if the
// [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
rpc DeleteAttestor(DeleteAttestorRequest) returns (google.protobuf.Empty) {
option (google.api.http) = {
delete: "/v1/{name=projects/*/attestors/*}"
};
option (google.api.method_signature) = "name";
}
}
// API for working with the system policy.
service SystemPolicyV1 {
option (google.api.default_host) = "binaryauthorization.googleapis.com";
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
// Gets the current system policy in the specified location.
rpc GetSystemPolicy(GetSystemPolicyRequest) returns (Policy) {
option (google.api.http) = {
get: "/v1/{name=locations/*/policy}"
};
option (google.api.method_signature) = "name";
}
}
// BinAuthz Attestor verification
service ValidationHelperV1 {
option (google.api.default_host) = "binaryauthorization.googleapis.com";
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
// Returns whether the given Attestation for the given image URI
// was signed by the given Attestor
rpc ValidateAttestationOccurrence(ValidateAttestationOccurrenceRequest) returns (ValidateAttestationOccurrenceResponse) {
option (google.api.http) = {
post: "/v1/{attestor=projects/*/attestors/*}:validateAttestationOccurrence"
body: "*"
};
}
}
// Request message for [BinauthzManagementService.GetPolicy][].
message GetPolicyRequest {
// Required. The resource name of the [policy][google.cloud.binaryauthorization.v1.Policy] to retrieve,
// in the format `projects/*/policy`.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "binaryauthorization.googleapis.com/Policy"
}
];
}
// Request message for [BinauthzManagementService.UpdatePolicy][].
message UpdatePolicyRequest {
// Required. A new or updated [policy][google.cloud.binaryauthorization.v1.Policy] value. The service will
// overwrite the [policy name][google.cloud.binaryauthorization.v1.Policy.name] field with the resource name in
// the request URL, in the format `projects/*/policy`.
Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
}
// Request message for [BinauthzManagementService.CreateAttestor][].
message CreateAttestorRequest {
// Required. The parent of this [attestor][google.cloud.binaryauthorization.v1.Attestor].
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudresourcemanager.googleapis.com/Project"
}
];
// Required. The [attestors][google.cloud.binaryauthorization.v1.Attestor] ID.
string attestor_id = 2 [(google.api.field_behavior) = REQUIRED];
// Required. The initial [attestor][google.cloud.binaryauthorization.v1.Attestor] value. The service will
// overwrite the [attestor name][google.cloud.binaryauthorization.v1.Attestor.name] field with the resource name,
// in the format `projects/*/attestors/*`.
Attestor attestor = 3 [(google.api.field_behavior) = REQUIRED];
}
// Request message for [BinauthzManagementService.GetAttestor][].
message GetAttestorRequest {
// Required. The name of the [attestor][google.cloud.binaryauthorization.v1.Attestor] to retrieve, in the format
// `projects/*/attestors/*`.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "binaryauthorization.googleapis.com/Attestor"
}
];
}
// Request message for [BinauthzManagementService.UpdateAttestor][].
message UpdateAttestorRequest {
// Required. The updated [attestor][google.cloud.binaryauthorization.v1.Attestor] value. The service will
// overwrite the [attestor name][google.cloud.binaryauthorization.v1.Attestor.name] field with the resource name
// in the request URL, in the format `projects/*/attestors/*`.
Attestor attestor = 1 [(google.api.field_behavior) = REQUIRED];
}
// Request message for [BinauthzManagementService.ListAttestors][].
message ListAttestorsRequest {
// Required. The resource name of the project associated with the
// [attestors][google.cloud.binaryauthorization.v1.Attestor], in the format `projects/*`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudresourcemanager.googleapis.com/Project"
}
];
// Requested page size. The server may return fewer results than requested. If
// unspecified, the server will pick an appropriate default.
int32 page_size = 2;
// A token identifying a page of results the server should return. Typically,
// this is the value of [ListAttestorsResponse.next_page_token][google.cloud.binaryauthorization.v1.ListAttestorsResponse.next_page_token] returned
// from the previous call to the `ListAttestors` method.
string page_token = 3;
}
// Response message for [BinauthzManagementService.ListAttestors][].
message ListAttestorsResponse {
// The list of [attestors][google.cloud.binaryauthorization.v1.Attestor].
repeated Attestor attestors = 1;
// A token to retrieve the next page of results. Pass this value in the
// [ListAttestorsRequest.page_token][google.cloud.binaryauthorization.v1.ListAttestorsRequest.page_token] field in the subsequent call to the
// `ListAttestors` method to retrieve the next page of results.
string next_page_token = 2;
}
// Request message for [BinauthzManagementService.DeleteAttestor][].
message DeleteAttestorRequest {
// Required. The name of the [attestors][google.cloud.binaryauthorization.v1.Attestor] to delete, in the format
// `projects/*/attestors/*`.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "binaryauthorization.googleapis.com/Attestor"
}
];
}
// Request to read the current system policy.
message GetSystemPolicyRequest {
// Required. The resource name, in the format `locations/*/policy`.
// Note that the system policy is not associated with a project.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "binaryauthorization.googleapis.com/Policy"
}
];
}
// Request message for
// [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence].
message ValidateAttestationOccurrenceRequest {
// Required. The resource name of the [Attestor][google.cloud.binaryauthorization.v1.Attestor] of the
// [occurrence][grafeas.v1.Occurrence], in the format
// `projects/*/attestors/*`.
string attestor = 1 [(google.api.field_behavior) = REQUIRED];
// Required. An [AttestationOccurrence][grafeas.v1.AttestationOccurrence] to
// be checked that it can be verified by the Attestor. It does not have to be
// an existing entity in Container Analysis. It must otherwise be a valid
// AttestationOccurrence.
grafeas.v1.AttestationOccurrence attestation = 2 [(google.api.field_behavior) = REQUIRED];
// Required. The resource name of the [Note][grafeas.v1.Note] to which the
// containing [Occurrence][grafeas.v1.Occurrence] is associated.
string occurrence_note = 3 [(google.api.field_behavior) = REQUIRED];
// Required. The URI of the artifact (e.g. container image) that is the
// subject of the containing [Occurrence][grafeas.v1.Occurrence].
string occurrence_resource_uri = 4 [(google.api.field_behavior) = REQUIRED];
}
// Response message for
// [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence].
message ValidateAttestationOccurrenceResponse {
// The enum returned in the "result" field.
enum Result {
// Unspecified.
RESULT_UNSPECIFIED = 0;
// The Attestation was able to verified by the Attestor.
VERIFIED = 1;
// The Attestation was not able to verified by the Attestor.
ATTESTATION_NOT_VERIFIABLE = 2;
}
// The result of the Attestation validation.
Result result = 1;
// The reason for denial if the Attestation couldn't be validated.
string denial_reason = 2;
}