fix!: mark some bools as optional, correct response type of DeleteCaPool
PiperOrigin-RevId: 385011540
Google APIs authored and Copybara-Service committed Jul 15, 2021
1 parent a9338c6 commit 077f0c6
Showing 2 changed files with 17 additions and 16 deletions.
31 changes: 16 additions & 15 deletions google/cloud/security/privateca/v1/resources.proto
@@ -251,21 +251,21 @@ message CaPool {
// [Certificates][google.cloud.security.privateca.v1.Certificate]. The options set here apply to certificates
// issued by any [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the [CaPool][google.cloud.security.privateca.v1.CaPool].
message PublishingOptions {
// Required. When true, publishes each [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CA certificate and
// Optional. When true, publishes each [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CA certificate and
// includes its URL in the "Authority Information Access" X.509 extension
// in all issued [Certificates][google.cloud.security.privateca.v1.Certificate]. If this is false, the CA
// certificate will not be published and the corresponding X.509 extension
// will not be written in issued certificates.
bool publish_ca_cert = 1 [(google.api.field_behavior) = REQUIRED];
bool publish_ca_cert = 1 [(google.api.field_behavior) = OPTIONAL];

// Required. When true, publishes each [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CRL and includes its
// Optional. When true, publishes each [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CRL and includes its
// URL in the "CRL Distribution Points" X.509 extension in all issued
// [Certificates][google.cloud.security.privateca.v1.Certificate]. If this is false, CRLs will not be published
// and the corresponding X.509 extension will not be written in issued
// certificates.
// CRLs will expire 7 days from their creation. However, we will rebuild
// daily. CRLs are also rebuilt shortly after a certificate is revoked.
bool publish_crl = 2 [(google.api.field_behavior) = REQUIRED];
bool publish_crl = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Defines controls over all certificate issuance within a [CaPool][google.cloud.security.privateca.v1.CaPool].
@@ -330,13 +330,13 @@ message CaPool {
// [Certificates][google.cloud.security.privateca.v1.Certificate] may be requested from this
// [CaPool][google.cloud.security.privateca.v1.CaPool].
message IssuanceModes {
// Required. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1.Certificate] by
// Optional. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1.Certificate] by
// specifying a CSR.
bool allow_csr_based_issuance = 1 [(google.api.field_behavior) = REQUIRED];
bool allow_csr_based_issuance = 1 [(google.api.field_behavior) = OPTIONAL];

// Required. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1.Certificate] by
// Optional. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1.Certificate] by
// specifying a [CertificateConfig][google.cloud.security.privateca.v1.CertificateConfig].
bool allow_config_based_issuance = 2 [(google.api.field_behavior) = REQUIRED];
bool allow_config_based_issuance = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Optional. If any [AllowedKeyType][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.AllowedKeyType] is specified, then the certificate request's
@@ -786,13 +786,15 @@ message CertificateDescription {
string hex_serial_number = 3;

// For convenience, the actual lifetime of an issued certificate.
// Corresponds to 'not_after_time' - 'not_before_time'.
google.protobuf.Duration lifetime = 4;

// The time at which the certificate becomes valid.
google.protobuf.Timestamp not_before_time = 5;

// The time at which the certificate expires.
// The time after which the certificate is expired.
// Per RFC 5280, the validity period for a certificate is the period of time
// from not_before_time through not_after_time, inclusive.
// Corresponds to 'not_before_time' + 'lifetime' - 1 second.
google.protobuf.Timestamp not_after_time = 6;
}

@@ -855,10 +857,10 @@ message X509Extension {
// Required. The OID for this X.509 extension.
ObjectId object_id = 1 [(google.api.field_behavior) = REQUIRED];

// Required. Indicates whether or not this extension is critical (i.e., if the client
// Optional. Indicates whether or not this extension is critical (i.e., if the client
// does not know how to handle this extension, the client should consider this
// to be an error).
bool critical = 2 [(google.api.field_behavior) = REQUIRED];
bool critical = 2 [(google.api.field_behavior) = OPTIONAL];

// Required. The value of this X.509 extension.
bytes value = 3 [(google.api.field_behavior) = REQUIRED];
@@ -992,18 +994,17 @@ message CertificateIdentityConstraints {
// Optional. A CEL expression that may be used to validate the resolved X.509 Subject
// and/or Subject Alternative Name before a certificate is signed.
// To see the full allowed syntax and some examples, see
// https://cloud.google.com/certificate-authority-service/docs/cel-guide
// https://cloud.google.com/certificate-authority-service/docs/using-cel
google.type.Expr cel_expression = 1 [(google.api.field_behavior) = OPTIONAL];

// Required. If this is true, the [Subject][google.cloud.security.privateca.v1.Subject] field may be copied from a certificate
// request into the signed certificate. Otherwise, the requested [Subject][google.cloud.security.privateca.v1.Subject]
// will be discarded. The bool is optional to indicate an unset field, which suggests a forgotten value that needs to be set by the caller.
// will be discarded.
optional bool allow_subject_passthrough = 2 [(google.api.field_behavior) = REQUIRED];

// Required. If this is true, the [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] extension may be copied from a
// certificate request into the signed certificate. Otherwise, the requested
// [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] will be discarded.
// The bool is optional to indicate an unset field, which suggests a forgotten value that needs to be set by the caller.
optional bool allow_subject_alt_names_passthrough = 3 [(google.api.field_behavior) = REQUIRED];
}

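Review bot: `publish_ca_cert`, `publish_crl`, both `allow_*_based_issuance` flags and `critical` are now documented as Optional but remain plain `bool`, so (assuming proto3 implicit presence) an omitted value is indistinguishable from an explicit false, and none of the comments says what omission means. The revocation case is the one to spell out: per the existing comment a false `publish_crl` produces certificates without a "CRL Distribution Points" extension, and an omitted `critical` yields an extension that clients which do not recognise it may ignore. I would add the default to each comment, for example `// Defaults to false when omitted: no CRL is published.`, unless the service substitutes its own default, in which case that should be stated instead. In the last hunk the sentence explaining why the two passthrough fields are `optional bool` yet REQUIRED is deleted; a short replacement such as `// Explicit presence lets the service tell an unset value from false.` would keep that rationale next to the fields that decide whether requester-supplied Subject and SAN data reaches the signed certificate. X509Extension and CertificateIdentityConstraints begin outside their hunks.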
2 changes: 1 addition & 1 deletion google/cloud/security/privateca/v1/service.proto
@@ -260,7 +260,7 @@ service CertificateAuthorityService {
};
option (google.api.method_signature) = "name";
option (google.longrunning.operation_info) = {
response_type: "CaPool"
response_type: "google.protobuf.Empty"
metadata_type: "OperationMetadata"
};
}
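Review bot: The new `response_type: "google.protobuf.Empty"` names a type from another package, and this section changes only that one line, so the `import "google/protobuf/empty.proto";` it relies on must already be present above the hunk; that is worth confirming, since tooling typically resolves this string against the file's imports. Clients that unpack the finished operation's response as `CaPool` will no longer find one, so the RPC's leading comment (outside this hunk) should say what a successful delete returns, for example `// On success the operation's response is google.protobuf.Empty.`.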
