1// Copyright 2021 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.binaryauthorization.v1;
18
19import "google/api/annotations.proto";
20import "google/api/client.proto";
21import "google/api/field_behavior.proto";
22import "google/api/resource.proto";
23import "google/cloud/binaryauthorization/v1/resources.proto";
24import "google/protobuf/empty.proto";
25import "grafeas/v1/attestation.proto";
26
27option cc_enable_arenas = true;
28option csharp_namespace = "Google.Cloud.BinaryAuthorization.V1";
29option go_package = "cloud.google.com/go/binaryauthorization/apiv1/binaryauthorizationpb;binaryauthorizationpb";
30option java_multiple_files = false;
31option java_package = "com.google.protos.google.cloud.binaryauthorization.v1";
32option php_namespace = "Google\\Cloud\\BinaryAuthorization\\V1";
33option ruby_package = "Google::Cloud::BinaryAuthorization::V1";
34
35// Customer-facing API for Cloud Binary Authorization.
36
// Google Cloud Management Service for Binary Authorization admission policies
// and attestation authorities.
//
// This API implements a REST model with the following objects:
//
// * [Policy][google.cloud.binaryauthorization.v1.Policy]
// * [Attestor][google.cloud.binaryauthorization.v1.Attestor]
//
// Every RPC below is served from `binaryauthorization.googleapis.com` and
// requires the `cloud-platform` OAuth scope (see the service options).
service BinauthzManagementServiceV1 {
  option (google.api.default_host) = "binaryauthorization.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // A [policy][google.cloud.binaryauthorization.v1.Policy] specifies the [attestors][google.cloud.binaryauthorization.v1.Attestor] that must attest to
  // a container image, before the project is allowed to deploy that
  // image. There is at most one policy per project. All image admission
  // requests are permitted if a project has no policy.
  //
  // Gets the [policy][google.cloud.binaryauthorization.v1.Policy] for this project. Returns a default
  // [policy][google.cloud.binaryauthorization.v1.Policy] if the project does not have one.
  //
  // Because a project without a policy admits every image, the default
  // policy returned for such a project should be expected to be permissive;
  // a successful response alone is not evidence that admission control has
  // been configured for the project.
  rpc GetPolicy(GetPolicyRequest) returns (Policy) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/policy}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates or updates a project's [policy][google.cloud.binaryauthorization.v1.Policy], and returns a copy of the
  // new [policy][google.cloud.binaryauthorization.v1.Policy]. A policy is always updated as a whole, to avoid race
  // conditions with concurrent policy enforcement (or management!)
  // requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
  // if the request is malformed.
  //
  // The HTTP binding is a `PUT` whose body is the whole `policy`: the
  // submitted value replaces the stored policy rather than being merged into
  // it, so callers must send the complete intended policy (typically
  // read-modify-write via GetPolicy). The policy's `name` is bound from the
  // URL path, not taken from the body (see UpdatePolicyRequest).
  rpc UpdatePolicy(UpdatePolicyRequest) returns (Policy) {
    option (google.api.http) = {
      put: "/v1/{policy.name=projects/*/policy}"
      body: "policy"
    };
    option (google.api.method_signature) = "policy";
  }

  // Creates an [attestor][google.cloud.binaryauthorization.v1.Attestor], and returns a copy of the new
  // [attestor][google.cloud.binaryauthorization.v1.Attestor]. Returns NOT_FOUND if the project does not exist,
  // INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the
  // [attestor][google.cloud.binaryauthorization.v1.Attestor] already exists.
  //
  // `parent` is a project; the attestor's resource name is assigned by the
  // service rather than taken from the body (see CreateAttestorRequest).
  rpc CreateAttestor(CreateAttestorRequest) returns (Attestor) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*}/attestors"
      body: "attestor"
    };
    option (google.api.method_signature) = "parent,attestor_id,attestor";
  }

  // Gets an [attestor][google.cloud.binaryauthorization.v1.Attestor].
  // Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
  rpc GetAttestor(GetAttestorRequest) returns (Attestor) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/attestors/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Updates an [attestor][google.cloud.binaryauthorization.v1.Attestor].
  // Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
  //
  // Like UpdatePolicy, this is a `PUT` with the whole `attestor` as the body
  // and no field mask, so expect full-replacement rather than partial-update
  // semantics; the attestor's `name` is bound from the URL path.
  rpc UpdateAttestor(UpdateAttestorRequest) returns (Attestor) {
    option (google.api.http) = {
      put: "/v1/{attestor.name=projects/*/attestors/*}"
      body: "attestor"
    };
    option (google.api.method_signature) = "attestor";
  }

  // Lists [attestors][google.cloud.binaryauthorization.v1.Attestor].
  // Returns INVALID_ARGUMENT if the project does not exist.
  //
  // Paginated: see ListAttestorsRequest.page_size / page_token and
  // ListAttestorsResponse.next_page_token.
  rpc ListAttestors(ListAttestorsRequest) returns (ListAttestorsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*}/attestors"
    };
    option (google.api.method_signature) = "parent";
  }

  // Deletes an [attestor][google.cloud.binaryauthorization.v1.Attestor]. Returns NOT_FOUND if the
  // [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
  //
  // Returns google.protobuf.Empty on success. Since a policy names the
  // attestors that must attest to an image (see GetPolicy), confirm that no
  // policy still requires this attestor before deleting it.
  rpc DeleteAttestor(DeleteAttestorRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/attestors/*}"
    };
    option (google.api.method_signature) = "name";
  }
}
124
// API for working with the system policy.
//
// The system policy is location-scoped (`locations/*/policy`) rather than
// project-scoped, and this service defines only a read (Get) RPC for it.
service SystemPolicyV1 {
  option (google.api.default_host) = "binaryauthorization.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Gets the current system policy in the specified location.
  // The response reuses the [Policy][google.cloud.binaryauthorization.v1.Policy]
  // type used for project policies.
  rpc GetSystemPolicy(GetSystemPolicyRequest) returns (Policy) {
    option (google.api.http) = {
      get: "/v1/{name=locations/*/policy}"
    };
    option (google.api.method_signature) = "name";
  }
}
138
// BinAuthz Attestor verification: checks a caller-supplied attestation
// against an [Attestor][google.cloud.binaryauthorization.v1.Attestor].
service ValidationHelperV1 {
  option (google.api.default_host) = "binaryauthorization.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Returns whether the given Attestation for the given image URI
  // was signed by the given Attestor.
  //
  // Only the attestation supplied in the request is checked; it need not
  // exist in Container Analysis (see
  // [ValidateAttestationOccurrenceRequest.attestation][google.cloud.binaryauthorization.v1.ValidateAttestationOccurrenceRequest.attestation]).
  // The request carries no policy, so a VERIFIED result should not be read
  // as an admission decision. The whole request is sent as the HTTP body
  // (`body: "*"`) with `attestor` bound from the URL path; unlike the other
  // RPCs in this file, no method_signature is declared.
  rpc ValidateAttestationOccurrence(ValidateAttestationOccurrenceRequest) returns (ValidateAttestationOccurrenceResponse) {
    option (google.api.http) = {
      post: "/v1/{attestor=projects/*/attestors/*}:validateAttestationOccurrence"
      body: "*"
    };
  }
}
153
// Request message for
// [BinauthzManagementServiceV1.GetPolicy][google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1.GetPolicy].
message GetPolicyRequest {
  // Required. The resource name of the [policy][google.cloud.binaryauthorization.v1.Policy] to retrieve,
  // in the format `projects/*/policy`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "binaryauthorization.googleapis.com/Policy"
    }
  ];
}
165
// Request message for
// [BinauthzManagementServiceV1.UpdatePolicy][google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1.UpdatePolicy].
//
// There is no field mask: the submitted `policy` is written as a whole.
message UpdatePolicyRequest {
  // Required. A new or updated [policy][google.cloud.binaryauthorization.v1.Policy] value. The service will
  // overwrite the [policy name][google.cloud.binaryauthorization.v1.Policy.name] field with the resource name in
  // the request URL, in the format `projects/*/policy`.
  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
}
173
// Request message for
// [BinauthzManagementServiceV1.CreateAttestor][google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1.CreateAttestor].
message CreateAttestorRequest {
  // Required. The parent of this [attestor][google.cloud.binaryauthorization.v1.Attestor],
  // a project in the format `projects/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Required. The ID of the [attestor][google.cloud.binaryauthorization.v1.Attestor] to create.
  // NOTE(review): presumably combined with `parent` to form the attestor's
  // resource name `projects/*/attestors/*` (see `attestor` below) — confirm
  // against the service implementation.
  string attestor_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The initial [attestor][google.cloud.binaryauthorization.v1.Attestor] value. The service will
  // overwrite the [attestor name][google.cloud.binaryauthorization.v1.Attestor.name] field with the resource name,
  // in the format `projects/*/attestors/*`.
  Attestor attestor = 3 [(google.api.field_behavior) = REQUIRED];
}
192
// Request message for
// [BinauthzManagementServiceV1.GetAttestor][google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1.GetAttestor].
message GetAttestorRequest {
  // Required. The name of the [attestor][google.cloud.binaryauthorization.v1.Attestor] to retrieve, in the format
  // `projects/*/attestors/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "binaryauthorization.googleapis.com/Attestor"
    }
  ];
}
204
// Request message for
// [BinauthzManagementServiceV1.UpdateAttestor][google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1.UpdateAttestor].
//
// There is no field mask; the submitted `attestor` is the only field, so
// expect it to be written as a whole rather than merged.
message UpdateAttestorRequest {
  // Required. The updated [attestor][google.cloud.binaryauthorization.v1.Attestor] value. The service will
  // overwrite the [attestor name][google.cloud.binaryauthorization.v1.Attestor.name] field with the resource name
  // in the request URL, in the format `projects/*/attestors/*`.
  Attestor attestor = 1 [(google.api.field_behavior) = REQUIRED];
}
212
// Request message for
// [BinauthzManagementServiceV1.ListAttestors][google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1.ListAttestors].
message ListAttestorsRequest {
  // Required. The resource name of the project associated with the
  // [attestors][google.cloud.binaryauthorization.v1.Attestor], in the format `projects/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Requested page size. The server may return fewer results than requested. If
  // unspecified, the server will pick an appropriate default.
  // This is a proto3 field with implicit presence, so 0 and "unset" are the
  // same thing on the wire: 0 means "use the server default".
  int32 page_size = 2;

  // A token identifying a page of results the server should return. Typically,
  // this is the value of [ListAttestorsResponse.next_page_token][google.cloud.binaryauthorization.v1.ListAttestorsResponse.next_page_token] returned
  // from the previous call to the `ListAttestors` method.
  // Leave empty to request the first page.
  string page_token = 3;
}
233
// Response message for
// [BinauthzManagementServiceV1.ListAttestors][google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1.ListAttestors].
message ListAttestorsResponse {
  // The list of [attestors][google.cloud.binaryauthorization.v1.Attestor]
  // on this page; may hold fewer entries than the requested page size.
  repeated Attestor attestors = 1;

  // A token to retrieve the next page of results. Pass this value in the
  // [ListAttestorsRequest.page_token][google.cloud.binaryauthorization.v1.ListAttestorsRequest.page_token] field in the subsequent call to the
  // `ListAttestors` method to retrieve the next page of results.
  // NOTE(review): an empty token is presumably the end-of-list signal, per the
  // usual list-pagination convention — confirm with the service.
  string next_page_token = 2;
}
244
// Request message for
// [BinauthzManagementServiceV1.DeleteAttestor][google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1.DeleteAttestor].
message DeleteAttestorRequest {
  // Required. The name of the [attestor][google.cloud.binaryauthorization.v1.Attestor] to delete, in the format
  // `projects/*/attestors/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "binaryauthorization.googleapis.com/Attestor"
    }
  ];
}
256
// Request message for
// [SystemPolicyV1.GetSystemPolicy][google.cloud.binaryauthorization.v1.SystemPolicyV1.GetSystemPolicy]:
// reads the current system policy.
message GetSystemPolicyRequest {
  // Required. The resource name, in the format `locations/*/policy`.
  // Note that the system policy is not associated with a project.
  // The resource_reference type is the same `Policy` type used for project
  // policies (`projects/*/policy`); only the name pattern differs.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "binaryauthorization.googleapis.com/Policy"
    }
  ];
}
268
// Request message for
// [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence].
//
// All four fields are required. The attestation is supplied inline by the
// caller and is checked against the named attestor; nothing here has to
// already exist in Container Analysis.
message ValidateAttestationOccurrenceRequest {
  // Required. The resource name of the [Attestor][google.cloud.binaryauthorization.v1.Attestor] of the
  // [occurrence][grafeas.v1.Occurrence], in the format
  // `projects/*/attestors/*`.
  // This is also the path-bound parameter of the HTTP binding. Unlike the
  // other resource-name fields in this file it carries no
  // `resource_reference` annotation.
  string attestor = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. An [AttestationOccurrence][grafeas.v1.AttestationOccurrence] to
  // be checked that it can be verified by the Attestor. It does not have to be
  // an existing entity in Container Analysis. It must otherwise be a valid
  // AttestationOccurrence.
  grafeas.v1.AttestationOccurrence attestation = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The resource name of the [Note][grafeas.v1.Note] to which the
  // containing [Occurrence][grafeas.v1.Occurrence] is associated.
  string occurrence_note = 3 [(google.api.field_behavior) = REQUIRED];

  // Required. The URI of the artifact (e.g. container image) that is the
  // subject of the containing [Occurrence][grafeas.v1.Occurrence].
  string occurrence_resource_uri = 4 [(google.api.field_behavior) = REQUIRED];
}
291
// Response message for
// [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence].
message ValidateAttestationOccurrenceResponse {
  // The enum returned in the "result" field.
  //
  // Clients should fail closed: treat any value other than VERIFIED —
  // including RESULT_UNSPECIFIED and any value unknown to the client — as a
  // failed verification.
  enum Result {
    // Unspecified. Never a positive verification result.
    RESULT_UNSPECIFIED = 0;

    // The Attestation could be verified by the Attestor.
    VERIFIED = 1;

    // The Attestation could not be verified by the Attestor.
    ATTESTATION_NOT_VERIFIABLE = 2;
  }

  // The result of the Attestation validation.
  Result result = 1;

  // The reason for denial if the Attestation couldn't be validated.
  // NOTE(review): presumably empty when `result` is VERIFIED — confirm.
  string denial_reason = 2;
}
313