diff --git a/src/main/java/com/google/api/generator/gapic/composer/GrpcServiceStubClassComposer.java b/src/main/java/com/google/api/generator/gapic/composer/GrpcServiceStubClassComposer.java index 788c7272f6..7b21e8c692 100644 --- a/src/main/java/com/google/api/generator/gapic/composer/GrpcServiceStubClassComposer.java +++ b/src/main/java/com/google/api/generator/gapic/composer/GrpcServiceStubClassComposer.java @@ -105,7 +105,7 @@ public class GrpcServiceStubClassComposer implements ClassComposer { // Legacy support for the original reroute_to_grpc_interface option in gapic.yaml. These two APIs // predate the modern way, which is to add the RPCs directly into the proto. private static final Set REROUTE_TO_GRPC_INTERFACE_SERVICE_ALLOWLIST = - new HashSet<>(Arrays.asList("google.cloud.kms.v1", "google.pubsub.v1")); + new HashSet<>(Arrays.asList("google.pubsub.v1")); private static final Set REROUTE_TO_GRPC_INTERFACE_IAM_METHOD_ALLOWLIST = new HashSet<>(Arrays.asList("SetIamPolicy", "GetIamPolicy", "TestIamPermissions")); diff --git a/src/main/java/com/google/api/generator/gapic/protoparser/Parser.java b/src/main/java/com/google/api/generator/gapic/protoparser/Parser.java index 795ace8eac..0f377ce748 100644 --- a/src/main/java/com/google/api/generator/gapic/protoparser/Parser.java +++ b/src/main/java/com/google/api/generator/gapic/protoparser/Parser.java @@ -229,6 +229,14 @@ public static List parseServices( .filter(a -> MIXIN_ALLOWLIST.contains(a.getName())) .map(a -> a.getName()) .collect(Collectors.toSet()); + Set apiDefinedRpcs = new HashSet<>(); + for (Service service : services) { + if (blockedCodegenMixinApis.contains(service)) { + continue; + } + apiDefinedRpcs.addAll( + service.methods().stream().map(m -> m.name()).collect(Collectors.toSet())); + } // Mix-in APIs only if the protos are present and they're defined in the service.yaml file. Set outputMixinServiceSet = new HashSet<>(); if (servicesContainBlocklistedApi && !mixedInApis.isEmpty()) { @@ -241,13 +249,18 @@ public static List parseServices( String.format("%s.%s", mixinService.protoPakkage(), mixinService.name()))) { continue; } - List mixinMethods = new ArrayList<>(mixinService.methods()); - mixinMethods.forEach( - m -> - updatedMethods.add( - m.toBuilder() - .setMixedInApiName(serviceFullNameFn.apply(mixinService)) - .build())); + mixinService + .methods() + .forEach( + m -> { + // Overridden RPCs defined in the protos take precedence. + if (!apiDefinedRpcs.contains(m.name())) { + updatedMethods.add( + m.toBuilder() + .setMixedInApiName(serviceFullNameFn.apply(mixinService)) + .build()); + } + }); outputMixinServiceSet.add(mixinService); } services.set(i, originalService.toBuilder().setMethods(updatedMethods).build()); diff --git a/test/integration/BUILD.bazel b/test/integration/BUILD.bazel index 59a28a9608..004d8b1f9d 100644 --- a/test/integration/BUILD.bazel +++ b/test/integration/BUILD.bazel @@ -3,6 +3,8 @@ load( "java_gapic_assembly_gradle_pkg", "java_gapic_library", "java_gapic_test", + "java_grpc_library", + "java_proto_library", ) load( "//:rules_bazel/java/integration_test.bzl", @@ -19,7 +21,7 @@ package(default_visibility = ["//visibility:public"]) INTEGRATION_TEST_LIBRARIES = [ "asset", # Basic case. "credentials", # Check that the capital name edge case is handled. - "kms", # Mixins. + "kms", # Mixins, with an override in the proto file. "logging", # Java package remapping in gapic.yaml. "redis", # Has a gapic.yaml. "library", # No gRPC service config. @@ -156,18 +158,63 @@ java_gapic_assembly_gradle_pkg( ) # KMS (for mixins). +load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_googleapis_imports//:imports.bzl", "proto_library_with_info") + +proto_library( + name = "kms_proto", + srcs = [ + "apis/kms/v1/resources.proto", + "apis/kms/v1/service.proto", + ], + deps = [ + "@com_google_googleapis//google/api:annotations_proto", + "@com_google_googleapis//google/api:client_proto", + "@com_google_googleapis//google/api:field_behavior_proto", + "@com_google_googleapis//google/api:resource_proto", + "@com_google_googleapis//google/iam/v1:iam_policy_proto", + "@com_google_googleapis//google/iam/v1:policy_proto", + "@com_google_protobuf//:duration_proto", + "@com_google_protobuf//:field_mask_proto", + "@com_google_protobuf//:struct_proto", + "@com_google_protobuf//:timestamp_proto", + "@com_google_protobuf//:wrappers_proto", + ], +) + +proto_library_with_info( + name = "kms_proto_with_info", + deps = [ + ":kms_proto", + "@com_google_googleapis//google/cloud:common_resources_proto", + "@com_google_googleapis//google/iam/v1:iam_policy_proto", + "@com_google_googleapis//google/iam/v1:policy_proto", + ], +) + +java_proto_library( + name = "kms_java_proto", + deps = [":kms_proto"], +) + +java_grpc_library( + name = "kms_java_grpc", + srcs = [":kms_proto"], + deps = [":kms_java_proto"], +) + java_gapic_library( name = "kms_java_gapic", - srcs = ["@com_google_googleapis//google/cloud/kms/v1:kms_proto_with_info"], + srcs = [":kms_proto_with_info"], grpc_service_config = "@com_google_googleapis//google/cloud/kms/v1:cloudkms_grpc_service_config.json", # For the IAM mixin. - service_yaml = "cloudkms_test_mixins_v1.yaml", + service_yaml = "apis/kms/v1/cloudkms_test_mixins_v1.yaml", test_deps = [ - "@com_google_googleapis//google/cloud/kms/v1:kms_java_grpc", + ":kms_java_grpc", "@com_google_googleapis//google/iam/v1:iam_java_grpc", ], deps = [ - "@com_google_googleapis//google/cloud/kms/v1:kms_java_proto", + ":kms_java_proto", "@com_google_googleapis//google/iam/v1:iam_java_proto", ], ) diff --git a/test/integration/cloudkms_test_mixins_v1.yaml b/test/integration/apis/kms/v1/cloudkms_test_mixins_v1.yaml similarity index 100% rename from test/integration/cloudkms_test_mixins_v1.yaml rename to test/integration/apis/kms/v1/cloudkms_test_mixins_v1.yaml diff --git a/test/integration/apis/kms/v1/resources.proto b/test/integration/apis/kms/v1/resources.proto new file mode 100644 index 0000000000..88e31bd95c --- /dev/null +++ b/test/integration/apis/kms/v1/resources.proto @@ -0,0 +1,605 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.kms.v1; + +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/timestamp.proto"; +import "google/protobuf/wrappers.proto"; +import "google/api/annotations.proto"; + +option cc_enable_arenas = true; +option csharp_namespace = "Google.Cloud.Kms.V1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms"; +option java_multiple_files = true; +option java_outer_classname = "KmsResourcesProto"; +option java_package = "com.google.cloud.kms.v1"; +option php_namespace = "Google\\Cloud\\Kms\\V1"; + +// A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey]. +message KeyRing { + option (google.api.resource) = { + type: "cloudkms.googleapis.com/KeyRing" + pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}" + }; + + // Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format + // `projects/*/locations/*/keyRings/*`. + string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created. + google.protobuf.Timestamp create_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; +} + +// A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic +// operations. +// +// A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion], +// which represent the actual key material used in cryptographic operations. +message CryptoKey { + option (google.api.resource) = { + type: "cloudkms.googleapis.com/CryptoKey" + pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}" + }; + + // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] describes the cryptographic capabilities of a + // [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used for the operations allowed by + // its purpose. For more information, see + // [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes). + enum CryptoKeyPurpose { + // Not specified. + CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0; + + // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with + // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and + // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. + ENCRYPT_DECRYPT = 1; + + // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with + // [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign] and + // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. + ASYMMETRIC_SIGN = 5; + + // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with + // [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt] and + // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. + ASYMMETRIC_DECRYPT = 6; + } + + // Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format + // `projects/*/locations/*/keyRings/*/cryptoKeys/*`. + string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. A copy of the "primary" [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used + // by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given + // in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name]. + // + // The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be updated via + // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. + // + // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] + // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] may have a + // primary. For other keys, this field will be omitted. + CryptoKeyVersion primary = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Immutable. The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey]. + CryptoKeyPurpose purpose = 3 [(google.api.field_behavior) = IMMUTABLE]; + + // Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created. + google.protobuf.Timestamp create_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically: + // + // 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey]. + // 2. Mark the new version as primary. + // + // Key rotations performed manually via + // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and + // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion] + // do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]. + // + // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] + // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support + // automatic rotation. For other keys, this field must be omitted. + google.protobuf.Timestamp next_rotation_time = 7; + + // Controls the rate of automatic rotation. + oneof rotation_schedule { + // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service + // automatically rotates a key. Must be at least 24 hours and at most + // 876,000 hours. + // + // If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set. + // + // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose] + // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support + // automatic rotation. For other keys, this field must be omitted. + google.protobuf.Duration rotation_period = 8; + } + + // A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. + // The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either + // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or + // auto-rotation are controlled by this template. + CryptoKeyVersionTemplate version_template = 11; + + // Labels with user-defined metadata. For more information, see + // [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys). + map labels = 10; +} + +// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating +// a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with +// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or +// automatically as a result of auto-rotation. +message CryptoKeyVersionTemplate { + // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on + // this template. Immutable. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]. + ProtectionLevel protection_level = 1; + + // Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] to use + // when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template. + // + // For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both + // this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is + // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3 [(google.api.field_behavior) = REQUIRED]; +} + +// Contains an HSM-generated attestation about a key operation. For more +// information, see [Verifying attestations] +// (https://cloud.google.com/kms/docs/attest-key). +message KeyOperationAttestation { + // Attestation formats provided by the HSM. + enum AttestationFormat { + // Not specified. + ATTESTATION_FORMAT_UNSPECIFIED = 0; + + // Cavium HSM attestation compressed with gzip. Note that this format is + // defined by Cavium and subject to change at any time. + CAVIUM_V1_COMPRESSED = 3; + + // Cavium HSM attestation V2 compressed with gzip. This is a new format + // introduced in Cavium's version 3.2-08. + CAVIUM_V2_COMPRESSED = 4; + } + + // Output only. The format of the attestation data. + AttestationFormat format = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The attestation data provided by the HSM when the key + // operation was performed. + bytes content = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; +} + +// A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the +// associated key material. +// +// An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be +// used for cryptographic operations. +// +// For security reasons, the raw cryptographic key material represented by a +// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to +// encrypt, decrypt, or sign data when an authorized user or application invokes +// Cloud KMS. +message CryptoKeyVersion { + option (google.api.resource) = { + type: "cloudkms.googleapis.com/CryptoKeyVersion" + pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}" + }; + + // The algorithm of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what + // parameters must be used for each cryptographic operation. + // + // The + // [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION] + // algorithm is usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] + // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + // + // Algorithms beginning with "RSA_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] + // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. + // + // The fields in the name after "RSA_SIGN_" correspond to the following + // parameters: padding algorithm, modulus bit length, and digest algorithm. + // + // For PSS, the salt length used is equal to the length of digest + // algorithm. For example, + // [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256] + // will use PSS with a salt length of 256 bits or 32 bytes. + // + // Algorithms beginning with "RSA_DECRYPT_" are usable with + // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] + // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT]. + // + // The fields in the name after "RSA_DECRYPT_" correspond to the following + // parameters: padding algorithm, modulus bit length, and digest algorithm. + // + // Algorithms beginning with "EC_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] + // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. + // + // The fields in the name after "EC_SIGN_" correspond to the following + // parameters: elliptic curve, digest algorithm. + // + // For more information, see [Key purposes and algorithms] + // (https://cloud.google.com/kms/docs/algorithms). + enum CryptoKeyVersionAlgorithm { + // Not specified. + CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0; + + // Creates symmetric encryption keys. + GOOGLE_SYMMETRIC_ENCRYPTION = 1; + + // RSASSA-PSS 2048 bit key with a SHA256 digest. + RSA_SIGN_PSS_2048_SHA256 = 2; + + // RSASSA-PSS 3072 bit key with a SHA256 digest. + RSA_SIGN_PSS_3072_SHA256 = 3; + + // RSASSA-PSS 4096 bit key with a SHA256 digest. + RSA_SIGN_PSS_4096_SHA256 = 4; + + // RSASSA-PSS 4096 bit key with a SHA512 digest. + RSA_SIGN_PSS_4096_SHA512 = 15; + + // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest. + RSA_SIGN_PKCS1_2048_SHA256 = 5; + + // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest. + RSA_SIGN_PKCS1_3072_SHA256 = 6; + + // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest. + RSA_SIGN_PKCS1_4096_SHA256 = 7; + + // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest. + RSA_SIGN_PKCS1_4096_SHA512 = 16; + + // RSAES-OAEP 2048 bit key with a SHA256 digest. + RSA_DECRYPT_OAEP_2048_SHA256 = 8; + + // RSAES-OAEP 3072 bit key with a SHA256 digest. + RSA_DECRYPT_OAEP_3072_SHA256 = 9; + + // RSAES-OAEP 4096 bit key with a SHA256 digest. + RSA_DECRYPT_OAEP_4096_SHA256 = 10; + + // RSAES-OAEP 4096 bit key with a SHA512 digest. + RSA_DECRYPT_OAEP_4096_SHA512 = 17; + + // ECDSA on the NIST P-256 curve with a SHA256 digest. + EC_SIGN_P256_SHA256 = 12; + + // ECDSA on the NIST P-384 curve with a SHA384 digest. + EC_SIGN_P384_SHA384 = 13; + + // Algorithm representing symmetric encryption by an external key manager. + EXTERNAL_SYMMETRIC_ENCRYPTION = 18; + } + + // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used. + enum CryptoKeyVersionState { + // Not specified. + CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0; + + // This version is still being generated. It may not be used, enabled, + // disabled, or destroyed yet. Cloud KMS will automatically mark this + // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready. + PENDING_GENERATION = 5; + + // This version may be used for cryptographic operations. + ENABLED = 1; + + // This version may not be used, but the key material is still available, + // and the version can be placed back into the [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] state. + DISABLED = 2; + + // This version is destroyed, and the key material is no longer stored. + // A version may not leave this state once entered. + DESTROYED = 3; + + // This version is scheduled for destruction, and will be destroyed soon. + // Call + // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] + // to put it back into the [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] state. + DESTROY_SCHEDULED = 4; + + // This version is still being imported. It may not be used, enabled, + // disabled, or destroyed yet. Cloud KMS will automatically mark this + // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready. + PENDING_IMPORT = 6; + + // This version was not imported successfully. It may not be used, enabled, + // disabled, or destroyed. The submitted key material has been discarded. + // Additional details can be found in + // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason]. + IMPORT_FAILED = 7; + } + + // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls the level of detail returned + // for [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in + // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] and + // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys]. + enum CryptoKeyVersionView { + // Default view for each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not include + // the [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field. + CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0; + + // Provides all fields in each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the + // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation]. + FULL = 1; + } + + // Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format + // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. + string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. + CryptoKeyVersionState state = 3; + + // Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are + // performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. + ProtectionLevel protection_level = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports. + CryptoKeyVersionAlgorithm algorithm = 10 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. Statement that was generated and signed by the HSM at key + // creation time. Use this statement to verify attributes of the key as stored + // on the HSM, independently of Google. Only provided for key versions with + // [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM]. + KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created. + google.protobuf.Timestamp create_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was + // generated. + google.protobuf.Timestamp generate_time = 11 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is scheduled + // for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is + // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]. + google.protobuf.Timestamp destroy_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time this CryptoKeyVersion's key material was + // destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is + // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]. + google.protobuf.Timestamp destroy_event_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] used to import this + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if the underlying key material was + // imported. + string import_job = 14 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material + // was imported. + google.protobuf.Timestamp import_time = 15 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The root cause of an import failure. Only present if + // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is + // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]. + string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // ExternalProtectionLevelOptions stores a group of additional fields for + // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the + // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level. + ExternalProtectionLevelOptions external_protection_level_options = 17; +} + +// The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via +// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. +message PublicKey { + option (google.api.resource) = { + type: "cloudkms.googleapis.com/PublicKey" + pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey" + }; + + // The public key, encoded in PEM format. For more information, see the + // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for + // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and + // [Textual Encoding of Subject Public Key Info] + // (https://tools.ietf.org/html/rfc7468#section-13). + string pem = 1; + + // The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] associated + // with this key. + CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2; + + // Integrity verification field. A CRC32C checksum of the returned + // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed + // by computing the CRC32C checksum of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and + // comparing your results to this field. Discard the response in case of + // non-matching checksum values, and perform a limited number of retries. A + // persistent mismatch may indicate an issue in your computation of the CRC32C + // checksum. + // Note: This field is defined as int64 for reasons of compatibility across + // different languages. However, it is a non-negative integer, which will + // never exceed 2^32-1, and can be safely downconverted to uint32 in languages + // that support this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value pem_crc32c = 3; + + // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key. + // Provided here for verification. + // + // NOTE: This field is in Beta. + string name = 4; +} + +// An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and +// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material, +// generated outside of Cloud KMS. +// +// When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a "wrapping key", +// which is a public/private key pair. You use the wrapping key to encrypt (also +// known as wrap) the pre-existing key material to protect it during the import +// process. The nature of the wrapping key depends on the choice of +// [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation +// is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to +// [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key] +// can be fetched. The fetched public key can then be used to wrap your +// pre-existing key material. +// +// Once the key material is wrapped, it can be imported into a new +// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling +// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. +// Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single +// [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to +// unwrap the key material. Only Cloud KMS has access to the private key. +// +// An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS +// will no longer be able to import or unwrap any key material that was wrapped +// with the [ImportJob][google.cloud.kms.v1.ImportJob]'s public key. +// +// For more information, see +// [Importing a key](https://cloud.google.com/kms/docs/importing-a-key). +message ImportJob { + option (google.api.resource) = { + type: "cloudkms.googleapis.com/ImportJob" + pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}" + }; + + // The public key component of the wrapping key. For details of the type of + // key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod]. + message WrappingPublicKey { + // The public key, encoded in PEM format. For more information, see the [RFC + // 7468](https://tools.ietf.org/html/rfc7468) sections for [General + // Considerations](https://tools.ietf.org/html/rfc7468#section-2) and + // [Textual Encoding of Subject Public Key Info] + // (https://tools.ietf.org/html/rfc7468#section-13). + string pem = 1; + } + + // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the key wrapping method chosen for this + // [ImportJob][google.cloud.kms.v1.ImportJob]. + enum ImportMethod { + // Not specified. + IMPORT_METHOD_UNSPECIFIED = 0; + + // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping + // scheme defined in the PKCS #11 standard. In summary, this involves + // wrapping the raw key with an ephemeral AES key, and wrapping the + // ephemeral AES key with a 3072 bit RSA key. For more details, see + // [RSA AES key wrap + // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). + RSA_OAEP_3072_SHA1_AES_256 = 1; + + // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping + // scheme defined in the PKCS #11 standard. In summary, this involves + // wrapping the raw key with an ephemeral AES key, and wrapping the + // ephemeral AES key with a 4096 bit RSA key. For more details, see + // [RSA AES key wrap + // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908). + RSA_OAEP_4096_SHA1_AES_256 = 2; + } + + // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used. + enum ImportJobState { + // Not specified. + IMPORT_JOB_STATE_UNSPECIFIED = 0; + + // The wrapping key for this job is still being generated. It may not be + // used. Cloud KMS will automatically mark this job as + // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as the wrapping key is generated. + PENDING_GENERATION = 1; + + // This job may be used in + // [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey] and + // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] + // requests. + ACTIVE = 2; + + // This job can no longer be used and may not leave this state once entered. + EXPIRED = 3; + } + + // Output only. The resource name for this [ImportJob][google.cloud.kms.v1.ImportJob] in the format + // `projects/*/locations/*/keyRings/*/importJobs/*`. + string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Required. Immutable. The wrapping method to be used for incoming key material. + ImportMethod import_method = 2 [ + (google.api.field_behavior) = REQUIRED, + (google.api.field_behavior) = IMMUTABLE + ]; + + // Required. Immutable. The protection level of the [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the + // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] of the + // [version_template][google.cloud.kms.v1.CryptoKey.version_template] on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you + // attempt to import into. + ProtectionLevel protection_level = 9 [ + (google.api.field_behavior) = REQUIRED, + (google.api.field_behavior) = IMMUTABLE + ]; + + // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] was created. + google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key material was generated. + google.protobuf.Timestamp generate_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for + // expiration and can no longer be used to import key material. + google.protobuf.Timestamp expire_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only present if + // [state][google.cloud.kms.v1.ImportJob.state] is [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED]. + google.protobuf.Timestamp expire_event_time = 10 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The current state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can + // be used. + ImportJobState state = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The public key with which to wrap key material prior to + // import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is + // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE]. + WrappingPublicKey public_key = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. Statement that was generated and signed by the key creator + // (for example, an HSM) at key creation time. Use this statement to verify + // attributes of the key as stored on the HSM, independently of Google. + // Only present if the chosen [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a protection + // level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM]. + KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY]; +} + +// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how cryptographic operations are performed. +// For more information, see [Protection levels] +// (https://cloud.google.com/kms/docs/algorithms#protection_levels). +enum ProtectionLevel { + // Not specified. + PROTECTION_LEVEL_UNSPECIFIED = 0; + + // Crypto operations are performed in software. + SOFTWARE = 1; + + // Crypto operations are performed in a Hardware Security Module. + HSM = 2; + + // Crypto operations are performed by an external key manager. + EXTERNAL = 3; +} + +// ExternalProtectionLevelOptions stores a group of additional fields for +// configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the +// [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level. +message ExternalProtectionLevelOptions { + // The URI for an external resource that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents. + string external_key_uri = 1; +} diff --git a/test/integration/apis/kms/v1/service.proto b/test/integration/apis/kms/v1/service.proto new file mode 100644 index 0000000000..b5884df1eb --- /dev/null +++ b/test/integration/apis/kms/v1/service.proto @@ -0,0 +1,1321 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.kms.v1; + +import "google/api/annotations.proto"; +import "google/iam/v1/iam_policy.proto"; +import "google/iam/v1/policy.proto"; +import "google/api/client.proto"; +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; +import "google/protobuf/field_mask.proto"; +import "google/protobuf/wrappers.proto"; +import "test/integration/apis/kms/v1/resources.proto"; + +option cc_enable_arenas = true; +option csharp_namespace = "Google.Cloud.Kms.V1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms"; +option java_multiple_files = true; +option java_outer_classname = "KmsProto"; +option java_package = "com.google.cloud.kms.v1"; +option php_namespace = "Google\\Cloud\\Kms\\V1"; + +// Google Cloud Key Management Service +// +// Manages cryptographic keys and operations using those keys. Implements a REST +// model with the following objects: +// +// * [KeyRing][google.cloud.kms.v1.KeyRing] +// * [CryptoKey][google.cloud.kms.v1.CryptoKey] +// * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] +// * [ImportJob][google.cloud.kms.v1.ImportJob] +// +// If you are using manual gRPC libraries, see +// [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc). +service KeyManagementService { + option (google.api.default_host) = "cloudkms.googleapis.com"; + option (google.api.oauth_scopes) = + "https://www.googleapis.com/auth/cloud-platform," + "https://www.googleapis.com/auth/cloudkms"; + + // Lists [KeyRings][google.cloud.kms.v1.KeyRing]. + rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) { + option (google.api.http) = { + get: "/v1/{parent=projects/*/locations/*}/keyRings" + }; + option (google.api.method_signature) = "parent"; + } + + // Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey]. + rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) { + option (google.api.http) = { + get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys" + }; + option (google.api.method_signature) = "parent"; + } + + // Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. + rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest) + returns (ListCryptoKeyVersionsResponse) { + option (google.api.http) = { + get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions" + }; + option (google.api.method_signature) = "parent"; + } + + // Lists [ImportJobs][google.cloud.kms.v1.ImportJob]. + rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse) { + option (google.api.http) = { + get: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs" + }; + option (google.api.method_signature) = "parent"; + } + + // Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing]. + rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) { + option (google.api.http) = { + get: "/v1/{name=projects/*/locations/*/keyRings/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as + // well as its [primary][google.cloud.kms.v1.CryptoKey.primary] + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. + rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) { + option (google.api.http) = { + get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Returns metadata for a given + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. + rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Returns the public key for the given + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The + // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be + // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] + // or + // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT]. + rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) { + option (google.api.http) = { + get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey" + }; + option (google.api.method_signature) = "name"; + } + + // Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob]. + rpc GetImportJob(GetImportJobRequest) returns (ImportJob) { + option (google.api.http) = { + get: "/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and + // Location. + rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) { + option (google.api.http) = { + post: "/v1/{parent=projects/*/locations/*}/keyRings" + body: "key_ring" + }; + option (google.api.method_signature) = "parent,key_ring_id,key_ring"; + } + + // Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a + // [KeyRing][google.cloud.kms.v1.KeyRing]. + // + // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and + // [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm] + // are required. + rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) { + option (google.api.http) = { + post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys" + body: "crypto_key" + }; + option (google.api.method_signature) = "parent,crypto_key_id,crypto_key"; + } + + // Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a + // [CryptoKey][google.cloud.kms.v1.CryptoKey]. + // + // The server will assign the next sequential id. If unset, + // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to + // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]. + rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions" + body: "crypto_key_version" + }; + option (google.api.method_signature) = "parent,crypto_key_version"; + } + + // Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into + // an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the wrapped + // key material provided in the request. + // + // The version ID will be assigned the next sequential id within the + // [CryptoKey][google.cloud.kms.v1.CryptoKey]. + rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import" + body: "*" + }; + } + + // Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a + // [KeyRing][google.cloud.kms.v1.KeyRing]. + // + // [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is + // required. + rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob) { + option (google.api.http) = { + post: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs" + body: "import_job" + }; + option (google.api.method_signature) = "parent,import_job_id,import_job"; + } + + // Update a [CryptoKey][google.cloud.kms.v1.CryptoKey]. + rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) { + option (google.api.http) = { + patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}" + body: "crypto_key" + }; + option (google.api.method_signature) = "crypto_key,update_mask"; + } + + // Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s + // metadata. + // + // [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between + // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] + // and + // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] + // using this method. See + // [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] + // and + // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] + // to move between other states. + rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}" + body: "crypto_key_version" + }; + option (google.api.method_signature) = "crypto_key_version,update_mask"; + } + + // Encrypts data, so that it can only be recovered by a call to + // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The + // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be + // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + rpc Encrypt(EncryptRequest) returns (EncryptResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt" + body: "*" + }; + option (google.api.method_signature) = "name,plaintext"; + } + + // Decrypts data that was protected by + // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The + // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be + // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + rpc Decrypt(DecryptRequest) returns (DecryptResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt" + body: "*" + }; + option (google.api.method_signature) = "name,ciphertext"; + } + + // Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] + // ASYMMETRIC_SIGN, producing a signature that can be verified with the public + // key retrieved from + // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. + rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign" + body: "*" + }; + option (google.api.method_signature) = "name,digest"; + } + + // Decrypts data that was encrypted with a public key retrieved from + // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] + // corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] + // ASYMMETRIC_DECRYPT. + rpc AsymmetricDecrypt(AsymmetricDecryptRequest) + returns (AsymmetricDecryptResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt" + body: "*" + }; + option (google.api.method_signature) = "name,ciphertext"; + } + + // Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that + // will be used in + // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. + // + // Returns an error if called on an asymmetric key. + rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest) + returns (CryptoKey) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion" + body: "*" + }; + option (google.api.method_signature) = "name,crypto_key_version_id"; + } + + // Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for + // destruction. + // + // Upon calling this method, + // [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will + // be set to + // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will + // be set to a time 24 hours in the future, at which point the + // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be changed to + // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], + // and the key material will be irrevocably destroyed. + // + // Before the + // [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is + // reached, + // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] + // may be called to reverse the process. + rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy" + body: "*" + }; + option (google.api.method_signature) = "name"; + } + + // Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the + // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + // state. + // + // Upon restoration of the CryptoKeyVersion, + // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to + // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], + // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will + // be cleared. + rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore" + body: "*" + }; + option (google.api.method_signature) = "name"; + } + + // Gets the access control policy for a resource. ADDED ONLY FOR MIXIN TESTS. + // Returns an empty policy if the resource exists and does not have a policy + // set. + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) + returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1/{resource=**}:getIamPolicy" + body: "*" + }; + } +} + +// Request message for +// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings]. +message ListKeyRingsRequest { + // Required. The resource name of the location associated with the + // [KeyRings][google.cloud.kms.v1.KeyRing], in the format + // `projects/*/locations/*`. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "locations.googleapis.com/Location" + } + ]; + + // Optional. Optional limit on the number of + // [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further + // [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by + // including the + // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token] + // in a subsequent request. If unspecified, the server will pick an + // appropriate default. + int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Optional pagination token, returned earlier via + // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]. + string page_token = 3 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Only include resources that match the filter in the response. For + // more information, see + // [Sorting and filtering list + // results](https://cloud.google.com/kms/docs/sorting-and-filtering). + string filter = 4 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Specify how the results should be sorted. If not specified, the + // results will be sorted in the default order. For more information, see + // [Sorting and filtering list + // results](https://cloud.google.com/kms/docs/sorting-and-filtering). + string order_by = 5 [(google.api.field_behavior) = OPTIONAL]; +} + +// Request message for +// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys]. +message ListCryptoKeysRequest { + // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] + // to list, in the format `projects/*/locations/*/keyRings/*`. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/KeyRing" + } + ]; + + // Optional. Optional limit on the number of + // [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response. + // Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be + // obtained by including the + // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token] + // in a subsequent request. If unspecified, the server will pick an + // appropriate default. + int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Optional pagination token, returned earlier via + // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]. + string page_token = 3 [(google.api.field_behavior) = OPTIONAL]; + + // The fields of the primary version to include in the response. + CryptoKeyVersion.CryptoKeyVersionView version_view = 4; + + // Optional. Only include resources that match the filter in the response. For + // more information, see + // [Sorting and filtering list + // results](https://cloud.google.com/kms/docs/sorting-and-filtering). + string filter = 5 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Specify how the results should be sorted. If not specified, the + // results will be sorted in the default order. For more information, see + // [Sorting and filtering list + // results](https://cloud.google.com/kms/docs/sorting-and-filtering). + string order_by = 6 [(google.api.field_behavior) = OPTIONAL]; +} + +// Request message for +// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions]. +message ListCryptoKeyVersionsRequest { + // Required. The resource name of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format + // `projects/*/locations/*/keyRings/*/cryptoKeys/*`. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKey" + } + ]; + + // Optional. Optional limit on the number of + // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the + // response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] + // can subsequently be obtained by including the + // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token] + // in a subsequent request. If unspecified, the server will pick an + // appropriate default. + int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Optional pagination token, returned earlier via + // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]. + string page_token = 3 [(google.api.field_behavior) = OPTIONAL]; + + // The fields to include in the response. + CryptoKeyVersion.CryptoKeyVersionView view = 4; + + // Optional. Only include resources that match the filter in the response. For + // more information, see + // [Sorting and filtering list + // results](https://cloud.google.com/kms/docs/sorting-and-filtering). + string filter = 5 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Specify how the results should be sorted. If not specified, the + // results will be sorted in the default order. For more information, see + // [Sorting and filtering list + // results](https://cloud.google.com/kms/docs/sorting-and-filtering). + string order_by = 6 [(google.api.field_behavior) = OPTIONAL]; +} + +// Request message for +// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs]. +message ListImportJobsRequest { + // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] + // to list, in the format `projects/*/locations/*/keyRings/*`. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/KeyRing" + } + ]; + + // Optional. Optional limit on the number of + // [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response. + // Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be + // obtained by including the + // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token] + // in a subsequent request. If unspecified, the server will pick an + // appropriate default. + int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Optional pagination token, returned earlier via + // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]. + string page_token = 3 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Only include resources that match the filter in the response. For + // more information, see + // [Sorting and filtering list + // results](https://cloud.google.com/kms/docs/sorting-and-filtering). + string filter = 4 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Specify how the results should be sorted. If not specified, the + // results will be sorted in the default order. For more information, see + // [Sorting and filtering list + // results](https://cloud.google.com/kms/docs/sorting-and-filtering). + string order_by = 5 [(google.api.field_behavior) = OPTIONAL]; +} + +// Response message for +// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings]. +message ListKeyRingsResponse { + // The list of [KeyRings][google.cloud.kms.v1.KeyRing]. + repeated KeyRing key_rings = 1; + + // A token to retrieve next page of results. Pass this value in + // [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token] + // to retrieve the next page of results. + string next_page_token = 2; + + // The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched + // the query. + int32 total_size = 3; +} + +// Response message for +// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys]. +message ListCryptoKeysResponse { + // The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey]. + repeated CryptoKey crypto_keys = 1; + + // A token to retrieve next page of results. Pass this value in + // [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token] + // to retrieve the next page of results. + string next_page_token = 2; + + // The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that + // matched the query. + int32 total_size = 3; +} + +// Response message for +// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions]. +message ListCryptoKeyVersionsResponse { + // The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. + repeated CryptoKeyVersion crypto_key_versions = 1; + + // A token to retrieve next page of results. Pass this value in + // [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token] + // to retrieve the next page of results. + string next_page_token = 2; + + // The total number of + // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the + // query. + int32 total_size = 3; +} + +// Response message for +// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs]. +message ListImportJobsResponse { + // The list of [ImportJobs][google.cloud.kms.v1.ImportJob]. + repeated ImportJob import_jobs = 1; + + // A token to retrieve next page of results. Pass this value in + // [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token] + // to retrieve the next page of results. + string next_page_token = 2; + + // The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that + // matched the query. + int32 total_size = 3; +} + +// Request message for +// [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing]. +message GetKeyRingRequest { + // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the + // [KeyRing][google.cloud.kms.v1.KeyRing] to get. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/KeyRing" + } + ]; +} + +// Request message for +// [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey]. +message GetCryptoKeyRequest { + // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] to get. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKey" + } + ]; +} + +// Request message for +// [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion]. +message GetCryptoKeyVersionRequest { + // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKeyVersion" + } + ]; +} + +// Request message for +// [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. +message GetPublicKeyRequest { + // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKeyVersion" + } + ]; +} + +// Request message for +// [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob]. +message GetImportJobRequest { + // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the + // [ImportJob][google.cloud.kms.v1.ImportJob] to get. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/ImportJob" + } + ]; +} + +// Request message for +// [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing]. +message CreateKeyRingRequest { + // Required. The resource name of the location associated with the + // [KeyRings][google.cloud.kms.v1.KeyRing], in the format + // `projects/*/locations/*`. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "locations.googleapis.com/Location" + } + ]; + + // Required. It must be unique within a location and match the regular + // expression `[a-zA-Z0-9_-]{1,63}` + string key_ring_id = 2 [(google.api.field_behavior) = REQUIRED]; + + // Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field + // values. + KeyRing key_ring = 3 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for +// [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey]. +message CreateCryptoKeyRequest { + // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing + // associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey]. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/KeyRing" + } + ]; + + // Required. It must be unique within a KeyRing and match the regular + // expression `[a-zA-Z0-9_-]{1,63}` + string crypto_key_id = 2 [(google.api.field_behavior) = REQUIRED]; + + // Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field + // values. + CryptoKey crypto_key = 3 [(google.api.field_behavior) = REQUIRED]; + + // If set to true, the request will create a + // [CryptoKey][google.cloud.kms.v1.CryptoKey] without any + // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must + // manually call + // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] + // or + // [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion] + // before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey]. + bool skip_initial_version_creation = 5; +} + +// Request message for +// [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]. +message CreateCryptoKeyVersionRequest { + // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the + // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKey" + } + ]; + + // Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + // initial field values. + CryptoKeyVersion crypto_key_version = 2 + [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for +// [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. +message ImportCryptoKeyVersionRequest { + // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKey" + } + ]; + + // Required. The + // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] + // of the key being imported. This does not need to match the + // [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into. + CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2 + [(google.api.field_behavior) = REQUIRED]; + + // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the + // [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key + // material. + string import_job = 4 [(google.api.field_behavior) = REQUIRED]; + + // Required. The incoming wrapped key material that is to be imported. + oneof wrapped_key_material { + // Wrapped key material produced with + // [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256] + // or + // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]. + // + // This field contains the concatenation of two wrapped keys: + //
    + //
  1. An ephemeral AES-256 wrapping key wrapped with the + // [public_key][google.cloud.kms.v1.ImportJob.public_key] using + // RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label. + //
    2. + //
  2. The key to be imported, wrapped with the ephemeral AES-256 key + // using AES-KWP (RFC 5649). + //
    3. + //
+ // + // If importing symmetric key material, it is expected that the unwrapped + // key contains plain bytes. If importing asymmetric key material, it is + // expected that the unwrapped key is in PKCS#8-encoded DER format (the + // PrivateKeyInfo structure from RFC 5208). + // + // This format is the same as the format produced by PKCS#11 mechanism + // CKM_RSA_AES_KEY_WRAP. + bytes rsa_aes_wrapped_key = 5; + } +} + +// Request message for +// [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob]. +message CreateImportJobRequest { + // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the + // [KeyRing][google.cloud.kms.v1.KeyRing] associated with the + // [ImportJobs][google.cloud.kms.v1.ImportJob]. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/KeyRing" + } + ]; + + // Required. It must be unique within a KeyRing and match the regular + // expression `[a-zA-Z0-9_-]{1,63}` + string import_job_id = 2 [(google.api.field_behavior) = REQUIRED]; + + // Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field + // values. + ImportJob import_job = 3 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for +// [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey]. +message UpdateCryptoKeyRequest { + // Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values. + CryptoKey crypto_key = 1 [(google.api.field_behavior) = REQUIRED]; + + // Required. List of fields to be updated in this request. + google.protobuf.FieldMask update_mask = 2 + [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for +// [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion]. +message UpdateCryptoKeyVersionRequest { + // Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + // updated values. + CryptoKeyVersion crypto_key_version = 1 + [(google.api.field_behavior) = REQUIRED]; + + // Required. List of fields to be updated in this request. + google.protobuf.FieldMask update_mask = 2 + [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for +// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. +message EncryptRequest { + // Required. The resource name of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] or + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for + // encryption. + // + // If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server + // will use its [primary version][google.cloud.kms.v1.CryptoKey.primary]. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { type: "*" } + ]; + + // Required. The data to encrypt. Must be no larger than 64KiB. + // + // The maximum size depends on the key version's + // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. + // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the + // plaintext must be no larger than 64KiB. For + // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of + // the plaintext and additional_authenticated_data fields must be no larger + // than 8KiB. + bytes plaintext = 2 [(google.api.field_behavior) = REQUIRED]; + + // Optional. Optional data that, if specified, must also be provided during + // decryption through + // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. + // + // The maximum size depends on the key version's + // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. + // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD + // must be no larger than 64KiB. For + // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of + // the plaintext and additional_authenticated_data fields must be no larger + // than 8KiB. + bytes additional_authenticated_data = 3 + [(google.api.field_behavior) = OPTIONAL]; + + // Optional. An optional CRC32C checksum of the + // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. + // If specified, + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // verify the integrity of the received + // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext] + // using this checksum. + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // report an error if the checksum verification fails. If you receive a + // checksum error, your client should verify that + // CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]) + // is equal to + // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c], + // and if so, perform a limited number of retries. A persistent mismatch may + // indicate an issue in your computation of the CRC32C checksum. Note: This + // field is defined as int64 for reasons of compatibility across different + // languages. However, it is a non-negative integer, which will never exceed + // 2^32-1, and can be safely downconverted to uint32 in languages that support + // this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value plaintext_crc32c = 7 + [(google.api.field_behavior) = OPTIONAL]; + + // Optional. An optional CRC32C checksum of the + // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. + // If specified, + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // verify the integrity of the received + // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data] + // using this checksum. + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // report an error if the checksum verification fails. If you receive a + // checksum error, your client should verify that + // CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]) + // is equal to + // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c], + // and if so, perform a limited number of retries. A persistent mismatch may + // indicate an issue in your computation of the CRC32C checksum. Note: This + // field is defined as int64 for reasons of compatibility across different + // languages. However, it is a non-negative integer, which will never exceed + // 2^32-1, and can be safely downconverted to uint32 in languages that support + // this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 + [(google.api.field_behavior) = OPTIONAL]; +} + +// Request message for +// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. +message DecryptRequest { + // Required. The resource name of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The + // server will choose the appropriate version. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKey" + } + ]; + + // Required. The encrypted data originally returned in + // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]. + bytes ciphertext = 2 [(google.api.field_behavior) = REQUIRED]; + + // Optional. Optional data that must match the data originally supplied in + // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. + bytes additional_authenticated_data = 3 + [(google.api.field_behavior) = OPTIONAL]; + + // Optional. An optional CRC32C checksum of the + // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. + // If specified, + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // verify the integrity of the received + // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext] + // using this checksum. + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // report an error if the checksum verification fails. If you receive a + // checksum error, your client should verify that + // CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]) + // is equal to + // [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c], + // and if so, perform a limited number of retries. A persistent mismatch may + // indicate an issue in your computation of the CRC32C checksum. Note: This + // field is defined as int64 for reasons of compatibility across different + // languages. However, it is a non-negative integer, which will never exceed + // 2^32-1, and can be safely downconverted to uint32 in languages that support + // this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value ciphertext_crc32c = 5 + [(google.api.field_behavior) = OPTIONAL]; + + // Optional. An optional CRC32C checksum of the + // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. + // If specified, + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // verify the integrity of the received + // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data] + // using this checksum. + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // report an error if the checksum verification fails. If you receive a + // checksum error, your client should verify that + // CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]) + // is equal to + // [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c], + // and if so, perform a limited number of retries. A persistent mismatch may + // indicate an issue in your computation of the CRC32C checksum. Note: This + // field is defined as int64 for reasons of compatibility across different + // languages. However, it is a non-negative integer, which will never exceed + // 2^32-1, and can be safely downconverted to uint32 in languages that support + // this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 + [(google.api.field_behavior) = OPTIONAL]; +} + +// Request message for +// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]. +message AsymmetricSignRequest { + // Required. The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for + // signing. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKeyVersion" + } + ]; + + // Required. The digest of the data to sign. The digest must be produced with + // the same digest algorithm as specified by the key version's + // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm]. + Digest digest = 3 [(google.api.field_behavior) = REQUIRED]; + + // Optional. An optional CRC32C checksum of the + // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. + // If specified, + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // verify the integrity of the received + // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest] + // using this checksum. + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // report an error if the checksum verification fails. If you receive a + // checksum error, your client should verify that + // CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]) + // is equal to + // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c], + // and if so, perform a limited number of retries. A persistent mismatch may + // indicate an issue in your computation of the CRC32C checksum. Note: This + // field is defined as int64 for reasons of compatibility across different + // languages. However, it is a non-negative integer, which will never exceed + // 2^32-1, and can be safely downconverted to uint32 in languages that support + // this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value digest_crc32c = 4 + [(google.api.field_behavior) = OPTIONAL]; +} + +// Request message for +// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]. +message AsymmetricDecryptRequest { + // Required. The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for + // decryption. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKeyVersion" + } + ]; + + // Required. The data encrypted with the named + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using + // OAEP. + bytes ciphertext = 3 [(google.api.field_behavior) = REQUIRED]; + + // Optional. An optional CRC32C checksum of the + // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. + // If specified, + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // verify the integrity of the received + // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext] + // using this checksum. + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will + // report an error if the checksum verification fails. If you receive a + // checksum error, your client should verify that + // CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]) + // is equal to + // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c], + // and if so, perform a limited number of retries. A persistent mismatch may + // indicate an issue in your computation of the CRC32C checksum. Note: This + // field is defined as int64 for reasons of compatibility across different + // languages. However, it is a non-negative integer, which will never exceed + // 2^32-1, and can be safely downconverted to uint32 in languages that support + // this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value ciphertext_crc32c = 4 + [(google.api.field_behavior) = OPTIONAL]; +} + +// Response message for +// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. +message DecryptResponse { + // The decrypted data originally supplied in + // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. + bytes plaintext = 1; + + // Integrity verification field. A CRC32C checksum of the returned + // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]. + // An integrity check of + // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] + // can be performed by computing the CRC32C checksum of + // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] + // and comparing your results to this field. Discard the response in case of + // non-matching checksum values, and perform a limited number of retries. A + // persistent mismatch may indicate an issue in your computation of the CRC32C + // checksum. Note: receiving this response message indicates that + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to + // successfully decrypt the + // [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This + // field is defined as int64 for reasons of compatibility across different + // languages. However, it is a non-negative integer, which will never exceed + // 2^32-1, and can be safely downconverted to uint32 in languages that support + // this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value plaintext_crc32c = 2; +} + +// Response message for +// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. +message EncryptResponse { + // The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in + // encryption. Check this field to verify that the intended resource was used + // for encryption. + string name = 1; + + // The encrypted data. + bytes ciphertext = 2; + + // Integrity verification field. A CRC32C checksum of the returned + // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]. + // An integrity check of + // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] + // can be performed by computing the CRC32C checksum of + // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] + // and comparing your results to this field. Discard the response in case of + // non-matching checksum values, and perform a limited number of retries. A + // persistent mismatch may indicate an issue in your computation of the CRC32C + // checksum. Note: This field is defined as int64 for reasons of compatibility + // across different languages. However, it is a non-negative integer, which + // will never exceed 2^32-1, and can be safely downconverted to uint32 in + // languages that support this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value ciphertext_crc32c = 4; + + // Integrity verification field. A flag indicating whether + // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] + // was received by + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used + // for the integrity verification of the + // [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of + // this field indicates either that + // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] + // was left unset or that it was not delivered to + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've + // set + // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] + // but this field is still false, discard the response and perform a limited + // number of retries. + // + // NOTE: This field is in Beta. + bool verified_plaintext_crc32c = 5; + + // Integrity verification field. A flag indicating whether + // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] + // was received by + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used + // for the integrity verification of the + // [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A + // false value of this field indicates either that + // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] + // was left unset or that it was not delivered to + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've + // set + // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] + // but this field is still false, discard the response and perform a limited + // number of retries. + // + // NOTE: This field is in Beta. + bool verified_additional_authenticated_data_crc32c = 6; +} + +// Response message for +// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]. +message AsymmetricSignResponse { + // The created signature. + bytes signature = 1; + + // Integrity verification field. A CRC32C checksum of the returned + // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]. + // An integrity check of + // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] + // can be performed by computing the CRC32C checksum of + // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] + // and comparing your results to this field. Discard the response in case of + // non-matching checksum values, and perform a limited number of retries. A + // persistent mismatch may indicate an issue in your computation of the CRC32C + // checksum. Note: This field is defined as int64 for reasons of compatibility + // across different languages. However, it is a non-negative integer, which + // will never exceed 2^32-1, and can be safely downconverted to uint32 in + // languages that support this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value signature_crc32c = 2; + + // Integrity verification field. A flag indicating whether + // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] + // was received by + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used + // for the integrity verification of the + // [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value + // of this field indicates either that + // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] + // was left unset or that it was not delivered to + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've + // set + // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] + // but this field is still false, discard the response and perform a limited + // number of retries. + // + // NOTE: This field is in Beta. + bool verified_digest_crc32c = 3; + + // The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing. + // Check this field to verify that the intended resource was used for signing. + // + // NOTE: This field is in Beta. + string name = 4; +} + +// Response message for +// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]. +message AsymmetricDecryptResponse { + // The decrypted data originally encrypted with the matching public key. + bytes plaintext = 1; + + // Integrity verification field. A CRC32C checksum of the returned + // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]. + // An integrity check of + // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext] + // can be performed by computing the CRC32C checksum of + // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext] + // and comparing your results to this field. Discard the response in case of + // non-matching checksum values, and perform a limited number of retries. A + // persistent mismatch may indicate an issue in your computation of the CRC32C + // checksum. Note: This field is defined as int64 for reasons of compatibility + // across different languages. However, it is a non-negative integer, which + // will never exceed 2^32-1, and can be safely downconverted to uint32 in + // languages that support this type. + // + // NOTE: This field is in Beta. + google.protobuf.Int64Value plaintext_crc32c = 2; + + // Integrity verification field. A flag indicating whether + // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c] + // was received by + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used + // for the integrity verification of the + // [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A + // false value of this field indicates either that + // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c] + // was left unset or that it was not delivered to + // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've + // set + // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c] + // but this field is still false, discard the response and perform a limited + // number of retries. + // + // NOTE: This field is in Beta. + bool verified_ciphertext_crc32c = 3; +} + +// Request message for +// [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. +message UpdateCryptoKeyPrimaryVersionRequest { + // Required. The resource name of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKey" + } + ]; + + // Required. The id of the child + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary. + string crypto_key_version_id = 2 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for +// [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]. +message DestroyCryptoKeyVersionRequest { + // Required. The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKeyVersion" + } + ]; +} + +// Request message for +// [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]. +message RestoreCryptoKeyVersionRequest { + // Required. The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudkms.googleapis.com/CryptoKeyVersion" + } + ]; +} + +// A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest. +message Digest { + // Required. The message digest. + oneof digest { + // A message digest produced with the SHA-256 algorithm. + bytes sha256 = 1; + + // A message digest produced with the SHA-384 algorithm. + bytes sha384 = 2; + + // A message digest produced with the SHA-512 algorithm. + bytes sha512 = 3; + } +} + +// Cloud KMS metadata for the given +// [google.cloud.location.Location][google.cloud.location.Location]. +message LocationMetadata { + // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with + // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] + // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this + // location. + bool hsm_available = 1; + + // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with + // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] + // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in + // this location. + bool ekm_available = 2; +} diff --git a/test/integration/goldens/kms/GrpcKeyManagementServiceStub.java b/test/integration/goldens/kms/GrpcKeyManagementServiceStub.java index 19bac47baf..692563c0a8 100644 --- a/test/integration/goldens/kms/GrpcKeyManagementServiceStub.java +++ b/test/integration/goldens/kms/GrpcKeyManagementServiceStub.java @@ -313,19 +313,19 @@ public class GrpcKeyManagementServiceStub extends KeyManagementServiceStub { .setResponseMarshaller(ProtoUtils.marshaller(CryptoKeyVersion.getDefaultInstance())) .build(); - private static final MethodDescriptor setIamPolicyMethodDescriptor = - MethodDescriptor.newBuilder() + private static final MethodDescriptor getIamPolicyMethodDescriptor = + MethodDescriptor.newBuilder() .setType(MethodDescriptor.MethodType.UNARY) - .setFullMethodName("google.iam.v1.IAMPolicy/SetIamPolicy") - .setRequestMarshaller(ProtoUtils.marshaller(SetIamPolicyRequest.getDefaultInstance())) + .setFullMethodName("google.cloud.kms.v1.KeyManagementService/GetIamPolicy") + .setRequestMarshaller(ProtoUtils.marshaller(GetIamPolicyRequest.getDefaultInstance())) .setResponseMarshaller(ProtoUtils.marshaller(Policy.getDefaultInstance())) .build(); - private static final MethodDescriptor getIamPolicyMethodDescriptor = - MethodDescriptor.newBuilder() + private static final MethodDescriptor setIamPolicyMethodDescriptor = + MethodDescriptor.newBuilder() .setType(MethodDescriptor.MethodType.UNARY) - .setFullMethodName("google.iam.v1.IAMPolicy/GetIamPolicy") - .setRequestMarshaller(ProtoUtils.marshaller(GetIamPolicyRequest.getDefaultInstance())) + .setFullMethodName("google.iam.v1.IAMPolicy/SetIamPolicy") + .setRequestMarshaller(ProtoUtils.marshaller(SetIamPolicyRequest.getDefaultInstance())) .setResponseMarshaller(ProtoUtils.marshaller(Policy.getDefaultInstance())) .build(); @@ -380,8 +380,8 @@ public class GrpcKeyManagementServiceStub extends KeyManagementServiceStub { destroyCryptoKeyVersionCallable; private final UnaryCallable restoreCryptoKeyVersionCallable; - private final UnaryCallable setIamPolicyCallable; private final UnaryCallable getIamPolicyCallable; + private final UnaryCallable setIamPolicyCallable; private final UnaryCallable testIamPermissionsCallable; @@ -744,26 +744,26 @@ public Map extract(RestoreCryptoKeyVersionRequest request) { } }) .build(); - GrpcCallSettings setIamPolicyTransportSettings = - GrpcCallSettings.newBuilder() - .setMethodDescriptor(setIamPolicyMethodDescriptor) + GrpcCallSettings getIamPolicyTransportSettings = + GrpcCallSettings.newBuilder() + .setMethodDescriptor(getIamPolicyMethodDescriptor) .setParamsExtractor( - new RequestParamsExtractor() { + new RequestParamsExtractor() { @Override - public Map extract(SetIamPolicyRequest request) { + public Map extract(GetIamPolicyRequest request) { ImmutableMap.Builder params = ImmutableMap.builder(); params.put("resource", String.valueOf(request.getResource())); return params.build(); } }) .build(); - GrpcCallSettings getIamPolicyTransportSettings = - GrpcCallSettings.newBuilder() - .setMethodDescriptor(getIamPolicyMethodDescriptor) + GrpcCallSettings setIamPolicyTransportSettings = + GrpcCallSettings.newBuilder() + .setMethodDescriptor(setIamPolicyMethodDescriptor) .setParamsExtractor( - new RequestParamsExtractor() { + new RequestParamsExtractor() { @Override - public Map extract(GetIamPolicyRequest request) { + public Map extract(SetIamPolicyRequest request) { ImmutableMap.Builder params = ImmutableMap.builder(); params.put("resource", String.valueOf(request.getResource())); return params.build(); @@ -886,12 +886,12 @@ public Map extract(TestIamPermissionsRequest request) { restoreCryptoKeyVersionTransportSettings, settings.restoreCryptoKeyVersionSettings(), clientContext); - this.setIamPolicyCallable = - callableFactory.createUnaryCallable( - setIamPolicyTransportSettings, settings.setIamPolicySettings(), clientContext); this.getIamPolicyCallable = callableFactory.createUnaryCallable( getIamPolicyTransportSettings, settings.getIamPolicySettings(), clientContext); + this.setIamPolicyCallable = + callableFactory.createUnaryCallable( + setIamPolicyTransportSettings, settings.setIamPolicySettings(), clientContext); this.testIamPermissionsCallable = callableFactory.createUnaryCallable( testIamPermissionsTransportSettings, @@ -1053,13 +1053,13 @@ public UnaryCallable asymmetricSi } @Override - public UnaryCallable setIamPolicyCallable() { - return setIamPolicyCallable; + public UnaryCallable getIamPolicyCallable() { + return getIamPolicyCallable; } @Override - public UnaryCallable getIamPolicyCallable() { - return getIamPolicyCallable; + public UnaryCallable setIamPolicyCallable() { + return setIamPolicyCallable; } @Override diff --git a/test/integration/goldens/kms/KeyManagementServiceClient.java b/test/integration/goldens/kms/KeyManagementServiceClient.java index a1580d3b66..6ce8a338f8 100644 --- a/test/integration/goldens/kms/KeyManagementServiceClient.java +++ b/test/integration/goldens/kms/KeyManagementServiceClient.java @@ -3107,104 +3107,104 @@ public final CryptoKeyVersion restoreCryptoKeyVersion(RestoreCryptoKeyVersionReq // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Sets the access control policy on the specified resource. Replaces any existing policy. + * Gets the access control policy for a resource. ADDED ONLY FOR MIXIN TESTS. Returns an empty + * policy if the resource exists and does not have a policy set. * *

Sample code: * * 

{@code
    * try (KeyManagementServiceClient keyManagementServiceClient =
    *     KeyManagementServiceClient.create()) {
-   *   SetIamPolicyRequest request =
-   *       SetIamPolicyRequest.newBuilder()
+   *   GetIamPolicyRequest request =
+   *       GetIamPolicyRequest.newBuilder()
    *           .setResource(KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]").toString())
-   *           .setPolicy(Policy.newBuilder().build())
+   *           .setOptions(GetPolicyOptions.newBuilder().build())
    *           .build();
-   *   Policy response = keyManagementServiceClient.setIamPolicy(request);
+   *   Policy response = keyManagementServiceClient.getIamPolicy(request);
    * }
    * }
* * @param request The request object containing all of the parameters for the API call. * @throws com.google.api.gax.rpc.ApiException if the remote call fails */ - public final Policy setIamPolicy(SetIamPolicyRequest request) { - return setIamPolicyCallable().call(request); + public final Policy getIamPolicy(GetIamPolicyRequest request) { + return getIamPolicyCallable().call(request); } // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Sets the access control policy on the specified resource. Replaces any existing policy. + * Gets the access control policy for a resource. ADDED ONLY FOR MIXIN TESTS. Returns an empty + * policy if the resource exists and does not have a policy set. * *

Sample code: * * 

{@code
    * try (KeyManagementServiceClient keyManagementServiceClient =
    *     KeyManagementServiceClient.create()) {
-   *   SetIamPolicyRequest request =
-   *       SetIamPolicyRequest.newBuilder()
+   *   GetIamPolicyRequest request =
+   *       GetIamPolicyRequest.newBuilder()
    *           .setResource(KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]").toString())
-   *           .setPolicy(Policy.newBuilder().build())
+   *           .setOptions(GetPolicyOptions.newBuilder().build())
    *           .build();
    *   ApiFuture future =
-   *       keyManagementServiceClient.setIamPolicyCallable().futureCall(request);
+   *       keyManagementServiceClient.getIamPolicyCallable().futureCall(request);
    *   // Do something.
    *   Policy response = future.get();
    * }
    * }
*/ - public final UnaryCallable setIamPolicyCallable() { - return stub.setIamPolicyCallable(); + public final UnaryCallable getIamPolicyCallable() { + return stub.getIamPolicyCallable(); } // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Gets the access control policy for a resource. Returns an empty policy if the resource exists - * and does not have a policy set. + * Sets the access control policy on the specified resource. Replaces any existing policy. * *

Sample code: * * 

{@code
    * try (KeyManagementServiceClient keyManagementServiceClient =
    *     KeyManagementServiceClient.create()) {
-   *   GetIamPolicyRequest request =
-   *       GetIamPolicyRequest.newBuilder()
+   *   SetIamPolicyRequest request =
+   *       SetIamPolicyRequest.newBuilder()
    *           .setResource(KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]").toString())
-   *           .setOptions(GetPolicyOptions.newBuilder().build())
+   *           .setPolicy(Policy.newBuilder().build())
    *           .build();
-   *   Policy response = keyManagementServiceClient.getIamPolicy(request);
+   *   Policy response = keyManagementServiceClient.setIamPolicy(request);
    * }
    * }
* * @param request The request object containing all of the parameters for the API call. * @throws com.google.api.gax.rpc.ApiException if the remote call fails */ - public final Policy getIamPolicy(GetIamPolicyRequest request) { - return getIamPolicyCallable().call(request); + public final Policy setIamPolicy(SetIamPolicyRequest request) { + return setIamPolicyCallable().call(request); } // AUTO-GENERATED DOCUMENTATION AND METHOD. /** - * Gets the access control policy for a resource. Returns an empty policy if the resource exists - * and does not have a policy set. + * Sets the access control policy on the specified resource. Replaces any existing policy. * *

Sample code: * * 

{@code
    * try (KeyManagementServiceClient keyManagementServiceClient =
    *     KeyManagementServiceClient.create()) {
-   *   GetIamPolicyRequest request =
-   *       GetIamPolicyRequest.newBuilder()
+   *   SetIamPolicyRequest request =
+   *       SetIamPolicyRequest.newBuilder()
    *           .setResource(KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]").toString())
-   *           .setOptions(GetPolicyOptions.newBuilder().build())
+   *           .setPolicy(Policy.newBuilder().build())
    *           .build();
    *   ApiFuture future =
-   *       keyManagementServiceClient.getIamPolicyCallable().futureCall(request);
+   *       keyManagementServiceClient.setIamPolicyCallable().futureCall(request);
    *   // Do something.
    *   Policy response = future.get();
    * }
    * }
*/ - public final UnaryCallable getIamPolicyCallable() { - return stub.getIamPolicyCallable(); + public final UnaryCallable setIamPolicyCallable() { + return stub.setIamPolicyCallable(); } // AUTO-GENERATED DOCUMENTATION AND METHOD. diff --git a/test/integration/goldens/kms/KeyManagementServiceClientTest.java b/test/integration/goldens/kms/KeyManagementServiceClientTest.java index e185914bd3..9ed23027e3 100644 --- a/test/integration/goldens/kms/KeyManagementServiceClientTest.java +++ b/test/integration/goldens/kms/KeyManagementServiceClientTest.java @@ -2216,30 +2216,30 @@ public void restoreCryptoKeyVersionExceptionTest2() throws Exception { } @Test - public void setIamPolicyTest() throws Exception { + public void getIamPolicyTest() throws Exception { Policy expectedResponse = Policy.newBuilder() .setVersion(351608024) .addAllBindings(new ArrayList()) .setEtag(ByteString.EMPTY) .build(); - mockIAMPolicy.addResponse(expectedResponse); + mockKeyManagementService.addResponse(expectedResponse); - SetIamPolicyRequest request = - SetIamPolicyRequest.newBuilder() + GetIamPolicyRequest request = + GetIamPolicyRequest.newBuilder() .setResource(KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]").toString()) - .setPolicy(Policy.newBuilder().build()) + .setOptions(GetPolicyOptions.newBuilder().build()) .build(); - Policy actualResponse = client.setIamPolicy(request); + Policy actualResponse = client.getIamPolicy(request); Assert.assertEquals(expectedResponse, actualResponse); - List actualRequests = mockIAMPolicy.getRequests(); + List actualRequests = mockKeyManagementService.getRequests(); Assert.assertEquals(1, actualRequests.size()); - SetIamPolicyRequest actualRequest = ((SetIamPolicyRequest) actualRequests.get(0)); + GetIamPolicyRequest actualRequest = ((GetIamPolicyRequest) actualRequests.get(0)); Assert.assertEquals(request.getResource(), actualRequest.getResource()); - Assert.assertEquals(request.getPolicy(), actualRequest.getPolicy()); + Assert.assertEquals(request.getOptions(), actualRequest.getOptions()); Assert.assertTrue( channelProvider.isHeaderSent( ApiClientHeaderProvider.getDefaultApiClientHeaderKey(), @@ -2247,17 +2247,17 @@ public void setIamPolicyTest() throws Exception { } @Test - public void setIamPolicyExceptionTest() throws Exception { + public void getIamPolicyExceptionTest() throws Exception { StatusRuntimeException exception = new StatusRuntimeException(io.grpc.Status.INVALID_ARGUMENT); - mockIAMPolicy.addException(exception); + mockKeyManagementService.addException(exception); try { - SetIamPolicyRequest request = - SetIamPolicyRequest.newBuilder() + GetIamPolicyRequest request = + GetIamPolicyRequest.newBuilder() .setResource(KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]").toString()) - .setPolicy(Policy.newBuilder().build()) + .setOptions(GetPolicyOptions.newBuilder().build()) .build(); - client.setIamPolicy(request); + client.getIamPolicy(request); Assert.fail("No exception raised"); } catch (InvalidArgumentException e) { // Expected exception. @@ -2265,7 +2265,7 @@ public void setIamPolicyExceptionTest() throws Exception { } @Test - public void getIamPolicyTest() throws Exception { + public void setIamPolicyTest() throws Exception { Policy expectedResponse = Policy.newBuilder() .setVersion(351608024) @@ -2274,21 +2274,21 @@ public void getIamPolicyTest() throws Exception { .build(); mockIAMPolicy.addResponse(expectedResponse); - GetIamPolicyRequest request = - GetIamPolicyRequest.newBuilder() + SetIamPolicyRequest request = + SetIamPolicyRequest.newBuilder() .setResource(KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]").toString()) - .setOptions(GetPolicyOptions.newBuilder().build()) + .setPolicy(Policy.newBuilder().build()) .build(); - Policy actualResponse = client.getIamPolicy(request); + Policy actualResponse = client.setIamPolicy(request); Assert.assertEquals(expectedResponse, actualResponse); List actualRequests = mockIAMPolicy.getRequests(); Assert.assertEquals(1, actualRequests.size()); - GetIamPolicyRequest actualRequest = ((GetIamPolicyRequest) actualRequests.get(0)); + SetIamPolicyRequest actualRequest = ((SetIamPolicyRequest) actualRequests.get(0)); Assert.assertEquals(request.getResource(), actualRequest.getResource()); - Assert.assertEquals(request.getOptions(), actualRequest.getOptions()); + Assert.assertEquals(request.getPolicy(), actualRequest.getPolicy()); Assert.assertTrue( channelProvider.isHeaderSent( ApiClientHeaderProvider.getDefaultApiClientHeaderKey(), @@ -2296,17 +2296,17 @@ public void getIamPolicyTest() throws Exception { } @Test - public void getIamPolicyExceptionTest() throws Exception { + public void setIamPolicyExceptionTest() throws Exception { StatusRuntimeException exception = new StatusRuntimeException(io.grpc.Status.INVALID_ARGUMENT); mockIAMPolicy.addException(exception); try { - GetIamPolicyRequest request = - GetIamPolicyRequest.newBuilder() + SetIamPolicyRequest request = + SetIamPolicyRequest.newBuilder() .setResource(KeyRingName.of("[PROJECT]", "[LOCATION]", "[KEY_RING]").toString()) - .setOptions(GetPolicyOptions.newBuilder().build()) + .setPolicy(Policy.newBuilder().build()) .build(); - client.getIamPolicy(request); + client.setIamPolicy(request); Assert.fail("No exception raised"); } catch (InvalidArgumentException e) { // Expected exception. diff --git a/test/integration/goldens/kms/KeyManagementServiceSettings.java b/test/integration/goldens/kms/KeyManagementServiceSettings.java index acc300034d..862f6ca98d 100644 --- a/test/integration/goldens/kms/KeyManagementServiceSettings.java +++ b/test/integration/goldens/kms/KeyManagementServiceSettings.java @@ -212,16 +212,16 @@ public UnaryCallSettings asymmetr return ((KeyManagementServiceStubSettings) getStubSettings()).restoreCryptoKeyVersionSettings(); } - /** Returns the object with the settings used for calls to setIamPolicy. */ - public UnaryCallSettings setIamPolicySettings() { - return ((KeyManagementServiceStubSettings) getStubSettings()).setIamPolicySettings(); - } - /** Returns the object with the settings used for calls to getIamPolicy. */ public UnaryCallSettings getIamPolicySettings() { return ((KeyManagementServiceStubSettings) getStubSettings()).getIamPolicySettings(); } + /** Returns the object with the settings used for calls to setIamPolicy. */ + public UnaryCallSettings setIamPolicySettings() { + return ((KeyManagementServiceStubSettings) getStubSettings()).setIamPolicySettings(); + } + /** Returns the object with the settings used for calls to testIamPermissions. */ public UnaryCallSettings testIamPermissionsSettings() { @@ -461,16 +461,16 @@ public UnaryCallSettings.Builder decryptSetting return getStubSettingsBuilder().restoreCryptoKeyVersionSettings(); } - /** Returns the builder for the settings used for calls to setIamPolicy. */ - public UnaryCallSettings.Builder setIamPolicySettings() { - return getStubSettingsBuilder().setIamPolicySettings(); - } - /** Returns the builder for the settings used for calls to getIamPolicy. */ public UnaryCallSettings.Builder getIamPolicySettings() { return getStubSettingsBuilder().getIamPolicySettings(); } + /** Returns the builder for the settings used for calls to setIamPolicy. */ + public UnaryCallSettings.Builder setIamPolicySettings() { + return getStubSettingsBuilder().setIamPolicySettings(); + } + /** Returns the builder for the settings used for calls to testIamPermissions. */ public UnaryCallSettings.Builder testIamPermissionsSettings() { diff --git a/test/integration/goldens/kms/KeyManagementServiceStub.java b/test/integration/goldens/kms/KeyManagementServiceStub.java index 837b4b0bab..b180582def 100644 --- a/test/integration/goldens/kms/KeyManagementServiceStub.java +++ b/test/integration/goldens/kms/KeyManagementServiceStub.java @@ -196,14 +196,14 @@ public UnaryCallable asymmetricSi throw new UnsupportedOperationException("Not implemented: restoreCryptoKeyVersionCallable()"); } - public UnaryCallable setIamPolicyCallable() { - throw new UnsupportedOperationException("Not implemented: setIamPolicyCallable()"); - } - public UnaryCallable getIamPolicyCallable() { throw new UnsupportedOperationException("Not implemented: getIamPolicyCallable()"); } + public UnaryCallable setIamPolicyCallable() { + throw new UnsupportedOperationException("Not implemented: setIamPolicyCallable()"); + } + public UnaryCallable testIamPermissionsCallable() { throw new UnsupportedOperationException("Not implemented: testIamPermissionsCallable()"); diff --git a/test/integration/goldens/kms/KeyManagementServiceStubSettings.java b/test/integration/goldens/kms/KeyManagementServiceStubSettings.java index f36350a7ce..efc069c515 100644 --- a/test/integration/goldens/kms/KeyManagementServiceStubSettings.java +++ b/test/integration/goldens/kms/KeyManagementServiceStubSettings.java @@ -178,8 +178,8 @@ public class KeyManagementServiceStubSettings destroyCryptoKeyVersionSettings; private final UnaryCallSettings restoreCryptoKeyVersionSettings; - private final UnaryCallSettings setIamPolicySettings; private final UnaryCallSettings getIamPolicySettings; + private final UnaryCallSettings setIamPolicySettings; private final UnaryCallSettings testIamPermissionsSettings; @@ -541,16 +541,16 @@ public UnaryCallSettings asymmetr return restoreCryptoKeyVersionSettings; } - /** Returns the object with the settings used for calls to setIamPolicy. */ - public UnaryCallSettings setIamPolicySettings() { - return setIamPolicySettings; - } - /** Returns the object with the settings used for calls to getIamPolicy. */ public UnaryCallSettings getIamPolicySettings() { return getIamPolicySettings; } + /** Returns the object with the settings used for calls to setIamPolicy. */ + public UnaryCallSettings setIamPolicySettings() { + return setIamPolicySettings; + } + /** Returns the object with the settings used for calls to testIamPermissions. */ public UnaryCallSettings testIamPermissionsSettings() { @@ -650,8 +650,8 @@ protected KeyManagementServiceStubSettings(Builder settingsBuilder) throws IOExc settingsBuilder.updateCryptoKeyPrimaryVersionSettings().build(); destroyCryptoKeyVersionSettings = settingsBuilder.destroyCryptoKeyVersionSettings().build(); restoreCryptoKeyVersionSettings = settingsBuilder.restoreCryptoKeyVersionSettings().build(); - setIamPolicySettings = settingsBuilder.setIamPolicySettings().build(); getIamPolicySettings = settingsBuilder.getIamPolicySettings().build(); + setIamPolicySettings = settingsBuilder.setIamPolicySettings().build(); testIamPermissionsSettings = settingsBuilder.testIamPermissionsSettings().build(); } @@ -704,8 +704,8 @@ public static class Builder destroyCryptoKeyVersionSettings; private final UnaryCallSettings.Builder restoreCryptoKeyVersionSettings; - private final UnaryCallSettings.Builder setIamPolicySettings; private final UnaryCallSettings.Builder getIamPolicySettings; + private final UnaryCallSettings.Builder setIamPolicySettings; private final UnaryCallSettings.Builder testIamPermissionsSettings; private static final ImmutableMap> @@ -782,8 +782,8 @@ protected Builder(ClientContext clientContext) { updateCryptoKeyPrimaryVersionSettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); destroyCryptoKeyVersionSettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); restoreCryptoKeyVersionSettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); - setIamPolicySettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); getIamPolicySettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); + setIamPolicySettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); testIamPermissionsSettings = UnaryCallSettings.newUnaryCallSettingsBuilder(); unaryMethodSettingsBuilders = @@ -811,8 +811,8 @@ protected Builder(ClientContext clientContext) { updateCryptoKeyPrimaryVersionSettings, destroyCryptoKeyVersionSettings, restoreCryptoKeyVersionSettings, - setIamPolicySettings, getIamPolicySettings, + setIamPolicySettings, testIamPermissionsSettings); initDefaults(this); } @@ -844,8 +844,8 @@ protected Builder(KeyManagementServiceStubSettings settings) { settings.updateCryptoKeyPrimaryVersionSettings.toBuilder(); destroyCryptoKeyVersionSettings = settings.destroyCryptoKeyVersionSettings.toBuilder(); restoreCryptoKeyVersionSettings = settings.restoreCryptoKeyVersionSettings.toBuilder(); - setIamPolicySettings = settings.setIamPolicySettings.toBuilder(); getIamPolicySettings = settings.getIamPolicySettings.toBuilder(); + setIamPolicySettings = settings.setIamPolicySettings.toBuilder(); testIamPermissionsSettings = settings.testIamPermissionsSettings.toBuilder(); unaryMethodSettingsBuilders = @@ -873,8 +873,8 @@ protected Builder(KeyManagementServiceStubSettings settings) { updateCryptoKeyPrimaryVersionSettings, destroyCryptoKeyVersionSettings, restoreCryptoKeyVersionSettings, - setIamPolicySettings, getIamPolicySettings, + setIamPolicySettings, testIamPermissionsSettings); } @@ -1006,12 +1006,12 @@ private static Builder initDefaults(Builder builder) { .setRetrySettings(RETRY_PARAM_DEFINITIONS.get("retry_policy_1_params")); builder - .setIamPolicySettings() + .getIamPolicySettings() .setRetryableCodes(RETRYABLE_CODE_DEFINITIONS.get("retry_policy_1_codes")) .setRetrySettings(RETRY_PARAM_DEFINITIONS.get("retry_policy_1_params")); builder - .getIamPolicySettings() + .setIamPolicySettings() .setRetryableCodes(RETRYABLE_CODE_DEFINITIONS.get("retry_policy_1_codes")) .setRetrySettings(RETRY_PARAM_DEFINITIONS.get("retry_policy_1_params")); @@ -1173,16 +1173,16 @@ public UnaryCallSettings.Builder decryptSetting return restoreCryptoKeyVersionSettings; } - /** Returns the builder for the settings used for calls to setIamPolicy. */ - public UnaryCallSettings.Builder setIamPolicySettings() { - return setIamPolicySettings; - } - /** Returns the builder for the settings used for calls to getIamPolicy. */ public UnaryCallSettings.Builder getIamPolicySettings() { return getIamPolicySettings; } + /** Returns the builder for the settings used for calls to setIamPolicy. */ + public UnaryCallSettings.Builder setIamPolicySettings() { + return setIamPolicySettings; + } + /** Returns the builder for the settings used for calls to testIamPermissions. */ public UnaryCallSettings.Builder testIamPermissionsSettings() { diff --git a/test/integration/goldens/kms/MockKeyManagementServiceImpl.java b/test/integration/goldens/kms/MockKeyManagementServiceImpl.java index d979462264..b6b9fbda5c 100644 --- a/test/integration/goldens/kms/MockKeyManagementServiceImpl.java +++ b/test/integration/goldens/kms/MockKeyManagementServiceImpl.java @@ -18,6 +18,8 @@ import com.google.api.core.BetaApi; import com.google.cloud.kms.v1.KeyManagementServiceGrpc.KeyManagementServiceImplBase; +import com.google.iam.v1.GetIamPolicyRequest; +import com.google.iam.v1.Policy; import com.google.protobuf.AbstractMessage; import io.grpc.stub.StreamObserver; import java.util.ArrayList; @@ -539,4 +541,24 @@ public void restoreCryptoKeyVersion( Exception.class.getName()))); } } + + @Override + public void getIamPolicy(GetIamPolicyRequest request, StreamObserver responseObserver) { + Object response = responses.remove(); + if (response instanceof Policy) { + requests.add(request); + responseObserver.onNext(((Policy) response)); + responseObserver.onCompleted(); + } else if (response instanceof Exception) { + responseObserver.onError(((Exception) response)); + } else { + responseObserver.onError( + new IllegalArgumentException( + String.format( + "Unrecognized response type %s for method GetIamPolicy, expected %s or %s", + response.getClass().getName(), + Policy.class.getName(), + Exception.class.getName()))); + } + } }