// Copyright 2024 Google LLC.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Code generated file. DO NOT EDIT.

// Package binaryauthorization provides access to the Binary Authorization API.
//
// For product documentation, see: https://cloud.google.com/binary-authorization/
//
// # Library status
//
// These client libraries are officially supported by Google. However, this
// library is considered complete and is in maintenance mode. This means
// that we will address critical bugs and security issues but will not add
// any new features.
//
// When possible, we recommend using our newer
// [Cloud Client Libraries for Go](https://pkg.go.dev/cloud.google.com/go)
// that are still actively being worked and iterated on.
//
// # Creating a client
//
// Usage example:
//
//	import "google.golang.org/api/binaryauthorization/v1"
//	...
//	ctx := context.Background()
//	binaryauthorizationService, err := binaryauthorization.NewService(ctx)
//
// In this example, Google Application Default Credentials are used for
// authentication. For information on how to create and obtain Application
// Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.
//
// # Other authentication options
//
// To use an API key for authentication (note: some APIs do not support API
// keys), use [google.golang.org/api/option.WithAPIKey]:
//
//	binaryauthorizationService, err := binaryauthorization.NewService(ctx, option.WithAPIKey("AIza..."))
//
// To use an OAuth token (e.g., a user token obtained via a three-legged OAuth
// flow), use [google.golang.org/api/option.WithTokenSource]:
//
//	config := &oauth2.Config{...}
//	// ...
//	token, err := config.Exchange(ctx, ...)
48 // binaryauthorizationService, err := binaryauthorization.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token))) 49 // 50 // See [google.golang.org/api/option.ClientOption] for details on options. 51 package binaryauthorization // import "google.golang.org/api/binaryauthorization/v1" 52 53 import ( 54 "bytes" 55 "context" 56 "encoding/json" 57 "errors" 58 "fmt" 59 "io" 60 "net/http" 61 "net/url" 62 "strconv" 63 "strings" 64 65 googleapi "google.golang.org/api/googleapi" 66 internal "google.golang.org/api/internal" 67 gensupport "google.golang.org/api/internal/gensupport" 68 option "google.golang.org/api/option" 69 internaloption "google.golang.org/api/option/internaloption" 70 htransport "google.golang.org/api/transport/http" 71 ) 72 73 // Always reference these packages, just in case the auto-generated code 74 // below doesn't. 75 var _ = bytes.NewBuffer 76 var _ = strconv.Itoa 77 var _ = fmt.Sprintf 78 var _ = json.NewDecoder 79 var _ = io.Copy 80 var _ = url.Parse 81 var _ = gensupport.MarshalJSON 82 var _ = googleapi.Version 83 var _ = errors.New 84 var _ = strings.Replace 85 var _ = context.Canceled 86 var _ = internaloption.WithDefaultEndpoint 87 var _ = internal.Version 88 89 const apiId = "binaryauthorization:v1" 90 const apiName = "binaryauthorization" 91 const apiVersion = "v1" 92 const basePath = "https://binaryauthorization.googleapis.com/" 93 const basePathTemplate = "https://binaryauthorization.UNIVERSE_DOMAIN/" 94 const mtlsBasePath = "https://binaryauthorization.mtls.googleapis.com/" 95 96 // OAuth2 scopes used by this API. 97 const ( 98 // See, edit, configure, and delete your Google Cloud data and see the email 99 // address for your Google Account. 100 CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform" 101 ) 102 103 // NewService creates a new Service. 
func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) {
	// The library's default scope is placed ahead of the caller's options so
	// that scopes supplied by the caller are not overridden.
	defaults := []option.ClientOption{
		internaloption.WithDefaultScopes(
			"https://www.googleapis.com/auth/cloud-platform",
		),
	}
	opts = append(defaults, opts...)

	// Default endpoints and the auth-library switch are appended after the
	// caller's options.
	opts = append(opts,
		internaloption.WithDefaultEndpoint(basePath),
		internaloption.WithDefaultEndpointTemplate(basePathTemplate),
		internaloption.WithDefaultMTLSEndpoint(mtlsBasePath),
		internaloption.EnableNewAuthLibrary(),
	)

	httpClient, resolvedEndpoint, err := htransport.NewClient(ctx, opts...)
	if err != nil {
		return nil, err
	}

	svc, err := New(httpClient)
	if err != nil {
		return nil, err
	}

	// New starts from the compiled-in basePath; an endpoint reported by the
	// transport replaces it only when one was actually returned.
	if resolvedEndpoint != "" {
		svc.BasePath = resolvedEndpoint
	}
	return svc, nil
}

// New creates a new Service. It uses the provided http.Client for requests.
//
// Deprecated: please use NewService instead.
// To provide a custom HTTP client, use option.WithHTTPClient.
// If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.
133 func New(client *http.Client) (*Service, error) { 134 if client == nil { 135 return nil, errors.New("client is nil") 136 } 137 s := &Service{client: client, BasePath: basePath} 138 s.Projects = NewProjectsService(s) 139 s.Systempolicy = NewSystempolicyService(s) 140 return s, nil 141 } 142 143 type Service struct { 144 client *http.Client 145 BasePath string // API endpoint base URL 146 UserAgent string // optional additional User-Agent fragment 147 148 Projects *ProjectsService 149 150 Systempolicy *SystempolicyService 151 } 152 153 func (s *Service) userAgent() string { 154 if s.UserAgent == "" { 155 return googleapi.UserAgent 156 } 157 return googleapi.UserAgent + " " + s.UserAgent 158 } 159 160 func NewProjectsService(s *Service) *ProjectsService { 161 rs := &ProjectsService{s: s} 162 rs.Attestors = NewProjectsAttestorsService(s) 163 rs.Platforms = NewProjectsPlatformsService(s) 164 rs.Policy = NewProjectsPolicyService(s) 165 return rs 166 } 167 168 type ProjectsService struct { 169 s *Service 170 171 Attestors *ProjectsAttestorsService 172 173 Platforms *ProjectsPlatformsService 174 175 Policy *ProjectsPolicyService 176 } 177 178 func NewProjectsAttestorsService(s *Service) *ProjectsAttestorsService { 179 rs := &ProjectsAttestorsService{s: s} 180 return rs 181 } 182 183 type ProjectsAttestorsService struct { 184 s *Service 185 } 186 187 func NewProjectsPlatformsService(s *Service) *ProjectsPlatformsService { 188 rs := &ProjectsPlatformsService{s: s} 189 rs.Gke = NewProjectsPlatformsGkeService(s) 190 rs.Policies = NewProjectsPlatformsPoliciesService(s) 191 return rs 192 } 193 194 type ProjectsPlatformsService struct { 195 s *Service 196 197 Gke *ProjectsPlatformsGkeService 198 199 Policies *ProjectsPlatformsPoliciesService 200 } 201 202 func NewProjectsPlatformsGkeService(s *Service) *ProjectsPlatformsGkeService { 203 rs := &ProjectsPlatformsGkeService{s: s} 204 rs.Policies = NewProjectsPlatformsGkePoliciesService(s) 205 return rs 206 } 207 208 type 
ProjectsPlatformsGkeService struct { 209 s *Service 210 211 Policies *ProjectsPlatformsGkePoliciesService 212 } 213 214 func NewProjectsPlatformsGkePoliciesService(s *Service) *ProjectsPlatformsGkePoliciesService { 215 rs := &ProjectsPlatformsGkePoliciesService{s: s} 216 return rs 217 } 218 219 type ProjectsPlatformsGkePoliciesService struct { 220 s *Service 221 } 222 223 func NewProjectsPlatformsPoliciesService(s *Service) *ProjectsPlatformsPoliciesService { 224 rs := &ProjectsPlatformsPoliciesService{s: s} 225 return rs 226 } 227 228 type ProjectsPlatformsPoliciesService struct { 229 s *Service 230 } 231 232 func NewProjectsPolicyService(s *Service) *ProjectsPolicyService { 233 rs := &ProjectsPolicyService{s: s} 234 return rs 235 } 236 237 type ProjectsPolicyService struct { 238 s *Service 239 } 240 241 func NewSystempolicyService(s *Service) *SystempolicyService { 242 rs := &SystempolicyService{s: s} 243 return rs 244 } 245 246 type SystempolicyService struct { 247 s *Service 248 } 249 250 // AdmissionRule: An admission rule specifies either that all container images 251 // used in a pod creation request must be attested to by one or more attestors, 252 // that all pod creations will be allowed, or that all pod creations will be 253 // denied. Images matching an admission allowlist pattern are exempted from 254 // admission rules and will never block a pod creation. 255 type AdmissionRule struct { 256 // EnforcementMode: Required. The action when a pod creation is denied by the 257 // admission rule. 258 // 259 // Possible values: 260 // "ENFORCEMENT_MODE_UNSPECIFIED" - Do not use. 261 // "ENFORCED_BLOCK_AND_AUDIT_LOG" - Enforce the admission rule by blocking 262 // the pod creation. 263 // "DRYRUN_AUDIT_LOG_ONLY" - Dryrun mode: Audit logging only. This will allow 264 // the pod creation as if the admission request had specified break-glass. 265 EnforcementMode string `json:"enforcementMode,omitempty"` 266 // EvaluationMode: Required. 
How this admission rule will be evaluated. 267 // 268 // Possible values: 269 // "EVALUATION_MODE_UNSPECIFIED" - Do not use. 270 // "ALWAYS_ALLOW" - This rule allows all pod creations. 271 // "REQUIRE_ATTESTATION" - This rule allows a pod creation if all the 272 // attestors listed in `require_attestations_by` have valid attestations for 273 // all of the images in the pod spec. 274 // "ALWAYS_DENY" - This rule denies all pod creations. 275 EvaluationMode string `json:"evaluationMode,omitempty"` 276 // RequireAttestationsBy: Optional. The resource names of the attestors that 277 // must attest to a container image, in the format `projects/*/attestors/*`. 278 // Each attestor must exist before a policy can reference it. To add an 279 // attestor to a policy the principal issuing the policy change request must be 280 // able to read the attestor resource. Note: this field must be non-empty when 281 // the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it 282 // must be empty. 283 RequireAttestationsBy []string `json:"requireAttestationsBy,omitempty"` 284 // ForceSendFields is a list of field names (e.g. "EnforcementMode") to 285 // unconditionally include in API requests. By default, fields with empty or 286 // default values are omitted from API requests. See 287 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 288 // details. 289 ForceSendFields []string `json:"-"` 290 // NullFields is a list of field names (e.g. "EnforcementMode") to include in 291 // API requests with the JSON null value. By default, fields with empty values 292 // are omitted from API requests. See 293 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 
294 NullFields []string `json:"-"` 295 } 296 297 func (s *AdmissionRule) MarshalJSON() ([]byte, error) { 298 type NoMethod AdmissionRule 299 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 300 } 301 302 // AdmissionWhitelistPattern: An admission allowlist pattern exempts images 303 // from checks by admission rules. 304 type AdmissionWhitelistPattern struct { 305 // NamePattern: An image name pattern to allowlist, in the form 306 // `registry/path/to/image`. This supports a trailing `*` wildcard, but this is 307 // allowed only in text after the `registry/` part. This also supports a 308 // trailing `**` wildcard which matches subdirectories of a given entry. 309 NamePattern string `json:"namePattern,omitempty"` 310 // ForceSendFields is a list of field names (e.g. "NamePattern") to 311 // unconditionally include in API requests. By default, fields with empty or 312 // default values are omitted from API requests. See 313 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 314 // details. 315 ForceSendFields []string `json:"-"` 316 // NullFields is a list of field names (e.g. "NamePattern") to include in API 317 // requests with the JSON null value. By default, fields with empty values are 318 // omitted from API requests. See 319 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 320 NullFields []string `json:"-"` 321 } 322 323 func (s *AdmissionWhitelistPattern) MarshalJSON() ([]byte, error) { 324 type NoMethod AdmissionWhitelistPattern 325 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 326 } 327 328 // AllowlistResult: Result of evaluating an image name allowlist. 329 type AllowlistResult struct { 330 // MatchedPattern: The allowlist pattern that the image matched. 331 MatchedPattern string `json:"matchedPattern,omitempty"` 332 // ForceSendFields is a list of field names (e.g. "MatchedPattern") to 333 // unconditionally include in API requests. 
By default, fields with empty or 334 // default values are omitted from API requests. See 335 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 336 // details. 337 ForceSendFields []string `json:"-"` 338 // NullFields is a list of field names (e.g. "MatchedPattern") to include in 339 // API requests with the JSON null value. By default, fields with empty values 340 // are omitted from API requests. See 341 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 342 NullFields []string `json:"-"` 343 } 344 345 func (s *AllowlistResult) MarshalJSON() ([]byte, error) { 346 type NoMethod AllowlistResult 347 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 348 } 349 350 // AttestationAuthenticator: An attestation authenticator that will be used to 351 // verify attestations. Typically this is just a set of public keys. 352 // Conceptually, an authenticator can be treated as always returning either 353 // "authenticated" or "not authenticated" when presented with a signed 354 // attestation (almost always assumed to be a DSSE 355 // (https://github.com/secure-systems-lab/dsse) attestation). The details of 356 // how an authenticator makes this decision are specific to the type of 357 // 'authenticator' that this message wraps. 358 type AttestationAuthenticator struct { 359 // DisplayName: Optional. A user-provided name for this 360 // `AttestationAuthenticator`. This field has no effect on the policy 361 // evaluation behavior except to improve readability of messages in evaluation 362 // results. 363 DisplayName string `json:"displayName,omitempty"` 364 // PkixPublicKeySet: Optional. A set of raw PKIX SubjectPublicKeyInfo format 365 // public keys. If any public key in the set validates the attestation 366 // signature, then the signature is considered authenticated (i.e. any one key 367 // is sufficient to authenticate). 
368 PkixPublicKeySet *PkixPublicKeySet `json:"pkixPublicKeySet,omitempty"` 369 // ForceSendFields is a list of field names (e.g. "DisplayName") to 370 // unconditionally include in API requests. By default, fields with empty or 371 // default values are omitted from API requests. See 372 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 373 // details. 374 ForceSendFields []string `json:"-"` 375 // NullFields is a list of field names (e.g. "DisplayName") to include in API 376 // requests with the JSON null value. By default, fields with empty values are 377 // omitted from API requests. See 378 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 379 NullFields []string `json:"-"` 380 } 381 382 func (s *AttestationAuthenticator) MarshalJSON() ([]byte, error) { 383 type NoMethod AttestationAuthenticator 384 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 385 } 386 387 // AttestationOccurrence: Occurrence that represents a single "attestation". 388 // The authenticity of an attestation can be verified using the attached 389 // signature. If the verifier trusts the public key of the signer, then 390 // verifying the signature is sufficient to establish trust. In this 391 // circumstance, the authority to which this attestation is attached is 392 // primarily useful for lookup (how to find this attestation if you already 393 // know the authority and artifact to be verified) and intent (for which 394 // authority this attestation was intended to sign). 395 type AttestationOccurrence struct { 396 // Jwts: One or more JWTs encoding a self-contained attestation. Each JWT 397 // encodes the payload that it verifies within the JWT itself. Verifier 398 // implementation SHOULD ignore the `serialized_payload` field when verifying 399 // these JWTs. If only JWTs are present on this AttestationOccurrence, then the 400 // `serialized_payload` SHOULD be left empty. 
Each JWT SHOULD encode a claim 401 // specific to the `resource_uri` of this Occurrence, but this is not validated 402 // by Grafeas metadata API implementations. The JWT itself is opaque to 403 // Grafeas. 404 Jwts []*Jwt `json:"jwts,omitempty"` 405 // SerializedPayload: Required. The serialized payload that is verified by one 406 // or more `signatures`. 407 SerializedPayload string `json:"serializedPayload,omitempty"` 408 // Signatures: One or more signatures over `serialized_payload`. Verifier 409 // implementations should consider this attestation message verified if at 410 // least one `signature` verifies `serialized_payload`. See `Signature` in 411 // common.proto for more details on signature structure and verification. 412 Signatures []*Signature `json:"signatures,omitempty"` 413 // ForceSendFields is a list of field names (e.g. "Jwts") to unconditionally 414 // include in API requests. By default, fields with empty or default values are 415 // omitted from API requests. See 416 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 417 // details. 418 ForceSendFields []string `json:"-"` 419 // NullFields is a list of field names (e.g. "Jwts") to include in API requests 420 // with the JSON null value. By default, fields with empty values are omitted 421 // from API requests. See 422 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 423 NullFields []string `json:"-"` 424 } 425 426 func (s *AttestationOccurrence) MarshalJSON() ([]byte, error) { 427 type NoMethod AttestationOccurrence 428 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 429 } 430 431 // AttestationSource: Specifies the locations for fetching the provenance 432 // attestations. 433 type AttestationSource struct { 434 // ContainerAnalysisAttestationProjects: The IDs of the Google Cloud projects 435 // that store the SLSA attestations as Container Analysis Occurrences, in the 436 // format `projects/[PROJECT_ID]`. 
Maximum number of 437 // `container_analysis_attestation_projects` allowed in each 438 // `AttestationSource` is 10. 439 ContainerAnalysisAttestationProjects []string `json:"containerAnalysisAttestationProjects,omitempty"` 440 // ForceSendFields is a list of field names (e.g. 441 // "ContainerAnalysisAttestationProjects") to unconditionally include in API 442 // requests. By default, fields with empty or default values are omitted from 443 // API requests. See 444 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 445 // details. 446 ForceSendFields []string `json:"-"` 447 // NullFields is a list of field names (e.g. 448 // "ContainerAnalysisAttestationProjects") to include in API requests with the 449 // JSON null value. By default, fields with empty values are omitted from API 450 // requests. See https://pkg.go.dev/google.golang.org/api#hdr-NullFields for 451 // more details. 452 NullFields []string `json:"-"` 453 } 454 455 func (s *AttestationSource) MarshalJSON() ([]byte, error) { 456 type NoMethod AttestationSource 457 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 458 } 459 460 // Attestor: An attestor that attests to container image artifacts. An existing 461 // attestor cannot be modified except where indicated. 462 type Attestor struct { 463 // Description: Optional. A descriptive comment. This field may be updated. The 464 // field may be displayed in chooser dialogs. 465 Description string `json:"description,omitempty"` 466 // Etag: Optional. A checksum, returned by the server, that can be sent on 467 // update requests to ensure the attestor has an up-to-date value before 468 // attempting to update it. See https://google.aip.dev/154. 469 Etag string `json:"etag,omitempty"` 470 // Name: Required. The resource name, in the format: `projects/*/attestors/*`. 471 // This field may not be updated. 472 Name string `json:"name,omitempty"` 473 // UpdateTime: Output only. 
Time when the attestor was last updated. 474 UpdateTime string `json:"updateTime,omitempty"` 475 // UserOwnedGrafeasNote: This specifies how an attestation will be read, and 476 // how it will be used during policy enforcement. 477 UserOwnedGrafeasNote *UserOwnedGrafeasNote `json:"userOwnedGrafeasNote,omitempty"` 478 479 // ServerResponse contains the HTTP response code and headers from the server. 480 googleapi.ServerResponse `json:"-"` 481 // ForceSendFields is a list of field names (e.g. "Description") to 482 // unconditionally include in API requests. By default, fields with empty or 483 // default values are omitted from API requests. See 484 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 485 // details. 486 ForceSendFields []string `json:"-"` 487 // NullFields is a list of field names (e.g. "Description") to include in API 488 // requests with the JSON null value. By default, fields with empty values are 489 // omitted from API requests. See 490 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 491 NullFields []string `json:"-"` 492 } 493 494 func (s *Attestor) MarshalJSON() ([]byte, error) { 495 type NoMethod Attestor 496 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 497 } 498 499 // AttestorPublicKey: An attestor public key that will be used to verify 500 // attestations signed by this attestor. 501 type AttestorPublicKey struct { 502 // AsciiArmoredPgpPublicKey: ASCII-armored representation of a PGP public key, 503 // as the entire output by the command `gpg --export --armor foo@example.com` 504 // (either LF or CRLF line endings). When using this field, `id` should be left 505 // blank. The Binary Authorization API handlers will calculate the ID and fill 506 // it in automatically. Binary Authorization computes this ID as the OpenPGP 507 // RFC4880 V4 fingerprint, represented as upper-case hex. 
If `id` is provided 508 // by the caller, it will be overwritten by the API-calculated ID. 509 AsciiArmoredPgpPublicKey string `json:"asciiArmoredPgpPublicKey,omitempty"` 510 // Comment: Optional. A descriptive comment. This field may be updated. 511 Comment string `json:"comment,omitempty"` 512 // Id: The ID of this public key. Signatures verified by Binary Authorization 513 // must include the ID of the public key that can be used to verify them, and 514 // that ID must match the contents of this field exactly. Additional 515 // restrictions on this field can be imposed based on which public key type is 516 // encapsulated. See the documentation on `public_key` cases below for details. 517 Id string `json:"id,omitempty"` 518 // PkixPublicKey: A raw PKIX SubjectPublicKeyInfo format public key. NOTE: `id` 519 // may be explicitly provided by the caller when using this type of public key, 520 // but it MUST be a valid RFC3986 URI. If `id` is left blank, a default one 521 // will be computed based on the digest of the DER encoding of the public key. 522 PkixPublicKey *PkixPublicKey `json:"pkixPublicKey,omitempty"` 523 // ForceSendFields is a list of field names (e.g. "AsciiArmoredPgpPublicKey") 524 // to unconditionally include in API requests. By default, fields with empty or 525 // default values are omitted from API requests. See 526 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 527 // details. 528 ForceSendFields []string `json:"-"` 529 // NullFields is a list of field names (e.g. "AsciiArmoredPgpPublicKey") to 530 // include in API requests with the JSON null value. By default, fields with 531 // empty values are omitted from API requests. See 532 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 
533 NullFields []string `json:"-"` 534 } 535 536 func (s *AttestorPublicKey) MarshalJSON() ([]byte, error) { 537 type NoMethod AttestorPublicKey 538 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 539 } 540 541 // Binding: Associates `members`, or principals, with a `role`. 542 type Binding struct { 543 // Condition: The condition that is associated with this binding. If the 544 // condition evaluates to `true`, then this binding applies to the current 545 // request. If the condition evaluates to `false`, then this binding does not 546 // apply to the current request. However, a different role binding might grant 547 // the same role to one or more of the principals in this binding. To learn 548 // which resources support conditions in their IAM policies, see the IAM 549 // documentation 550 // (https://cloud.google.com/iam/help/conditions/resource-policies). 551 Condition *Expr `json:"condition,omitempty"` 552 // Members: Specifies the principals requesting access for a Google Cloud 553 // resource. `members` can have the following values: * `allUsers`: A special 554 // identifier that represents anyone who is on the internet; with or without a 555 // Google account. * `allAuthenticatedUsers`: A special identifier that 556 // represents anyone who is authenticated with a Google account or a service 557 // account. Does not include identities that come from external identity 558 // providers (IdPs) through identity federation. * `user:{emailid}`: An email 559 // address that represents a specific Google account. For example, 560 // `alice@example.com` . * `serviceAccount:{emailid}`: An email address that 561 // represents a Google service account. For example, 562 // `my-other-app@appspot.gserviceaccount.com`. * 563 // `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An 564 // identifier for a Kubernetes service account 565 // (https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). 
566 // For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * 567 // `group:{emailid}`: An email address that represents a Google group. For 568 // example, `admins@example.com`. * `domain:{domain}`: The G Suite domain 569 // (primary) that represents all the users of that domain. For example, 570 // `google.com` or `example.com`. * 571 // `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/sub 572 // ject/{subject_attribute_value}`: A single identity in a workforce identity 573 // pool. * 574 // `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/ 575 // group/{group_id}`: All workforce identities in a group. * 576 // `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/ 577 // attribute.{attribute_name}/{attribute_value}`: All workforce identities with 578 // a specific attribute value. * 579 // `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/ 580 // *`: All identities in a workforce identity pool. * 581 // `principal://iam.googleapis.com/projects/{project_number}/locations/global/wo 582 // rkloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single 583 // identity in a workload identity pool. * 584 // `principalSet://iam.googleapis.com/projects/{project_number}/locations/global 585 // /workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool 586 // group. * 587 // `principalSet://iam.googleapis.com/projects/{project_number}/locations/global 588 // /workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value} 589 // `: All identities in a workload identity pool with a certain attribute. * 590 // `principalSet://iam.googleapis.com/projects/{project_number}/locations/global 591 // /workloadIdentityPools/{pool_id}/*`: All identities in a workload identity 592 // pool. 
* `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus 593 // unique identifier) representing a user that has been recently deleted. For 594 // example, `alice@example.com?uid=123456789012345678901`. If the user is 595 // recovered, this value reverts to `user:{emailid}` and the recovered user 596 // retains the role in the binding. * 597 // `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus 598 // unique identifier) representing a service account that has been recently 599 // deleted. For example, 600 // `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the 601 // service account is undeleted, this value reverts to 602 // `serviceAccount:{emailid}` and the undeleted service account retains the 603 // role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email 604 // address (plus unique identifier) representing a Google group that has been 605 // recently deleted. For example, 606 // `admins@example.com?uid=123456789012345678901`. If the group is recovered, 607 // this value reverts to `group:{emailid}` and the recovered group retains the 608 // role in the binding. * 609 // `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool 610 // _id}/subject/{subject_attribute_value}`: Deleted single identity in a 611 // workforce identity pool. For example, 612 // `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-po 613 // ol-id/subject/my-subject-attribute-value`. 614 Members []string `json:"members,omitempty"` 615 // Role: Role that is assigned to the list of `members`, or principals. For 616 // example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview 617 // of the IAM roles and permissions, see the IAM documentation 618 // (https://cloud.google.com/iam/docs/roles-overview). For a list of the 619 // available pre-defined roles, see here 620 // (https://cloud.google.com/iam/docs/understanding-roles). 
621 Role string `json:"role,omitempty"` 622 // ForceSendFields is a list of field names (e.g. "Condition") to 623 // unconditionally include in API requests. By default, fields with empty or 624 // default values are omitted from API requests. See 625 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 626 // details. 627 ForceSendFields []string `json:"-"` 628 // NullFields is a list of field names (e.g. "Condition") to include in API 629 // requests with the JSON null value. By default, fields with empty values are 630 // omitted from API requests. See 631 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 632 NullFields []string `json:"-"` 633 } 634 635 func (s *Binding) MarshalJSON() ([]byte, error) { 636 type NoMethod Binding 637 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 638 } 639 640 // Check: A single check to perform against a Pod. Checks are grouped into 641 // `CheckSet` objects, which are defined by the top-level policy. 642 type Check struct { 643 // AlwaysDeny: Optional. A special-case check that always denies. Note that 644 // this still only applies when the scope of the `CheckSet` applies and the 645 // image isn't exempted by an image allowlist. This check is primarily useful 646 // for testing, or to set the default behavior for all unmatched scopes to 647 // "deny". 648 AlwaysDeny bool `json:"alwaysDeny,omitempty"` 649 // DisplayName: Optional. A user-provided name for this check. This field has 650 // no effect on the policy evaluation behavior except to improve readability of 651 // messages in evaluation results. 652 DisplayName string `json:"displayName,omitempty"` 653 // ImageAllowlist: Optional. Images exempted from this check. If any of the 654 // patterns match the image url, the check will not be evaluated. 655 ImageAllowlist *ImageAllowlist `json:"imageAllowlist,omitempty"` 656 // ImageFreshnessCheck: Optional. 
Require that an image is no older than a 657 // configured expiration time. Image age is determined by its upload time. 658 ImageFreshnessCheck *ImageFreshnessCheck `json:"imageFreshnessCheck,omitempty"` 659 // SigstoreSignatureCheck: Optional. Require that an image was signed by Cosign 660 // with a trusted key. This check requires that both the image and signature 661 // are stored in Artifact Registry. 662 SigstoreSignatureCheck *SigstoreSignatureCheck `json:"sigstoreSignatureCheck,omitempty"` 663 // SimpleSigningAttestationCheck: Optional. Require a SimpleSigning-type 664 // attestation for every image in the deployment. 665 SimpleSigningAttestationCheck *SimpleSigningAttestationCheck `json:"simpleSigningAttestationCheck,omitempty"` 666 // SlsaCheck: Optional. Require that an image was built by a trusted builder 667 // (such as Google Cloud Build), meets requirements for Supply chain Levels for 668 // Software Artifacts (SLSA), and was built from a trusted source code 669 // repository. 670 SlsaCheck *SlsaCheck `json:"slsaCheck,omitempty"` 671 // TrustedDirectoryCheck: Optional. Require that an image lives in a trusted 672 // directory. 673 TrustedDirectoryCheck *TrustedDirectoryCheck `json:"trustedDirectoryCheck,omitempty"` 674 // VulnerabilityCheck: Optional. Require that an image does not contain 675 // vulnerabilities that violate the configured rules, such as based on severity 676 // levels. 677 VulnerabilityCheck *VulnerabilityCheck `json:"vulnerabilityCheck,omitempty"` 678 // ForceSendFields is a list of field names (e.g. "AlwaysDeny") to 679 // unconditionally include in API requests. By default, fields with empty or 680 // default values are omitted from API requests. See 681 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 682 // details. 683 ForceSendFields []string `json:"-"` 684 // NullFields is a list of field names (e.g. "AlwaysDeny") to include in API 685 // requests with the JSON null value. 
By default, fields with empty values are 686 // omitted from API requests. See 687 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 688 NullFields []string `json:"-"` 689 } 690 691 func (s *Check) MarshalJSON() ([]byte, error) { 692 type NoMethod Check 693 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 694 } 695 696 // CheckResult: Result of evaluating one check. 697 type CheckResult struct { 698 // AllowlistResult: If the image was exempted by an allow_pattern in the check, 699 // contains the pattern that the image name matched. 700 AllowlistResult *AllowlistResult `json:"allowlistResult,omitempty"` 701 // DisplayName: The name of the check. 702 DisplayName string `json:"displayName,omitempty"` 703 // EvaluationResult: If a check was evaluated, contains the result of the 704 // check. 705 EvaluationResult *EvaluationResult `json:"evaluationResult,omitempty"` 706 // Explanation: Explanation of this check result. 707 Explanation string `json:"explanation,omitempty"` 708 // Index: The index of the check. 709 Index int64 `json:"index,omitempty,string"` 710 // Type: The type of the check. 711 Type string `json:"type,omitempty"` 712 // ForceSendFields is a list of field names (e.g. "AllowlistResult") to 713 // unconditionally include in API requests. By default, fields with empty or 714 // default values are omitted from API requests. See 715 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 716 // details. 717 ForceSendFields []string `json:"-"` 718 // NullFields is a list of field names (e.g. "AllowlistResult") to include in 719 // API requests with the JSON null value. By default, fields with empty values 720 // are omitted from API requests. See 721 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 
722 NullFields []string `json:"-"` 723 } 724 725 func (s *CheckResult) MarshalJSON() ([]byte, error) { 726 type NoMethod CheckResult 727 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 728 } 729 730 // CheckResults: Result of evaluating one or more checks. 731 type CheckResults struct { 732 // Results: Per-check details. 733 Results []*CheckResult `json:"results,omitempty"` 734 // ForceSendFields is a list of field names (e.g. "Results") to unconditionally 735 // include in API requests. By default, fields with empty or default values are 736 // omitted from API requests. See 737 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 738 // details. 739 ForceSendFields []string `json:"-"` 740 // NullFields is a list of field names (e.g. "Results") to include in API 741 // requests with the JSON null value. By default, fields with empty values are 742 // omitted from API requests. See 743 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 744 NullFields []string `json:"-"` 745 } 746 747 func (s *CheckResults) MarshalJSON() ([]byte, error) { 748 type NoMethod CheckResults 749 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 750 } 751 752 // CheckSet: A conjunction of policy checks, scoped to a particular namespace 753 // or Kubernetes service account. In order for evaluation of a `CheckSet` to 754 // return "allowed" for a given image in a given Pod, one of the following 755 // conditions must be satisfied: * The image is explicitly exempted by an entry 756 // in `image_allowlist`, OR * ALL of the `checks` evaluate to "allowed". 757 type CheckSet struct { 758 // Checks: Optional. The checks to apply. The ultimate result of evaluating the 759 // check set will be "allow" if and only if every check in `checks` evaluates 760 // to "allow". If `checks` is empty, the default behavior is "always allow". 
761 Checks []*Check `json:"checks,omitempty"` 762 // DisplayName: Optional. A user-provided name for this `CheckSet`. This field 763 // has no effect on the policy evaluation behavior except to improve 764 // readability of messages in evaluation results. 765 DisplayName string `json:"displayName,omitempty"` 766 // ImageAllowlist: Optional. Images exempted from this `CheckSet`. If any of 767 // the patterns match the image being evaluated, no checks in the `CheckSet` 768 // will be evaluated. 769 ImageAllowlist *ImageAllowlist `json:"imageAllowlist,omitempty"` 770 // Scope: Optional. The scope to which this `CheckSet` applies. If unset or an 771 // empty string (the default), applies to all namespaces and service accounts. 772 // See the `Scope` message documentation for details on scoping rules. 773 Scope *Scope `json:"scope,omitempty"` 774 // ForceSendFields is a list of field names (e.g. "Checks") to unconditionally 775 // include in API requests. By default, fields with empty or default values are 776 // omitted from API requests. See 777 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 778 // details. 779 ForceSendFields []string `json:"-"` 780 // NullFields is a list of field names (e.g. "Checks") to include in API 781 // requests with the JSON null value. By default, fields with empty values are 782 // omitted from API requests. See 783 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 784 NullFields []string `json:"-"` 785 } 786 787 func (s *CheckSet) MarshalJSON() ([]byte, error) { 788 type NoMethod CheckSet 789 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 790 } 791 792 // CheckSetResult: Result of evaluating one check set. 793 type CheckSetResult struct { 794 // AllowlistResult: If the image was exempted by an allow_pattern in the check 795 // set, contains the pattern that the image name matched. 
796 AllowlistResult *AllowlistResult `json:"allowlistResult,omitempty"` 797 // CheckResults: If checks were evaluated, contains the results of evaluating 798 // each check. 799 CheckResults *CheckResults `json:"checkResults,omitempty"` 800 // DisplayName: The name of the check set. 801 DisplayName string `json:"displayName,omitempty"` 802 // Explanation: Explanation of this check set result. Only populated if no 803 // checks were evaluated. 804 Explanation string `json:"explanation,omitempty"` 805 // Index: The index of the check set. 806 Index int64 `json:"index,omitempty,string"` 807 // Scope: The scope of the check set. 808 Scope *Scope `json:"scope,omitempty"` 809 // ForceSendFields is a list of field names (e.g. "AllowlistResult") to 810 // unconditionally include in API requests. By default, fields with empty or 811 // default values are omitted from API requests. See 812 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 813 // details. 814 ForceSendFields []string `json:"-"` 815 // NullFields is a list of field names (e.g. "AllowlistResult") to include in 816 // API requests with the JSON null value. By default, fields with empty values 817 // are omitted from API requests. See 818 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 819 NullFields []string `json:"-"` 820 } 821 822 func (s *CheckSetResult) MarshalJSON() ([]byte, error) { 823 type NoMethod CheckSetResult 824 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 825 } 826 827 // Empty: A generic empty message that you can re-use to avoid defining 828 // duplicated empty messages in your APIs. A typical example is to use it as 829 // the request or the response type of an API method. For instance: service Foo 830 // { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } 831 type Empty struct { 832 // ServerResponse contains the HTTP response code and headers from the server. 
833 googleapi.ServerResponse `json:"-"` 834 } 835 836 // EvaluateGkePolicyRequest: Request message for 837 // PlatformPolicyEvaluationService.EvaluateGkePolicy. 838 type EvaluateGkePolicyRequest struct { 839 // Resource: Required. JSON or YAML blob representing a Kubernetes resource. 840 Resource googleapi.RawMessage `json:"resource,omitempty"` 841 // ForceSendFields is a list of field names (e.g. "Resource") to 842 // unconditionally include in API requests. By default, fields with empty or 843 // default values are omitted from API requests. See 844 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 845 // details. 846 ForceSendFields []string `json:"-"` 847 // NullFields is a list of field names (e.g. "Resource") to include in API 848 // requests with the JSON null value. By default, fields with empty values are 849 // omitted from API requests. See 850 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 851 NullFields []string `json:"-"` 852 } 853 854 func (s *EvaluateGkePolicyRequest) MarshalJSON() ([]byte, error) { 855 type NoMethod EvaluateGkePolicyRequest 856 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 857 } 858 859 // EvaluateGkePolicyResponse: Response message for 860 // PlatformPolicyEvaluationService.EvaluateGkePolicy. 861 type EvaluateGkePolicyResponse struct { 862 // Results: Evaluation result for each Pod contained in the request. 863 Results []*PodResult `json:"results,omitempty"` 864 // Verdict: The result of evaluating all Pods in the request. 865 // 866 // Possible values: 867 // "VERDICT_UNSPECIFIED" - Not specified. This should never be used. 868 // "CONFORMANT" - All Pods in the request conform to the policy. 869 // "NON_CONFORMANT" - At least one Pod does not conform to the policy. 870 // "ERROR" - Encountered at least one error evaluating a Pod and all other 871 // Pods conform to the policy. Non-conformance has precedence over errors. 
872 Verdict string `json:"verdict,omitempty"` 873 874 // ServerResponse contains the HTTP response code and headers from the server. 875 googleapi.ServerResponse `json:"-"` 876 // ForceSendFields is a list of field names (e.g. "Results") to unconditionally 877 // include in API requests. By default, fields with empty or default values are 878 // omitted from API requests. See 879 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 880 // details. 881 ForceSendFields []string `json:"-"` 882 // NullFields is a list of field names (e.g. "Results") to include in API 883 // requests with the JSON null value. By default, fields with empty values are 884 // omitted from API requests. See 885 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 886 NullFields []string `json:"-"` 887 } 888 889 func (s *EvaluateGkePolicyResponse) MarshalJSON() ([]byte, error) { 890 type NoMethod EvaluateGkePolicyResponse 891 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 892 } 893 894 // EvaluationResult: Result of evaluating one check. 895 type EvaluationResult struct { 896 // Verdict: The result of evaluating this check. 897 // 898 // Possible values: 899 // "CHECK_VERDICT_UNSPECIFIED" - Not specified. This should never be used. 900 // "CONFORMANT" - The check was successfully evaluated and the image 901 // satisfied the check. 902 // "NON_CONFORMANT" - The check was successfully evaluated and the image did 903 // not satisfy the check. 904 // "ERROR" - The check was not successfully evaluated. 905 Verdict string `json:"verdict,omitempty"` 906 // ForceSendFields is a list of field names (e.g. "Verdict") to unconditionally 907 // include in API requests. By default, fields with empty or default values are 908 // omitted from API requests. See 909 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 910 // details. 
911 ForceSendFields []string `json:"-"` 912 // NullFields is a list of field names (e.g. "Verdict") to include in API 913 // requests with the JSON null value. By default, fields with empty values are 914 // omitted from API requests. See 915 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 916 NullFields []string `json:"-"` 917 } 918 919 func (s *EvaluationResult) MarshalJSON() ([]byte, error) { 920 type NoMethod EvaluationResult 921 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 922 } 923 924 // Expr: Represents a textual expression in the Common Expression Language 925 // (CEL) syntax. CEL is a C-like expression language. The syntax and semantics 926 // of CEL are documented at https://github.com/google/cel-spec. Example 927 // (Comparison): title: "Summary size limit" description: "Determines if a 928 // summary is less than 100 chars" expression: "document.summary.size() < 100" 929 // Example (Equality): title: "Requestor is owner" description: "Determines if 930 // requestor is the document owner" expression: "document.owner == 931 // request.auth.claims.email" Example (Logic): title: "Public documents" 932 // description: "Determine whether the document should be publicly visible" 933 // expression: "document.type != 'private' && document.type != 'internal'" 934 // Example (Data Manipulation): title: "Notification string" description: 935 // "Create a notification string with a timestamp." expression: "'New message 936 // received at ' + string(document.create_time)" The exact variables and 937 // functions that may be referenced within an expression are determined by the 938 // service that evaluates it. See the service documentation for additional 939 // information. 940 type Expr struct { 941 // Description: Optional. Description of the expression. This is a longer text 942 // which describes the expression, e.g. when hovered over it in a UI. 
943 Description string `json:"description,omitempty"` 944 // Expression: Textual representation of an expression in Common Expression 945 // Language syntax. 946 Expression string `json:"expression,omitempty"` 947 // Location: Optional. String indicating the location of the expression for 948 // error reporting, e.g. a file name and a position in the file. 949 Location string `json:"location,omitempty"` 950 // Title: Optional. Title for the expression, i.e. a short string describing 951 // its purpose. This can be used e.g. in UIs which allow to enter the 952 // expression. 953 Title string `json:"title,omitempty"` 954 // ForceSendFields is a list of field names (e.g. "Description") to 955 // unconditionally include in API requests. By default, fields with empty or 956 // default values are omitted from API requests. See 957 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 958 // details. 959 ForceSendFields []string `json:"-"` 960 // NullFields is a list of field names (e.g. "Description") to include in API 961 // requests with the JSON null value. By default, fields with empty values are 962 // omitted from API requests. See 963 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 964 NullFields []string `json:"-"` 965 } 966 967 func (s *Expr) MarshalJSON() ([]byte, error) { 968 type NoMethod Expr 969 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 970 } 971 972 // GkePolicy: A Binary Authorization policy for a GKE cluster. This is one type 973 // of policy that can occur as a `PlatformPolicy`. 974 type GkePolicy struct { 975 // CheckSets: Optional. The `CheckSet` objects to apply, scoped by namespace or 976 // namespace and service account. Exactly one `CheckSet` will be evaluated for 977 // a given Pod (unless the list is empty, in which case the behavior is "always 978 // allow"). 
If multiple `CheckSet` objects have scopes that match the namespace 979 // and service account of the Pod being evaluated, only the `CheckSet` with the 980 // MOST SPECIFIC scope will match. `CheckSet` objects must be listed in order 981 // of decreasing specificity, i.e. if a scope matches a given service account 982 // (which must include the namespace), it must come before a `CheckSet` with a 983 // scope matching just that namespace. This property is enforced by server-side 984 // validation. The purpose of this restriction is to ensure that if more than 985 // one `CheckSet` matches a given Pod, the `CheckSet` that will be evaluated 986 // will always be the first in the list to match (because if any other matches, 987 // it must be less specific). If `check_sets` is empty, the default behavior is 988 // to allow all images. If `check_sets` is non-empty, the last `check_sets` 989 // entry must always be a `CheckSet` with no scope set, i.e. a catchall to 990 // handle any situation not caught by the preceding `CheckSet` objects. 991 CheckSets []*CheckSet `json:"checkSets,omitempty"` 992 // ImageAllowlist: Optional. Images exempted from this policy. If any of the 993 // patterns match the image being evaluated, the rest of the policy will not be 994 // evaluated. 995 ImageAllowlist *ImageAllowlist `json:"imageAllowlist,omitempty"` 996 // ForceSendFields is a list of field names (e.g. "CheckSets") to 997 // unconditionally include in API requests. By default, fields with empty or 998 // default values are omitted from API requests. See 999 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1000 // details. 1001 ForceSendFields []string `json:"-"` 1002 // NullFields is a list of field names (e.g. "CheckSets") to include in API 1003 // requests with the JSON null value. By default, fields with empty values are 1004 // omitted from API requests. See 1005 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 
1006 NullFields []string `json:"-"` 1007 } 1008 1009 func (s *GkePolicy) MarshalJSON() ([]byte, error) { 1010 type NoMethod GkePolicy 1011 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1012 } 1013 1014 // IamPolicy: An Identity and Access Management (IAM) policy, which specifies 1015 // access controls for Google Cloud resources. A `Policy` is a collection of 1016 // `bindings`. A `binding` binds one or more `members`, or principals, to a 1017 // single `role`. Principals can be user accounts, service accounts, Google 1018 // groups, and domains (such as G Suite). A `role` is a named list of 1019 // permissions; each `role` can be an IAM predefined role or a user-created 1020 // custom role. For some types of Google Cloud resources, a `binding` can also 1021 // specify a `condition`, which is a logical expression that allows access to a 1022 // resource only if the expression evaluates to `true`. A condition can add 1023 // constraints based on attributes of the request, the resource, or both. To 1024 // learn which resources support conditions in their IAM policies, see the IAM 1025 // documentation 1026 // (https://cloud.google.com/iam/help/conditions/resource-policies). 
**JSON 1027 // example:** ``` { "bindings": [ { "role": 1028 // "roles/resourcemanager.organizationAdmin", "members": [ 1029 // "user:mike@example.com", "group:admins@example.com", "domain:google.com", 1030 // "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": 1031 // "roles/resourcemanager.organizationViewer", "members": [ 1032 // "user:eve@example.com" ], "condition": { "title": "expirable access", 1033 // "description": "Does not grant access after Sep 2020", "expression": 1034 // "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": 1035 // "BwWWja0YfJA=", "version": 3 } ``` **YAML example:** ``` bindings: - 1036 // members: - user:mike@example.com - group:admins@example.com - 1037 // domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com 1038 // role: roles/resourcemanager.organizationAdmin - members: - 1039 // user:eve@example.com role: roles/resourcemanager.organizationViewer 1040 // condition: title: expirable access description: Does not grant access after 1041 // Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') 1042 // etag: BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, 1043 // see the IAM documentation (https://cloud.google.com/iam/docs/). 1044 type IamPolicy struct { 1045 // Bindings: Associates a list of `members`, or principals, with a `role`. 1046 // Optionally, may specify a `condition` that determines how and when the 1047 // `bindings` are applied. Each of the `bindings` must contain at least one 1048 // principal. The `bindings` in a `Policy` can refer to up to 1,500 principals; 1049 // up to 250 of these principals can be Google groups. Each occurrence of a 1050 // principal counts towards these limits. For example, if the `bindings` grant 1051 // 50 different roles to `user:alice@example.com`, and not to any other 1052 // principal, then you can add another 1,450 principals to the `bindings` in 1053 // the `Policy`. 
1054 Bindings []*Binding `json:"bindings,omitempty"` 1055 // Etag: `etag` is used for optimistic concurrency control as a way to help 1056 // prevent simultaneous updates of a policy from overwriting each other. It is 1057 // strongly suggested that systems make use of the `etag` in the 1058 // read-modify-write cycle to perform policy updates in order to avoid race 1059 // conditions: An `etag` is returned in the response to `getIamPolicy`, and 1060 // systems are expected to put that etag in the request to `setIamPolicy` to 1061 // ensure that their change will be applied to the same version of the policy. 1062 // **Important:** If you use IAM Conditions, you must include the `etag` field 1063 // whenever you call `setIamPolicy`. If you omit this field, then IAM allows 1064 // you to overwrite a version `3` policy with a version `1` policy, and all of 1065 // the conditions in the version `3` policy are lost. 1066 Etag string `json:"etag,omitempty"` 1067 // Version: Specifies the format of the policy. Valid values are `0`, `1`, and 1068 // `3`. Requests that specify an invalid value are rejected. Any operation that 1069 // affects conditional role bindings must specify version `3`. This requirement 1070 // applies to the following operations: * Getting a policy that includes a 1071 // conditional role binding * Adding a conditional role binding to a policy * 1072 // Changing a conditional role binding in a policy * Removing any role binding, 1073 // with or without a condition, from a policy that includes conditions 1074 // **Important:** If you use IAM Conditions, you must include the `etag` field 1075 // whenever you call `setIamPolicy`. If you omit this field, then IAM allows 1076 // you to overwrite a version `3` policy with a version `1` policy, and all of 1077 // the conditions in the version `3` policy are lost. If a policy does not 1078 // include any conditions, operations on that policy may specify any valid 1079 // version or leave the field unset. 
To learn which resources support 1080 // conditions in their IAM policies, see the IAM documentation 1081 // (https://cloud.google.com/iam/help/conditions/resource-policies). 1082 Version int64 `json:"version,omitempty"` 1083 1084 // ServerResponse contains the HTTP response code and headers from the server. 1085 googleapi.ServerResponse `json:"-"` 1086 // ForceSendFields is a list of field names (e.g. "Bindings") to 1087 // unconditionally include in API requests. By default, fields with empty or 1088 // default values are omitted from API requests. See 1089 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1090 // details. 1091 ForceSendFields []string `json:"-"` 1092 // NullFields is a list of field names (e.g. "Bindings") to include in API 1093 // requests with the JSON null value. By default, fields with empty values are 1094 // omitted from API requests. See 1095 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1096 NullFields []string `json:"-"` 1097 } 1098 1099 func (s *IamPolicy) MarshalJSON() ([]byte, error) { 1100 type NoMethod IamPolicy 1101 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1102 } 1103 1104 // ImageAllowlist: Images that are exempted from normal checks based on name 1105 // pattern only. 1106 type ImageAllowlist struct { 1107 // AllowPattern: Required. A disjunction of image patterns to allow. If any of 1108 // these patterns match, then the image is considered exempted by this 1109 // allowlist. 1110 AllowPattern []string `json:"allowPattern,omitempty"` 1111 // ForceSendFields is a list of field names (e.g. "AllowPattern") to 1112 // unconditionally include in API requests. By default, fields with empty or 1113 // default values are omitted from API requests. See 1114 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1115 // details. 1116 ForceSendFields []string `json:"-"` 1117 // NullFields is a list of field names (e.g. 
"AllowPattern") to include in API 1118 // requests with the JSON null value. By default, fields with empty values are 1119 // omitted from API requests. See 1120 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1121 NullFields []string `json:"-"` 1122 } 1123 1124 func (s *ImageAllowlist) MarshalJSON() ([]byte, error) { 1125 type NoMethod ImageAllowlist 1126 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1127 } 1128 1129 // ImageFreshnessCheck: An image freshness check, which rejects images that 1130 // were uploaded before the set number of days ago to the supported 1131 // repositories. 1132 type ImageFreshnessCheck struct { 1133 // MaxUploadAgeDays: Required. The max number of days that is allowed since the 1134 // image was uploaded. Must be greater than zero. 1135 MaxUploadAgeDays int64 `json:"maxUploadAgeDays,omitempty"` 1136 // ForceSendFields is a list of field names (e.g. "MaxUploadAgeDays") to 1137 // unconditionally include in API requests. By default, fields with empty or 1138 // default values are omitted from API requests. See 1139 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1140 // details. 1141 ForceSendFields []string `json:"-"` 1142 // NullFields is a list of field names (e.g. "MaxUploadAgeDays") to include in 1143 // API requests with the JSON null value. By default, fields with empty values 1144 // are omitted from API requests. See 1145 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1146 NullFields []string `json:"-"` 1147 } 1148 1149 func (s *ImageFreshnessCheck) MarshalJSON() ([]byte, error) { 1150 type NoMethod ImageFreshnessCheck 1151 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1152 } 1153 1154 // ImageResult: Result of evaluating one image. 
1155 type ImageResult struct { 1156 // AllowlistResult: If the image was exempted by a top-level allow_pattern, 1157 // contains the allowlist pattern that the image name matched. 1158 AllowlistResult *AllowlistResult `json:"allowlistResult,omitempty"` 1159 // CheckSetResult: If a check set was evaluated, contains the result of the 1160 // check set. Empty if there were no check sets. 1161 CheckSetResult *CheckSetResult `json:"checkSetResult,omitempty"` 1162 // Explanation: Explanation of this image result. Only populated if no check 1163 // sets were evaluated. 1164 Explanation string `json:"explanation,omitempty"` 1165 // ImageUri: Image URI from the request. 1166 ImageUri string `json:"imageUri,omitempty"` 1167 // Verdict: The result of evaluating this image. 1168 // 1169 // Possible values: 1170 // "IMAGE_VERDICT_UNSPECIFIED" - Not specified. This should never be used. 1171 // "CONFORMANT" - Image conforms to the policy. 1172 // "NON_CONFORMANT" - Image does not conform to the policy. 1173 // "ERROR" - Error evaluating the image. Non-conformance has precedence over 1174 // errors. 1175 Verdict string `json:"verdict,omitempty"` 1176 // ForceSendFields is a list of field names (e.g. "AllowlistResult") to 1177 // unconditionally include in API requests. By default, fields with empty or 1178 // default values are omitted from API requests. See 1179 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1180 // details. 1181 ForceSendFields []string `json:"-"` 1182 // NullFields is a list of field names (e.g. "AllowlistResult") to include in 1183 // API requests with the JSON null value. By default, fields with empty values 1184 // are omitted from API requests. See 1185 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 
1186 NullFields []string `json:"-"` 1187 } 1188 1189 func (s *ImageResult) MarshalJSON() ([]byte, error) { 1190 type NoMethod ImageResult 1191 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1192 } 1193 1194 type Jwt struct { 1195 // CompactJwt: The compact encoding of a JWS, which is always three base64 1196 // encoded strings joined by periods. For details, see: 1197 // https://tools.ietf.org/html/rfc7515.html#section-3.1 1198 CompactJwt string `json:"compactJwt,omitempty"` 1199 // ForceSendFields is a list of field names (e.g. "CompactJwt") to 1200 // unconditionally include in API requests. By default, fields with empty or 1201 // default values are omitted from API requests. See 1202 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1203 // details. 1204 ForceSendFields []string `json:"-"` 1205 // NullFields is a list of field names (e.g. "CompactJwt") to include in API 1206 // requests with the JSON null value. By default, fields with empty values are 1207 // omitted from API requests. See 1208 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1209 NullFields []string `json:"-"` 1210 } 1211 1212 func (s *Jwt) MarshalJSON() ([]byte, error) { 1213 type NoMethod Jwt 1214 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1215 } 1216 1217 // ListAttestorsResponse: Response message for 1218 // BinauthzManagementServiceV1.ListAttestors. 1219 type ListAttestorsResponse struct { 1220 // Attestors: The list of attestors. 1221 Attestors []*Attestor `json:"attestors,omitempty"` 1222 // NextPageToken: A token to retrieve the next page of results. Pass this value 1223 // in the ListAttestorsRequest.page_token field in the subsequent call to the 1224 // `ListAttestors` method to retrieve the next page of results. 1225 NextPageToken string `json:"nextPageToken,omitempty"` 1226 1227 // ServerResponse contains the HTTP response code and headers from the server. 
1228 googleapi.ServerResponse `json:"-"` 1229 // ForceSendFields is a list of field names (e.g. "Attestors") to 1230 // unconditionally include in API requests. By default, fields with empty or 1231 // default values are omitted from API requests. See 1232 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1233 // details. 1234 ForceSendFields []string `json:"-"` 1235 // NullFields is a list of field names (e.g. "Attestors") to include in API 1236 // requests with the JSON null value. By default, fields with empty values are 1237 // omitted from API requests. See 1238 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1239 NullFields []string `json:"-"` 1240 } 1241 1242 func (s *ListAttestorsResponse) MarshalJSON() ([]byte, error) { 1243 type NoMethod ListAttestorsResponse 1244 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1245 } 1246 1247 // ListPlatformPoliciesResponse: Response message for 1248 // PlatformPolicyManagementService.ListPlatformPolicies. 1249 type ListPlatformPoliciesResponse struct { 1250 // NextPageToken: A token to retrieve the next page of results. Pass this value 1251 // in the ListPlatformPoliciesRequest.page_token field in the subsequent call 1252 // to the `ListPlatformPolicies` method to retrieve the next page of results. 1253 NextPageToken string `json:"nextPageToken,omitempty"` 1254 // PlatformPolicies: The list of platform policies. 1255 PlatformPolicies []*PlatformPolicy `json:"platformPolicies,omitempty"` 1256 1257 // ServerResponse contains the HTTP response code and headers from the server. 1258 googleapi.ServerResponse `json:"-"` 1259 // ForceSendFields is a list of field names (e.g. "NextPageToken") to 1260 // unconditionally include in API requests. By default, fields with empty or 1261 // default values are omitted from API requests. See 1262 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1263 // details. 
1264 ForceSendFields []string `json:"-"` 1265 // NullFields is a list of field names (e.g. "NextPageToken") to include in API 1266 // requests with the JSON null value. By default, fields with empty values are 1267 // omitted from API requests. See 1268 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1269 NullFields []string `json:"-"` 1270 } 1271 1272 func (s *ListPlatformPoliciesResponse) MarshalJSON() ([]byte, error) { 1273 type NoMethod ListPlatformPoliciesResponse 1274 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1275 } 1276 1277 // PkixPublicKey: A public key in the PkixPublicKey format 1278 // (https://tools.ietf.org/html/rfc5280#section-4.1.2.7). Public keys of this 1279 // type are typically textually encoded using the PEM format. 1280 type PkixPublicKey struct { 1281 // KeyId: Optional. The ID of this public key. Signatures verified by Binary 1282 // Authorization must include the ID of the public key that can be used to 1283 // verify them, and that ID must match the contents of this field exactly. This 1284 // may be explicitly provided by the caller, but it MUST be a valid RFC3986 1285 // URI. If `key_id` is left blank and this `PkixPublicKey` is not used in the 1286 // context of a wrapper (see next paragraph), a default key ID will be computed 1287 // based on the digest of the DER encoding of the public key. If this 1288 // `PkixPublicKey` is used in the context of a wrapper that has its own notion 1289 // of key ID (e.g. `AttestorPublicKey`), then this field can either: * Match 1290 // that value exactly. * Or be left blank, in which case it behaves exactly as 1291 // though it is equal to that wrapper value. 
1292 KeyId string `json:"keyId,omitempty"` 1293 // PublicKeyPem: A PEM-encoded public key, as described in 1294 // https://tools.ietf.org/html/rfc7468#section-13 1295 PublicKeyPem string `json:"publicKeyPem,omitempty"` 1296 // SignatureAlgorithm: The signature algorithm used to verify a message against 1297 // a signature using this key. These signature algorithm must match the 1298 // structure and any object identifiers encoded in `public_key_pem` (i.e. this 1299 // algorithm must match that of the public key). 1300 // 1301 // Possible values: 1302 // "SIGNATURE_ALGORITHM_UNSPECIFIED" - Not specified. 1303 // "RSA_PSS_2048_SHA256" - RSASSA-PSS 2048 bit key with a SHA256 digest. 1304 // "RSA_SIGN_PSS_2048_SHA256" - RSASSA-PSS 2048 bit key with a SHA256 digest. 1305 // "RSA_PSS_3072_SHA256" - RSASSA-PSS 3072 bit key with a SHA256 digest. 1306 // "RSA_SIGN_PSS_3072_SHA256" - RSASSA-PSS 3072 bit key with a SHA256 digest. 1307 // "RSA_PSS_4096_SHA256" - RSASSA-PSS 4096 bit key with a SHA256 digest. 1308 // "RSA_SIGN_PSS_4096_SHA256" - RSASSA-PSS 4096 bit key with a SHA256 digest. 1309 // "RSA_PSS_4096_SHA512" - RSASSA-PSS 4096 bit key with a SHA512 digest. 1310 // "RSA_SIGN_PSS_4096_SHA512" - RSASSA-PSS 4096 bit key with a SHA512 digest. 1311 // "RSA_SIGN_PKCS1_2048_SHA256" - RSASSA-PKCS1-v1_5 with a 2048 bit key and a 1312 // SHA256 digest. 1313 // "RSA_SIGN_PKCS1_3072_SHA256" - RSASSA-PKCS1-v1_5 with a 3072 bit key and a 1314 // SHA256 digest. 1315 // "RSA_SIGN_PKCS1_4096_SHA256" - RSASSA-PKCS1-v1_5 with a 4096 bit key and a 1316 // SHA256 digest. 1317 // "RSA_SIGN_PKCS1_4096_SHA512" - RSASSA-PKCS1-v1_5 with a 4096 bit key and a 1318 // SHA512 digest. 1319 // "ECDSA_P256_SHA256" - ECDSA on the NIST P-256 curve with a SHA256 digest. 1320 // "EC_SIGN_P256_SHA256" - ECDSA on the NIST P-256 curve with a SHA256 1321 // digest. 1322 // "ECDSA_P384_SHA384" - ECDSA on the NIST P-384 curve with a SHA384 digest. 
1323 // "EC_SIGN_P384_SHA384" - ECDSA on the NIST P-384 curve with a SHA384 1324 // digest. 1325 // "ECDSA_P521_SHA512" - ECDSA on the NIST P-521 curve with a SHA512 digest. 1326 // "EC_SIGN_P521_SHA512" - ECDSA on the NIST P-521 curve with a SHA512 1327 // digest. 1328 SignatureAlgorithm string `json:"signatureAlgorithm,omitempty"` 1329 // ForceSendFields is a list of field names (e.g. "KeyId") to unconditionally 1330 // include in API requests. By default, fields with empty or default values are 1331 // omitted from API requests. See 1332 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1333 // details. 1334 ForceSendFields []string `json:"-"` 1335 // NullFields is a list of field names (e.g. "KeyId") to include in API 1336 // requests with the JSON null value. By default, fields with empty values are 1337 // omitted from API requests. See 1338 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1339 NullFields []string `json:"-"` 1340 } 1341 1342 func (s *PkixPublicKey) MarshalJSON() ([]byte, error) { 1343 type NoMethod PkixPublicKey 1344 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1345 } 1346 1347 // PkixPublicKeySet: A bundle of PKIX public keys, used to authenticate 1348 // attestation signatures. Generally, a signature is considered to be 1349 // authenticated by a `PkixPublicKeySet` if any of the public keys verify it 1350 // (i.e. it is an "OR" of the keys). 1351 type PkixPublicKeySet struct { 1352 // PkixPublicKeys: Required. `pkix_public_keys` must have at least one entry. 1353 PkixPublicKeys []*PkixPublicKey `json:"pkixPublicKeys,omitempty"` 1354 // ForceSendFields is a list of field names (e.g. "PkixPublicKeys") to 1355 // unconditionally include in API requests. By default, fields with empty or 1356 // default values are omitted from API requests. See 1357 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1358 // details. 
1359 ForceSendFields []string `json:"-"` 1360 // NullFields is a list of field names (e.g. "PkixPublicKeys") to include in 1361 // API requests with the JSON null value. By default, fields with empty values 1362 // are omitted from API requests. See 1363 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1364 NullFields []string `json:"-"` 1365 } 1366 1367 func (s *PkixPublicKeySet) MarshalJSON() ([]byte, error) { 1368 type NoMethod PkixPublicKeySet 1369 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1370 } 1371 1372 // PlatformPolicy: A Binary Authorization platform policy for deployments on 1373 // various platforms. 1374 type PlatformPolicy struct { 1375 // Description: Optional. A description comment about the policy. 1376 Description string `json:"description,omitempty"` 1377 // GkePolicy: Optional. GKE platform-specific policy. 1378 GkePolicy *GkePolicy `json:"gkePolicy,omitempty"` 1379 // Name: Output only. The relative resource name of the Binary Authorization 1380 // platform policy, in the form of `projects/*/platforms/*/policies/*`. 1381 Name string `json:"name,omitempty"` 1382 // UpdateTime: Output only. Time when the policy was last updated. 1383 UpdateTime string `json:"updateTime,omitempty"` 1384 1385 // ServerResponse contains the HTTP response code and headers from the server. 1386 googleapi.ServerResponse `json:"-"` 1387 // ForceSendFields is a list of field names (e.g. "Description") to 1388 // unconditionally include in API requests. By default, fields with empty or 1389 // default values are omitted from API requests. See 1390 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1391 // details. 1392 ForceSendFields []string `json:"-"` 1393 // NullFields is a list of field names (e.g. "Description") to include in API 1394 // requests with the JSON null value. By default, fields with empty values are 1395 // omitted from API requests. 
See 1396 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1397 NullFields []string `json:"-"` 1398 } 1399 1400 func (s *PlatformPolicy) MarshalJSON() ([]byte, error) { 1401 type NoMethod PlatformPolicy 1402 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1403 } 1404 1405 // PodResult: Result of evaluating the whole GKE policy for one Pod. 1406 type PodResult struct { 1407 // ImageResults: Per-image details. 1408 ImageResults []*ImageResult `json:"imageResults,omitempty"` 1409 // KubernetesNamespace: The Kubernetes namespace of the Pod. 1410 KubernetesNamespace string `json:"kubernetesNamespace,omitempty"` 1411 // KubernetesServiceAccount: The Kubernetes service account of the Pod. 1412 KubernetesServiceAccount string `json:"kubernetesServiceAccount,omitempty"` 1413 // PodName: The name of the Pod. 1414 PodName string `json:"podName,omitempty"` 1415 // Verdict: The result of evaluating this Pod. 1416 // 1417 // Possible values: 1418 // "POD_VERDICT_UNSPECIFIED" - Not specified. This should never be used. 1419 // "CONFORMANT" - All images conform to the policy. 1420 // "NON_CONFORMANT" - At least one image does not conform to the policy. 1421 // "ERROR" - Encountered at least one error evaluating an image and all other 1422 // images with non-error verdicts conform to the policy. Non-conformance has 1423 // precedence over errors. 1424 Verdict string `json:"verdict,omitempty"` 1425 // ForceSendFields is a list of field names (e.g. "ImageResults") to 1426 // unconditionally include in API requests. By default, fields with empty or 1427 // default values are omitted from API requests. See 1428 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1429 // details. 1430 ForceSendFields []string `json:"-"` 1431 // NullFields is a list of field names (e.g. "ImageResults") to include in API 1432 // requests with the JSON null value. 
By default, fields with empty values are 1433 // omitted from API requests. See 1434 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1435 NullFields []string `json:"-"` 1436 } 1437 1438 func (s *PodResult) MarshalJSON() ([]byte, error) { 1439 type NoMethod PodResult 1440 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1441 } 1442 1443 // Policy: A policy for container image binary authorization. 1444 type Policy struct { 1445 // AdmissionWhitelistPatterns: Optional. Admission policy allowlisting. A 1446 // matching admission request will always be permitted. This feature is 1447 // typically used to exclude Google or third-party infrastructure images from 1448 // Binary Authorization policies. 1449 AdmissionWhitelistPatterns []*AdmissionWhitelistPattern `json:"admissionWhitelistPatterns,omitempty"` 1450 // ClusterAdmissionRules: Optional. Per-cluster admission rules. Cluster spec 1451 // format: `location.clusterId`. There can be at most one admission rule per 1452 // cluster spec. A `location` is either a compute zone (e.g. us-central1-a) or 1453 // a region (e.g. us-central1). For `clusterId` syntax restrictions see 1454 // https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters. 1455 ClusterAdmissionRules map[string]AdmissionRule `json:"clusterAdmissionRules,omitempty"` 1456 // DefaultAdmissionRule: Required. Default admission rule for a cluster without 1457 // a per-cluster, per- kubernetes-service-account, or 1458 // per-istio-service-identity admission rule. 1459 DefaultAdmissionRule *AdmissionRule `json:"defaultAdmissionRule,omitempty"` 1460 // Description: Optional. A descriptive comment. 1461 Description string `json:"description,omitempty"` 1462 // Etag: Optional. A checksum, returned by the server, that can be sent on 1463 // update requests to ensure the policy has an up-to-date value before 1464 // attempting to update it. See https://google.aip.dev/154. 
1465 Etag string `json:"etag,omitempty"` 1466 // GlobalPolicyEvaluationMode: Optional. Controls the evaluation of a 1467 // Google-maintained global admission policy for common system-level images. 1468 // Images not covered by the global policy will be subject to the project 1469 // admission policy. This setting has no effect when specified inside a global 1470 // admission policy. 1471 // 1472 // Possible values: 1473 // "GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED" - Not specified: `DISABLE` is 1474 // assumed. 1475 // "ENABLE" - Enables system policy evaluation. 1476 // "DISABLE" - Disables system policy evaluation. 1477 GlobalPolicyEvaluationMode string `json:"globalPolicyEvaluationMode,omitempty"` 1478 // IstioServiceIdentityAdmissionRules: Optional. Per-istio-service-identity 1479 // admission rules. Istio service identity spec format: `spiffe:///ns//sa/` or 1480 // `/ns//sa/` e.g. `spiffe://example.com/ns/test-ns/sa/default` 1481 IstioServiceIdentityAdmissionRules map[string]AdmissionRule `json:"istioServiceIdentityAdmissionRules,omitempty"` 1482 // KubernetesNamespaceAdmissionRules: Optional. Per-kubernetes-namespace 1483 // admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. 1484 // `some-namespace` 1485 KubernetesNamespaceAdmissionRules map[string]AdmissionRule `json:"kubernetesNamespaceAdmissionRules,omitempty"` 1486 // KubernetesServiceAccountAdmissionRules: Optional. 1487 // Per-kubernetes-service-account admission rules. Service account spec format: 1488 // `namespace:serviceaccount`. e.g. `test-ns:default` 1489 KubernetesServiceAccountAdmissionRules map[string]AdmissionRule `json:"kubernetesServiceAccountAdmissionRules,omitempty"` 1490 // Name: Output only. The resource name, in the format `projects/*/policy`. 1491 // There is at most one policy per project. 1492 Name string `json:"name,omitempty"` 1493 // UpdateTime: Output only. Time when the policy was last updated. 
1494 UpdateTime string `json:"updateTime,omitempty"` 1495 1496 // ServerResponse contains the HTTP response code and headers from the server. 1497 googleapi.ServerResponse `json:"-"` 1498 // ForceSendFields is a list of field names (e.g. "AdmissionWhitelistPatterns") 1499 // to unconditionally include in API requests. By default, fields with empty or 1500 // default values are omitted from API requests. See 1501 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1502 // details. 1503 ForceSendFields []string `json:"-"` 1504 // NullFields is a list of field names (e.g. "AdmissionWhitelistPatterns") to 1505 // include in API requests with the JSON null value. By default, fields with 1506 // empty values are omitted from API requests. See 1507 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1508 NullFields []string `json:"-"` 1509 } 1510 1511 func (s *Policy) MarshalJSON() ([]byte, error) { 1512 type NoMethod Policy 1513 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1514 } 1515 1516 // Scope: A scope specifier for `CheckSet` objects. 1517 type Scope struct { 1518 // KubernetesNamespace: Optional. Matches all Kubernetes service accounts in 1519 // the provided namespace, unless a more specific `kubernetes_service_account` 1520 // scope already matched. 1521 KubernetesNamespace string `json:"kubernetesNamespace,omitempty"` 1522 // KubernetesServiceAccount: Optional. Matches a single Kubernetes service 1523 // account, e.g. `my-namespace:my-service-account`. 1524 // `kubernetes_service_account` scope is always more specific than 1525 // `kubernetes_namespace` scope for the same namespace. 1526 KubernetesServiceAccount string `json:"kubernetesServiceAccount,omitempty"` 1527 // ForceSendFields is a list of field names (e.g. "KubernetesNamespace") to 1528 // unconditionally include in API requests. By default, fields with empty or 1529 // default values are omitted from API requests. 
See 1530 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1531 // details. 1532 ForceSendFields []string `json:"-"` 1533 // NullFields is a list of field names (e.g. "KubernetesNamespace") to include 1534 // in API requests with the JSON null value. By default, fields with empty 1535 // values are omitted from API requests. See 1536 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1537 NullFields []string `json:"-"` 1538 } 1539 1540 func (s *Scope) MarshalJSON() ([]byte, error) { 1541 type NoMethod Scope 1542 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1543 } 1544 1545 // SetIamPolicyRequest: Request message for `SetIamPolicy` method. 1546 type SetIamPolicyRequest struct { 1547 // Policy: REQUIRED: The complete policy to be applied to the `resource`. The 1548 // size of the policy is limited to a few 10s of KB. An empty policy is a valid 1549 // policy but certain Google Cloud services (such as Projects) might reject 1550 // them. 1551 Policy *IamPolicy `json:"policy,omitempty"` 1552 // ForceSendFields is a list of field names (e.g. "Policy") to unconditionally 1553 // include in API requests. By default, fields with empty or default values are 1554 // omitted from API requests. See 1555 // https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more 1556 // details. 1557 ForceSendFields []string `json:"-"` 1558 // NullFields is a list of field names (e.g. "Policy") to include in API 1559 // requests with the JSON null value. By default, fields with empty values are 1560 // omitted from API requests. See 1561 // https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details. 1562 NullFields []string `json:"-"` 1563 } 1564 1565 func (s *SetIamPolicyRequest) MarshalJSON() ([]byte, error) { 1566 type NoMethod SetIamPolicyRequest 1567 return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields) 1568 } 1569 1570 // Signature: Verifiers (e.g. 
// Kritis implementations) MUST verify signatures with respect to the trust
// anchors defined in policy (e.g. a Kritis policy). Typically this means that
// the verifier has been configured with a map from `public_key_id` to public
// key material (and any required parameters, e.g. signing algorithm).
//
// In particular, verification implementations MUST NOT treat the signature
// `public_key_id` as anything more than a key lookup hint. The `public_key_id`
// DOES NOT validate or authenticate a public key; it only provides a mechanism
// for quickly selecting a public key ALREADY CONFIGURED on the verifier
// through a trusted channel.
//
// Verification implementations MUST reject signatures in any of the following
// circumstances:
//   - The `public_key_id` is not recognized by the verifier.
//   - The public key that `public_key_id` refers to does not verify the
//     signature with respect to the payload.
//
// The `signature` contents SHOULD NOT be "attached" (where the payload is
// included with the serialized `signature` bytes). Verifiers MUST ignore any
// "attached" payload and only verify signatures with respect to explicitly
// provided payload (e.g. a `payload` field on the proto message that holds
// this Signature, or the canonical serialization of the proto message that
// holds this signature).
type Signature struct {
	// PublicKeyId: The identifier for the public key that verifies this
	// signature.
	//   - The `public_key_id` is required.
	//   - The `public_key_id` SHOULD be an RFC3986 conformant URI.
	//   - When possible, the `public_key_id` SHOULD be an immutable reference,
	//     such as a cryptographic digest.
	//
	// Examples of valid `public_key_id`s:
	//
	// OpenPGP V4 public key fingerprint:
	//   - "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
	//
	// See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
	// details on this scheme.
	//
	// RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
	// serialization):
	//   - "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
	//   - "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
	//
	// Reviewer note: this value arrives with the signature, so it is chosen by
	// the signer. Use it only to look up a key the verifier already holds, and
	// reject the signature when the lookup finds nothing.
	PublicKeyId string `json:"publicKeyId,omitempty"`
	// Signature: The content of the signature, an opaque bytestring. The payload
	// that this signature verifies MUST be unambiguously provided with the
	// Signature during verification. A wrapper message might provide the payload
	// explicitly. Alternatively, a message might have a canonical serialization
	// that can always be unambiguously computed to derive the payload.
	//
	// NOTE(review): the field is typed as string here; the text encoding used
	// for the opaque bytes (presumably base64) is not stated in this file.
	// Confirm before decoding.
	Signature string `json:"signature,omitempty"`
	// ForceSendFields is a list of field names (e.g. "PublicKeyId") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "PublicKeyId") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s by handing a method-less copy of the struct to
// gensupport.MarshalJSON together with the ForceSendFields and NullFields
// lists.
func (s *Signature) MarshalJSON() ([]byte, error) {
	// NoMethod has Signature's fields but none of its methods; presumably this
	// keeps the encoder from calling this MarshalJSON again (confirm against
	// gensupport).
	type NoMethod Signature
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}

// SigstoreAuthority: A Sigstore authority, used to verify signatures that are
// created by Sigstore. An authority is analogous to an attestation
// authenticator, verifying that a signature is valid or invalid.
type SigstoreAuthority struct {
	// DisplayName: Optional. A user-provided name for this `SigstoreAuthority`.
	// This field has no effect on the policy evaluation behavior except to improve
	// readability of messages in evaluation results.
	DisplayName string `json:"displayName,omitempty"`
	// PublicKeySet: Required. A simple set of public keys. A signature is
	// considered valid if any keys in the set validate the signature.
	//
	// Reviewer note: because one matching key is enough, every key in the set is
	// trusted on its own. Keep the set limited to keys that are still in use.
	PublicKeySet *SigstorePublicKeySet `json:"publicKeySet,omitempty"`
	// ForceSendFields is a list of field names (e.g. "DisplayName") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "DisplayName") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s by handing a method-less copy of the struct to
// gensupport.MarshalJSON together with the ForceSendFields and NullFields
// lists.
func (s *SigstoreAuthority) MarshalJSON() ([]byte, error) {
	type NoMethod SigstoreAuthority
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}

// SigstorePublicKey: A Sigstore public key. `SigstorePublicKey` is the public
// key material used to authenticate Sigstore signatures.
type SigstorePublicKey struct {
	// PublicKeyPem: The public key material in PEM format.
	PublicKeyPem string `json:"publicKeyPem,omitempty"`
	// ForceSendFields is a list of field names (e.g. "PublicKeyPem") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "PublicKeyPem") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s by handing a method-less copy of the struct to
// gensupport.MarshalJSON together with the ForceSendFields and NullFields
// lists.
func (s *SigstorePublicKey) MarshalJSON() ([]byte, error) {
	type NoMethod SigstorePublicKey
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}

// SigstorePublicKeySet: A bundle of Sigstore public keys, used to verify
// Sigstore signatures. A signature is authenticated by a
// `SigstorePublicKeySet` if any of the keys verify it.
type SigstorePublicKeySet struct {
	// PublicKeys: Required. `public_keys` must have at least one entry.
	PublicKeys []*SigstorePublicKey `json:"publicKeys,omitempty"`
	// ForceSendFields is a list of field names (e.g. "PublicKeys") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "PublicKeys") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s by handing a method-less copy of the struct to
// gensupport.MarshalJSON together with the ForceSendFields and NullFields
// lists.
func (s *SigstorePublicKeySet) MarshalJSON() ([]byte, error) {
	type NoMethod SigstorePublicKeySet
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}

// SigstoreSignatureCheck: A Sigstore signature check, which verifies the
// Sigstore signature associated with an image.
type SigstoreSignatureCheck struct {
	// SigstoreAuthorities: Required. The authorities required by this check to
	// verify the signature. A signature only needs to be verified by one authority
	// to pass the check.
	//
	// Reviewer note: the list is an "OR", so adding an authority widens what the
	// check accepts rather than tightening it.
	SigstoreAuthorities []*SigstoreAuthority `json:"sigstoreAuthorities,omitempty"`
	// ForceSendFields is a list of field names (e.g. "SigstoreAuthorities") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "SigstoreAuthorities") to include
	// in API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s by handing a method-less copy of the struct to
// gensupport.MarshalJSON together with the ForceSendFields and NullFields
// lists.
func (s *SigstoreSignatureCheck) MarshalJSON() ([]byte, error) {
	type NoMethod SigstoreSignatureCheck
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}

// SimpleSigningAttestationCheck: Require a signed DSSE
// (https://github.com/secure-systems-lab/dsse) attestation with type
// SimpleSigning.
type SimpleSigningAttestationCheck struct {
	// AttestationAuthenticators: Required. The authenticators required by this
	// check to verify an attestation. Typically this is one or more PKIX public
	// keys for signature verification. Only one authenticator needs to consider an
	// attestation verified in order for an attestation to be considered fully
	// authenticated. In other words, this list of authenticators is an "OR" of the
	// authenticator results. At least one authenticator is required.
	AttestationAuthenticators []*AttestationAuthenticator `json:"attestationAuthenticators,omitempty"`
	// ContainerAnalysisAttestationProjects: Optional. The projects where
	// attestations are stored as Container Analysis Occurrences, in the format
	// `projects/[PROJECT_ID]`. Only one attestation needs to successfully verify
	// an image for this check to pass, so a single verified attestation found in
	// any of `container_analysis_attestation_projects` is sufficient for the check
	// to pass. When fetching Occurrences from Container Analysis, only
	// `AttestationOccurrence` kinds are considered. In the future, additional
	// Occurrence kinds may be added to the query. Maximum number of
	// `container_analysis_attestation_projects` allowed in each
	// `SimpleSigningAttestationCheck` is 10.
	//
	// Reviewer note: every project listed here is a source the check will accept
	// a passing attestation from, so list only the projects that are meant to
	// hold attestations for this check.
	ContainerAnalysisAttestationProjects []string `json:"containerAnalysisAttestationProjects,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AttestationAuthenticators")
	// to unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AttestationAuthenticators") to
	// include in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s by handing a method-less copy of the struct to
// gensupport.MarshalJSON together with the ForceSendFields and NullFields
// lists.
func (s *SimpleSigningAttestationCheck) MarshalJSON() ([]byte, error) {
	type NoMethod SimpleSigningAttestationCheck
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}

// SlsaCheck: A SLSA provenance attestation check, which ensures that images
// are built by a trusted builder using source code from its trusted
// repositories only.
type SlsaCheck struct {
	// Rules: Specifies a list of verification rules for the SLSA attestations. An
	// image is considered compliant with the SlsaCheck if any of the rules are
	// satisfied.
	//
	// Reviewer note: one satisfied rule is enough, so each rule has to be
	// acceptable on its own; a broad rule is not narrowed by stricter ones
	// beside it.
	Rules []*VerificationRule `json:"rules,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Rules") to unconditionally
	// include in API requests. By default, fields with empty or default values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Rules") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s by handing a method-less copy of the struct to
// gensupport.MarshalJSON together with the ForceSendFields and NullFields
// lists.
func (s *SlsaCheck) MarshalJSON() ([]byte, error) {
	// NoMethod has SlsaCheck's fields but none of its methods; presumably this
	// keeps the encoder from calling this MarshalJSON again (confirm against
	// gensupport).
	type NoMethod SlsaCheck
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}

// TestIamPermissionsRequest: Request message for `TestIamPermissions` method.
type TestIamPermissionsRequest struct {
	// Permissions: The set of permissions to check for the `resource`. Permissions
	// with wildcards (such as `*` or `storage.*`) are not allowed. For more
	// information see IAM Overview
	// (https://cloud.google.com/iam/docs/overview#permissions).
	Permissions []string `json:"permissions,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Permissions") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Permissions") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s by handing a method-less copy of the struct to
// gensupport.MarshalJSON together with the ForceSendFields and NullFields
// lists.
func (s *TestIamPermissionsRequest) MarshalJSON() ([]byte, error) {
	type NoMethod TestIamPermissionsRequest
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}

// TestIamPermissionsResponse: Response message for `TestIamPermissions`
// method.
type TestIamPermissionsResponse struct {
	// Permissions: A subset of `TestPermissionsRequest.permissions` that the
	// caller is allowed.
	//
	// NOTE(review): the request type in this file is TestIamPermissionsRequest;
	// the name above presumably refers to its Permissions field. Confirm.
	Permissions []string `json:"permissions,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the server.
	googleapi.ServerResponse `json:"-"`
	// ForceSendFields is a list of field names (e.g. "Permissions") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Permissions") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s by handing a method-less copy of the struct to
// gensupport.MarshalJSON together with the ForceSendFields and NullFields
// lists.
func (s *TestIamPermissionsResponse) MarshalJSON() ([]byte, error) {
	type NoMethod TestIamPermissionsResponse
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}

// TrustedDirectoryCheck: A trusted directory check, which rejects images that
// do not come from the set of user-configured trusted directories.
type TrustedDirectoryCheck struct {
	// TrustedDirPatterns: Required. List of trusted directory patterns. A
	// pattern is in the form "registry/path/to/directory". The registry domain
	// part is defined as two or more dot-separated words, e.g., `us.pkg.dev`,
	// or `gcr.io`.
	//
	// Additionally, `*` can be used in three ways as wildcards:
	//  1. leading `*` to match varying prefixes in registry subdomain (useful
	//     for location prefixes);
	//  2. trailing `*` after registry/ to match varying endings;
	//  3. trailing `**` after registry/ to match "/" as well.
	//
	// For example:
	//   - `gcr.io/my-project/my-repo` is valid to match a single directory
	//   - `*-docker.pkg.dev/my-project/my-repo` or `*.gcr.io/my-project` are
	//     valid to match varying prefixes
	//   - `gcr.io/my-project/*` will match all direct directories in
	//     `my-project`
	//   - `gcr.io/my-project/**` would match all directories in `my-project`
	//   - `gcr.i*` is not allowed since the registry is not completely
	//     specified
	//   - `sub*domain.gcr.io/nginx` is not valid because only leading `*` or
	//     trailing `*` are allowed
	//   - `*pkg.dev/my-project/my-repo` is not valid because leading `*` can
	//     only match subdomain
	//   - `**-docker.pkg.dev` is not valid because one leading `*` is allowed,
	//     and that it cannot match `/`
	//
	// Every pattern adds locations whose images pass this field's check, and a
	// trailing `**` also covers nested paths, so keep patterns as narrow as the
	// deployment needs.
	TrustedDirPatterns []string `json:"trustedDirPatterns,omitempty"`
	// ForceSendFields lists field names (e.g. "TrustedDirPatterns") that are
	// always included in API requests. Fields with empty or default values are
	// omitted by default. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields lists field names (e.g. "TrustedDirPatterns") that are sent in
	// API requests with the JSON null value. Fields with empty values are
	// omitted by default. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s through gensupport.MarshalJSON, handing it the
// ForceSendFields and NullFields lists.
func (s *TrustedDirectoryCheck) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields as TrustedDirectoryCheck but none of its
	// methods.
	type NoMethod TrustedDirectoryCheck
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// UserOwnedGrafeasNote: A user-owned Grafeas note references a Grafeas
// Attestation.Authority Note created by the user.
type UserOwnedGrafeasNote struct {
	// DelegationServiceAccountEmail: Output only. This field will contain the
	// service account email address that this attestor will use as the
	// principal when querying Container Analysis. Attestor administrators must
	// grant this service account the IAM role needed to read attestations from
	// the note_reference in Container Analysis
	// (`containeranalysis.notes.occurrences.viewer`). This email address is
	// fixed for the lifetime of the attestor, but callers should not make any
	// other assumptions about the service account email; future versions may
	// use an email based on a different naming pattern.
	DelegationServiceAccountEmail string `json:"delegationServiceAccountEmail,omitempty"`
	// NoteReference: Required. The Grafeas resource name of an
	// Attestation.Authority Note, created by the user, in the format:
	// `projects/*/notes/*`. This field may not be updated. An attestation by
	// this attestor is stored as a Grafeas Attestation.Authority Occurrence
	// that names a container image and that links to this Note. Grafeas is an
	// external dependency.
	NoteReference string `json:"noteReference,omitempty"`
	// PublicKeys: Optional. Public keys that verify attestations signed by this
	// attestor. This field may be updated. If this field is non-empty, one of
	// the specified public keys must verify that an attestation was signed by
	// this attestor for the image specified in the admission request. If this
	// field is empty, this attestor always returns that no valid attestations
	// exist.
	//
	// Any one listed key is sufficient, so the attestor is only as trustworthy
	// as the least protected key in this list.
	PublicKeys []*AttestorPublicKey `json:"publicKeys,omitempty"`
	// ForceSendFields lists field names (e.g. "DelegationServiceAccountEmail")
	// that are always included in API requests. Fields with empty or default
	// values are omitted by default. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields lists field names (e.g. "DelegationServiceAccountEmail") that
	// are sent in API requests with the JSON null value. Fields with empty
	// values are omitted by default. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s through gensupport.MarshalJSON, handing it the
// ForceSendFields and NullFields lists.
func (s *UserOwnedGrafeasNote) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields as UserOwnedGrafeasNote but none of its
	// methods.
	type NoMethod UserOwnedGrafeasNote
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// ValidateAttestationOccurrenceRequest: Request message for
// ValidationHelperV1.ValidateAttestationOccurrence.
type ValidateAttestationOccurrenceRequest struct {
	// Attestation: Required. An AttestationOccurrence to be checked that it can
	// be verified by the `Attestor`. It does not have to be an existing entity
	// in Container Analysis. It must otherwise be a valid
	// `AttestationOccurrence`.
	Attestation *AttestationOccurrence `json:"attestation,omitempty"`
	// OccurrenceNote: Required. The resource name of the Note to which the
	// containing Occurrence is associated.
	OccurrenceNote string `json:"occurrenceNote,omitempty"`
	// OccurrenceResourceUri: Required. The URI of the artifact (e.g. container
	// image) that is the subject of the containing Occurrence.
	OccurrenceResourceUri string `json:"occurrenceResourceUri,omitempty"`
	// ForceSendFields lists field names (e.g. "Attestation") that are always
	// included in API requests. Fields with empty or default values are omitted
	// by default. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields lists field names (e.g. "Attestation") that are sent in API
	// requests with the JSON null value. Fields with empty values are omitted
	// by default. See https://pkg.go.dev/google.golang.org/api#hdr-NullFields
	// for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s through gensupport.MarshalJSON, handing it the
// ForceSendFields and NullFields lists.
func (s *ValidateAttestationOccurrenceRequest) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields as ValidateAttestationOccurrenceRequest but
	// none of its methods.
	type NoMethod ValidateAttestationOccurrenceRequest
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// ValidateAttestationOccurrenceResponse: Response message for
// ValidationHelperV1.ValidateAttestationOccurrence.
type ValidateAttestationOccurrenceResponse struct {
	// DenialReason: The reason for denial if the Attestation couldn't be
	// validated.
	DenialReason string `json:"denialReason,omitempty"`
	// Result: The result of the Attestation validation.
	//
	// Possible values:
	//   "RESULT_UNSPECIFIED" - Unspecified.
	//   "VERIFIED" - The Attestation could be verified by the Attestor.
	//   "ATTESTATION_NOT_VERIFIABLE" - The Attestation could not be verified by
	// the Attestor.
	//
	// Result is a plain string; of the values listed, only "VERIFIED" reports a
	// successful verification.
	Result string `json:"result,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the server.
	googleapi.ServerResponse `json:"-"`
	// ForceSendFields lists field names (e.g. "DenialReason") that are always
	// included in API requests. Fields with empty or default values are omitted
	// by default. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields lists field names (e.g. "DenialReason") that are sent in API
	// requests with the JSON null value. Fields with empty values are omitted
	// by default. See https://pkg.go.dev/google.golang.org/api#hdr-NullFields
	// for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s through gensupport.MarshalJSON, handing it the
// ForceSendFields and NullFields lists.
func (s *ValidateAttestationOccurrenceResponse) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields as ValidateAttestationOccurrenceResponse
	// but none of its methods.
	type NoMethod ValidateAttestationOccurrenceResponse
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// VerificationRule: Specifies verification rules for evaluating the SLSA
// attestations including: which builders to trust, where to fetch the SLSA
// attestations generated by those builders, and other builder-specific
// evaluation rules such as which source repositories are trusted. An image is
// considered verified by the rule if any of the fetched SLSA attestations is
// verified.
type VerificationRule struct {
	// AttestationSource: Specifies where to fetch the provenance attestations
	// generated by the builder (group).
	AttestationSource *AttestationSource `json:"attestationSource,omitempty"`
	// ConfigBasedBuildRequired: If true, require the image to be built from a
	// top-level configuration. `trusted_source_repo_patterns` specifies the
	// repositories containing this configuration.
	ConfigBasedBuildRequired bool `json:"configBasedBuildRequired,omitempty"`
	// TrustedBuilder: Each verification rule is used for evaluation against
	// provenances generated by a specific builder (group). For some of the
	// builders, such as the Google Cloud Build, users don't need to explicitly
	// specify their roots of trust in the policy since the evaluation service
	// can automatically fetch them based on the builder (group).
	//
	// Possible values:
	//   "BUILDER_UNSPECIFIED" - Should never happen.
	//   "GOOGLE_CLOUD_BUILD" - The whole Google Cloud Build (GCB) builder group,
	// including all GCB builder types.
	TrustedBuilder string `json:"trustedBuilder,omitempty"`
	// TrustedSourceRepoPatterns: List of trusted source code repository URL
	// patterns. These patterns match the full repository URL without its scheme
	// (e.g. `https://`). The patterns must not include schemes. For example,
	// the pattern `source.cloud.google.com/my-project/my-repo-name` matches the
	// following URLs:
	//   - `source.cloud.google.com/my-project/my-repo-name`
	//   - `git+ssh://source.cloud.google.com/my-project/my-repo-name`
	//   - `https://source.cloud.google.com/my-project/my-repo-name`
	//
	// A pattern matches a URL either exactly or with `*` wildcards. `*` can be
	// used in only two ways:
	//  1. trailing `*` after hosturi/ to match varying endings;
	//  2. trailing `**` after hosturi/ to match `/` as well.
	//
	// `*` and `**` can only be used as wildcards and can only occur at the end
	// of the pattern after a `/`. (So it's not possible to match a URL that
	// contains literal `*`.) For example:
	//   - `github.com/my-project/my-repo` is valid to match a single repo
	//   - `github.com/my-project/*` will match all direct repos in `my-project`
	//   - `github.com/**` matches all repos in GitHub
	//
	// A host-wide pattern such as the last example trusts every repository on
	// that host, including ones outside the organisation's control; prefer
	// patterns scoped to a project or a single repo.
	TrustedSourceRepoPatterns []string `json:"trustedSourceRepoPatterns,omitempty"`
	// ForceSendFields lists field names (e.g. "AttestationSource") that are
	// always included in API requests. Fields with empty or default values are
	// omitted by default. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields lists field names (e.g. "AttestationSource") that are sent in
	// API requests with the JSON null value. Fields with empty values are
	// omitted by default. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s through gensupport.MarshalJSON, handing it the
// ForceSendFields and NullFields lists.
func (s *VerificationRule) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields as VerificationRule but none of its methods.
	type NoMethod VerificationRule
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// VulnerabilityCheck: An image vulnerability check, which rejects images that
// violate the configured vulnerability rules.
type VulnerabilityCheck struct {
	// AllowedCves: Optional. A list of specific CVEs to ignore even if the
	// vulnerability level violates `maximumUnfixableSeverity` or
	// `maximumFixableSeverity`. CVEs are listed in the format of Container
	// Analysis note id. For example:
	//   - CVE-2021-20305
	//   - CVE-2020-10543
	//
	// The CVEs are applicable regardless of note provider project, e.g., an
	// entry of `CVE-2021-20305` will allow vulnerabilities with a note name of
	// either `projects/goog-vulnz/notes/CVE-2021-20305` or
	// `projects/CUSTOM-PROJECT/notes/CVE-2021-20305`.
	//
	// Each entry is an exemption from the severity thresholds, so the list is
	// worth reviewing periodically and keeping short.
	AllowedCves []string `json:"allowedCves,omitempty"`
	// BlockedCves: Optional. A list of specific CVEs to always raise warnings
	// about even if the vulnerability level meets `maximumUnfixableSeverity` or
	// `maximumFixableSeverity`. CVEs are listed in the format of Container
	// Analysis note id. For example:
	//   - CVE-2021-20305
	//   - CVE-2020-10543
	//
	// The CVEs are applicable regardless of note provider project, e.g., an
	// entry of `CVE-2021-20305` will block vulnerabilities with a note name of
	// either `projects/goog-vulnz/notes/CVE-2021-20305` or
	// `projects/CUSTOM-PROJECT/notes/CVE-2021-20305`.
	BlockedCves []string `json:"blockedCves,omitempty"`
	// ContainerAnalysisVulnerabilityProjects: Optional. The projects where
	// vulnerabilities are stored as Container Analysis Occurrences. Each
	// project is expressed in the resource format of `projects/[PROJECT_ID]`,
	// e.g., `projects/my-gcp-project`. An attempt will be made for each project
	// to fetch vulnerabilities, and all valid vulnerabilities will be used to
	// check against the vulnerability policy. If no valid scan is found in all
	// projects configured here, an error will be returned for the check.
	// Maximum number of `container_analysis_vulnerability_projects` allowed in
	// each `VulnerabilityCheck` is 10.
	ContainerAnalysisVulnerabilityProjects []string `json:"containerAnalysisVulnerabilityProjects,omitempty"`
	// MaximumFixableSeverity: Required. The threshold for severity for which a
	// fix is currently available. This field is required and must be set.
	//
	// Possible values:
	//   "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" - Not specified.
	//   "BLOCK_ALL" - Block any vulnerability.
	//   "MINIMAL" - Allow only minimal severity.
	//   "LOW" - Allow only low severity and lower.
	//   "MEDIUM" - Allow medium severity and lower.
	//   "HIGH" - Allow high severity and lower.
	//   "CRITICAL" - Allow critical severity and lower.
	//   "ALLOW_ALL" - Allow all severity, even vulnerability with unspecified
	// severity.
	MaximumFixableSeverity string `json:"maximumFixableSeverity,omitempty"`
	// MaximumUnfixableSeverity: Required. The threshold for severity for which
	// a fix isn't currently available. This field is required and must be set.
	//
	// Possible values:
	//   "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" - Not specified.
	//   "BLOCK_ALL" - Block any vulnerability.
	//   "MINIMAL" - Allow only minimal severity.
	//   "LOW" - Allow only low severity and lower.
	//   "MEDIUM" - Allow medium severity and lower.
	//   "HIGH" - Allow high severity and lower.
	//   "CRITICAL" - Allow critical severity and lower.
	//   "ALLOW_ALL" - Allow all severity, even vulnerability with unspecified
	// severity.
	MaximumUnfixableSeverity string `json:"maximumUnfixableSeverity,omitempty"`
	// ForceSendFields lists field names (e.g. "AllowedCves") that are always
	// included in API requests. Fields with empty or default values are omitted
	// by default. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields lists field names (e.g. "AllowedCves") that are sent in API
	// requests with the JSON null value. Fields with empty values are omitted
	// by default. See https://pkg.go.dev/google.golang.org/api#hdr-NullFields
	// for more details.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s through gensupport.MarshalJSON, handing it the
// ForceSendFields and NullFields lists.
func (s *VulnerabilityCheck) MarshalJSON() ([]byte, error) {
	// NoMethod has the same fields as VulnerabilityCheck but none of its
	// methods.
	type NoMethod VulnerabilityCheck
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// ProjectsGetPolicyCall carries the state GetPolicy and the option setters
// below accumulate for one request.
type ProjectsGetPolicyCall struct {
	s            *Service
	name         string
	urlParams_   gensupport.URLParams
	ifNoneMatch_ string
	ctx_         context.Context
	header_      http.Header
}

// GetPolicy: A policy specifies the attestors that must attest to a container
// image, before the project is allowed to deploy that image. There is at most
// one policy per project. All image admission requests are permitted if a
// project has no policy. Gets the policy for this project. Returns a default
// policy if the project does not have one.
//
// Per the description above, a project without a policy admits every image,
// so a default policy in the response is worth telling apart from one that
// was configured on purpose.
//
//   - name: The resource name of the policy to retrieve, in the format
//     `projects/*/policy`.
func (r *ProjectsService) GetPolicy(name string) *ProjectsGetPolicyCall {
	return &ProjectsGetPolicyCall{
		s:          r.s,
		name:       name,
		urlParams_: make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsGetPolicyCall) Fields(s ...googleapi.Field) *ProjectsGetPolicyCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// IfNoneMatch sets an optional parameter which makes the operation fail if the
// object's ETag matches the given value. This is useful for getting updates
// only after the object has changed since the last request.
func (c *ProjectsGetPolicyCall) IfNoneMatch(entityTag string) *ProjectsGetPolicyCall {
	c.ifNoneMatch_ = entityTag
	return c
}

// Context sets the context to be used in this call's Do method.
func (c *ProjectsGetPolicyCall) Context(ctx context.Context) *ProjectsGetPolicyCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsGetPolicyCall) Header() http.Header {
	// The map is created on first use and kept on the call, so later edits by
	// the caller are seen by doRequest.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the GET request for "v1/{+name}" and sends it with the
// call's context and the service's HTTP client. alt is written to the "alt"
// query parameter.
func (c *ProjectsGetPolicyCall) doRequest(alt string) (*http.Response, error) {
	hdrs := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	if etag := c.ifNoneMatch_; etag != "" {
		hdrs.Set("If-None-Match", etag)
	}
	var payload io.Reader // a GET sends no body
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}")
	endpoint += "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("GET", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdrs
	// NOTE(review): c.name fills the {+name} template. How Expand escapes it is
	// not visible here, so a name taken from external input should be checked
	// against the documented `projects/*/policy` format by the caller.
	expansions := map[string]string{
		"name": c.name,
	}
	googleapi.Expand(req.URL, expansions)
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.getPolicy" call.
// Any non-2xx status code is an error. Response headers are in either
// *Policy.ServerResponse.Header or (if a response was returned at all) in
// error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsGetPolicyCall) Do(opts ...googleapi.CallOption) (*Policy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 response is turned into an error before err itself is examined.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{
			Code:   resp.StatusCode,
			Header: resp.Header,
		}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if checkErr := googleapi.CheckResponse(resp); checkErr != nil {
		return nil, gensupport.WrapError(checkErr)
	}
	out := &Policy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the *Policy, as in the generated code.
	if decodeErr := gensupport.DecodeResponse(&out, resp); decodeErr != nil {
		return nil, decodeErr
	}
	return out, nil
}

// ProjectsUpdatePolicyCall carries the state UpdatePolicy and the option
// setters below accumulate for one request.
type ProjectsUpdatePolicyCall struct {
	s          *Service
	name       string
	policy     *Policy
	urlParams_ gensupport.URLParams
	ctx_       context.Context
	header_    http.Header
}

// UpdatePolicy: Creates or updates a project's policy, and returns a copy of
// the new policy. A policy is always updated as a whole, to avoid race
// conditions with concurrent policy enforcement (or management!) requests.
// Returns `NOT_FOUND` if the project does not exist, `INVALID_ARGUMENT` if the
// request is malformed.
//
// Because the policy is replaced as a whole, the policy passed here should be
// the complete intended policy rather than a partial change.
//
//   - name: Output only. The resource name, in the format `projects/*/policy`.
//     There is at most one policy per project.
func (r *ProjectsService) UpdatePolicy(name string, policy *Policy) *ProjectsUpdatePolicyCall {
	return &ProjectsUpdatePolicyCall{
		s:          r.s,
		name:       name,
		policy:     policy,
		urlParams_: make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsUpdatePolicyCall) Fields(s ...googleapi.Field) *ProjectsUpdatePolicyCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// Context sets the context to be used in this call's Do method.
func (c *ProjectsUpdatePolicyCall) Context(ctx context.Context) *ProjectsUpdatePolicyCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsUpdatePolicyCall) Header() http.Header {
	// The map is created on first use and kept on the call, so later edits by
	// the caller are seen by doRequest.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest serialises the policy as the JSON body of a PUT to "v1/{+name}"
// and sends it with the call's context and the service's HTTP client. alt is
// written to the "alt" query parameter.
func (c *ProjectsUpdatePolicyCall) doRequest(alt string) (*http.Response, error) {
	hdrs := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	var payload io.Reader
	payload, err := googleapi.WithoutDataWrapper.JSONReader(c.policy)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}")
	endpoint += "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("PUT", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdrs
	// NOTE(review): c.name fills the {+name} template. How Expand escapes it is
	// not visible here, so a name taken from external input should be checked
	// against the documented `projects/*/policy` format by the caller.
	expansions := map[string]string{
		"name": c.name,
	}
	googleapi.Expand(req.URL, expansions)
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.updatePolicy" call.
// Any non-2xx status code is an error. Response headers are in either
// *Policy.ServerResponse.Header or (if a response was returned at all) in
// error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsUpdatePolicyCall) Do(opts ...googleapi.CallOption) (*Policy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 response is turned into an error before err itself is examined.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{
			Code:   resp.StatusCode,
			Header: resp.Header,
		}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if checkErr := googleapi.CheckResponse(resp); checkErr != nil {
		return nil, gensupport.WrapError(checkErr)
	}
	out := &Policy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the *Policy, as in the generated code.
	if decodeErr := gensupport.DecodeResponse(&out, resp); decodeErr != nil {
		return nil, decodeErr
	}
	return out, nil
}

// ProjectsAttestorsCreateCall carries the state Create and the option setters
// below accumulate for one request.
type ProjectsAttestorsCreateCall struct {
	s          *Service
	parent     string
	attestor   *Attestor
	urlParams_ gensupport.URLParams
	ctx_       context.Context
	header_    http.Header
}

// Create: Creates an attestor, and returns a copy of the new attestor. Returns
// `NOT_FOUND` if the project does not exist, `INVALID_ARGUMENT` if the request
// is malformed, `ALREADY_EXISTS` if the attestor already exists.
//
// - parent: The parent of this attestor.
func (r *ProjectsAttestorsService) Create(parent string, attestor *Attestor) *ProjectsAttestorsCreateCall {
	return &ProjectsAttestorsCreateCall{
		s:          r.s,
		parent:     parent,
		attestor:   attestor,
		urlParams_: make(gensupport.URLParams),
	}
}

// AttestorId sets the optional parameter "attestorId": Required. The
// attestor's ID.
func (c *ProjectsAttestorsCreateCall) AttestorId(attestorId string) *ProjectsAttestorsCreateCall {
	// The ID travels as a query parameter; urlParams_ is encoded in doRequest.
	c.urlParams_.Set("attestorId", attestorId)
	return c
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsAttestorsCreateCall) Fields(s ...googleapi.Field) *ProjectsAttestorsCreateCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// Context sets the context to be used in this call's Do method.
func (c *ProjectsAttestorsCreateCall) Context(ctx context.Context) *ProjectsAttestorsCreateCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsAttestorsCreateCall) Header() http.Header {
	// The map is created on first use and kept on the call, so later edits by
	// the caller are seen by doRequest.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest serialises the attestor as the JSON body of a POST to
// "v1/{+parent}/attestors" and sends it with the call's context and the
// service's HTTP client. alt is written to the "alt" query parameter.
func (c *ProjectsAttestorsCreateCall) doRequest(alt string) (*http.Response, error) {
	hdrs := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	var payload io.Reader
	payload, err := googleapi.WithoutDataWrapper.JSONReader(c.attestor)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+parent}/attestors")
	endpoint += "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("POST", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdrs
	// NOTE(review): c.parent fills the {+parent} template. How Expand escapes
	// it is not visible here, so a parent taken from external input should be
	// validated by the caller before it reaches this call.
	expansions := map[string]string{
		"parent": c.parent,
	}
	googleapi.Expand(req.URL, expansions)
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.attestors.create" call.
// Any non-2xx status code is an error. Response headers are in either
// *Attestor.ServerResponse.Header or (if a response was returned at all) in
// error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsAttestorsCreateCall) Do(opts ...googleapi.CallOption) (*Attestor, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 response is turned into an error before err itself is examined.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{
			Code:   resp.StatusCode,
			Header: resp.Header,
		}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if checkErr := googleapi.CheckResponse(resp); checkErr != nil {
		return nil, gensupport.WrapError(checkErr)
	}
	out := &Attestor{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the *Attestor, as in the generated
	// code.
	if decodeErr := gensupport.DecodeResponse(&out, resp); decodeErr != nil {
		return nil, decodeErr
	}
	return out, nil
}

// ProjectsAttestorsDeleteCall carries the state Delete and the option setters
// below accumulate for one request.
type ProjectsAttestorsDeleteCall struct {
	s          *Service
	name       string
	urlParams_ gensupport.URLParams
	ctx_       context.Context
	header_    http.Header
}

// Delete: Deletes an attestor. Returns `NOT_FOUND` if the attestor does not
// exist.
//
//   - name: The name of the attestors to delete, in the format
//     `projects/*/attestors/*`.
func (r *ProjectsAttestorsService) Delete(name string) *ProjectsAttestorsDeleteCall {
	return &ProjectsAttestorsDeleteCall{
		s:          r.s,
		name:       name,
		urlParams_: make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsAttestorsDeleteCall) Fields(s ...googleapi.Field) *ProjectsAttestorsDeleteCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// Context sets the context to be used in this call's Do method.
func (c *ProjectsAttestorsDeleteCall) Context(ctx context.Context) *ProjectsAttestorsDeleteCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsAttestorsDeleteCall) Header() http.Header {
	// The map is created on first use and kept on the call, so later edits by
	// the caller are seen by doRequest.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the DELETE request for "v1/{+name}" and sends it with the
// call's context and the service's HTTP client. alt is written to the "alt"
// query parameter.
func (c *ProjectsAttestorsDeleteCall) doRequest(alt string) (*http.Response, error) {
	hdrs := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	var payload io.Reader // this DELETE sends no body
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}")
	endpoint += "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("DELETE", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdrs
	// NOTE(review): c.name fills the {+name} template and selects what is
	// deleted. How Expand escapes it is not visible here, so a name taken from
	// external input should be checked against the documented
	// `projects/*/attestors/*` format by the caller.
	expansions := map[string]string{
		"name": c.name,
	}
	googleapi.Expand(req.URL, expansions)
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.attestors.delete" call.
// Any non-2xx status code is an error. Response headers are in either
// *Empty.ServerResponse.Header or (if a response was returned at all) in
// error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsAttestorsDeleteCall) Do(opts ...googleapi.CallOption) (*Empty, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 response is turned into an error before err itself is examined.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{
			Code:   resp.StatusCode,
			Header: resp.Header,
		}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if checkErr := googleapi.CheckResponse(resp); checkErr != nil {
		return nil, gensupport.WrapError(checkErr)
	}
	out := &Empty{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the *Empty, as in the generated code.
	if decodeErr := gensupport.DecodeResponse(&out, resp); decodeErr != nil {
		return nil, decodeErr
	}
	return out, nil
}

// ProjectsAttestorsGetCall carries the state Get and the option setters below
// accumulate for one request.
type ProjectsAttestorsGetCall struct {
	s            *Service
	name         string
	urlParams_   gensupport.URLParams
	ifNoneMatch_ string
	ctx_         context.Context
	header_      http.Header
}

// Get: Gets an attestor. Returns `NOT_FOUND` if the attestor does not exist.
//
//   - name: The name of the attestor to retrieve, in the format
//     `projects/*/attestors/*`.
func (r *ProjectsAttestorsService) Get(name string) *ProjectsAttestorsGetCall {
	return &ProjectsAttestorsGetCall{
		s:          r.s,
		name:       name,
		urlParams_: make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsAttestorsGetCall) Fields(s ...googleapi.Field) *ProjectsAttestorsGetCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// IfNoneMatch sets an optional parameter which makes the operation fail if the
// object's ETag matches the given value. This is useful for getting updates
// only after the object has changed since the last request.
func (c *ProjectsAttestorsGetCall) IfNoneMatch(entityTag string) *ProjectsAttestorsGetCall {
	// Kept on the call; doRequest turns a non-empty value into the
	// If-None-Match request header.
	c.ifNoneMatch_ = entityTag
	return c
}

// Context records the context that this call's Do method will use.
func (c *ProjectsAttestorsGetCall) Context(ctx context.Context) *ProjectsAttestorsGetCall {
	c.ctx_ = ctx
	return c
}

// Header exposes the extra request headers of this call as a mutable
// http.Header. The map is allocated the first time it is asked for.
func (c *ProjectsAttestorsGetCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the GET request for this call and sends it. alt is written
// to the "alt" query parameter.
func (c *ProjectsAttestorsGetCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	if c.ifNoneMatch_ != "" {
		hdr.Set("If-None-Match", c.ifNoneMatch_)
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	// The path is still a template here; c.name is substituted by
	// googleapi.Expand below. NOTE(review): {+name} looks like a reserved-style
	// expansion that keeps "/" unescaped, so a name assembled from untrusted
	// input should be checked against `projects/*/attestors/*` first.
	target := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("GET", target, nil)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"name": c.name})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do sends the "binaryauthorization.projects.attestors.get" request and
// returns the decoded *Attestor. Every non-2xx status is reported as an error.
// Response headers are available in Attestor.ServerResponse.Header on success,
// or in error.(*googleapi.Error).Header when a response came back at all.
// googleapi.IsNotModified tells whether the error stands for
// http.StatusNotModified.
func (c *ProjectsAttestorsGetCall) Do(opts ...googleapi.CallOption) (*Attestor, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 is examined before err, and its body is closed by hand because
	// the deferred close further down is never reached on this path.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &Attestor{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the result pointer.
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsAttestorsGetIamPolicyCall carries the state of one pending
// "binaryauthorization.projects.attestors.getIamPolicy" request: the service
// whose BasePath, client and user agent are used, the resource expanded into
// the URL path, the query parameters, an optional If-None-Match value, the
// context and any caller-supplied headers.
type ProjectsAttestorsGetIamPolicyCall struct {
	s            *Service
	resource     string
	urlParams_   gensupport.URLParams
	ifNoneMatch_ string
	ctx_         context.Context
	header_      http.Header
}

// GetIamPolicy prepares a call that reads the access control policy of a
// resource. The API returns an empty policy if the resource exists and does
// not have a policy set. The constructor only fills in the call value, no
// request is made here.
//
//   - resource: REQUIRED: The resource for which the policy is being requested.
//     See Resource names (https://cloud.google.com/apis/design/resource_names)
//     for the appropriate value for this field.
func (r *ProjectsAttestorsService) GetIamPolicy(resource string) *ProjectsAttestorsGetIamPolicyCall {
	return &ProjectsAttestorsGetIamPolicyCall{
		s:          r.s,
		resource:   resource,
		urlParams_: make(gensupport.URLParams),
	}
}

// OptionsRequestedPolicyVersion sets the optional parameter
// "options.requestedPolicyVersion": the maximum policy version that will be
// used to format the policy. Valid values are 0, 1, and 3; requests specifying
// an invalid value are rejected. Requests for policies with any conditional
// role bindings must specify version 3, while policies without them may
// specify any valid value or leave the field unset. The policy in the response
// might use the requested version or a lower one: if version 3 is requested
// but the policy has no conditional role bindings, the response uses
// version 1. To learn which resources support conditions in their IAM
// policies, see the IAM documentation
// (https://cloud.google.com/iam/help/conditions/resource-policies).
//
// NOTE(review): for a read-modify-write of the policy, requesting version 3
// looks like the safe default, since the text above ties conditional bindings
// to that version; confirm against the IAM documentation.
func (c *ProjectsAttestorsGetIamPolicyCall) OptionsRequestedPolicyVersion(optionsRequestedPolicyVersion int64) *ProjectsAttestorsGetIamPolicyCall {
	version := strconv.FormatInt(optionsRequestedPolicyVersion, 10)
	c.urlParams_.Set("options.requestedPolicyVersion", version)
	return c
}

// Fields restricts the response to the listed fields (partial response). See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsAttestorsGetIamPolicyCall) Fields(s ...googleapi.Field) *ProjectsAttestorsGetIamPolicyCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// IfNoneMatch sets an optional parameter which makes the operation fail if the
// object's ETag matches the given value, so that a caller only receives the
// object after it has changed since the last request. The value is stored on
// the call and sent as the If-None-Match header when it is not empty.
func (c *ProjectsAttestorsGetIamPolicyCall) IfNoneMatch(entityTag string) *ProjectsAttestorsGetIamPolicyCall {
	c.ifNoneMatch_ = entityTag
	return c
}

// Context records the context that this call's Do method will use.
func (c *ProjectsAttestorsGetIamPolicyCall) Context(ctx context.Context) *ProjectsAttestorsGetIamPolicyCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsAttestorsGetIamPolicyCall) Header() http.Header {
	// The map is allocated the first time it is asked for.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the GET request for this call and sends it. alt is written
// to the "alt" query parameter.
func (c *ProjectsAttestorsGetIamPolicyCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	if c.ifNoneMatch_ != "" {
		hdr.Set("If-None-Match", c.ifNoneMatch_)
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	// The path is still a template here; c.resource is substituted by
	// googleapi.Expand below. NOTE(review): {+resource} looks like a
	// reserved-style expansion that keeps "/" unescaped, so a resource name
	// assembled from untrusted input should be validated before it is handed
	// to this call.
	target := googleapi.ResolveRelative(c.s.BasePath, "v1/{+resource}:getIamPolicy") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("GET", target, nil)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"resource": c.resource})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do sends the "binaryauthorization.projects.attestors.getIamPolicy" request
// and returns the decoded *IamPolicy. Every non-2xx status is reported as an
// error. Response headers are available in IamPolicy.ServerResponse.Header on
// success, or in error.(*googleapi.Error).Header when a response came back at
// all. googleapi.IsNotModified tells whether the error stands for
// http.StatusNotModified.
func (c *ProjectsAttestorsGetIamPolicyCall) Do(opts ...googleapi.CallOption) (*IamPolicy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 is examined before err, and its body is closed by hand because
	// the deferred close further down is never reached on this path.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &IamPolicy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the result pointer.
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsAttestorsListCall carries the state of one pending
// "binaryauthorization.projects.attestors.list" request: the service whose
// BasePath, client and user agent are used, the parent project expanded into
// the URL path, the query parameters (including paging), an optional
// If-None-Match value, the context and any caller-supplied headers.
type ProjectsAttestorsListCall struct {
	s            *Service
	parent       string
	urlParams_   gensupport.URLParams
	ifNoneMatch_ string
	ctx_         context.Context
	header_      http.Header
}

// List prepares a call that lists attestors; the API answers
// `INVALID_ARGUMENT` if the project does not exist. The constructor only fills
// in the call value, no request is made here.
//
//   - parent: The resource name of the project associated with the attestors, in
//     the format `projects/*`.
func (r *ProjectsAttestorsService) List(parent string) *ProjectsAttestorsListCall {
	return &ProjectsAttestorsListCall{
		s:          r.s,
		parent:     parent,
		urlParams_: make(gensupport.URLParams),
	}
}

// PageSize sets the optional parameter "pageSize": the requested page size.
// The server may return fewer results than requested, and picks an
// appropriate default when the parameter is unspecified.
func (c *ProjectsAttestorsListCall) PageSize(pageSize int64) *ProjectsAttestorsListCall {
	size := strconv.FormatInt(pageSize, 10)
	c.urlParams_.Set("pageSize", size)
	return c
}

// PageToken sets the optional parameter "pageToken": a token identifying the
// page of results the server should return. Typically, this is the value of
// ListAttestorsResponse.next_page_token returned from the previous call to the
// `ListAttestors` method.
func (c *ProjectsAttestorsListCall) PageToken(pageToken string) *ProjectsAttestorsListCall {
	c.urlParams_.Set("pageToken", pageToken)
	return c
}

// Fields restricts the response to the listed fields (partial response). See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsAttestorsListCall) Fields(s ...googleapi.Field) *ProjectsAttestorsListCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// IfNoneMatch sets an optional parameter which makes the operation fail if the
// object's ETag matches the given value, so that a caller only receives the
// object after it has changed since the last request. The value is stored on
// the call and sent as the If-None-Match header when it is not empty.
func (c *ProjectsAttestorsListCall) IfNoneMatch(entityTag string) *ProjectsAttestorsListCall {
	c.ifNoneMatch_ = entityTag
	return c
}

// Context records the context that this call's Do method will use.
func (c *ProjectsAttestorsListCall) Context(ctx context.Context) *ProjectsAttestorsListCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsAttestorsListCall) Header() http.Header {
	// The map is allocated the first time it is asked for.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the GET request for this call and sends it. alt is written
// to the "alt" query parameter.
func (c *ProjectsAttestorsListCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	if c.ifNoneMatch_ != "" {
		hdr.Set("If-None-Match", c.ifNoneMatch_)
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	// The path is still a template here; c.parent is substituted by
	// googleapi.Expand below. NOTE(review): {+parent} looks like a
	// reserved-style expansion that keeps "/" unescaped, so a parent assembled
	// from untrusted input should be checked against `projects/*` first.
	target := googleapi.ResolveRelative(c.s.BasePath, "v1/{+parent}/attestors") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("GET", target, nil)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"parent": c.parent})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do sends the "binaryauthorization.projects.attestors.list" request and
// returns the decoded *ListAttestorsResponse. Every non-2xx status is reported
// as an error. Response headers are available in
// ListAttestorsResponse.ServerResponse.Header on success, or in
// error.(*googleapi.Error).Header when a response came back at all.
// googleapi.IsNotModified tells whether the error stands for
// http.StatusNotModified.
func (c *ProjectsAttestorsListCall) Do(opts ...googleapi.CallOption) (*ListAttestorsResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 is examined before err, and its body is closed by hand because
	// the deferred close further down is never reached on this path.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &ListAttestorsResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the result pointer.
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// Pages calls f once per page of results and stops at the first non-nil error
// returned by Do or by f. The ctx argument replaces any context set earlier
// through the Context method. The loop ends only on an error or when a page
// has an empty NextPageToken, so cancelling ctx is the caller's way to bound
// it.
func (c *ProjectsAttestorsListCall) Pages(ctx context.Context, f func(*ListAttestorsResponse) error) error {
	c.ctx_ = ctx
	// The page token in effect on entry is captured now and put back when
	// Pages returns.
	initial := c.urlParams_.Get("pageToken")
	defer c.PageToken(initial)
	for {
		page, err := c.Do()
		if err != nil {
			return err
		}
		if err := f(page); err != nil {
			return err
		}
		if page.NextPageToken == "" {
			return nil
		}
		c.PageToken(page.NextPageToken)
	}
}

// ProjectsAttestorsSetIamPolicyCall carries the state of one pending
// "binaryauthorization.projects.attestors.setIamPolicy" request: the service
// whose BasePath, client and user agent are used, the resource expanded into
// the URL path, the request body, the query parameters, the context and any
// caller-supplied headers.
type ProjectsAttestorsSetIamPolicyCall struct {
	s                   *Service
	resource            string
	setiampolicyrequest *SetIamPolicyRequest
	urlParams_          gensupport.URLParams
	ctx_                context.Context
	header_             http.Header
}

// SetIamPolicy prepares a call that sets the access control policy on the
// specified resource. The new policy replaces any existing policy, so
// bindings that are absent from the request do not survive the call. The API
// can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
//
// NOTE(review): because the write is a replacement, callers normally read the
// current policy with GetIamPolicy and send back an edited copy; confirm
// whether SetIamPolicyRequest carries an etag to guard against concurrent
// writers.
//
//   - resource: REQUIRED: The resource for which the policy is being specified.
//     See Resource names (https://cloud.google.com/apis/design/resource_names)
//     for the appropriate value for this field.
func (r *ProjectsAttestorsService) SetIamPolicy(resource string, setiampolicyrequest *SetIamPolicyRequest) *ProjectsAttestorsSetIamPolicyCall {
	return &ProjectsAttestorsSetIamPolicyCall{
		s:                   r.s,
		resource:            resource,
		setiampolicyrequest: setiampolicyrequest,
		urlParams_:          make(gensupport.URLParams),
	}
}

// Fields restricts the response to the listed fields (partial response). See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsAttestorsSetIamPolicyCall) Fields(s ...googleapi.Field) *ProjectsAttestorsSetIamPolicyCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// Context records the context that this call's Do method will use.
func (c *ProjectsAttestorsSetIamPolicyCall) Context(ctx context.Context) *ProjectsAttestorsSetIamPolicyCall {
	c.ctx_ = ctx
	return c
}

// Header exposes the extra request headers of this call as a mutable
// http.Header. The map is allocated the first time it is asked for.
func (c *ProjectsAttestorsSetIamPolicyCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest encodes the SetIamPolicyRequest as JSON, builds the POST request
// for this call and sends it. alt is written to the "alt" query parameter.
func (c *ProjectsAttestorsSetIamPolicyCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	// The body is encoded first; an encoding failure returns before any
	// request is built.
	body, err := googleapi.WithoutDataWrapper.JSONReader(c.setiampolicyrequest)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	// c.resource is substituted into the path by googleapi.Expand below.
	// NOTE(review): {+resource} looks like a reserved-style expansion that
	// keeps "/" unescaped; validate resource names that come from untrusted
	// input, since this call rewrites who may access the resource.
	target := googleapi.ResolveRelative(c.s.BasePath, "v1/{+resource}:setIamPolicy") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("POST", target, body)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"resource": c.resource})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do sends the "binaryauthorization.projects.attestors.setIamPolicy" request
// and returns the decoded *IamPolicy. Every non-2xx status is reported as an
// error. Response headers are available in IamPolicy.ServerResponse.Header on
// success, or in error.(*googleapi.Error).Header when a response came back at
// all. googleapi.IsNotModified tells whether the error stands for
// http.StatusNotModified.
func (c *ProjectsAttestorsSetIamPolicyCall) Do(opts ...googleapi.CallOption) (*IamPolicy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 is examined before err, and its body is closed by hand because
	// the deferred close further down is never reached on this path.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &IamPolicy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the result pointer.
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsAttestorsTestIamPermissionsCall carries the state of one pending
// "binaryauthorization.projects.attestors.testIamPermissions" request: the
// service whose BasePath, client and user agent are used, the resource
// expanded into the URL path, the request body, the query parameters, the
// context and any caller-supplied headers.
type ProjectsAttestorsTestIamPermissionsCall struct {
	s                         *Service
	resource                  string
	testiampermissionsrequest *TestIamPermissionsRequest
	urlParams_                gensupport.URLParams
	ctx_                      context.Context
	header_                   http.Header
}

// TestIamPermissions prepares a call that returns the permissions a caller
// has on the specified resource. If the resource does not exist, the API
// returns an empty set of permissions, not a `NOT_FOUND` error.
//
// Note: This operation is designed to be used for building permission-aware
// UIs and command-line tools, not for authorization checking. This operation
// may "fail open" without warning, so its answer must not be the basis of an
// access decision.
//
//   - resource: REQUIRED: The resource for which the policy detail is being
//     requested. See Resource names
//     (https://cloud.google.com/apis/design/resource_names) for the appropriate
//     value for this field.
func (r *ProjectsAttestorsService) TestIamPermissions(resource string, testiampermissionsrequest *TestIamPermissionsRequest) *ProjectsAttestorsTestIamPermissionsCall {
	return &ProjectsAttestorsTestIamPermissionsCall{
		s:                         r.s,
		resource:                  resource,
		testiampermissionsrequest: testiampermissionsrequest,
		urlParams_:                make(gensupport.URLParams),
	}
}

// Fields restricts the response to the listed fields (partial response). See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsAttestorsTestIamPermissionsCall) Fields(s ...googleapi.Field) *ProjectsAttestorsTestIamPermissionsCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// Context records the context that this call's Do method will use.
func (c *ProjectsAttestorsTestIamPermissionsCall) Context(ctx context.Context) *ProjectsAttestorsTestIamPermissionsCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsAttestorsTestIamPermissionsCall) Header() http.Header {
	// The map is allocated the first time it is asked for.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest encodes the TestIamPermissionsRequest as JSON, builds the POST
// request for this call and sends it. alt is written to the "alt" query
// parameter.
func (c *ProjectsAttestorsTestIamPermissionsCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	// The body is encoded first; an encoding failure returns before any
	// request is built.
	body, err := googleapi.WithoutDataWrapper.JSONReader(c.testiampermissionsrequest)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	// c.resource is substituted into the path by googleapi.Expand below.
	// NOTE(review): {+resource} looks like a reserved-style expansion that
	// keeps "/" unescaped; validate resource names that come from untrusted
	// input.
	target := googleapi.ResolveRelative(c.s.BasePath, "v1/{+resource}:testIamPermissions") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("POST", target, body)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"resource": c.resource})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do sends the "binaryauthorization.projects.attestors.testIamPermissions"
// request and returns the decoded *TestIamPermissionsResponse. Every non-2xx
// status is reported as an error. Response headers are available in
// TestIamPermissionsResponse.ServerResponse.Header on success, or in
// error.(*googleapi.Error).Header when a response came back at all.
// googleapi.IsNotModified tells whether the error stands for
// http.StatusNotModified.
func (c *ProjectsAttestorsTestIamPermissionsCall) Do(opts ...googleapi.CallOption) (*TestIamPermissionsResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 is examined before err, and its body is closed by hand because
	// the deferred close further down is never reached on this path.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &TestIamPermissionsResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the result pointer.
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsAttestorsUpdateCall carries the state of one pending
// "binaryauthorization.projects.attestors.update" request: the service whose
// BasePath, client and user agent are used, the attestor name, the Attestor
// sent as the request body, the query parameters, the context and any
// caller-supplied headers.
type ProjectsAttestorsUpdateCall struct {
	s          *Service
	name       string
	attestor   *Attestor
	urlParams_ gensupport.URLParams
	ctx_       context.Context
	header_    http.Header
}

// Update prepares a call that updates an attestor; the API answers
// `NOT_FOUND` if the attestor does not exist. The constructor only fills in
// the call value, no request is made here.
//
//   - name: The resource name, in the format: `projects/*/attestors/*`. This
//     field may not be updated.
func (r *ProjectsAttestorsService) Update(name string, attestor *Attestor) *ProjectsAttestorsUpdateCall {
	return &ProjectsAttestorsUpdateCall{
		s:          r.s,
		name:       name,
		attestor:   attestor,
		urlParams_: make(gensupport.URLParams),
	}
}

// Fields restricts the response to the listed fields (partial response). See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsAttestorsUpdateCall) Fields(s ...googleapi.Field) *ProjectsAttestorsUpdateCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// Context sets the context to be used in this call's Do method.
func (c *ProjectsAttestorsUpdateCall) Context(ctx context.Context) *ProjectsAttestorsUpdateCall {
	// Only recorded here; doRequest passes it on to gensupport.SendRequest.
	c.ctx_ = ctx
	return c
}

// Header exposes the extra request headers of this call as a mutable
// http.Header. The map is allocated the first time it is asked for.
func (c *ProjectsAttestorsUpdateCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest encodes the Attestor as JSON, builds the PUT request for this
// call and sends it. alt is written to the "alt" query parameter.
func (c *ProjectsAttestorsUpdateCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	// The body is encoded first; an encoding failure returns before any
	// request is built.
	body, err := googleapi.WithoutDataWrapper.JSONReader(c.attestor)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	// c.name is substituted into the path by googleapi.Expand below.
	// NOTE(review): {+name} looks like a reserved-style expansion that keeps
	// "/" unescaped; validate names that come from untrusted input. The verb
	// is PUT, so the supplied Attestor presumably replaces the stored one as a
	// whole; confirm before sending a partially filled value.
	target := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("PUT", target, body)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"name": c.name})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do sends the "binaryauthorization.projects.attestors.update" request and
// returns the decoded *Attestor. Every non-2xx status is reported as an error.
// Response headers are available in Attestor.ServerResponse.Header on success,
// or in error.(*googleapi.Error).Header when a response came back at all.
// googleapi.IsNotModified tells whether the error stands for
// http.StatusNotModified.
func (c *ProjectsAttestorsUpdateCall) Do(opts ...googleapi.CallOption) (*Attestor, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 is examined before err, and its body is closed by hand because
	// the deferred close further down is never reached on this path.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &Attestor{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the result pointer.
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsAttestorsValidateAttestationOccurrenceCall carries the state of one
// pending "binaryauthorization.projects.attestors.validateAttestationOccurrence"
// request: the service whose BasePath, client and user agent are used, the
// attestor name expanded into the URL path, the request body, the query
// parameters, the context and any caller-supplied headers.
type ProjectsAttestorsValidateAttestationOccurrenceCall struct {
	s                                    *Service
	attestor                             string
	validateattestationoccurrencerequest *ValidateAttestationOccurrenceRequest
	urlParams_                           gensupport.URLParams
	ctx_                                 context.Context
	header_                              http.Header
}

// ValidateAttestationOccurrence prepares a call that returns whether the
// given `Attestation` for the given image URI was signed by the given
// `Attestor`. The answer arrives in the response of Do, so a call that
// completes without an error is not by itself a positive verdict.
//
//   - attestor: The resource name of the Attestor of the occurrence, in the
//     format `projects/*/attestors/*`.
func (r *ProjectsAttestorsService) ValidateAttestationOccurrence(attestor string, validateattestationoccurrencerequest *ValidateAttestationOccurrenceRequest) *ProjectsAttestorsValidateAttestationOccurrenceCall {
	return &ProjectsAttestorsValidateAttestationOccurrenceCall{
		s:                                    r.s,
		attestor:                             attestor,
		validateattestationoccurrencerequest: validateattestationoccurrencerequest,
		urlParams_:                           make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsAttestorsValidateAttestationOccurrenceCall) Fields(s ...googleapi.Field) *ProjectsAttestorsValidateAttestationOccurrenceCall {
	// The selected fields travel in the "fields" query parameter.
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// Context records the context that this call's Do method will use.
func (c *ProjectsAttestorsValidateAttestationOccurrenceCall) Context(ctx context.Context) *ProjectsAttestorsValidateAttestationOccurrenceCall {
	c.ctx_ = ctx
	return c
}

// Header exposes the extra request headers of this call as a mutable
// http.Header. The map is allocated the first time it is asked for.
func (c *ProjectsAttestorsValidateAttestationOccurrenceCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest encodes the ValidateAttestationOccurrenceRequest as JSON, builds
// the POST request for this call and sends it. alt is written to the "alt"
// query parameter.
func (c *ProjectsAttestorsValidateAttestationOccurrenceCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	// The body is encoded first; an encoding failure returns before any
	// request is built.
	body, err := googleapi.WithoutDataWrapper.JSONReader(c.validateattestationoccurrencerequest)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	// c.attestor is substituted into the path by googleapi.Expand below.
	// NOTE(review): {+attestor} looks like a reserved-style expansion that
	// keeps "/" unescaped; since the attestor named here decides which signer
	// the check is made against, an attestor name taken from untrusted input
	// should be validated or pinned by the caller.
	target := googleapi.ResolveRelative(c.s.BasePath, "v1/{+attestor}:validateAttestationOccurrence") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("POST", target, body)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"attestor": c.attestor})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do sends the
// "binaryauthorization.projects.attestors.validateAttestationOccurrence"
// request and returns the decoded *ValidateAttestationOccurrenceResponse.
// Every non-2xx status is reported as an error. Response headers are
// available in ValidateAttestationOccurrenceResponse.ServerResponse.Header on
// success, or in error.(*googleapi.Error).Header when a response came back at
// all. googleapi.IsNotModified tells whether the error stands for
// http.StatusNotModified.
//
// A nil error shows only that the HTTP exchange succeeded and the body was
// decoded. NOTE(review): the validation outcome is presumably carried in the
// returned response; callers should inspect it before treating an image as
// attested.
func (c *ProjectsAttestorsValidateAttestationOccurrenceCall) Do(opts ...googleapi.CallOption) (*ValidateAttestationOccurrenceResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 is examined before err, and its body is closed by hand because
	// the deferred close further down is never reached on this path.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &ValidateAttestationOccurrenceResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// DecodeResponse receives a pointer to the result pointer.
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsPlatformsGkePoliciesEvaluateCall carries the state of one pending
// "binaryauthorization.projects.platforms.gke.policies.evaluate" request: the
// service whose BasePath, client and user agent are used, the policy name
// expanded into the URL path, the request body, the query parameters, the
// context and any caller-supplied headers.
type ProjectsPlatformsGkePoliciesEvaluateCall struct {
	s                        *Service
	name                     string
	evaluategkepolicyrequest *EvaluateGkePolicyRequest
	urlParams_               gensupport.URLParams
	ctx_                     context.Context
	header_                  http.Header
}

// Evaluate: Evaluates a Kubernetes object versus a GKE platform policy.
// Returns `NOT_FOUND` if the policy doesn't exist, `INVALID_ARGUMENT` if the
// policy or request is malformed and `PERMISSION_DENIED` if the client does
// not have sufficient permissions.
//
//   - name: The name of the platform policy to evaluate in the format
//     `projects/*/platforms/*/policies/*`.
func (r *ProjectsPlatformsGkePoliciesService) Evaluate(name string, evaluategkepolicyrequest *EvaluateGkePolicyRequest) *ProjectsPlatformsGkePoliciesEvaluateCall {
	// Only the arguments are recorded here; the request is sent by Do.
	return &ProjectsPlatformsGkePoliciesEvaluateCall{
		s:                        r.s,
		name:                     name,
		evaluategkepolicyrequest: evaluategkepolicyrequest,
		urlParams_:               make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsPlatformsGkePoliciesEvaluateCall) Fields(s ...googleapi.Field) *ProjectsPlatformsGkePoliciesEvaluateCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// Context sets the context to be used in this call's Do method. If it is
// never called, the request is sent with a nil context, so pass one with a
// deadline when the call has to be cancellable.
func (c *ProjectsPlatformsGkePoliciesEvaluateCall) Context(ctx context.Context) *ProjectsPlatformsGkePoliciesEvaluateCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request. The map is created on first use and is the call's
// own header set, not a copy.
func (c *ProjectsPlatformsGkePoliciesEvaluateCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the POST request for v1/{+name}:evaluate, with the
// EvaluateGkePolicyRequest as an application/json body, and sends it through
// the service's HTTP client.
//
// NOTE(review): c.name is expanded into the URL path without any validation
// in this method; check names that originate outside the program against the
// documented `projects/*/platforms/*/policies/*` form before building a call.
func (c *ProjectsPlatformsGkePoliciesEvaluateCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	payload, err := googleapi.WithoutDataWrapper.JSONReader(c.evaluategkepolicyrequest)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}:evaluate") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("POST", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"name": c.name})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.platforms.gke.policies.evaluate" call.
// Any non-2xx status code is an error. Response headers are in either
// *EvaluateGkePolicyResponse.ServerResponse.Header or (if a response was
// returned at all) in error.(*googleapi.Error).Header. Use
// googleapi.IsNotModified to check whether the returned error was because
// http.StatusNotModified was returned.
//
// NOTE(review): a nil error means the HTTP exchange succeeded and the body
// decoded; it does not by itself mean the object conforms to the policy. The
// evaluation outcome is presumably carried in the returned
// EvaluateGkePolicyResponse, and callers should fail closed on anything other
// than an explicit pass.
func (c *ProjectsPlatformsGkePoliciesEvaluateCall) Do(opts ...googleapi.CallOption) (*EvaluateGkePolicyResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// The 304 check comes before the plain error check and reports the
	// status as a wrapped *googleapi.Error carrying the response headers.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &EvaluateGkePolicyResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsPlatformsPoliciesCreateCall carries the parameters of one pending
// projects.platforms.policies.create request; Do sends it.
type ProjectsPlatformsPoliciesCreateCall struct {
	s              *Service
	parent         string
	platformpolicy *PlatformPolicy
	urlParams_     gensupport.URLParams
	ctx_           context.Context
	header_        http.Header
}

// Create: Creates a platform policy, and returns a copy of it. Returns
// `NOT_FOUND` if the project or platform doesn't exist, `INVALID_ARGUMENT` if
// the request is malformed, `ALREADY_EXISTS` if the policy already exists, and
// `INVALID_ARGUMENT` if the policy contains a platform-specific policy that
// does not match the platform value specified in the URL.
//
//   - parent: The parent of this platform policy.
func (r *ProjectsPlatformsPoliciesService) Create(parent string, platformpolicy *PlatformPolicy) *ProjectsPlatformsPoliciesCreateCall {
	// Only the arguments are recorded here; the request is sent by Do.
	return &ProjectsPlatformsPoliciesCreateCall{
		s:              r.s,
		parent:         parent,
		platformpolicy: platformpolicy,
		urlParams_:     make(gensupport.URLParams),
	}
}

// PolicyId sets the optional parameter "policyId": Required. The platform
// policy ID.
func (c *ProjectsPlatformsPoliciesCreateCall) PolicyId(policyId string) *ProjectsPlatformsPoliciesCreateCall {
	c.urlParams_.Set("policyId", policyId)
	return c
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsPlatformsPoliciesCreateCall) Fields(s ...googleapi.Field) *ProjectsPlatformsPoliciesCreateCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// Context sets the context to be used in this call's Do method. If it is
// never called, the request is sent with a nil context, so pass one with a
// deadline when the call has to be cancellable.
func (c *ProjectsPlatformsPoliciesCreateCall) Context(ctx context.Context) *ProjectsPlatformsPoliciesCreateCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsPlatformsPoliciesCreateCall) Header() http.Header {
	// The map is created on first use and returned as is, not as a copy.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the POST request for v1/{+parent}/policies, with the
// PlatformPolicy as an application/json body, and sends it through the
// service's HTTP client.
//
// NOTE(review): c.parent is expanded into the URL path without any validation
// in this method; check values that originate outside the program before
// building a call.
func (c *ProjectsPlatformsPoliciesCreateCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	payload, err := googleapi.WithoutDataWrapper.JSONReader(c.platformpolicy)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+parent}/policies") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("POST", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"parent": c.parent})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.platforms.policies.create" call.
// Any non-2xx status code is an error. Response headers are in either
// *PlatformPolicy.ServerResponse.Header or (if a response was returned at all)
// in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsPlatformsPoliciesCreateCall) Do(opts ...googleapi.CallOption) (*PlatformPolicy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// The 304 check comes before the plain error check and reports the
	// status as a wrapped *googleapi.Error carrying the response headers.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &PlatformPolicy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsPlatformsPoliciesDeleteCall carries the parameters of one pending
// projects.platforms.policies.delete request; Do sends it.
type ProjectsPlatformsPoliciesDeleteCall struct {
	s          *Service
	name       string
	urlParams_ gensupport.URLParams
	ctx_       context.Context
	header_    http.Header
}

// Delete: Deletes a platform policy. Returns `NOT_FOUND` if the policy doesn't
// exist.
//
//   - name: The name of the platform policy to delete, in the format
//     `projects/*/platforms/*/policies/*`.
func (r *ProjectsPlatformsPoliciesService) Delete(name string) *ProjectsPlatformsPoliciesDeleteCall {
	// Only the argument is recorded here; the request is sent by Do.
	return &ProjectsPlatformsPoliciesDeleteCall{
		s:          r.s,
		name:       name,
		urlParams_: make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsPlatformsPoliciesDeleteCall) Fields(s ...googleapi.Field) *ProjectsPlatformsPoliciesDeleteCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// Context sets the context to be used in this call's Do method.
func (c *ProjectsPlatformsPoliciesDeleteCall) Context(ctx context.Context) *ProjectsPlatformsPoliciesDeleteCall {
	// Without this call ctx_ stays nil and the request is sent with a nil
	// context.
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request. The map is created on first use and is the call's
// own header set, not a copy.
func (c *ProjectsPlatformsPoliciesDeleteCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the body-less DELETE request for v1/{+name} and sends it
// through the service's HTTP client.
//
// NOTE(review): c.name is expanded into the URL path without any validation
// in this method. Since the call deletes the named policy, check names that
// originate outside the program against the documented
// `projects/*/platforms/*/policies/*` form before building a call.
func (c *ProjectsPlatformsPoliciesDeleteCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("DELETE", endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"name": c.name})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.platforms.policies.delete" call.
// Any non-2xx status code is an error. Response headers are in either
// *Empty.ServerResponse.Header or (if a response was returned at all) in
// error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsPlatformsPoliciesDeleteCall) Do(opts ...googleapi.CallOption) (*Empty, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// The 304 check comes before the plain error check and reports the
	// status as a wrapped *googleapi.Error carrying the response headers.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &Empty{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsPlatformsPoliciesGetCall carries the parameters of one pending
// projects.platforms.policies.get request; Do sends it.
type ProjectsPlatformsPoliciesGetCall struct {
	s            *Service
	name         string
	urlParams_   gensupport.URLParams
	ifNoneMatch_ string
	ctx_         context.Context
	header_      http.Header
}

// Get: Gets a platform policy. Returns `NOT_FOUND` if the policy doesn't
// exist.
//
//   - name: The name of the platform policy to retrieve in the format
//     `projects/*/platforms/*/policies/*`.
func (r *ProjectsPlatformsPoliciesService) Get(name string) *ProjectsPlatformsPoliciesGetCall {
	// Only the argument is recorded here; the request is sent by Do.
	return &ProjectsPlatformsPoliciesGetCall{
		s:          r.s,
		name:       name,
		urlParams_: make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsPlatformsPoliciesGetCall) Fields(s ...googleapi.Field) *ProjectsPlatformsPoliciesGetCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// IfNoneMatch sets an optional parameter which makes the operation fail if the
// object's ETag matches the given value. This is useful for getting updates
// only after the object has changed since the last request. Do reports that
// case as an error for which googleapi.IsNotModified can be used.
func (c *ProjectsPlatformsPoliciesGetCall) IfNoneMatch(entityTag string) *ProjectsPlatformsPoliciesGetCall {
	c.ifNoneMatch_ = entityTag
	return c
}

// Context sets the context to be used in this call's Do method. If it is
// never called, the request is sent with a nil context, so pass one with a
// deadline when the call has to be cancellable.
func (c *ProjectsPlatformsPoliciesGetCall) Context(ctx context.Context) *ProjectsPlatformsPoliciesGetCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request. The map is created on first use and is the call's
// own header set, not a copy.
func (c *ProjectsPlatformsPoliciesGetCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the body-less GET request for v1/{+name}, adding an
// If-None-Match header when IfNoneMatch was set, and sends it through the
// service's HTTP client.
//
// NOTE(review): c.name is expanded into the URL path without any validation
// in this method; check names that originate outside the program against the
// documented `projects/*/platforms/*/policies/*` form before building a call.
func (c *ProjectsPlatformsPoliciesGetCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	if etag := c.ifNoneMatch_; etag != "" {
		hdr.Set("If-None-Match", etag)
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("GET", endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"name": c.name})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.platforms.policies.get" call.
// Any non-2xx status code is an error. Response headers are in either
// *PlatformPolicy.ServerResponse.Header or (if a response was returned at all)
// in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsPlatformsPoliciesGetCall) Do(opts ...googleapi.CallOption) (*PlatformPolicy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// The 304 check comes before the plain error check and reports the
	// status as a wrapped *googleapi.Error carrying the response headers.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &PlatformPolicy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsPlatformsPoliciesListCall carries the parameters of one pending
// projects.platforms.policies.list request; Do sends it.
type ProjectsPlatformsPoliciesListCall struct {
	s            *Service
	parent       string
	urlParams_   gensupport.URLParams
	ifNoneMatch_ string
	ctx_         context.Context
	header_      http.Header
}

// List: Lists platform policies owned by a project in the specified platform.
// Returns `INVALID_ARGUMENT` if the project or the platform doesn't exist.
//
//   - parent: The resource name of the platform associated with the platform
//     policies using the format `projects/*/platforms/*`.
func (r *ProjectsPlatformsPoliciesService) List(parent string) *ProjectsPlatformsPoliciesListCall {
	// Only the argument is recorded here; the request is sent by Do.
	return &ProjectsPlatformsPoliciesListCall{
		s:          r.s,
		parent:     parent,
		urlParams_: make(gensupport.URLParams),
	}
}

// PageSize sets the optional parameter "pageSize": Requested page size. The
// server may return fewer results than requested. If unspecified, the server
// picks an appropriate default.
func (c *ProjectsPlatformsPoliciesListCall) PageSize(pageSize int64) *ProjectsPlatformsPoliciesListCall {
	size := fmt.Sprint(pageSize)
	c.urlParams_.Set("pageSize", size)
	return c
}

// PageToken sets the optional parameter "pageToken": A token identifying a
// page of results the server should return. Typically, this is the value of
// ListPlatformPoliciesResponse.next_page_token returned from the previous call
// to the `ListPlatformPolicies` method.
func (c *ProjectsPlatformsPoliciesListCall) PageToken(pageToken string) *ProjectsPlatformsPoliciesListCall {
	c.urlParams_.Set("pageToken", pageToken)
	return c
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsPlatformsPoliciesListCall) Fields(s ...googleapi.Field) *ProjectsPlatformsPoliciesListCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// IfNoneMatch sets an optional parameter which makes the operation fail if the
// object's ETag matches the given value. This is useful for getting updates
// only after the object has changed since the last request. Do reports that
// case as an error for which googleapi.IsNotModified can be used.
func (c *ProjectsPlatformsPoliciesListCall) IfNoneMatch(entityTag string) *ProjectsPlatformsPoliciesListCall {
	c.ifNoneMatch_ = entityTag
	return c
}

// Context sets the context to be used in this call's Do method. If it is
// never called, the request is sent with a nil context, so pass one with a
// deadline when the call has to be cancellable.
func (c *ProjectsPlatformsPoliciesListCall) Context(ctx context.Context) *ProjectsPlatformsPoliciesListCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsPlatformsPoliciesListCall) Header() http.Header {
	// The map is created on first use and returned as is, not as a copy.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the body-less GET request for v1/{+parent}/policies,
// adding an If-None-Match header when IfNoneMatch was set, and sends it
// through the service's HTTP client.
//
// NOTE(review): c.parent is expanded into the URL path without any validation
// in this method; check values that originate outside the program against the
// documented `projects/*/platforms/*` form before building a call.
func (c *ProjectsPlatformsPoliciesListCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	if etag := c.ifNoneMatch_; etag != "" {
		hdr.Set("If-None-Match", etag)
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+parent}/policies") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("GET", endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"parent": c.parent})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.platforms.policies.list" call.
// Any non-2xx status code is an error. Response headers are in either
// *ListPlatformPoliciesResponse.ServerResponse.Header or (if a response was
// returned at all) in error.(*googleapi.Error).Header. Use
// googleapi.IsNotModified to check whether the returned error was because
// http.StatusNotModified was returned.
func (c *ProjectsPlatformsPoliciesListCall) Do(opts ...googleapi.CallOption) (*ListPlatformPoliciesResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// The 304 check comes before the plain error check and reports the
	// status as a wrapped *googleapi.Error carrying the response headers.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &ListPlatformPoliciesResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// Pages invokes f for each page of results.
// A non-nil error returned from f will halt the iteration.
// The provided context supersedes any context provided to the Context method.
//
// The loop ends only on an error or when the server returns an empty
// NextPageToken, so f is the place to stop early if the caller wants a bound
// on the number of pages.
func (c *ProjectsPlatformsPoliciesListCall) Pages(ctx context.Context, f func(*ListPlatformPoliciesResponse) error) error {
	c.ctx_ = ctx
	// Put back the page token the call had before iteration started.
	defer c.PageToken(c.urlParams_.Get("pageToken"))
	for {
		page, err := c.Do()
		if err != nil {
			return err
		}
		if err := f(page); err != nil {
			return err
		}
		next := page.NextPageToken
		if next == "" {
			return nil
		}
		c.PageToken(next)
	}
}

// ProjectsPlatformsPoliciesReplacePlatformPolicyCall carries the parameters of
// one pending projects.platforms.policies.replacePlatformPolicy request; Do
// sends it.
type ProjectsPlatformsPoliciesReplacePlatformPolicyCall struct {
	s              *Service
	name           string
	platformpolicy *PlatformPolicy
	urlParams_     gensupport.URLParams
	ctx_           context.Context
	header_        http.Header
}

// ReplacePlatformPolicy: Replaces a platform policy. Returns `NOT_FOUND` if
// the policy doesn't exist.
//
//   - name: Output only. The relative resource name of the Binary Authorization
//     platform policy, in the form of `projects/*/platforms/*/policies/*`.
func (r *ProjectsPlatformsPoliciesService) ReplacePlatformPolicy(name string, platformpolicy *PlatformPolicy) *ProjectsPlatformsPoliciesReplacePlatformPolicyCall {
	// Only the arguments are recorded here; the request is sent by Do.
	return &ProjectsPlatformsPoliciesReplacePlatformPolicyCall{
		s:              r.s,
		name:           name,
		platformpolicy: platformpolicy,
		urlParams_:     make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsPlatformsPoliciesReplacePlatformPolicyCall) Fields(s ...googleapi.Field) *ProjectsPlatformsPoliciesReplacePlatformPolicyCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// Context sets the context to be used in this call's Do method. If it is
// never called, the request is sent with a nil context, so pass one with a
// deadline when the call has to be cancellable.
func (c *ProjectsPlatformsPoliciesReplacePlatformPolicyCall) Context(ctx context.Context) *ProjectsPlatformsPoliciesReplacePlatformPolicyCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request. The map is created on first use and is the call's
// own header set, not a copy.
func (c *ProjectsPlatformsPoliciesReplacePlatformPolicyCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the PUT request for v1/{+name}, with the PlatformPolicy as
// an application/json body, and sends it through the service's HTTP client.
//
// NOTE(review): c.name is expanded into the URL path without any validation
// in this method. Since the call replaces the named policy, check names that
// originate outside the program against the documented
// `projects/*/platforms/*/policies/*` form before building a call.
func (c *ProjectsPlatformsPoliciesReplacePlatformPolicyCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	payload, err := googleapi.WithoutDataWrapper.JSONReader(c.platformpolicy)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("PUT", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"name": c.name})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.platforms.policies.replacePlatformPolicy" call.
// Any non-2xx status code is an error. Response headers are in either
// *PlatformPolicy.ServerResponse.Header or (if a response was returned at all)
// in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsPlatformsPoliciesReplacePlatformPolicyCall) Do(opts ...googleapi.CallOption) (*PlatformPolicy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// The 304 check comes before the plain error check and reports the
	// status as a wrapped *googleapi.Error carrying the response headers.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &PlatformPolicy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsPolicyGetIamPolicyCall carries the parameters of one pending
// projects.policy.getIamPolicy request; Do sends it.
type ProjectsPolicyGetIamPolicyCall struct {
	s            *Service
	resource     string
	urlParams_   gensupport.URLParams
	ifNoneMatch_ string
	ctx_         context.Context
	header_      http.Header
}

// GetIamPolicy: Gets the access control policy for a resource. Returns an
// empty policy if the resource exists and does not have a policy set.
//
//   - resource: REQUIRED: The resource for which the policy is being requested.
//     See Resource names (https://cloud.google.com/apis/design/resource_names)
//     for the appropriate value for this field.
func (r *ProjectsPolicyService) GetIamPolicy(resource string) *ProjectsPolicyGetIamPolicyCall {
	// Only the argument is recorded here; the request is sent by Do.
	return &ProjectsPolicyGetIamPolicyCall{
		s:          r.s,
		resource:   resource,
		urlParams_: make(gensupport.URLParams),
	}
}

// OptionsRequestedPolicyVersion sets the optional parameter
// "options.requestedPolicyVersion": The maximum policy version that will be
// used to format the policy. Valid values are 0, 1, and 3. Requests specifying
// an invalid value will be rejected. Requests for policies with any
// conditional role bindings must specify version 3. Policies with no
// conditional role bindings may specify any valid value or leave the field
// unset. The policy in the response might use the policy version that you
// specified, or it might use a lower policy version. For example, if you
// specify version 3, but the policy has no conditional role bindings, the
// response uses version 1. To learn which resources support conditions in
// their IAM policies, see the IAM documentation
// (https://cloud.google.com/iam/help/conditions/resource-policies).
func (c *ProjectsPolicyGetIamPolicyCall) OptionsRequestedPolicyVersion(optionsRequestedPolicyVersion int64) *ProjectsPolicyGetIamPolicyCall {
	version := fmt.Sprint(optionsRequestedPolicyVersion)
	c.urlParams_.Set("options.requestedPolicyVersion", version)
	return c
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsPolicyGetIamPolicyCall) Fields(s ...googleapi.Field) *ProjectsPolicyGetIamPolicyCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// IfNoneMatch sets an optional parameter which makes the operation fail if the
// object's ETag matches the given value. This is useful for getting updates
// only after the object has changed since the last request. Do reports that
// case as an error for which googleapi.IsNotModified can be used.
func (c *ProjectsPolicyGetIamPolicyCall) IfNoneMatch(entityTag string) *ProjectsPolicyGetIamPolicyCall {
	c.ifNoneMatch_ = entityTag
	return c
}

// Context sets the context to be used in this call's Do method. If it is
// never called, the request is sent with a nil context, so pass one with a
// deadline when the call has to be cancellable.
func (c *ProjectsPolicyGetIamPolicyCall) Context(ctx context.Context) *ProjectsPolicyGetIamPolicyCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request. The map is created on first use and is the call's
// own header set, not a copy.
func (c *ProjectsPolicyGetIamPolicyCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the body-less GET request for v1/{+resource}:getIamPolicy,
// adding an If-None-Match header when IfNoneMatch was set, and sends it
// through the service's HTTP client.
//
// NOTE(review): c.resource is expanded into the URL path without any
// validation in this method; check values that originate outside the program
// before building a call.
func (c *ProjectsPolicyGetIamPolicyCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	if etag := c.ifNoneMatch_; etag != "" {
		hdr.Set("If-None-Match", etag)
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+resource}:getIamPolicy") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("GET", endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"resource": c.resource})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.policy.getIamPolicy" call.
// Any non-2xx status code is an error. Response headers are in either
// *IamPolicy.ServerResponse.Header or (if a response was returned at all) in
// error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsPolicyGetIamPolicyCall) Do(opts ...googleapi.CallOption) (*IamPolicy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// The 304 check comes before the plain error check and reports the
	// status as a wrapped *googleapi.Error carrying the response headers.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &IamPolicy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsPolicySetIamPolicyCall carries the parameters of one pending
// projects.policy.setIamPolicy request; Do sends it.
type ProjectsPolicySetIamPolicyCall struct {
	s                   *Service
	resource            string
	setiampolicyrequest *SetIamPolicyRequest
	urlParams_          gensupport.URLParams
	ctx_                context.Context
	header_             http.Header
}

// SetIamPolicy: Sets the access control policy on the specified resource.
// Replaces any existing policy. Can return `NOT_FOUND`, `INVALID_ARGUMENT`,
// and `PERMISSION_DENIED` errors.
//
// NOTE(review): because the call replaces the whole policy, build the request
// from a fresh GetIamPolicy result rather than from scratch, so that existing
// bindings are not dropped unintentionally.
//
//   - resource: REQUIRED: The resource for which the policy is being specified.
//     See Resource names (https://cloud.google.com/apis/design/resource_names)
//     for the appropriate value for this field.
func (r *ProjectsPolicyService) SetIamPolicy(resource string, setiampolicyrequest *SetIamPolicyRequest) *ProjectsPolicySetIamPolicyCall {
	// Only the arguments are recorded here; the request is sent by Do.
	return &ProjectsPolicySetIamPolicyCall{
		s:                   r.s,
		resource:            resource,
		setiampolicyrequest: setiampolicyrequest,
		urlParams_:          make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsPolicySetIamPolicyCall) Fields(s ...googleapi.Field) *ProjectsPolicySetIamPolicyCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// Context sets the context to be used in this call's Do method. If it is
// never called, the request is sent with a nil context, so pass one with a
// deadline when the call has to be cancellable.
func (c *ProjectsPolicySetIamPolicyCall) Context(ctx context.Context) *ProjectsPolicySetIamPolicyCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request. The map is created on first use and is the call's
// own header set, not a copy.
func (c *ProjectsPolicySetIamPolicyCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the POST request for v1/{+resource}:setIamPolicy, with the
// SetIamPolicyRequest as an application/json body, and sends it through the
// service's HTTP client.
//
// NOTE(review): c.resource is expanded into the URL path without any
// validation in this method. Since the call rewrites access control on the
// named resource, check values that originate outside the program before
// building a call.
func (c *ProjectsPolicySetIamPolicyCall) doRequest(alt string) (*http.Response, error) {
	hdr := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	payload, err := googleapi.WithoutDataWrapper.JSONReader(c.setiampolicyrequest)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+resource}:setIamPolicy") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("POST", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	googleapi.Expand(req.URL, map[string]string{"resource": c.resource})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.policy.setIamPolicy" call.
// Any non-2xx status code is an error. Response headers are in either
// *IamPolicy.ServerResponse.Header or (if a response was returned at all) in
// error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was returned.
func (c *ProjectsPolicySetIamPolicyCall) Do(opts ...googleapi.CallOption) (*IamPolicy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// The 304 check comes before the plain error check and reports the
	// status as a wrapped *googleapi.Error carrying the response headers.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &IamPolicy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}

// ProjectsPolicyTestIamPermissionsCall carries the parameters of one pending
// projects.policy.testIamPermissions request; Do sends it.
type ProjectsPolicyTestIamPermissionsCall struct {
	s                         *Service
	resource                  string
	testiampermissionsrequest *TestIamPermissionsRequest
	urlParams_                gensupport.URLParams
	ctx_                      context.Context
	header_                   http.Header
}

// TestIamPermissions: Returns permissions that a caller has on the specified
// resource. If the resource does not exist, this will return an empty set of
// permissions, not a `NOT_FOUND` error. Note: This operation is designed to be
// used for building permission-aware UIs and command-line tools, not for
// authorization checking. This operation may "fail open" without warning.
//
// Because of that fail-open behaviour, the result must not be used as an
// access decision; an empty set also does not distinguish a missing resource
// from missing permissions.
//
//   - resource: REQUIRED: The resource for which the policy detail is being
//     requested. See Resource names
//     (https://cloud.google.com/apis/design/resource_names) for the appropriate
//     value for this field.
func (r *ProjectsPolicyService) TestIamPermissions(resource string, testiampermissionsrequest *TestIamPermissionsRequest) *ProjectsPolicyTestIamPermissionsCall {
	// Only the arguments are recorded here; the request is sent by Do.
	return &ProjectsPolicyTestIamPermissionsCall{
		s:                         r.s,
		resource:                  resource,
		testiampermissionsrequest: testiampermissionsrequest,
		urlParams_:                make(gensupport.URLParams),
	}
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *ProjectsPolicyTestIamPermissionsCall) Fields(s ...googleapi.Field) *ProjectsPolicyTestIamPermissionsCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// Context sets the context to be used in this call's Do method. If it is
// never called, the request is sent with a nil context, so pass one with a
// deadline when the call has to be cancellable.
func (c *ProjectsPolicyTestIamPermissionsCall) Context(ctx context.Context) *ProjectsPolicyTestIamPermissionsCall {
	c.ctx_ = ctx
	return c
}

// Header returns a http.Header that can be modified by the caller to add
// headers to the request.
func (c *ProjectsPolicyTestIamPermissionsCall) Header() http.Header {
	// Created lazily; the map itself is returned, not a copy.
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the POST request for testIamPermissions and sends it
// through gensupport.SendRequest. alt is written to the "alt" URL parameter.
//
// NOTE(review): "{+resource}" appears to be a reserved expansion, which would
// leave "/" in c.resource unescaped. A resource name built from untrusted
// input should be validated by the caller before it reaches this call;
// confirm against googleapi.Expand.
func (c *ProjectsPolicyTestIamPermissionsCall) doRequest(alt string) (*http.Response, error) {
	hdrs := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)

	var (
		payload io.Reader
		err     error
	)
	// The request struct becomes the JSON body of the POST.
	if payload, err = googleapi.WithoutDataWrapper.JSONReader(c.testiampermissionsrequest); err != nil {
		return nil, err
	}

	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+resource}:testIamPermissions") + "?" + c.urlParams_.Encode()

	req, err := http.NewRequest("POST", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdrs
	// The template variable is filled in only after the URL has been parsed.
	googleapi.Expand(req.URL, map[string]string{"resource": c.resource})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.projects.policy.testIamPermissions" call.
// Any non-2xx status code is an error. Response headers are available in
// *TestIamPermissionsResponse.ServerResponse.Header on success, or in
// error.(*googleapi.Error).Header if a response was returned at all. Use
// googleapi.IsNotModified to check whether the returned error was caused by
// http.StatusNotModified.
//
// The API describes this operation as meant for permission-aware UIs and
// command-line tools and as able to "fail open" without warning, so the
// returned permission set should not be used as an authorization decision.
func (c *ProjectsPolicyTestIamPermissionsCall) Do(opts ...googleapi.CallOption) (*TestIamPermissionsResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	switch {
	case resp != nil && resp.StatusCode == http.StatusNotModified:
		// 304 is examined before err and reported as a wrapped *googleapi.Error.
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{
			Code:   resp.StatusCode,
			Header: resp.Header,
		}
		return nil, gensupport.WrapError(notModified)
	case err != nil:
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if checkErr := googleapi.CheckResponse(resp); checkErr != nil {
		return nil, gensupport.WrapError(checkErr)
	}
	perms := &TestIamPermissionsResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// The decoder receives a pointer to the result pointer.
	if decodeErr := gensupport.DecodeResponse(&perms, resp); decodeErr != nil {
		return nil, decodeErr
	}
	return perms, nil
}

// SystempolicyGetPolicyCall holds the state of one systempolicy.getPolicy
// request until Do sends it.
type SystempolicyGetPolicyCall struct {
	// s is the owning Service; doRequest reads its BasePath, client and
	// userAgent.
	s *Service
	// name fills the {+name} template variable of the request URL.
	name string
	// urlParams_ collects the query parameters ("fields", "alt", ...).
	urlParams_ gensupport.URLParams
	// ifNoneMatch_ is sent as the If-None-Match header when it is non-empty.
	ifNoneMatch_ string
	// ctx_ is set by Context and handed to gensupport.SendRequest.
	ctx_ context.Context
	// header_ is created lazily by Header.
	header_ http.Header
}

// GetPolicy: Gets the current system policy in the specified location.
//
//   - name: The resource name, in the format `locations/*/policy`. Note that the
//     system policy is not associated with a project.
func (r *SystempolicyService) GetPolicy(name string) *SystempolicyGetPolicyCall {
	// Only records the argument; nothing is sent until Do is called.
	return &SystempolicyGetPolicyCall{
		s:          r.s,
		urlParams_: make(gensupport.URLParams),
		name:       name,
	}
}

// Fields sets the "fields" URL parameter so that a partial response can be
// retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details.
func (c *SystempolicyGetPolicyCall) Fields(s ...googleapi.Field) *SystempolicyGetPolicyCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}

// IfNoneMatch sets an optional parameter which makes the operation fail if the
// object's ETag matches the given value. That lets a caller fetch the object
// only when it has changed since the last request. The value is sent as the
// If-None-Match request header.
func (c *SystempolicyGetPolicyCall) IfNoneMatch(entityTag string) *SystempolicyGetPolicyCall {
	c.ifNoneMatch_ = entityTag
	return c
}

// Context sets the context that this call's Do method passes to the
// transport.
//
// NOTE(review): this type attaches no deadline or cancellation of its own;
// callers that need a bounded call should supply a context that carries one.
func (c *SystempolicyGetPolicyCall) Context(ctx context.Context) *SystempolicyGetPolicyCall {
	c.ctx_ = ctx
	return c
}

// Header returns the call's http.Header, creating it on first use, so the
// caller can add headers to the request. The map itself is returned, not a
// copy.
func (c *SystempolicyGetPolicyCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds the GET request for systempolicy.getPolicy and sends it
// through gensupport.SendRequest. alt is written to the "alt" URL parameter.
//
// NOTE(review): "{+name}" appears to be a reserved expansion, which would
// leave "/" in c.name unescaped. A name built from untrusted input should be
// checked against the documented `locations/*/policy` format by the caller;
// confirm against googleapi.Expand.
func (c *SystempolicyGetPolicyCall) doRequest(alt string) (*http.Response, error) {
	hdrs := gensupport.SetHeaders(c.s.userAgent(), "", c.header_)
	if etag := c.ifNoneMatch_; etag != "" {
		hdrs.Set("If-None-Match", etag)
	}

	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/{+name}") + "?" + c.urlParams_.Encode()

	// The GET request carries no body.
	req, err := http.NewRequest("GET", endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header = hdrs
	// The template variable is filled in only after the URL has been parsed.
	googleapi.Expand(req.URL, map[string]string{"name": c.name})
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "binaryauthorization.systempolicy.getPolicy" call.
// Any non-2xx status code is an error. Response headers are available in
// *Policy.ServerResponse.Header on success, or in
// error.(*googleapi.Error).Header if a response was returned at all. Use
// googleapi.IsNotModified to check whether the returned error was caused by
// http.StatusNotModified.
func (c *SystempolicyGetPolicyCall) Do(opts ...googleapi.CallOption) (*Policy, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	switch {
	case resp != nil && resp.StatusCode == http.StatusNotModified:
		// 304 is examined before err and reported as a wrapped *googleapi.Error,
		// which is what a caller using IfNoneMatch sees for an unchanged policy.
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{
			Code:   resp.StatusCode,
			Header: resp.Header,
		}
		return nil, gensupport.WrapError(notModified)
	case err != nil:
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if checkErr := googleapi.CheckResponse(resp); checkErr != nil {
		return nil, gensupport.WrapError(checkErr)
	}
	policy := &Policy{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	// The decoder receives a pointer to the result pointer.
	if decodeErr := gensupport.DecodeResponse(&policy, resp); decodeErr != nil {
		return nil, decodeErr
	}
	return policy, nil
}