googleapis

/// <reference types="node" /> import { OAuth2Client, JWT, Compute, UserRefreshClient, BaseExternalAccountClient, GaxiosPromise, GoogleConfigurable, MethodOptions, StreamMethodOptions, GlobalOptions, GoogleAuth, BodyResponseCallback, APIRequestContext } from 'googleapis-common'; import { Readable } from 'stream'; export declare namespace privateca_v1 { export interface Options extends GlobalOptions { version: 'v1'; } interface StandardParameters { /** * Auth client or API Key for the request */ auth?: string | OAuth2Client | JWT | Compute | UserRefreshClient | BaseExternalAccountClient | GoogleAuth; /** * V1 error format. */ '$.xgafv'?: string; /** * OAuth access token. */ access_token?: string; /** * Data format for response. */ alt?: string; /** * JSONP */ callback?: string; /** * Selector specifying which fields to include in a partial response. */ fields?: string; /** * API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token. */ key?: string; /** * OAuth 2.0 token for the current user. */ oauth_token?: string; /** * Returns response with indentations and line breaks. */ prettyPrint?: boolean; /** * Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. */ quotaUser?: string; /** * Legacy upload protocol for media (e.g. "media", "multipart"). */ uploadType?: string; /** * Upload protocol for media (e.g. "raw", "multipart"). */ upload_protocol?: string; } /** * Certificate Authority API * * The Certificate Authority Service API is a highly-available, scalable service that enables you to simplify and automate the management of private certificate authorities (CAs) while staying in control of your private keys. * * @example * ```js * const {google} = require('googleapis'); * const privateca = google.privateca('v1'); * ``` */ export class Privateca { context: APIRequestContext; projects: Resource$Projects; constructor(options: GlobalOptions, google?: GoogleConfigurable); } /** * URLs where a CertificateAuthority will publish content. */ export interface Schema$AccessUrls { /** * The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated. */ caCertificateAccessUrl?: string | null; /** * The URLs where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated. */ crlAccessUrls?: string[] | null; } /** * Request message for CertificateAuthorityService.ActivateCertificateAuthority. */ export interface Schema$ActivateCertificateAuthorityRequest { /** * Required. The signed CA certificate issued from FetchCertificateAuthorityCsrResponse.pem_csr. */ pemCaCertificate?: string | null; /** * Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). */ requestId?: string | null; /** * Required. Must include information about the issuer of 'pem_ca_certificate', and any further issuers until the self-signed CA. */ subordinateConfig?: Schema$SubordinateConfig; } /** * Describes a "type" of key that may be used in a Certificate issued from a CaPool. Note that a single AllowedKeyType may refer to either a fully-qualified key algorithm, such as RSA 4096, or a family of key algorithms, such as any RSA key. */ export interface Schema$AllowedKeyType { /** * Represents an allowed Elliptic Curve key type. */ ellipticCurve?: Schema$EcKeyType; /** * Represents an allowed RSA key type. */ rsa?: Schema$RsaKeyType; } /** * Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] \}, { "log_type": "DATA_WRITE" \}, { "log_type": "ADMIN_READ" \} ] \}, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" \}, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] \} ] \} ] \} For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts `jose@example.com` from DATA_READ logging, and `aliya@example.com` from DATA_WRITE logging. */ export interface Schema$AuditConfig { /** * The configuration for logging of each type of permission. */ auditLogConfigs?: Schema$AuditLogConfig[]; /** * Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services. */ service?: string | null; } /** * Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] \}, { "log_type": "DATA_WRITE" \} ] \} This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging. */ export interface Schema$AuditLogConfig { /** * Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members. */ exemptedMembers?: string[] | null; /** * The log type that this config enables. */ logType?: string | null; } /** * Associates `members`, or principals, with a `role`. */ export interface Schema$Binding { /** * The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). */ condition?: Schema$Expr; /** * Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid\}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid\}`: An email address that represents a Google service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid\}.svc.id.goog[{namespace\}/{kubernetes-sa\}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid\}`: An email address that represents a Google group. For example, `admins@example.com`. * `domain:{domain\}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. * `deleted:user:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid\}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid\}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid\}` and the recovered group retains the role in the binding. */ members?: string[] | null; /** * Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. */ role?: string | null; } /** * The request message for Operations.CancelOperation. */ export interface Schema$CancelOperationRequest { } /** * Describes values that are relevant in a CA certificate. */ export interface Schema$CaOptions { /** * Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate. */ isCa?: boolean | null; /** * Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate. */ maxIssuerPathLength?: number | null; } /** * A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor. */ export interface Schema$CaPool { /** * Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool. */ issuancePolicy?: Schema$IssuancePolicy; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Output only. The resource name for this CaPool in the format `projects/x/locations/x/caPools/x`. */ name?: string | null; /** * Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. */ publishingOptions?: Schema$PublishingOptions; /** * Required. Immutable. The Tier of this CaPool. */ tier?: string | null; } export interface Schema$CertChain { /** * The certificates that form the CA chain, from leaf to root order. */ certificates?: string[] | null; } /** * A Certificate corresponds to a signed X.509 certificate issued by a CertificateAuthority. */ export interface Schema$Certificate { /** * Output only. A structured description of the issued X.509 certificate. */ certificateDescription?: Schema$CertificateDescription; /** * Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format `projects/x/locations/x/certificateTemplates/x`. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. */ certificateTemplate?: string | null; /** * Immutable. A description of the certificate and key that does not require X.509 or ASN.1. */ config?: Schema$CertificateConfig; /** * Output only. The time at which this Certificate was created. */ createTime?: string | null; /** * Output only. The resource name of the issuing CertificateAuthority in the format `projects/x/locations/x/caPools/x/certificateAuthorities/x`. */ issuerCertificateAuthority?: string | null; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Required. Immutable. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain. */ lifetime?: string | null; /** * Output only. The resource name for this Certificate in the format `projects/x/locations/x/caPools/x/certificates/x`. */ name?: string | null; /** * Output only. The pem-encoded, signed X.509 certificate. */ pemCertificate?: string | null; /** * Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246. */ pemCertificateChain?: string[] | null; /** * Immutable. A pem-encoded X.509 certificate signing request (CSR). */ pemCsr?: string | null; /** * Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. */ revocationDetails?: Schema$RevocationDetails; /** * Immutable. Specifies how the Certificate's identity fields are to be decided. If this is omitted, the `DEFAULT` subject mode will be used. */ subjectMode?: string | null; /** * Output only. The time at which this Certificate was updated. */ updateTime?: string | null; } /** * A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates. */ export interface Schema$CertificateAuthority { /** * Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs. */ accessUrls?: Schema$AccessUrls; /** * Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root. */ caCertificateDescriptions?: Schema$CertificateDescription[]; /** * Required. Immutable. The config used to create a self-signed X.509 certificate or CSR. */ config?: Schema$CertificateConfig; /** * Output only. The time at which this CertificateAuthority was created. */ createTime?: string | null; /** * Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state. */ deleteTime?: string | null; /** * Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state. */ expireTime?: string | null; /** * Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named `my-bucket`, you would simply specify `my-bucket`. If not specified, a managed bucket will be created. */ gcsBucket?: string | null; /** * Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. */ keySpec?: Schema$KeyVersionSpec; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. */ lifetime?: string | null; /** * Output only. The resource name for this CertificateAuthority in the format `projects/x/locations/x/caPools/x/certificateAuthorities/x`. */ name?: string | null; /** * Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate. */ pemCaCertificates?: string[] | null; /** * Output only. The State for this CertificateAuthority. */ state?: string | null; /** * Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate. */ subordinateConfig?: Schema$SubordinateConfig; /** * Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority. */ tier?: string | null; /** * Required. Immutable. The Type of this CertificateAuthority. */ type?: string | null; /** * Output only. The time at which this CertificateAuthority was last updated. */ updateTime?: string | null; } /** * A CertificateConfig describes an X.509 certificate or CSR that is to be created, as an alternative to using ASN.1. */ export interface Schema$CertificateConfig { /** * Optional. The public key that corresponds to this config. This is, for example, used when issuing Certificates, but not when creating a self-signed CertificateAuthority or CertificateAuthority CSR. */ publicKey?: Schema$PublicKey; /** * Required. Specifies some of the values in a certificate that are related to the subject. */ subjectConfig?: Schema$SubjectConfig; /** * Required. Describes how some of the technical X.509 fields in a certificate should be populated. */ x509Config?: Schema$X509Parameters; } /** * A CertificateDescription describes an X.509 certificate or CSR that has been issued, as an alternative to using ASN.1 / X.509. */ export interface Schema$CertificateDescription { /** * Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate. */ aiaIssuingCertificateUrls?: string[] | null; /** * Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 */ authorityKeyId?: Schema$KeyId; /** * The hash of the x.509 certificate. */ certFingerprint?: Schema$CertificateFingerprint; /** * Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13 */ crlDistributionPoints?: string[] | null; /** * The public key that corresponds to an issued certificate. */ publicKey?: Schema$PublicKey; /** * Describes some of the values in a certificate that are related to the subject and lifetime. */ subjectDescription?: Schema$SubjectDescription; /** * Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. */ subjectKeyId?: Schema$KeyId; /** * Describes some of the technical X.509 fields in a certificate. */ x509Description?: Schema$X509Parameters; } /** * Describes a set of X.509 extensions that may be part of some certificate issuance controls. */ export interface Schema$CertificateExtensionConstraints { /** * Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions. */ additionalExtensions?: Schema$ObjectId[]; /** * Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions. */ knownExtensions?: string[] | null; } /** * A group of fingerprints for the x509 certificate. */ export interface Schema$CertificateFingerprint { /** * The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate. */ sha256Hash?: string | null; } /** * Describes constraints on a Certificate's Subject and SubjectAltNames. */ export interface Schema$CertificateIdentityConstraints { /** * Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. */ allowSubjectAltNamesPassthrough?: boolean | null; /** * Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. */ allowSubjectPassthrough?: boolean | null; /** * Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel */ celExpression?: Schema$Expr; } /** * A CertificateRevocationList corresponds to a signed X.509 certificate Revocation List (CRL). A CRL contains the serial numbers of certificates that should no longer be trusted. */ export interface Schema$CertificateRevocationList { /** * Output only. The location where 'pem_crl' can be accessed. */ accessUrl?: string | null; /** * Output only. The time at which this CertificateRevocationList was created. */ createTime?: string | null; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Output only. The resource name for this CertificateRevocationList in the format `projects/x/locations/x/caPools/xcertificateAuthorities/x/ certificateRevocationLists/x`. */ name?: string | null; /** * Output only. The PEM-encoded X.509 CRL. */ pemCrl?: string | null; /** * Output only. The revision ID of this CertificateRevocationList. A new revision is committed whenever a new CRL is published. The format is an 8-character hexadecimal string. */ revisionId?: string | null; /** * Output only. The revoked serial numbers that appear in pem_crl. */ revokedCertificates?: Schema$RevokedCertificate[]; /** * Output only. The CRL sequence number that appears in pem_crl. */ sequenceNumber?: string | null; /** * Output only. The State for this CertificateRevocationList. */ state?: string | null; /** * Output only. The time at which this CertificateRevocationList was updated. */ updateTime?: string | null; } /** * A CertificateTemplate refers to a managed template for certificate issuance. */ export interface Schema$CertificateTemplate { /** * Output only. The time at which this CertificateTemplate was created. */ createTime?: string | null; /** * Optional. A human-readable description of scenarios this template is intended for. */ description?: string | null; /** * Optional. Describes constraints on identities that may be appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity. */ identityConstraints?: Schema$CertificateIdentityConstraints; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Output only. The resource name for this CertificateTemplate in the format `projects/x/locations/x/certificateTemplates/x`. */ name?: string | null; /** * Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baseline_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values. */ passthroughExtensions?: Schema$CertificateExtensionConstraints; /** * Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail. */ predefinedValues?: Schema$X509Parameters; /** * Output only. The time at which this CertificateTemplate was updated. */ updateTime?: string | null; } /** * Request message for CertificateAuthorityService.DisableCertificateAuthority. */ export interface Schema$DisableCertificateAuthorityRequest { /** * Optional. This field allows this CA to be disabled even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resource(s) since the CA will no longer be able to issue certificates. */ ignoreDependentResources?: boolean | null; /** * Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). */ requestId?: string | null; } /** * Describes an Elliptic Curve key that may be used in a Certificate issued from a CaPool. */ export interface Schema$EcKeyType { /** * Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed. */ signatureAlgorithm?: string | null; } /** * A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); \} */ export interface Schema$Empty { } /** * Request message for CertificateAuthorityService.EnableCertificateAuthority. */ export interface Schema$EnableCertificateAuthorityRequest { /** * Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). */ requestId?: string | null; } /** * Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. */ export interface Schema$Expr { /** * Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. */ description?: string | null; /** * Textual representation of an expression in Common Expression Language syntax. */ expression?: string | null; /** * Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. */ location?: string | null; /** * Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. */ title?: string | null; } /** * KeyUsage.ExtendedKeyUsageOptions has fields that correspond to certain common OIDs that could be specified as an extended key usage value. */ export interface Schema$ExtendedKeyUsageOptions { /** * Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. */ clientAuth?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". */ codeSigning?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". */ emailProtection?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses". */ ocspSigning?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. */ serverAuth?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". */ timeStamping?: boolean | null; } /** * Request message for CertificateAuthorityService.FetchCaCerts. */ export interface Schema$FetchCaCertsRequest { /** * Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). */ requestId?: string | null; } /** * Response message for CertificateAuthorityService.FetchCaCerts. */ export interface Schema$FetchCaCertsResponse { /** * The PEM encoded CA certificate chains of all ACTIVE CertificateAuthority resources in this CaPool. */ caCerts?: Schema$CertChain[]; } /** * Response message for CertificateAuthorityService.FetchCertificateAuthorityCsr. */ export interface Schema$FetchCertificateAuthorityCsrResponse { /** * Output only. The PEM-encoded signed certificate signing request (CSR). */ pemCsr?: string | null; } /** * IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. */ export interface Schema$IssuanceModes { /** * Optional. When true, allows callers to create Certificates by specifying a CertificateConfig. */ allowConfigBasedIssuance?: boolean | null; /** * Optional. When true, allows callers to create Certificates by specifying a CSR. */ allowCsrBasedIssuance?: boolean | null; } /** * Defines controls over all certificate issuance within a CaPool. */ export interface Schema$IssuancePolicy { /** * Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates. */ allowedIssuanceModes?: Schema$IssuanceModes; /** * Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. */ allowedKeyTypes?: Schema$AllowedKeyType[]; /** * Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail. */ baselineValues?: Schema$X509Parameters; /** * Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. */ identityConstraints?: Schema$CertificateIdentityConstraints; /** * Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it. */ maximumLifetime?: string | null; /** * Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values. */ passthroughExtensions?: Schema$CertificateExtensionConstraints; } /** * A KeyId identifies a specific public key, usually by hashing the public key. */ export interface Schema$KeyId { /** * Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key. */ keyId?: string | null; } /** * A KeyUsage describes key usage values that may appear in an X.509 certificate. */ export interface Schema$KeyUsage { /** * Describes high-level ways in which a key may be used. */ baseKeyUsage?: Schema$KeyUsageOptions; /** * Detailed scenarios in which a key may be used. */ extendedKeyUsage?: Schema$ExtendedKeyUsageOptions; /** * Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message. */ unknownExtendedKeyUsages?: Schema$ObjectId[]; } /** * KeyUsage.KeyUsageOptions corresponds to the key usage values described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3. */ export interface Schema$KeyUsageOptions { /** * The key may be used to sign certificates. */ certSign?: boolean | null; /** * The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". */ contentCommitment?: boolean | null; /** * The key may be used sign certificate revocation lists. */ crlSign?: boolean | null; /** * The key may be used to encipher data. */ dataEncipherment?: boolean | null; /** * The key may be used to decipher only. */ decipherOnly?: boolean | null; /** * The key may be used for digital signatures. */ digitalSignature?: boolean | null; /** * The key may be used to encipher only. */ encipherOnly?: boolean | null; /** * The key may be used in a key agreement protocol. */ keyAgreement?: boolean | null; /** * The key may be used to encipher other keys. */ keyEncipherment?: boolean | null; } /** * A Cloud KMS key configuration that a CertificateAuthority will use. */ export interface Schema$KeyVersionSpec { /** * The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as `HSM`. */ algorithm?: string | null; /** * The resource name for an existing Cloud KMS CryptoKeyVersion in the format `projects/x/locations/x/keyRings/x/cryptoKeys/x/cryptoKeyVersions/x`. This option enables full flexibility in the key's capabilities and properties. */ cloudKmsKeyVersion?: string | null; } /** * Response message for CertificateAuthorityService.ListCaPools. */ export interface Schema$ListCaPoolsResponse { /** * The list of CaPools. */ caPools?: Schema$CaPool[]; /** * A token to retrieve next page of results. Pass this value in ListCertificateAuthoritiesRequest.next_page_token to retrieve the next page of results. */ nextPageToken?: string | null; /** * A list of locations (e.g. "us-west1") that could not be reached. */ unreachable?: string[] | null; } /** * Response message for CertificateAuthorityService.ListCertificateAuthorities. */ export interface Schema$ListCertificateAuthoritiesResponse { /** * The list of CertificateAuthorities. */ certificateAuthorities?: Schema$CertificateAuthority[]; /** * A token to retrieve next page of results. Pass this value in ListCertificateAuthoritiesRequest.next_page_token to retrieve the next page of results. */ nextPageToken?: string | null; /** * A list of locations (e.g. "us-west1") that could not be reached. */ unreachable?: string[] | null; } /** * Response message for CertificateAuthorityService.ListCertificateRevocationLists. */ export interface Schema$ListCertificateRevocationListsResponse { /** * The list of CertificateRevocationLists. */ certificateRevocationLists?: Schema$CertificateRevocationList[]; /** * A token to retrieve next page of results. Pass this value in ListCertificateRevocationListsRequest.next_page_token to retrieve the next page of results. */ nextPageToken?: string | null; /** * A list of locations (e.g. "us-west1") that could not be reached. */ unreachable?: string[] | null; } /** * Response message for CertificateAuthorityService.ListCertificates. */ export interface Schema$ListCertificatesResponse { /** * The list of Certificates. */ certificates?: Schema$Certificate[]; /** * A token to retrieve next page of results. Pass this value in ListCertificatesRequest.next_page_token to retrieve the next page of results. */ nextPageToken?: string | null; /** * A list of locations (e.g. "us-west1") that could not be reached. */ unreachable?: string[] | null; } /** * Response message for CertificateAuthorityService.ListCertificateTemplates. */ export interface Schema$ListCertificateTemplatesResponse { /** * The list of CertificateTemplates. */ certificateTemplates?: Schema$CertificateTemplate[]; /** * A token to retrieve next page of results. Pass this value in ListCertificateTemplatesRequest.next_page_token to retrieve the next page of results. */ nextPageToken?: string | null; /** * A list of locations (e.g. "us-west1") that could not be reached. */ unreachable?: string[] | null; } /** * The response message for Locations.ListLocations. */ export interface Schema$ListLocationsResponse { /** * A list of locations that matches the specified filter in the request. */ locations?: Schema$Location[]; /** * The standard List next-page token. */ nextPageToken?: string | null; } /** * The response message for Operations.ListOperations. */ export interface Schema$ListOperationsResponse { /** * The standard List next-page token. */ nextPageToken?: string | null; /** * A list of operations that matches the specified filter in the request. */ operations?: Schema$Operation[]; } /** * A resource that represents a Google Cloud location. */ export interface Schema$Location { /** * The friendly name for this location, typically a nearby city name. For example, "Tokyo". */ displayName?: string | null; /** * Cross-service attributes for the location. For example {"cloud.googleapis.com/region": "us-east1"\} */ labels?: { [key: string]: string; } | null; /** * The canonical id for this location. For example: `"us-east1"`. */ locationId?: string | null; /** * Service-specific metadata. For example the available capacity at the given location. */ metadata?: { [key: string]: any; } | null; /** * Resource name for the location, which may vary between implementations. For example: `"projects/example-project/locations/us-east1"` */ name?: string | null; } /** * Describes the X.509 name constraints extension, per https://tools.ietf.org/html/rfc5280#section-4.2.1.10 */ export interface Schema$NameConstraints { /** * Indicates whether or not the name constraints are marked critical. */ critical?: boolean | null; /** * Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not. */ excludedDnsNames?: string[] | null; /** * Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain. */ excludedEmailAddresses?: string[] | null; /** * Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. */ excludedIpRanges?: string[] | null; /** * Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`) */ excludedUris?: string[] | null; /** * Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not. */ permittedDnsNames?: string[] | null; /** * Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain. */ permittedEmailAddresses?: string[] | null; /** * Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. */ permittedIpRanges?: string[] | null; /** * Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`) */ permittedUris?: string[] | null; } /** * An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. */ export interface Schema$ObjectId { /** * Required. The parts of an OID path. The most significant parts of the path come first.