googleapis

import { OAuth2Client, JWT, Compute, UserRefreshClient, BaseExternalAccountClient, GaxiosResponseWithHTTP2, GoogleConfigurable, MethodOptions, StreamMethodOptions, GlobalOptions, GoogleAuth, BodyResponseCallback, APIRequestContext } from 'googleapis-common'; import { Readable } from 'stream'; export declare namespace privateca_v1 { export interface Options extends GlobalOptions { version: 'v1'; } interface StandardParameters { /** * Auth client or API Key for the request */ auth?: string | OAuth2Client | JWT | Compute | UserRefreshClient | BaseExternalAccountClient | GoogleAuth; /** * V1 error format. */ '$.xgafv'?: string; /** * OAuth access token. */ access_token?: string; /** * Data format for response. */ alt?: string; /** * JSONP */ callback?: string; /** * Selector specifying which fields to include in a partial response. */ fields?: string; /** * API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token. */ key?: string; /** * OAuth 2.0 token for the current user. */ oauth_token?: string; /** * Returns response with indentations and line breaks. */ prettyPrint?: boolean; /** * Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. */ quotaUser?: string; /** * Legacy upload protocol for media (e.g. "media", "multipart"). */ uploadType?: string; /** * Upload protocol for media (e.g. "raw", "multipart"). */ upload_protocol?: string; } /** * Certificate Authority API * * The Certificate Authority Service API is a highly-available, scalable service that enables you to simplify and automate the management of private certificate authorities (CAs) while staying in control of your private keys. * * @example * ```js * const {google} = require('googleapis'); * const privateca = google.privateca('v1'); * ``` */ export class Privateca { context: APIRequestContext; projects: Resource$Projects; constructor(options: GlobalOptions, google?: GoogleConfigurable); } /** * URLs where a CertificateAuthority will publish content. */ export interface Schema$AccessUrls { /** * The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated. */ caCertificateAccessUrl?: string | null; /** * The URLs where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated. */ crlAccessUrls?: string[] | null; } /** * Request message for CertificateAuthorityService.ActivateCertificateAuthority. */ export interface Schema$ActivateCertificateAuthorityRequest { /** * Required. The signed CA certificate issued from FetchCertificateAuthorityCsrResponse.pem_csr. */ pemCaCertificate?: string | null; /** * Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). */ requestId?: string | null; /** * Required. Must include information about the issuer of 'pem_ca_certificate', and any further issuers until the self-signed CA. */ subordinateConfig?: Schema$SubordinateConfig; } /** * Describes a "type" of key that may be used in a Certificate issued from a CaPool. Note that a single AllowedKeyType may refer to either a fully-qualified key algorithm, such as RSA 4096, or a family of key algorithms, such as any RSA key. */ export interface Schema$AllowedKeyType { /** * Represents an allowed Elliptic Curve key type. */ ellipticCurve?: Schema$EcKeyType; /** * Represents an allowed RSA key type. */ rsa?: Schema$RsaKeyType; } /** * AttributeTypeAndValue specifies an attribute type and value. It can use either a OID or enum value to specify the attribute type. */ export interface Schema$AttributeTypeAndValue { /** * Object ID for an attribute type of an attribute and value pair. */ objectId?: Schema$ObjectId; /** * The attribute type of the attribute and value pair. */ type?: string | null; /** * The value for the attribute type. */ value?: string | null; } /** * Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both `allServices` and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { "audit_configs": [ { "service": "allServices", "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] \}, { "log_type": "DATA_WRITE" \}, { "log_type": "ADMIN_READ" \} ] \}, { "service": "sampleservice.googleapis.com", "audit_log_configs": [ { "log_type": "DATA_READ" \}, { "log_type": "DATA_WRITE", "exempted_members": [ "user:aliya@example.com" ] \} ] \} ] \} For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts `jose@example.com` from DATA_READ logging, and `aliya@example.com` from DATA_WRITE logging. */ export interface Schema$AuditConfig { /** * The configuration for logging of each type of permission. */ auditLogConfigs?: Schema$AuditLogConfig[]; /** * Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services. */ service?: string | null; } /** * Provides the configuration for logging a type of permissions. Example: { "audit_log_configs": [ { "log_type": "DATA_READ", "exempted_members": [ "user:jose@example.com" ] \}, { "log_type": "DATA_WRITE" \} ] \} This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging. */ export interface Schema$AuditLogConfig { /** * Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members. */ exemptedMembers?: string[] | null; /** * The log type that this config enables. */ logType?: string | null; } /** * Associates `members`, or principals, with a `role`. */ export interface Schema$Binding { /** * The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). */ condition?: Schema$Expr; /** * Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid\}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid\}`: An email address that represents a Google service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid\}.svc.id.goog[{namespace\}/{kubernetes-sa\}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid\}`: An email address that represents a Google group. For example, `admins@example.com`. * `domain:{domain\}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/subject/{subject_attribute_value\}`: A single identity in a workforce identity pool. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/group/{group_id\}`: All workforce identities in a group. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/attribute.{attribute_name\}/{attribute_value\}`: All workforce identities with a specific attribute value. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/x`: All identities in a workforce identity pool. * `principal://iam.googleapis.com/projects/{project_number\}/locations/global/workloadIdentityPools/{pool_id\}/subject/{subject_attribute_value\}`: A single identity in a workload identity pool. * `principalSet://iam.googleapis.com/projects/{project_number\}/locations/global/workloadIdentityPools/{pool_id\}/group/{group_id\}`: A workload identity pool group. * `principalSet://iam.googleapis.com/projects/{project_number\}/locations/global/workloadIdentityPools/{pool_id\}/attribute.{attribute_name\}/{attribute_value\}`: All identities in a workload identity pool with a certain attribute. * `principalSet://iam.googleapis.com/projects/{project_number\}/locations/global/workloadIdentityPools/{pool_id\}/x`: All identities in a workload identity pool. * `deleted:user:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid\}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid\}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid\}?uid={uniqueid\}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid\}` and the recovered group retains the role in the binding. * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id\}/subject/{subject_attribute_value\}`: Deleted single identity in a workforce identity pool. For example, `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. */ members?: string[] | null; /** * Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For a list of the available pre-defined roles, see [here](https://cloud.google.com/iam/docs/understanding-roles). */ role?: string | null; } /** * The request message for Operations.CancelOperation. */ export interface Schema$CancelOperationRequest { } /** * Describes the X.509 basic constraints extension, per [RFC 5280 section 4.2.1.9](https://tools.ietf.org/html/rfc5280#section-4.2.1.9) */ export interface Schema$CaOptions { /** * Optional. Refers to the "CA" boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate. */ isCa?: boolean | null; /** * Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate. */ maxIssuerPathLength?: number | null; } /** * A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor. */ export interface Schema$CaPool { /** * Optional. When EncryptionSpec is provided, the Subject, SubjectAltNames, and the PEM-encoded certificate fields will be encrypted at rest. */ encryptionSpec?: Schema$EncryptionSpec; /** * Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool. */ issuancePolicy?: Schema$IssuancePolicy; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Identifier. The resource name for this CaPool in the format `projects/x/locations/x/caPools/x`. */ name?: string | null; /** * Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. */ publishingOptions?: Schema$PublishingOptions; /** * Required. Immutable. The Tier of this CaPool. */ tier?: string | null; } export interface Schema$CertChain { /** * The certificates that form the CA chain, from leaf to root order. */ certificates?: string[] | null; } /** * A Certificate corresponds to a signed X.509 certificate issued by a CertificateAuthority. */ export interface Schema$Certificate { /** * Output only. A structured description of the issued X.509 certificate. */ certificateDescription?: Schema$CertificateDescription; /** * Immutable. The resource name for a CertificateTemplate used to issue this certificate, in the format `projects/x/locations/x/certificateTemplates/x`. If this is specified, the caller must have the necessary permission to use this template. If this is omitted, no template will be used. This template must be in the same location as the Certificate. */ certificateTemplate?: string | null; /** * Immutable. A description of the certificate and key that does not require X.509 or ASN.1. */ config?: Schema$CertificateConfig; /** * Output only. The time at which this Certificate was created. */ createTime?: string | null; /** * Output only. The resource name of the issuing CertificateAuthority in the format `projects/x/locations/x/caPools/x/certificateAuthorities/x`. */ issuerCertificateAuthority?: string | null; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Required. Immutable. The desired lifetime of a certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain. */ lifetime?: string | null; /** * Identifier. The resource name for this Certificate in the format `projects/x/locations/x/caPools/x/certificates/x`. */ name?: string | null; /** * Output only. The pem-encoded, signed X.509 certificate. */ pemCertificate?: string | null; /** * Output only. The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246. */ pemCertificateChain?: string[] | null; /** * Immutable. A pem-encoded X.509 certificate signing request (CSR). */ pemCsr?: string | null; /** * Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. */ revocationDetails?: Schema$RevocationDetails; /** * Immutable. Specifies how the Certificate's identity fields are to be decided. If this is omitted, the `DEFAULT` subject mode will be used. */ subjectMode?: string | null; /** * Output only. The time at which this Certificate was updated. */ updateTime?: string | null; } /** * A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates. */ export interface Schema$CertificateAuthority { /** * Output only. URLs for accessing content published by this CA, such as the CA certificate and CRLs. */ accessUrls?: Schema$AccessUrls; /** * Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root. */ caCertificateDescriptions?: Schema$CertificateDescription[]; /** * Required. Immutable. The config used to create a self-signed X.509 certificate or CSR. */ config?: Schema$CertificateConfig; /** * Output only. The time at which this CertificateAuthority was created. */ createTime?: string | null; /** * Output only. The time at which this CertificateAuthority was soft deleted, if it is in the DELETED state. */ deleteTime?: string | null; /** * Output only. The time at which this CertificateAuthority will be permanently purged, if it is in the DELETED state. */ expireTime?: string | null; /** * Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named `my-bucket`, you would simply specify `my-bucket`. If not specified, a managed bucket will be created. */ gcsBucket?: string | null; /** * Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. */ keySpec?: Schema$KeyVersionSpec; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Required. Immutable. The desired lifetime of the CA certificate. Used to create the "not_before_time" and "not_after_time" fields inside an X.509 certificate. */ lifetime?: string | null; /** * Identifier. The resource name for this CertificateAuthority in the format `projects/x/locations/x/caPools/x/certificateAuthorities/x`. */ name?: string | null; /** * Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate. */ pemCaCertificates?: string[] | null; /** * Output only. Reserved for future use. */ satisfiesPzi?: boolean | null; /** * Output only. Reserved for future use. */ satisfiesPzs?: boolean | null; /** * Output only. The State for this CertificateAuthority. */ state?: string | null; /** * Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate. */ subordinateConfig?: Schema$SubordinateConfig; /** * Output only. The CaPool.Tier of the CaPool that includes this CertificateAuthority. */ tier?: string | null; /** * Required. Immutable. The Type of this CertificateAuthority. */ type?: string | null; /** * Output only. The time at which this CertificateAuthority was last updated. */ updateTime?: string | null; /** * Optional. User-defined URLs for CA certificate and CRLs. The service does not publish content to these URLs. It is up to the user to mirror content to these URLs. */ userDefinedAccessUrls?: Schema$UserDefinedAccessUrls; } /** * A CertificateConfig describes an X.509 certificate or CSR that is to be created, as an alternative to using ASN.1. */ export interface Schema$CertificateConfig { /** * Optional. The public key that corresponds to this config. This is, for example, used when issuing Certificates, but not when creating a self-signed CertificateAuthority or CertificateAuthority CSR. */ publicKey?: Schema$PublicKey; /** * Required. Specifies some of the values in a certificate that are related to the subject. */ subjectConfig?: Schema$SubjectConfig; /** * Optional. When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2. */ subjectKeyId?: Schema$CertificateConfigKeyId; /** * Required. Describes how some of the technical X.509 fields in a certificate should be populated. */ x509Config?: Schema$X509Parameters; } /** * A KeyId identifies a specific public key, usually by hashing the public key. */ export interface Schema$CertificateConfigKeyId { /** * Required. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key. */ keyId?: string | null; } /** * A CertificateDescription describes an X.509 certificate or CSR that has been issued, as an alternative to using ASN.1 / X.509. */ export interface Schema$CertificateDescription { /** * Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate. */ aiaIssuingCertificateUrls?: string[] | null; /** * Identifies the subject_key_id of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 */ authorityKeyId?: Schema$KeyId; /** * The hash of the x.509 certificate. */ certFingerprint?: Schema$CertificateFingerprint; /** * Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13 */ crlDistributionPoints?: string[] | null; /** * The public key that corresponds to an issued certificate. */ publicKey?: Schema$PublicKey; /** * Describes some of the values in a certificate that are related to the subject and lifetime. */ subjectDescription?: Schema$SubjectDescription; /** * Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. */ subjectKeyId?: Schema$KeyId; /** * The hash of the pre-signed certificate, which will be signed by the CA. Corresponds to the TBS Certificate in https://tools.ietf.org/html/rfc5280#section-4.1.2. The field will always be populated. */ tbsCertificateDigest?: string | null; /** * Describes some of the technical X.509 fields in a certificate. */ x509Description?: Schema$X509Parameters; } /** * Describes a set of X.509 extensions that may be part of some certificate issuance controls. */ export interface Schema$CertificateExtensionConstraints { /** * Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions. */ additionalExtensions?: Schema$ObjectId[]; /** * Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions. */ knownExtensions?: string[] | null; } /** * A group of fingerprints for the x509 certificate. */ export interface Schema$CertificateFingerprint { /** * The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate. */ sha256Hash?: string | null; } /** * Describes constraints on a Certificate's Subject and SubjectAltNames. */ export interface Schema$CertificateIdentityConstraints { /** * Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. */ allowSubjectAltNamesPassthrough?: boolean | null; /** * Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. */ allowSubjectPassthrough?: boolean | null; /** * Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel */ celExpression?: Schema$Expr; } /** * A CertificateRevocationList corresponds to a signed X.509 certificate Revocation List (CRL). A CRL contains the serial numbers of certificates that should no longer be trusted. */ export interface Schema$CertificateRevocationList { /** * Output only. The location where 'pem_crl' can be accessed. */ accessUrl?: string | null; /** * Output only. The time at which this CertificateRevocationList was created. */ createTime?: string | null; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Identifier. The resource name for this CertificateRevocationList in the format `projects/x/locations/x/caPools/xcertificateAuthorities/x/ certificateRevocationLists/x`. */ name?: string | null; /** * Output only. The PEM-encoded X.509 CRL. */ pemCrl?: string | null; /** * Output only. The revision ID of this CertificateRevocationList. A new revision is committed whenever a new CRL is published. The format is an 8-character hexadecimal string. */ revisionId?: string | null; /** * Output only. The revoked serial numbers that appear in pem_crl. */ revokedCertificates?: Schema$RevokedCertificate[]; /** * Output only. The CRL sequence number that appears in pem_crl. */ sequenceNumber?: string | null; /** * Output only. The State for this CertificateRevocationList. */ state?: string | null; /** * Output only. The time at which this CertificateRevocationList was updated. */ updateTime?: string | null; } /** * A CertificateTemplate refers to a managed template for certificate issuance. */ export interface Schema$CertificateTemplate { /** * Output only. The time at which this CertificateTemplate was created. */ createTime?: string | null; /** * Optional. A human-readable description of scenarios this template is intended for. */ description?: string | null; /** * Optional. Describes constraints on identities that may be appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity. */ identityConstraints?: Schema$CertificateIdentityConstraints; /** * Optional. Labels with user-defined metadata. */ labels?: { [key: string]: string; } | null; /** * Optional. The maximum lifetime allowed for issued Certificates that use this template. If the issuing CaPool resource's IssuancePolicy specifies a maximum_lifetime the minimum of the two durations will be the maximum lifetime for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it. */ maximumLifetime?: string | null; /** * Identifier. The resource name for this CertificateTemplate in the format `projects/x/locations/x/certificateTemplates/x`. */ name?: string | null; /** * Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baseline_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values. */ passthroughExtensions?: Schema$CertificateExtensionConstraints; /** * Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail. */ predefinedValues?: Schema$X509Parameters; /** * Output only. The time at which this CertificateTemplate was updated. */ updateTime?: string | null; } /** * Request message for CertificateAuthorityService.DisableCertificateAuthority. */ export interface Schema$DisableCertificateAuthorityRequest { /** * Optional. This field allows this CA to be disabled even if it's being depended on by another resource. However, doing so may result in unintended and unrecoverable effects on any dependent resources since the CA will no longer be able to issue certificates. */ ignoreDependentResources?: boolean | null; /** * Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). */ requestId?: string | null; } /** * Describes an Elliptic Curve key that may be used in a Certificate issued from a CaPool. */ export interface Schema$EcKeyType { /** * Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed. */ signatureAlgorithm?: string | null; } /** * A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); \} */ export interface Schema$Empty { } /** * Request message for CertificateAuthorityService.EnableCertificateAuthority. */ export interface Schema$EnableCertificateAuthorityRequest { /** * Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). */ requestId?: string | null; } /** * The configuration used for encrypting data at rest. */ export interface Schema$EncryptionSpec { /** * The resource name for a Cloud KMS key in the format `projects/x/locations/x/keyRings/x/cryptoKeys/x`. */ cloudKmsKey?: string | null; } /** * Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. */ export interface Schema$Expr { /** * Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. */ description?: string | null; /** * Textual representation of an expression in Common Expression Language syntax. */ expression?: string | null; /** * Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. */ location?: string | null; /** * Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. */ title?: string | null; } /** * KeyUsage.ExtendedKeyUsageOptions has fields that correspond to certain common OIDs that could be specified as an extended key usage value. */ export interface Schema$ExtendedKeyUsageOptions { /** * Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. */ clientAuth?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". */ codeSigning?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". */ emailProtection?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses". */ ocspSigning?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. */ serverAuth?: boolean | null; /** * Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". */ timeStamping?: boolean | null; } /** * Request message for CertificateAuthorityService.FetchCaCerts. */ export interface Schema$FetchCaCertsRequest { /** * Optional. An ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes since the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). */ requestId?: string | null; } /** * Response message for CertificateAuthorityService.FetchCaCerts. */ export interface Schema$FetchCaCertsResponse { /** * The PEM encoded CA certificate chains of all certificate authorities in this CaPool in the ENABLED, DISABLED, or STAGED states. */ caCerts?: Schema$CertChain[]; } /** * Response message for CertificateAuthorityService.FetchCertificateAuthorityCsr. */ export interface Schema$FetchCertificateAuthorityCsrResponse { /** * Output only. The PEM-encoded signed certificate signing request (CSR). */ pemCsr?: string | null; } /** * IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. */ export interface Schema$IssuanceModes { /** * Optional. When true, allows callers to create Certificates by specifying a CertificateConfig. */ allowConfigBasedIssuance?: boolean | null; /** * Optional. When true, allows callers to create Certificates by specifying a CSR. */ allowCsrBasedIssuance?: boolean | null; } /** * Defines controls over all certificate issuance within a CaPool. */ export interface Schema$IssuancePolicy { /** * Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates. */ allowedIssuanceModes?: Schema$IssuanceModes; /** * Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. */ allowedKeyTypes?: Schema$AllowedKeyType[]; /** * Optional. If set, all certificates issued from this CaPool will be backdated by this duration. The 'not_before_time' will be the issuance time minus this backdate_duration, and the 'not_after_time' will be adjusted to preserve the requested lifetime. The maximum duration that a certificate can be backdated with these options is 48 hours in the past. This option cannot be set if allow_requester_specified_not_before_time is set. */ backdateDuration?: string | null; /** * Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail. */ baselineValues?: Schema$X509Parameters; /** * Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. */ identityConstraints?: Schema$CertificateIdentityConstraints; /** * Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate resource's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it. */ maximumLifetime?: string | null; /** * Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values. */ passthroughExtensions?: Schema$CertificateExtensionConstraints; } /** * A KeyId identifies a specific public key, usually by hashing the public key. */ export interface Schema$KeyId { /** * Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key. */ keyId?: string | null; } /** * A KeyUsage describes key usage values that may appear in an X.509 certificate. */ export interface Schema$KeyUsage { /** * Describes high-level ways in which a key may be used. */ baseKeyUsage?: Schema$KeyUsageOptions; /** * Detailed scenarios in which a key may be used. */ extendedKeyUsage?: Schema$ExtendedKeyUsageOptions; /** * Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message. */ unknownExtendedKeyUsages?: Schema$ObjectId[]; } /** * KeyUsage.KeyUsageOptions corresponds to the key usage values described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3. */ export interface Schema$KeyUsageOptions { /** * The key may be used to sign certificates. */ certSign?: boolean | null; /** * The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". */ contentCommitment?: boolean | null; /** * The key may be used sign certificate revocation lists. */ crlSign?: boolean | null; /** * The key may be used to encipher data. */ dataEncipherment?: boolean | null; /** * The key may be used to decipher only. */ decipherOnly?: boolean | null; /** * The key may be used for digital signatures. */ digitalSignature?: boolean | null; /** * The key may be used to encipher only. */ encipherOnly?: boolean | null; /** * The key may be used in a key agreement protocol. */ keyAgreement?: boolean | null; /** * The key may be used to encipher other keys. */ keyEncipherment?: boolean | null; } /** * A Cloud KMS key configuration that a CertificateAuthority will use. */ export interface Schema$KeyVersionSpec { /** * The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as `HSM`. */ algorithm?: string | null; /** * The resource name for an existing Cloud KMS CryptoKeyVersion in the format `projects/x/locations/x/keyRings/x/cryptoKeys/x/cryptoKeyVersions/x`. This option enables full flexibility in the key's capabilities and properties. */ cloudKmsKeyVersion?: string | null; } /** * Response message for CertificateAuthorityService.ListCaPools. */ export interface Schema$ListCaPoolsResponse { /** * The list of CaPools. */ caPools?: Schema$CaPool[]; /** * A token to retrieve next page of results. Pass this value in ListCertificateAuthoritiesRequest.page_token to retrieve the next page of results. */ nextPageToken?: string | null; /** * A list of locations (e.g. "us-west1") that could not be reached. */ unreachable?: string[] | null; } /** * Response message for CertificateAuthorityService.ListCertificateAuthorities. */ export interface Schema$ListCertificateAuthoritiesResponse { /** * The list of CertificateAuthorities. */ certificateAuthorities?: Schema$CertificateAuthority[]; /** * A token to retrieve next page of results. Pass this value in ListCertificateAuthoritiesRequest.page_token to retrieve the next page of results. */ nextPageToken?: string | null; /** * A list of locations (e.g. "us-west1") that could not be reached. */ unreachable?: string[] | null; } /** * Response message for CertificateAuthorityService.ListCertificateRevocationLists. */ export interface Schema$ListCertificateRevocationListsResponse { /** * The list of CertificateRevocationLists. */ certificateRevocationLists?: Schema$CertificateRevocationList[]; /** * A token to retrieve next page of results. Pass this value in ListCertificateRevocationListsRequest.page_token to retrieve the next page of results. */ nextPageToken?: string | null; /** * A list of locations (e.g. "us-west1") that could not be reached. */ unreachable?: string[] | null; } /** * Response message for CertificateAuthorityService.ListCertificates. */ export interface Schema$ListCertificatesResponse { /** * The list of Certificates. */ certificates?: Schema$Certificate[]; /** * A token to retrieve next page of results. Pass this value in ListCertificatesRequest.page_token to retrieve the next page of results. */ nextPageToken?: string | null; /** * A list of locations (e.g. "us-west1") that cou