Diffstat (limited to 'third_party/googleapis/google/cloud/securitycenter')
68 files changed, 11031 insertions, 0 deletions
diff --git a/third_party/googleapis/google/cloud/securitycenter/BUILD.bazel b/third_party/googleapis/google/cloud/securitycenter/BUILD.bazel new file mode 100644 index 0000000..bc432b3 --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/BUILD.bazel @@ -0,0 +1,41 @@ +# This build file includes a target for the Ruby wrapper library for +# google-cloud-security_center. + +# This is an API workspace, having public visibility by default makes perfect sense. +package(default_visibility = ["//visibility:public"]) + +# Export yaml configs. +exports_files(glob(["*.yaml"])) + +load( + "@com_google_googleapis_imports//:imports.bzl", + "ruby_cloud_gapic_library", + "ruby_gapic_assembly_pkg", +) + +# Generates a Ruby wrapper client for securitycenter. +# Ruby wrapper clients are versionless, but are generated from source protos +# for a particular service version, v1 in this case. +ruby_cloud_gapic_library( + name = "securitycenter_ruby_wrapper", + srcs = ["//google/cloud/securitycenter/v1:securitycenter_proto_with_info"], + extra_protoc_parameters = [ + "ruby-cloud-gem-name=google-cloud-security_center", + "ruby-cloud-env-prefix=SECURITY_CENTER", + "ruby-cloud-wrapper-of=v1:0.0;v1p1beta1:0.0", + "ruby-cloud-product-url=https://cloud.google.com/security-command-center", + "ruby-cloud-api-id=securitycenter.googleapis.com", + "ruby-cloud-api-shortname=securitycenter", + "ruby-cloud-migration-version=1.0", + ], + ruby_cloud_description = "Security Command Center API provides access to temporal views of assets and findings within an organization.", + ruby_cloud_title = "Security Command Center", +) + +# Open Source package. +ruby_gapic_assembly_pkg( + name = "google-cloud-securitycenter-ruby", + deps = [ + ":securitycenter_ruby_wrapper", + ], +) diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/BUILD.bazel b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/BUILD.bazel new file mode 100644 index 0000000..a82544e 
--- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/BUILD.bazel 
@@ -0,0 +1,346 @@ +# This file was automatically generated by BuildFileGenerator +# https://github.com/googleapis/gapic-generator/tree/master/rules_gapic/bazel + +# Most of the manual changes to this file will be overwritten. +# It's **only** allowed to change the following rule attribute values: +# - names of *_gapic_assembly_* rules +# - certain parameters of *_gapic_library rules, including but not limited to: +# * extra_protoc_parameters +# * extra_protoc_file_parameters +# The complete list of preserved parameters can be found in the source code. + +# This is an API workspace, having public visibility by default makes perfect sense. +package(default_visibility = ["//visibility:public"]) + +############################################################################## +# Common +############################################################################## +load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_googleapis_imports//:imports.bzl", "proto_library_with_info") + +proto_library( + name = "settings_proto", + srcs = [ + "billing_settings.proto", + "component_settings.proto", + "detector.proto", + "securitycenter_settings_service.proto", + "settings.proto", + "sink_settings.proto", + ], + deps = [ + "//google/api:annotations_proto", + "//google/api:client_proto", + "//google/api:field_behavior_proto", + "//google/api:resource_proto", + "@com_google_protobuf//:empty_proto", + "@com_google_protobuf//:field_mask_proto", + "@com_google_protobuf//:timestamp_proto", + ], +) + +proto_library_with_info( + name = "settings_proto_with_info", + deps = [ + ":settings_proto", + "//google/cloud:common_resources_proto", + ], +) + +############################################################################## +# Java +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "java_gapic_assembly_gradle_pkg", + "java_gapic_library", + "java_gapic_test", + 
"java_grpc_library", + "java_proto_library", +) + +java_proto_library( + name = "settings_java_proto", + deps = [":settings_proto"], +) + +java_grpc_library( + name = "settings_java_grpc", + srcs = [":settings_proto"], + deps = [":settings_java_proto"], +) + +java_gapic_library( + name = "settings_java_gapic", + srcs = [":settings_proto_with_info"], + grpc_service_config = "securitycenter_settings_grpc_service_config.json", + test_deps = [ + ":settings_java_grpc", + ], + deps = [ + ":settings_java_proto", + ], +) + +java_gapic_test( + name = "settings_java_gapic_test_suite", + test_classes = [ + "com.google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsServiceClientTest", + ], + runtime_deps = [":settings_java_gapic_test"], +) + +# Open Source Packages +java_gapic_assembly_gradle_pkg( + name = "google-cloud-securitycenter-settings-v1beta1-java", + deps = [ + ":settings_java_gapic", + ":settings_java_grpc", + ":settings_java_proto", + ":settings_proto", + ], +) + +############################################################################## +# Go +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "go_gapic_assembly_pkg", + "go_gapic_library", + "go_proto_library", + "go_test", +) + +go_proto_library( + name = "settings_go_proto", + compilers = ["@io_bazel_rules_go//proto:go_grpc"], + importpath = "google.golang.org/genproto/googleapis/cloud/securitycenter/settings/v1beta1", + protos = [":settings_proto"], + deps = [ + "//google/api:annotations_go_proto", + ], +) + +go_gapic_library( + name = "settings_go_gapic", + srcs = [":settings_proto_with_info"], + grpc_service_config = "securitycenter_settings_grpc_service_config.json", + importpath = "cloud.google.com/go/securitycenter/settings/apiv1beta1;settings", + service_yaml = "securitycenter_settings.yaml", + deps = [ + ":settings_go_proto", + ], +) + +go_test( + name = "settings_go_gapic_test", + srcs = 
[":settings_go_gapic_srcjar_test"], + embed = [":settings_go_gapic"], + importpath = "cloud.google.com/go/securitycenter/settings/apiv1beta1", +) + +# Open Source Packages +go_gapic_assembly_pkg( + name = "gapi-cloud-securitycenter-settings-v1beta1-go", + deps = [ + ":settings_go_gapic", + ":settings_go_gapic_srcjar-test.srcjar", + ":settings_go_proto", + ], +) + +############################################################################## +# Python +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "py_gapic_assembly_pkg", + "py_gapic_library", + "py_test", +) + +py_gapic_library( + name = "settings_py_gapic", + srcs = [":settings_proto"], + grpc_service_config = "securitycenter_settings_grpc_service_config.json", + transport = "grpc", +) + +py_test( + name = "settings_py_gapic_test", + srcs = [ + "settings_py_gapic_pytest.py", + "settings_py_gapic_test.py", + ], + legacy_create_init = False, + deps = [":settings_py_gapic"], +) + +# Open Source Packages +py_gapic_assembly_pkg( + name = "securitycenter-settings-v1beta1-py", + deps = [ + ":settings_py_gapic", + ], +) + +############################################################################## +# PHP +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "php_gapic_assembly_pkg", + "php_gapic_library", + "php_grpc_library", + "php_proto_library", +) + +php_proto_library( + name = "settings_php_proto", + deps = [":settings_proto"], +) + +php_grpc_library( + name = "settings_php_grpc", + srcs = [":settings_proto"], + deps = [":settings_php_proto"], +) + +php_gapic_library( + name = "settings_php_gapic", + srcs = [":settings_proto_with_info"], + grpc_service_config = "securitycenter_settings_grpc_service_config.json", + deps = [ + ":settings_php_grpc", + ":settings_php_proto", + ], +) + +# Open Source Packages +php_gapic_assembly_pkg( + name = 
"google-cloud-securitycenter-settings-v1beta1-php", + deps = [ + ":settings_php_gapic", + ":settings_php_grpc", + ":settings_php_proto", + ], +) + +############################################################################## +# Node.js +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "nodejs_gapic_assembly_pkg", + "nodejs_gapic_library", +) + +nodejs_gapic_library( + name = "settings_nodejs_gapic", + src = ":settings_proto_with_info", + extra_protoc_parameters = ["metadata"], + grpc_service_config = "securitycenter_settings_grpc_service_config.json", + package = "google.cloud.securitycenter.settings.v1beta1", + service_yaml = "securitycenter_settings.yaml", + deps = [], +) + +nodejs_gapic_assembly_pkg( + name = "securitycenter-settings-v1beta1-nodejs", + deps = [ + ":settings_nodejs_gapic", + ":settings_proto", + ], +) + +############################################################################## +# Ruby +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "ruby_cloud_gapic_library", + "ruby_gapic_assembly_pkg", + "ruby_grpc_library", + "ruby_proto_library", +) + +ruby_proto_library( + name = "settings_ruby_proto", + deps = [":settings_proto"], +) + +ruby_grpc_library( + name = "settings_ruby_grpc", + srcs = [":settings_proto"], + deps = [":settings_ruby_proto"], +) + +ruby_cloud_gapic_library( + name = "settings_ruby_gapic", + srcs = [":settings_proto_with_info"], + extra_protoc_parameters = ["ruby-cloud-gem-name=google-cloud-settings-v1beta1"], + deps = [ + ":settings_ruby_grpc", + ":settings_ruby_proto", + ], +) + +# Open Source Packages +ruby_gapic_assembly_pkg( + name = "google-cloud-securitycenter-settings-v1beta1-ruby", + deps = [ + ":settings_ruby_gapic", + ":settings_ruby_grpc", + ":settings_ruby_proto", + ], +) + 
+############################################################################## +# C# +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "csharp_gapic_assembly_pkg", + "csharp_gapic_library", + "csharp_grpc_library", + "csharp_proto_library", +) + +csharp_proto_library( + name = "settings_csharp_proto", + deps = [":settings_proto"], +) + +csharp_grpc_library( + name = "settings_csharp_grpc", + srcs = [":settings_proto"], + deps = [":settings_csharp_proto"], +) + +csharp_gapic_library( + name = "settings_csharp_gapic", + srcs = [":settings_proto_with_info"], + common_resources_config = "@gax_dotnet//:Google.Api.Gax/ResourceNames/CommonResourcesConfig.json", + grpc_service_config = "securitycenter_settings_grpc_service_config.json", + service_yaml = "securitycenter_settings.yaml", + deps = [ + ":settings_csharp_grpc", + ":settings_csharp_proto", + ], +) + +# Open Source Packages +csharp_gapic_assembly_pkg( + name = "google-cloud-securitycenter-settings-v1beta1-csharp", + deps = [ + ":settings_csharp_gapic", + ":settings_csharp_grpc", + ":settings_csharp_proto", + ], +) + +############################################################################## +# C++ +############################################################################## +# Put your C++ rules here diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/billing_settings.proto b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/billing_settings.proto new file mode 100644 index 0000000..976ebbd --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/billing_settings.proto 
@@ -0,0 +1,78 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.settings.v1beta1; + +import "google/api/field_behavior.proto"; +import "google/protobuf/timestamp.proto"; + +option cc_enable_arenas = true; +option csharp_namespace = "Google.Cloud.SecurityCenter.Settings.V1Beta1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/settings/v1beta1;settings"; +option java_multiple_files = true; +option java_outer_classname = "BillingSettingsProto"; +option java_package = "com.google.cloud.securitycenter.settings.v1beta1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\Settings\\V1beta1"; +option ruby_package = "Google::Cloud::SecurityCenter::Settings::V1beta1"; + +// If this field is populated and billing_tier is STANDARD, this is +// indication of a point in the _past_ when a PREMIUM access ended. + +// Billing settings +message BillingSettings { + // Output only. Billing tier selected by customer + BillingTier billing_tier = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. Type of billing method + BillingType billing_type = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The absolute point in time when the subscription became effective. 
+ // Can be compared to expire_time value to determine full contract duration + google.protobuf.Timestamp start_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The absolute point in time when the subscription expires. + // + // If this field is populated and billing_tier is STANDARD, this is + // indication of a point in the _past_ when a PREMIUM access ended. + google.protobuf.Timestamp expire_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; +} + +// Billing tier options +enum BillingTier { + // Default value. This value is unused. + BILLING_TIER_UNSPECIFIED = 0; + + // The standard billing tier. + STANDARD = 1; + + // The premium billing tier. + PREMIUM = 2; +} + +// Billing type +enum BillingType { + // Default billing type + BILLING_TYPE_UNSPECIFIED = 0; + + // Subscription for Premium billing tier + SUBSCRIPTION = 1; + + // Trial subscription for Premium billing tier + TRIAL_SUBSCRIPTION = 2; + + // Alpha customer for Premium billing tier + ALPHA = 3; +} diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/component_settings.proto b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/component_settings.proto new file mode 100644 index 0000000..8b352e3 --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/component_settings.proto 
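Review bot: The two comment lines `// If this field is populated and billing_tier is STANDARD, this is` / `// indication of a point in the _past_ when a PREMIUM access ended.` placed above `// Billing settings` are orphaned: a blank line separates them from the message, so they document nothing and protoc will not attach them to any element. The same text already appears, correctly, under `expire_time`, so the detached copy should be removed. The doc for `start_time` could also state which value is authoritative when `start_time` is later than `expire_time`, if that state can occur; otherwise a one-line note that `expire_time` is always after `start_time` would help client authors.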
@@ -0,0 +1,170 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.settings.v1beta1; + +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; +import "google/protobuf/timestamp.proto"; + +option cc_enable_arenas = true; +option csharp_namespace = "Google.Cloud.SecurityCenter.Settings.V1Beta1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/settings/v1beta1;settings"; +option java_multiple_files = true; +option java_outer_classname = "ComponentSettingsProto"; +option java_package = "com.google.cloud.securitycenter.settings.v1beta1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\Settings\\V1beta1"; +option ruby_package = "Google::Cloud::SecurityCenter::Settings::V1beta1"; + +// Component Settings for Security Command Center +message ComponentSettings { + option (google.api.resource) = { + type: "securitycenter.googleapis.com/ComponentSettings" + pattern: "organizations/{organization}/components/{component}/settings" + pattern: "folders/{folder}/components/{component}/settings" + pattern: "projects/{project}/components/{component}/settings" + pattern: "projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings" + pattern: "projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings" + pattern: 
"projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings" + }; + + // Settings for each detector. + message DetectorSettings { + // ENABLE to enable component, DISABLE to disable and INHERIT to inherit + // setting from ancestors. + ComponentEnablementState state = 1; + } + + // The relative resource name of the component settings. + // Formats: + // * `organizations/{organization}/components/{component}/settings` + // * `folders/{folder}/components/{component}/settings` + // * `projects/{project}/components/{component}/settings` + // * `projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings` + // * `projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings` + // * `projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings` + string name = 1; + + // ENABLE to enable component, DISABLE to disable and INHERIT to inherit + // setting from ancestors. + ComponentEnablementState state = 2; + + // Output only. The service account to be used for security center component. + // The component must have permission to "act as" the service account. + string project_service_account = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Settings for detectors. Not all detectors must have settings present at + // each and every level in the hierarchy. If it is not present the setting + // will be inherited from its ancestors folders, organizations or the + // defaults. + map<string, DetectorSettings> detector_settings = 4; + + // Output only. An fingerprint used for optimistic concurrency. If none is provided + // on updates then the existing metadata will be blindly overwritten. + string etag = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The time these settings were last updated. + google.protobuf.Timestamp update_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Component specific settings. This must match the component value. 
+ oneof specific_settings { + // Container Threate Detection specific settings + // For component, expect CONTAINER_THREAT_DETECTION + ContainerThreatDetectionSettings container_threat_detection_settings = 41; + + // Event Threat Detection specific settings + // For component, expect EVENT_THREAT_DETECTION + EventThreatDetectionSettings event_threat_detection_settings = 42; + + // Security Health Analytics specific settings + // For component, expect SECURITY_HEALTH_ANALYTICS + SecurityHealthAnalyticsSettings security_health_analytics_settings = 44; + + // Web Security Scanner specific settings + // For component, expect WEB_SECURITY_SCANNER + WebSecurityScanner web_security_scanner_settings = 40; + } +} + +// User specified settings for Web Security Scanner +message WebSecurityScanner { + +} + +// User specified settings for KTD +message ContainerThreatDetectionSettings { + +} + +// User specified settings for ETD +message EventThreatDetectionSettings { + +} + +// User specified settings for Security Health Analytics +message SecurityHealthAnalyticsSettings { + // Settings for "NON_ORG_IAM_MEMBER" scanner. + message NonOrgIamMemberSettings { + // User emails ending in the provided identities are allowed to have IAM + // permissions on a project or the organization. Otherwise a finding will + // be created. + // A valid identity can be: + // * a domain that starts with "@", e.g. "@yourdomain.com". + // * a fully specified email address that does not start with "@", e.g. + // "abc@gmail.com" + // Regular expressions are not supported. + // Service accounts are not examined by the scanner and will be omitted if + // added to the list. + // If not specified, only Gmail accounts will be considered as non-approved. + repeated string approved_identities = 1; + } + + // Settings for "ADMIN_SERVICE_ACCOUNT" scanner. 
+ message AdminServiceAccountSettings { + // User-created service accounts ending in the provided identities are + // allowed to have Admin, Owner or Editor roles granted to them. Otherwise + // a finding will be created. + // A valid identity can be: + // * a partilly specified service account that starts with "@", e.g. + // "@myproject.iam.gserviceaccount.com". This approves all the service + // accounts suffixed with the specified identity. + // * a fully specified service account that does not start with "@", e.g. + // "myadmin@myproject.iam.gserviceaccount.com". + // Google-created service accounts are all approved. + repeated string approved_identities = 1; + } + + // Settings for "NON_ORG_IAM_MEMBER" scanner. + NonOrgIamMemberSettings non_org_iam_member_settings = 1; + + // Settings for "ADMIN_SERVICE_ACCOUNT" scanner. + AdminServiceAccountSettings admin_service_account_settings = 2; +} + +// Valid states for a component +enum ComponentEnablementState { + // No state specified, equivalent of INHERIT + COMPONENT_ENABLEMENT_STATE_UNSPECIFIED = 0; + + // Disable the component + DISABLE = 1; + + // Enable the component + ENABLE = 2; + + // Inherit the state from resources parent folder or organization. + INHERIT = 3; +} diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/detector.proto b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/detector.proto new file mode 100644 index 0000000..65c7631 --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/detector.proto 
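Review bot: `etag` is annotated `(google.api.field_behavior) = OUTPUT_ONLY`, yet its comment says "If none is provided on updates then the existing metadata will be blindly overwritten", which describes a value the client is expected to send back; if generated clients or the update path honor the output-only behavior and drop the field, the optimistic-concurrency guard the comment promises cannot be exercised and concurrent updates to ComponentSettings become last-writer-wins. Either remove the `OUTPUT_ONLY` behavior from `etag` or reword the comment to `// Output only. A fingerprint of the current settings. Updates do not take an etag; the last write wins.` so callers are not misled. The `approved_identities` comments say matching is "ending in the provided identities" for every entry, which as written means a fully specified entry such as `abc@gmail.com` is also satisfied by `xyzabc@gmail.com`; if the server matches entries that do not start with `@` exactly, say so, since this list is an allowlist that suppresses findings. Typos: `Container Threate Detection` → `Container Threat Detection`, `partilly` → `partially`, `An fingerprint` → `A fingerprint`.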
@@ -0,0 +1,56 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.settings.v1beta1; + +import "google/api/field_behavior.proto"; +import "google/cloud/securitycenter/settings/v1beta1/billing_settings.proto"; + +option cc_enable_arenas = true; +option csharp_namespace = "Google.Cloud.SecurityCenter.Settings.V1Beta1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/settings/v1beta1;settings"; +option java_multiple_files = true; +option java_outer_classname = "DetectorsProto"; +option java_package = "com.google.cloud.securitycenter.settings.v1beta1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\Settings\\V1beta1"; +option ruby_package = "Google::Cloud::SecurityCenter::Settings::V1beta1"; + +// Detector is a set of detectors or scanners act as individual checks done +// within a component e.g. bad IP, bad domains, IAM anomaly, cryptomining, open +// firewall, etc. Detector is independent of Organization, meaning each detector +// must be defined for a given Security Center component under a specified +// billing tier. Organizations can configure the list of detectors based on +// their subscribed billing tier. +// +// Defines a detector, its billing tier and any applicable labels. +message Detector { + // Output only. Detector Identifier + string detector = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. 
Component that supports detector type. Multiple components may support the + // same detector. + string component = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The billing tier may be different for a detector of the same name in + // another component. + BillingTier billing_tier = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. Google curated detector labels. These are alphanumeric tags that are not + // necessarily human readable. Labels can be used to group detectors together + // in the future. An example might be tagging all detectors “PCI” that help + // with PCI compliance. + repeated string detector_labels = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; +} diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings.yaml b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings.yaml new file mode 100644 index 0000000..ba20595 --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings.yaml @@ -0,0 +1,29 @@ +type: google.api.Service +config_version: 3 +name: securitycenter.googleapis.com +title: Cloud Security Command Center API + +apis: +- name: google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService + +documentation: + summary: |- + Cloud Security Command Center Settings API provides functionality to retrieve and update configurations. + +backend: + rules: + - selector: 'google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService.*' + deadline: 480.0 + - selector: 'google.longrunning.Operations.*' + deadline: 60.0 + +authentication: + rules: + - selector: 'google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService.*' + oauth: + canonical_scopes: |- + https://www.googleapis.com/auth/cloud-platform + - selector: 'google.longrunning.Operations.*' + oauth: + canonical_scopes: |- + https://www.googleapis.com/auth/cloud-platform 
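Review bot: The leading comment on `message Detector` is ungrammatical and hard to parse ("Detector is a set of detectors or scanners act as individual checks done within a component"); suggest `// A detector is one of a set of detectors or scanners that act as individual checks within a component, e.g. bad IP, bad domains, IAM anomaly, cryptomining, open firewall.` The `detector_labels` comment uses typographic quotes (`“PCI”`) that will render inconsistently in generated docs; use plain `"PCI"` as the rest of the file does.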
diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings_gapic.yaml b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings_gapic.yaml new file mode 100644 index 0000000..b96b551 --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings_gapic.yaml @@ -0,0 +1,16 @@ +type: com.google.api.codegen.ConfigProto +config_schema_version: 2.0.0 +language_settings: + python: + package_name: google.cloud.securitycenter.settings_v1beta1.gapic + go: + package_name: cloud.google.com/go/securitycenter/settings/apiv1beta1 + csharp: + package_name: Google.Cloud.SecurityCenter.Settings.V1Beta1 + ruby: + package_name: Google::Cloud::SecurityCenter::Settings::V1beta1 + php: + package_name: Google\Cloud\SecurityCenter\Settings\V1beta1 + nodejs: + package_name: security-center.settings.v1beta1 + domain_layer_location: google-cloud diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings_grpc_service_config.json b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings_grpc_service_config.json new file mode 100644 index 0000000..83b7fc8 --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings_grpc_service_config.json 
@@ -0,0 +1,70 @@ +{ + "methodConfig": [ + { + "name": [ + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "GetServiceAccount" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "GetSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "UpdateSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "ResetSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "BatchGetSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "CalculateEffectiveSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "BatchCalculateEffectiveSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "GetComponentSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "UpdateComponentSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "ResetComponentSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "CalculateEffectiveComponentSettings" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "ListDetectors" + }, + { + "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", + "method": "ListComponents" + } + ], + "timeout": "600s", + "retryPolicy": { + "initialBackoff": "0.100s", + "maxBackoff": "60s", + "backoffMultiplier": 1.3, + "retryableStatusCodes": [ + "DEADLINE_EXCEEDED", + "UNAVAILABLE" + 
] + } + } + ] +} diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings_service.proto b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings_service.proto new file mode 100644 index 0000000..e526369 --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/securitycenter_settings_service.proto 
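Review bot: The single `methodConfig` entry applies the same retry policy (`DEADLINE_EXCEEDED`, `UNAVAILABLE`) to the mutating methods `UpdateSettings`, `ResetSettings`, `UpdateComponentSettings` and `ResetComponentSettings` as to the read-only ones; a `DEADLINE_EXCEEDED` on a write does not tell the client whether the server applied it, so the generated clients will re-issue writes whose first attempt may already have taken effect. That is harmless only if every Update*/Reset* call is idempotent, which the config cannot guarantee on its own. Suggest splitting the entry so the Get*/List*/Calculate*/BatchGet* methods keep the retry policy and the mutating methods get the timeout only (or retry on `UNAVAILABLE` alone, where the request is known not to have reached the server).
```json
{
  "methodConfig": [
    {
      "name": [
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "GetServiceAccount" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "GetSettings" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "BatchGetSettings" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "CalculateEffectiveSettings" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "BatchCalculateEffectiveSettings" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "GetComponentSettings" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "CalculateEffectiveComponentSettings" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "ListDetectors" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "ListComponents" }
      ],
      "timeout": "600s",
      "retryPolicy": {
        "initialBackoff": "0.100s",
        "maxBackoff": "60s",
        "backoffMultiplier": 1.3,
        "retryableStatusCodes": [ "DEADLINE_EXCEEDED", "UNAVAILABLE" ]
      }
    },
    {
      "name": [
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "UpdateSettings" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "ResetSettings" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "UpdateComponentSettings" },
        { "service": "google.cloud.securitycenter.settings.v1beta1.SecurityCenterSettingsService", "method": "ResetComponentSettings" }
      ],
      "timeout": "600s"
    }
  ]
}
```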
@@ -0,0 +1,650 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.settings.v1beta1;
+
+import "google/api/annotations.proto";
+import "google/api/client.proto";
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/cloud/securitycenter/settings/v1beta1/component_settings.proto";
+import "google/cloud/securitycenter/settings/v1beta1/detector.proto";
+import "google/cloud/securitycenter/settings/v1beta1/settings.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.SecurityCenter.Settings.V1Beta1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/settings/v1beta1;settings";
+option java_multiple_files = true;
+option java_outer_classname = "SettingsServiceProto";
+option java_package = "com.google.cloud.securitycenter.settings.v1beta1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\Settings\\V1beta1";
+option ruby_package = "Google::Cloud::SecurityCenter::Settings::V1beta1";
+
+// ## API Overview
+//
+// The SecurityCenterSettingsService is a sub-api of
+// `securitycenter.googleapis.com`. The service provides methods to manage
+// Security Center Settings, and Component Settings for GCP organizations,
+// folders, projects, and clusters.
+service SecurityCenterSettingsService {
+ option (google.api.default_host) = "securitycenter.googleapis.com";
+ option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+
+ // Retrieves the organizations service account, if it exists, otherwise it
+ // creates the organization service account. This API is idempotent and
+ // will only create a service account once. On subsequent calls it will
+ // return the previously created service account. SHA, SCC and CTD Infra
+ // Automation will use this SA. This SA will not have any permissions when
+ // created. The UI will provision this via IAM or the user will using
+ // their own internal process. This API only creates SAs on the organization.
+ // Folders are not supported and projects will use per-project SAs associated
+ // with APIs enabled on a project. This API will be called by the UX
+ // onboarding workflow.
+ rpc GetServiceAccount(GetServiceAccountRequest) returns (ServiceAccount) {
+ option (google.api.http) = {
+ get: "/settings/v1beta1/{name=organizations/*/serviceAccount}"
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Gets the Settings.
+ rpc GetSettings(GetSettingsRequest) returns (Settings) {
+ option (google.api.http) = {
+ get: "/settings/v1beta1/{name=organizations/*/settings}"
+ additional_bindings {
+ get: "/settings/v1beta1/{name=folders/*/settings}"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/settings}"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/locations/*/clusters/*/settings}"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/regions/*/clusters/*/settings}"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/zones/*/clusters/*/settings}"
+ }
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Updates the Settings.
+ rpc UpdateSettings(UpdateSettingsRequest) returns (Settings) {
+ option (google.api.http) = {
+ patch: "/settings/v1beta1/{settings.name=organizations/*/settings}"
+ body: "settings"
+ additional_bindings {
+ patch: "/settings/v1beta1/{settings.name=folders/*/settings}"
+ body: "settings"
+ }
+ additional_bindings {
+ patch: "/settings/v1beta1/{settings.name=projects/*/settings}"
+ body: "settings"
+ }
+ additional_bindings {
+ patch: "/settings/v1beta1/{settings.name=projects/*/locations/*/clusters/*/settings}"
+ body: "settings"
+ }
+ additional_bindings {
+ patch: "/settings/v1beta1/{settings.name=projects/*/regions/*/clusters/*/settings}"
+ body: "settings"
+ }
+ additional_bindings {
+ patch: "/settings/v1beta1/{settings.name=projects/*/zones/*/clusters/*/settings}"
+ body: "settings"
+ }
+ };
+ option (google.api.method_signature) = "settings,update_mask";
+ }
+
+ // Reset the organization, folder or project's settings and return
+ // the settings of just that resource to the default.
+ //
+ // Settings are present at the organization, folder, project, and cluster
+ // levels. Using Reset on a sub-organization level will remove that resource's
+ // override and result in the parent's settings being used (eg: if Reset on a
+ // cluster, project settings will be used).
+ //
+ // Using Reset on organization will remove the override that was set and
+ // result in default settings being used.
+ rpc ResetSettings(ResetSettingsRequest) returns (google.protobuf.Empty) {
+ option (google.api.http) = {
+ post: "/settings/v1beta1/{name=organizations/*/settings}:reset"
+ body: "*"
+ additional_bindings {
+ post: "/settings/v1beta1/{name=folders/*/settings}:reset"
+ body: "*"
+ }
+ additional_bindings {
+ post: "/settings/v1beta1/{name=projects/*/settings}:reset"
+ body: "*"
+ }
+ additional_bindings {
+ post: "/settings/v1beta1/{name=projects/*/locations/*/clusters/*/settings}:reset"
+ body: "*"
+ }
+ additional_bindings {
+ post: "/settings/v1beta1/{name=projects/*/regions/*/clusters/*/settings}:reset"
+ body: "*"
+ }
+ additional_bindings {
+ post: "/settings/v1beta1/{name=projects/*/zones/*/clusters/*/settings}:reset"
+ body: "*"
+ }
+ };
+ }
+
+ // Gets a list of settings.
+ rpc BatchGetSettings(BatchGetSettingsRequest) returns (BatchGetSettingsResponse) {
+ option (google.api.http) = {
+ get: "/settings/v1beta1/{parent=organizations/*}/settings:batchGet"
+ };
+ }
+
+ // CalculateEffectiveSettings looks up all of the Security Center
+ // Settings resources in the GCP resource hierarchy, and calculates the
+ // effective settings on that resource by applying the following rules:
+ // * Settings provided closer to the target resource take precedence over
+ // those further away (e.g. folder will override organization level
+ // settings).
+ // * Product defaults can be overridden at org, folder, project, and cluster
+ // levels.
+ // * Detectors will be filtered out if they belong to a billing tier the
+ // customer
+ // has not configured.
+ rpc CalculateEffectiveSettings(CalculateEffectiveSettingsRequest) returns (Settings) {
+ option (google.api.http) = {
+ get: "/settings/v1beta1/{name=organizations/*/effectiveSettings}:calculate"
+ additional_bindings {
+ get: "/settings/v1beta1/{name=folders/*/effectiveSettings}:calculate"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/effectiveSettings}:calculate"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/locations/*/clusters/*/effectiveSettings}:calculate"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/regions/*/clusters/*/effectiveSettings}:calculate"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/zones/*/clusters/*/effectiveSettings}:calculate"
+ }
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Gets a list of effective settings.
+ rpc BatchCalculateEffectiveSettings(BatchCalculateEffectiveSettingsRequest) returns (BatchCalculateEffectiveSettingsResponse) {
+ option (google.api.http) = {
+ post: "/settings/v1beta1/{parent=organizations/*}/effectiveSettings:batchCalculate"
+ body: "*"
+ };
+ }
+
+ // Gets the Component Settings.
+ rpc GetComponentSettings(GetComponentSettingsRequest) returns (ComponentSettings) {
+ option (google.api.http) = {
+ get: "/settings/v1beta1/{name=organizations/*/components/*/settings}"
+ additional_bindings {
+ get: "/settings/v1beta1/{name=folders/*/components/*/settings}"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/components/*/settings}"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/locations/*/clusters/*/components/*/settings}"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/regions/*/clusters/*/components/*/settings}"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/zones/*/clusters/*/components/*/settings}"
+ }
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Updates the Component Settings.
+ rpc UpdateComponentSettings(UpdateComponentSettingsRequest) returns (ComponentSettings) {
+ option (google.api.http) = {
+ patch: "/settings/v1beta1/{component_settings.name=organizations/*/components/*/settings}"
+ body: "component_settings"
+ additional_bindings {
+ patch: "/settings/v1beta1/{component_settings.name=folders/*/components/*/settings}"
+ body: "component_settings"
+ }
+ additional_bindings {
+ patch: "/settings/v1beta1/{component_settings.name=projects/*/components/*/settings}"
+ body: "component_settings"
+ }
+ additional_bindings {
+ patch: "/settings/v1beta1/{component_settings.name=projects/*/locations/*/clusters/*/components/*/settings}"
+ body: "component_settings"
+ }
+ additional_bindings {
+ patch: "/settings/v1beta1/{component_settings.name=projects/*/regions/*/clusters/*/components/*/settings}"
+ body: "component_settings"
+ }
+ additional_bindings {
+ patch: "/settings/v1beta1/{component_settings.name=projects/*/zones/*/clusters/*/components/*/settings}"
+ body: "component_settings"
+ }
+ };
+ option (google.api.method_signature) = "component_settings,update_mask";
+ }
+
+ // Reset the organization, folder or project's component settings and return
+ // the settings to the default. Settings are present at the
+ // organization, folder and project levels. Using Reset for a folder or
+ // project will remove the override that was set and result in the
+ // organization-level settings being used.
+ rpc ResetComponentSettings(ResetComponentSettingsRequest) returns (google.protobuf.Empty) {
+ option (google.api.http) = {
+ post: "/settings/v1beta1/{name=organizations/*/components/*/settings}:reset"
+ body: "*"
+ additional_bindings {
+ post: "/settings/v1beta1/{name=folders/*/components/*/settings}:reset"
+ body: "*"
+ }
+ additional_bindings {
+ post: "/settings/v1beta1/{name=projects/*/components/*/settings}:reset"
+ body: "*"
+ }
+ additional_bindings {
+ post: "/settings/v1beta1/{name=projects/*/locations/*/clusters/*/components/*/settings}:reset"
+ body: "*"
+ }
+ additional_bindings {
+ post: "/settings/v1beta1/{name=projects/*/regions/*/clusters/*/components/*/settings}:reset"
+ body: "*"
+ }
+ additional_bindings {
+ post: "/settings/v1beta1/{name=projects/*/zones/*/clusters/*/components/*/settings}:reset"
+ body: "*"
+ }
+ };
+ }
+
+ // Gets the Effective Component Settings.
+ rpc CalculateEffectiveComponentSettings(CalculateEffectiveComponentSettingsRequest) returns (ComponentSettings) {
+ option (google.api.http) = {
+ get: "/settings/v1beta1/{name=organizations/*/components/*/effectiveSettings}:calculate"
+ additional_bindings {
+ get: "/settings/v1beta1/{name=folders/*/components/*/effectiveSettings}:calculate"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/components/*/effectiveSettings}:calculate"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/locations/*/clusters/*/components/*/effectiveSettings}:calculate"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/regions/*/clusters/*/components/*/effectiveSettings}:calculate"
+ }
+ additional_bindings {
+ get: "/settings/v1beta1/{name=projects/*/zones/*/clusters/*/components/*/effectiveSettings}:calculate"
+ }
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Retrieves an unordered list of available detectors.
+ rpc ListDetectors(ListDetectorsRequest) returns (ListDetectorsResponse) {
+ option (google.api.http) = {
+ get: "/settings/v1beta1/{parent=organizations/*}/detectors"
+ };
+ option (google.api.method_signature) = "parent";
+ }
+
+ // Retrieves an unordered list of available SCC components.
+ rpc ListComponents(ListComponentsRequest) returns (ListComponentsResponse) {
+ option (google.api.http) = {
+ get: "/settings/v1beta1/{parent=organizations/*}/components"
+ };
+ option (google.api.method_signature) = "parent";
+ }
+}
+
+// Request message for GetServiceAccount.
+message GetServiceAccountRequest {
+ // Required. The relative resource name of the service account resource.
+ // Format:
+ // * `organizations/{organization}/serviceAccount`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/ServiceAccount"
+ }
+ ];
+}
+
+// An organization-level service account to be used by threat detection
+// components.
+message ServiceAccount {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/ServiceAccount"
+ pattern: "organizations/{organization}/serviceAccount"
+ };
+
+ // The relative resource name of the service account resource.
+ // Format:
+ // * `organizations/{organization}/serviceAccount`
+ string name = 1;
+
+ // Security Center managed service account for the organization
+ // example service-org-1234@scc.iam.gserviceaccount.com
+ // This service_account will be stored in the ComponentSettings field for the
+ // SCC, SHA, and Infra Automation components.
+ string service_account = 2;
+}
+
+// Request message for GetSettings.
+message GetSettingsRequest {
+ // Required. The name of the settings to retrieve.
+ // Formats:
+ // * `organizations/{organization}/settings`
+ // * `folders/{folder}/settings`
+ // * `projects/{project}/settings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/settings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/settings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/settings`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Settings"
+ }
+ ];
+}
+
+// Request message for UpdateSettings.
+message UpdateSettingsRequest {
+ // Required. The settings to update.
+ //
+ // The settings' `name` field is used to identify the settings to be updated.
+ // Formats:
+ // * `organizations/{organization}/settings`
+ // * `folders/{folder}/settings`
+ // * `projects/{project}/settings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/settings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/settings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/settings`
+ Settings settings = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The list of fields to be updated on the settings.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for ResetSettings.
+message ResetSettingsRequest {
+ // Required. The name of the settings to reset.
+ // Formats:
+ // * `organizations/{organization}/settings`
+ // * `folders/{folder}/settings`
+ // * `projects/{project}/settings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/settings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/settings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/settings`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Settings"
+ }
+ ];
+
+ // A fingerprint used for optimistic concurrency. If none is provided,
+ // then the existing settings will be blindly overwritten.
+ string etag = 2;
+}
+
+// Request message for BatchGetSettings.
+message BatchGetSettingsRequest {
+ // Required. The relative resource name of the organization shared by all of the
+ // settings being retrieved.
+ // Format:
+ // * `organizations/{organization}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // The names of the settings to retrieve.
+ // A maximum of 1000 settings can be retrieved in a batch.
+ // Formats:
+ // * `organizations/{organization}/settings`
+ // * `folders/{folder}/settings`
+ // * `projects/{project}/settings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/settings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/settings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/settings`
+ repeated string names = 2;
+}
+
+// Response message for BatchGetSettings.
+message BatchGetSettingsResponse {
+ // Settings requested.
+ repeated Settings settings = 1;
+}
+
+// Request message for CalculateEffectiveSettings.
+message CalculateEffectiveSettingsRequest {
+ // Required. The name of the effective settings to retrieve.
+ // Formats:
+ // * `organizations/{organization}/effectiveSettings`
+ // * `folders/{folder}/effectiveSettings`
+ // * `projects/{project}/effectiveSettings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/effectiveSettings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/effectiveSettings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/effectiveSettings`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Settings"
+ }
+ ];
+}
+
+// Request message for BatchGetEffectiveSettings.
+message BatchCalculateEffectiveSettingsRequest {
+ // Required. The relative resource name of the organization shared by all of the
+ // settings being retrieved.
+ // Format:
+ // * `organizations/{organization}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // The requests specifying the effective settings to retrieve.
+ // A maximum of 1000 effective settings can be retrieved in a batch.
+ repeated CalculateEffectiveSettingsRequest requests = 2;
+}
+
+// Response message for BatchGetEffectiveSettings.
+message BatchCalculateEffectiveSettingsResponse {
+ // Settings requested.
+ repeated Settings settings = 1;
+}
+
+// Request message for GetComponentSettings.
+message GetComponentSettingsRequest {
+ // Required. The component settings to retrieve.
+ //
+ // Formats:
+ // * `organizations/{organization}/components/{component}/settings`
+ // * `folders/{folder}/components/{component}/settings`
+ // * `projects/{project}/components/{component}/settings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/ComponentSettings"
+ }
+ ];
+}
+
+// Request message for UpdateComponentSettings.
+message UpdateComponentSettingsRequest {
+ // Required. The component settings to update.
+ //
+ // The component settings' `name` field is used to identify the component
+ // settings to be updated. Formats:
+ // * `organizations/{organization}/components/{component}/settings`
+ // * `folders/{folder}/components/{component}/settings`
+ // * `projects/{project}/components/{component}/settings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings`
+ ComponentSettings component_settings = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The list of fields to be updated on the component settings resource.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for ResetComponentSettings.
+message ResetComponentSettingsRequest {
+ // Required. The component settings to reset.
+ //
+ // Formats:
+ // * `organizations/{organization}/components/{component}/settings`
+ // * `folders/{folder}/components/{component}/settings`
+ // * `projects/{project}/components/{component}/settings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/ComponentSettings"
+ }
+ ];
+
+ // An fingerprint used for optimistic concurrency. If none is provided,
+ // then the existing settings will be blindly overwritten.
+ string etag = 2;
+}
+
+// Request message for CalculateEffectiveComponentSettings.
+message CalculateEffectiveComponentSettingsRequest {
+ // Required. The effective component settings to retrieve.
+ //
+ // Formats:
+ // * `organizations/{organization}/components/{component}/settings`
+ // * `folders/{folder}/components/{component}/settings`
+ // * `projects/{project}/components/{component}/settings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings`
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/ComponentSettings"
+ }
+ ];
+}
+
+// Request message for ListDetectors.
+message ListDetectorsRequest {
+ // Required. The parent, which owns this collection of detectors.
+ // Format:
+ // * `organizations/{organization}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // Filters to apply on the response. Filters can be applied on:
+ // * components
+ // * labels
+ // * billing tiers
+ //
+ // Component filters will retrieve only detectors for the components
+ // specified. Label filters will retrieve only detectors that match one of the
+ // labels specified. Billing tier filters will retrieve only detectors for
+ // that billing tier.
+ //
+ // The filters
+ string filter = 2;
+
+ // The maximum number of detectors to return. The service may return fewer
+ // than this value. If unspecified, at most 100 detectors will be returned.
+ // The maximum value is 1000; values above 1000 will be coerced to 1000.
+ int32 page_size = 3;
+
+ // A page token, received from a previous `ListDetectors` call.
+ // Provide this to retrieve the subsequent page.
+ //
+ // When paginating, all other parameters provided to `ListDetectors` must
+ // match the call that provided the page token.
+ string page_token = 4;
+}
+
+// Response message for ListDetectors.
+message ListDetectorsResponse {
+ // The detectors from the specified organization.
+ repeated Detector detectors = 1;
+
+ // A token that can be sent as `page_token` to retrieve the next page.
+ // If this field is omitted, there are no subsequent pages.
+ string next_page_token = 2;
+}
+
+// Request message for ListComponents.
+message ListComponentsRequest {
+ // Required. The parent, which owns this collection of components.
+ // Format:
+ // * `organizations/{organization}`
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // The maximum number of components to return. The service may return fewer
+ // than this value. If unspecified, at most 100 components will be returned.
+ // The maximum value is 1000; values above 1000 will be coerced to 1000.
+ int32 page_size = 2;
+
+ // A page token, received from a previous `ListComponents` call.
+ // Provide this to retrieve the subsequent page.
+ //
+ // When paginating, all other parameters provided to `ListComponents` must
+ // match the call that provided the page token.
+ string page_token = 3;
+}
+
+// Response message for ListComponents.
+message ListComponentsResponse {
+ // The components from the specified organization.
+ repeated string components = 1;
+
+ // A token that can be sent as `page_token` to retrieve the next page.
+ // If this field is omitted, there are no subsequent pages.
+ string next_page_token = 2;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/settings.proto b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/settings.proto
new file mode 100644
index 0000000..7f6b8da
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/settings.proto
@@ -0,0 +1,120 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.settings.v1beta1;
+
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/cloud/securitycenter/settings/v1beta1/billing_settings.proto";
+import "google/cloud/securitycenter/settings/v1beta1/component_settings.proto";
+import "google/cloud/securitycenter/settings/v1beta1/sink_settings.proto";
+import "google/protobuf/timestamp.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.SecurityCenter.Settings.V1Beta1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/settings/v1beta1;settings";
+option java_multiple_files = true;
+option java_outer_classname = "SettingsProto";
+option java_package = "com.google.cloud.securitycenter.settings.v1beta1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\Settings\\V1beta1";
+option ruby_package = "Google::Cloud::SecurityCenter::Settings::V1beta1";
+
+// Common configuration settings for all of Security Center.
+message Settings {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/Settings"
+ pattern: "organizations/{organization}/settings"
+ pattern: "folders/{folder}/settings"
+ pattern: "projects/{project}/settings"
+ pattern: "projects/{project}/locations/{location}/clusters/{cluster}/settings"
+ pattern: "projects/{project}/regions/{region}/clusters/{cluster}/settings"
+ pattern: "projects/{project}/zones/{zone}/clusters/{cluster}/settings"
+ };
+
+ // The DetectorGroupSettings define the configuration for a detector group.
+ message DetectorGroupSettings {
+ // The state determines if the group is enabled or not.
+ ComponentEnablementState state = 1;
+ }
+
+ // Defines the onboarding states for SCC
+ //
+ // Potentially is just an indicator that a user has reviewed some subset of
+ // our configuration surface, even if it's still currently set to its
+ // API-default state.
+ enum OnboardingState {
+ // No onboarding state has been set. Should not be seen in practice, but
+ // should be functionally equivalent to DISABLED.
+ ONBOARDING_STATE_UNSPECIFIED = 0;
+
+ // SCC is fully on boarded
+ ENABLED = 1;
+
+ // SCC has been disabled after being on boarded
+ DISABLED = 2;
+
+ // SCC's onboarding tier has been explicitly set
+ BILLING_SELECTED = 3;
+
+ // SCC's CTD FindingsProviders have been chosen
+ PROVIDERS_SELECTED = 4;
+
+ // SCC's Service-Resource mappings have been set
+ RESOURCES_SELECTED = 5;
+
+ // SCC's core Service Account was created
+ ORG_SERVICE_ACCOUNT_CREATED = 6;
+ }
+
+ // The relative resource name of the settings resource.
+ // Formats:
+ // * `organizations/{organization}/settings`
+ // * `folders/{folder}/settings`
+ // * `projects/{project}/settings`
+ // * `projects/{project}/locations/{location}/clusters/{cluster}/settings`
+ // * `projects/{project}/regions/{region}/clusters/{cluster}/settings`
+ // * `projects/{project}/zones/{zone}/clusters/{cluster}/settings`
+ string name = 1;
+
+ // Billing settings
+ BillingSettings billing_settings = 2;
+
+ // An enum representing the current on boarding state of SCC.
+ OnboardingState state = 3;
+
+ // Output only. The organization-level service account to be used for security center
+ // components. The component must have permission to "act as" the service
+ // account.
+ string org_service_account = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Sink settings.
+ SinkSettings sink_settings = 6;
+
+ // The settings for detectors and/or scanners.
+ map<string, ComponentSettings> component_settings = 7;
+
+ // Detector group settings for all Security Center components.
+ // The key is the name of the detector group and the value is the settings for
+ // that group.
+ map<string, DetectorGroupSettings> detector_group_settings = 8;
+
+ // A fingerprint used for optimistic concurrency. If none is provided
+ // on updates then the existing metadata will be blindly overwritten.
+ string etag = 9;
+
+ // Output only. The time these settings were last updated.
+ google.protobuf.Timestamp update_time = 10 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/sink_settings.proto b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/sink_settings.proto
new file mode 100644
index 0000000..1912af5
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/settings/v1beta1/sink_settings.proto
@@ -0,0 +1,37 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.settings.v1beta1;
+
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.SecurityCenter.Settings.V1Beta1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/settings/v1beta1;settings";
+option java_multiple_files = true;
+option java_outer_classname = "SinkProto";
+option java_package = "com.google.cloud.securitycenter.settings.v1beta1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\Settings\\V1beta1";
+option ruby_package = "Google::Cloud::SecurityCenter::Settings::V1beta1";
+
+// Sink Settings for Security Command Center
+message SinkSettings {
+ // The resource name of the project to send logs to. This project must be
+ // part of the same organization where the Security Center API is
+ // enabled. The format is `projects/{project}`. If it is empty, we do
+ // not output logs. If a project ID is provided it will be normalized to a
+ // project number.
+ string logging_sink_project = 1;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/BUILD.bazel b/third_party/googleapis/google/cloud/securitycenter/v1/BUILD.bazel
new file mode 100644
index 0000000..d9d8a38
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/BUILD.bazel
@@ -0,0 +1,371 @@
+# This file was automatically generated by BuildFileGenerator
+# https://github.com/googleapis/rules_gapic/tree/master/bazel
+
+# Most of the manual changes to this file will be overwritten.
+# It's **only** allowed to change the following rule attribute values:
+# - names of *_gapic_assembly_* rules
+# - certain parameters of *_gapic_library rules, including but not limited to:
+# * extra_protoc_parameters
+# * extra_protoc_file_parameters
+# The complete list of preserved parameters can be found in the source code.
+
+##############################################################################
+# Common
+##############################################################################
+load("@rules_proto//proto:defs.bzl", "proto_library")
+load(
+ "@com_google_googleapis_imports//:imports.bzl",
+ "cc_grpc_library",
+ "cc_proto_library",
+ "csharp_gapic_assembly_pkg",
+ "csharp_gapic_library",
+ "csharp_grpc_library",
+ "csharp_proto_library",
+ "go_gapic_assembly_pkg",
+ "go_gapic_library",
+ "go_proto_library",
+ "go_test",
+ "java_gapic_assembly_gradle_pkg",
+ "java_gapic_library",
+ "java_gapic_test",
+ "java_grpc_library",
+ "java_proto_library",
+ "nodejs_gapic_assembly_pkg",
+ "nodejs_gapic_library",
+ "php_gapic_assembly_pkg",
+ "php_gapic_library",
+ "php_grpc_library",
+ "php_proto_library",
+ "proto_library_with_info",
+ "py_gapic_assembly_pkg",
+ "py_gapic_library",
+ "py_test",
+ "ruby_cloud_gapic_library",
+ "ruby_gapic_assembly_pkg",
+ "ruby_grpc_library",
+ "ruby_proto_library",
+)
+
+# This is an API workspace, having public visibility by default makes perfect sense.
+package(default_visibility = ["//visibility:public"])
+
+proto_library(
+ name = "securitycenter_proto",
+ srcs = [
+ "access.proto",
+ "asset.proto",
+ "bigquery_export.proto",
+ "compliance.proto",
+ "connection.proto",
+ "contact_details.proto",
+ "container.proto",
+ "database.proto",
+ "exfiltration.proto",
+ "external_system.proto",
+ "file.proto",
+ "finding.proto",
+ "folder.proto",
+ "iam_binding.proto",
+ "indicator.proto",
+ "kubernetes.proto",
+ "label.proto",
+ "mitre_attack.proto",
+ "mute_config.proto",
+ "notification_config.proto",
+ "notification_message.proto",
+ "organization_settings.proto",
+ "process.proto",
+ "resource.proto",
+ "run_asset_discovery_response.proto",
+ "security_marks.proto",
+ "securitycenter_service.proto",
+ "source.proto",
+ "vulnerability.proto",
+ ],
+ deps = [
+ "//google/api:annotations_proto",
+ "//google/api:client_proto",
+ "//google/api:field_behavior_proto",
+ "//google/api:resource_proto",
+ "//google/iam/v1:iam_policy_proto",
+ "//google/iam/v1:policy_proto",
+ "//google/longrunning:operations_proto",
+ "@com_google_protobuf//:duration_proto",
+ "@com_google_protobuf//:empty_proto",
+ "@com_google_protobuf//:field_mask_proto",
+ "@com_google_protobuf//:struct_proto",
+ "@com_google_protobuf//:timestamp_proto",
+ ],
+)
+
+proto_library_with_info(
+ name = "securitycenter_proto_with_info",
+ deps = [
+ ":securitycenter_proto",
+ "//google/cloud:common_resources_proto",
+ ],
+)
+
+java_proto_library(
+ name = "securitycenter_java_proto",
+ deps = [":securitycenter_proto"],
+)
+
+java_grpc_library(
+ name = "securitycenter_java_grpc",
+ srcs = [":securitycenter_proto"],
+ deps = [":securitycenter_java_proto"],
+)
+
+java_gapic_library(
+ name = "securitycenter_java_gapic",
+ srcs = [":securitycenter_proto_with_info"],
+ gapic_yaml = None,
+ grpc_service_config = "securitycenter_grpc_service_config.json",
+ service_yaml = "securitycenter_v1.yaml",
+ test_deps = [
+ ":securitycenter_java_grpc",
+ "//google/iam/v1:iam_java_grpc",
+ ],
+ transport = "grpc+rest",
+ deps = [
+ ":securitycenter_java_proto",
+ "//google/api:api_java_proto",
+ "//google/iam/v1:iam_java_proto",
+ ],
+)
+
+java_gapic_test(
+ name = "securitycenter_java_gapic_test_suite",
+ test_classes = [
+ "com.google.cloud.securitycenter.v1.SecurityCenterClientHttpJsonTest",
+ "com.google.cloud.securitycenter.v1.SecurityCenterClientTest",
+ ],
+ runtime_deps = [":securitycenter_java_gapic_test"],
+)
+
+# Open Source Packages
+java_gapic_assembly_gradle_pkg(
+ name = "google-cloud-securitycenter-v1-java",
+ include_samples = True,
+ transport = "grpc+rest",
+ deps = [
+ ":securitycenter_java_gapic",
+ ":securitycenter_java_grpc",
+ ":securitycenter_java_proto",
+ ":securitycenter_proto",
+ ],
+)
+
+go_proto_library(
+ name = "securitycenter_go_proto",
+ compilers = ["@io_bazel_rules_go//proto:go_grpc"],
+ importpath = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1",
+ protos = [":securitycenter_proto"],
+ deps = [
+ "//google/api:annotations_go_proto",
+ "//google/iam/v1:iam_go_proto",
+ "//google/longrunning:longrunning_go_proto",
+ ],
+)
+
+go_gapic_library(
+ name = "securitycenter_go_gapic",
+ srcs = [":securitycenter_proto_with_info"],
+ grpc_service_config = "securitycenter_grpc_service_config.json",
+ importpath = "cloud.google.com/go/securitycenter/apiv1;securitycenter",
+ metadata = True,
+ service_yaml = "securitycenter_v1.yaml",
+ transport = "grpc+rest",
+ deps = [
+ ":securitycenter_go_proto",
+ "//google/iam/v1:iam_go_proto",
+ "//google/longrunning:longrunning_go_proto",
+ "@com_google_cloud_go//longrunning:go_default_library",
+ "@com_google_cloud_go//longrunning/autogen:go_default_library",
+ "@io_bazel_rules_go//proto/wkt:duration_go_proto",
+ "@io_bazel_rules_go//proto/wkt:struct_go_proto",
+ ],
+)
+
+go_test(
+ name = "securitycenter_go_gapic_test",
+ srcs = [":securitycenter_go_gapic_srcjar_test"],
+ embed = [":securitycenter_go_gapic"],
+ importpath = "cloud.google.com/go/securitycenter/apiv1",
+)
+
+# Open Source Packages
+go_gapic_assembly_pkg(
+ name = "gapi-cloud-securitycenter-v1-go",
+ deps = [
+ ":securitycenter_go_gapic",
+ ":securitycenter_go_gapic_srcjar-metadata.srcjar",
+ ":securitycenter_go_gapic_srcjar-test.srcjar",
+ ":securitycenter_go_proto",
+ ],
+)
+
+py_gapic_library(
+ name = "securitycenter_py_gapic",
+ srcs = [":securitycenter_proto"],
+ grpc_service_config = "securitycenter_grpc_service_config.json",
+ transport = "grpc",
+ deps = [
+ "//google/iam/v1:iam_policy_py_proto",
+ ],
+)
+
+py_test(
+ name = "securitycenter_py_gapic_test",
+ srcs = [
+ "securitycenter_py_gapic_pytest.py",
+ "securitycenter_py_gapic_test.py",
+ ],
+ legacy_create_init = False,
+ deps = [":securitycenter_py_gapic"],
+)
+
+# Open Source Packages
+py_gapic_assembly_pkg(
+ name = "securitycenter-v1-py",
+ deps = [
+ ":securitycenter_py_gapic",
+ ],
+)
+
+php_proto_library(
+ name = "securitycenter_php_proto",
+ deps = [":securitycenter_proto"],
+)
+
+php_grpc_library(
+ name = "securitycenter_php_grpc",
+ srcs = [":securitycenter_proto"],
+ deps = [":securitycenter_php_proto"],
+)
+
+php_gapic_library(
+ name = "securitycenter_php_gapic",
+ srcs = [":securitycenter_proto_with_info"],
+ grpc_service_config = "securitycenter_grpc_service_config.json",
+ service_yaml = "securitycenter_v1.yaml",
+ deps = [
+ ":securitycenter_php_grpc",
+ ":securitycenter_php_proto",
+ ],
+)
+
+# Open Source Packages
+php_gapic_assembly_pkg(
+ name = "google-cloud-securitycenter-v1-php",
+ deps = [
+ ":securitycenter_php_gapic",
+ ":securitycenter_php_grpc",
+ ":securitycenter_php_proto",
+ ],
+)
+
+nodejs_gapic_library(
+ name = "securitycenter_nodejs_gapic",
+ package_name = "@google-cloud/security-center",
+ src = ":securitycenter_proto_with_info",
+ extra_protoc_parameters = ["metadata"],
+ grpc_service_config = "securitycenter_grpc_service_config.json",
+ package = "google.cloud.securitycenter.v1",
+ service_yaml = "securitycenter_v1.yaml",
+ deps = [],
+)
+
+nodejs_gapic_assembly_pkg(
+ name = "securitycenter-v1-nodejs",
+ deps = [
+ ":securitycenter_nodejs_gapic",
+ ":securitycenter_proto",
+ ],
+)
+
+ruby_proto_library(
+ name = "securitycenter_ruby_proto",
+ deps = [":securitycenter_proto"],
+)
+
+ruby_grpc_library(
+ name = "securitycenter_ruby_grpc",
+ srcs = [":securitycenter_proto"],
+ deps = [":securitycenter_ruby_proto"],
+)
+
+ruby_cloud_gapic_library(
+ name = "securitycenter_ruby_gapic",
+ srcs = [":securitycenter_proto_with_info"],
+ extra_protoc_parameters = [
+ "ruby-cloud-api-id=securitycenter.googleapis.com",
+ "ruby-cloud-api-shortname=securitycenter",
+ "ruby-cloud-env-prefix=SECURITY_CENTER",
+ "ruby-cloud-gem-name=google-cloud-security_center-v1",
+ "ruby-cloud-product-url=https://cloud.google.com/security-command-center",
+ ],
+ grpc_service_config = "securitycenter_grpc_service_config.json",
+ ruby_cloud_description = "Security Command Center API provides access to temporal views of assets and findings within an organization.",
+ ruby_cloud_title = "Cloud Security Command Center V1",
+ deps = [
+ ":securitycenter_ruby_grpc",
+ ":securitycenter_ruby_proto",
+ ],
+)
+
+# Open Source Packages
+ruby_gapic_assembly_pkg(
+ name = "google-cloud-securitycenter-v1-ruby",
+ deps = [
+ ":securitycenter_ruby_gapic",
+ ":securitycenter_ruby_grpc",
+ ":securitycenter_ruby_proto",
+ ],
+)
+
+csharp_proto_library(
+ name = "securitycenter_csharp_proto",
+ deps = [":securitycenter_proto"],
+)
+
+csharp_grpc_library(
+ name = "securitycenter_csharp_grpc",
+ srcs = [":securitycenter_proto"],
+ deps = [":securitycenter_csharp_proto"],
+)
+
+csharp_gapic_library(
+ name = "securitycenter_csharp_gapic",
+ srcs = [":securitycenter_proto_with_info"],
+ common_resources_config = "@gax_dotnet//:Google.Api.Gax/ResourceNames/CommonResourcesConfig.json",
+ grpc_service_config = "securitycenter_grpc_service_config.json",
+ service_yaml = "securitycenter_v1.yaml",
+ deps = [
+ ":securitycenter_csharp_grpc",
+ ":securitycenter_csharp_proto",
+ ],
+)
+
+# Open Source Packages
+csharp_gapic_assembly_pkg(
+ name = "google-cloud-securitycenter-v1-csharp",
+ deps = [
+ ":securitycenter_csharp_gapic",
+ ":securitycenter_csharp_grpc",
+ ":securitycenter_csharp_proto",
+ ],
+)
+
+cc_proto_library(
+ name = "securitycenter_cc_proto",
+ deps = [":securitycenter_proto"],
+)
+
+cc_grpc_library(
+ name = "securitycenter_cc_grpc",
+ srcs = [":securitycenter_proto"],
+ grpc_only = True,
+ deps = [":securitycenter_cc_proto"],
+)
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/access.proto b/third_party/googleapis/google/cloud/securitycenter/v1/access.proto
new file mode 100644
index 0000000..799b84f
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/access.proto
@@ -0,0 +1,100 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "AccessProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Represents an access event.
+message Access {
+ // Associated email, such as "foo@google.com".
+ //
+ // The email address of the authenticated user (or service account on behalf
+ // of third party principal) making the request. For third party identity
+ // callers, the `principal_subject` field is populated instead of this field.
+ // For privacy reasons, the principal email address is sometimes redacted.
+ // For more information, see [Caller identities in audit
+ // logs](https://cloud.google.com/logging/docs/audit#user-id).
+ string principal_email = 1;
+
+ // Caller's IP address, such as "1.1.1.1".
+ string caller_ip = 2;
+
+ // The caller IP's geolocation, which identifies where the call came from.
+ Geolocation caller_ip_geo = 3;
+
+ // What kind of user agent is associated, e.g. operating system shells,
+ // embedded or stand-alone applications, etc.
+ string user_agent_family = 4;
+
+ // This is the API service that the service account made a call to, e.g.
+ // "iam.googleapis.com"
+ string service_name = 5;
+
+ // The method that the service account called, e.g. "SetIamPolicy".
+ string method_name = 6;
+
+ // A string representing the principal_subject associated with the identity.
+ // As compared to `principal_email`, supports principals that aren't
+ // associated with email addresses, such as third party principals. For most
+ // identities, the format will be `principal://iam.googleapis.com/{identity
+ // pool name}/subjects/{subject}` except for some GKE identities
+ // (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy
+ // format `serviceAccount:{identity pool name}[{subject}]`
+ string principal_subject = 7;
+
+ // The name of the service account key used to create or exchange
+ // credentials for authenticating the service account making the request.
+ // This is a scheme-less URI full resource name. For example:
+ //
+ // "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
+ //
+ string service_account_key_name = 8;
+
+ // Identity delegation history of an authenticated service account that makes
+ // the request. It contains information on the real authorities that try to
+ // access GCP resources by delegating on a service account. When multiple
+ // authorities are present, they are guaranteed to be sorted based on the
+ // original ordering of the identity delegation events.
+ repeated ServiceAccountDelegationInfo service_account_delegation_info = 9;
+}
+
+// Identity delegation history of an authenticated service account.
+message ServiceAccountDelegationInfo {
+ // The email address of a Google account.
+ string principal_email = 1;
+
+ // A string representing the principal_subject associated with the identity.
+ // As compared to `principal_email`, supports principals that aren't
+ // associated with email addresses, such as third party principals. For most
+ // identities, the format will be `principal://iam.googleapis.com/{identity
+ // pool name}/subjects/{subject}` except for some GKE identities
+ // (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy
+ // format `serviceAccount:{identity pool name}[{subject}]`
+ string principal_subject = 2;
+}
+
+// Represents a geographical location for a given access.
+message Geolocation {
+ // A CLDR.
+ string region_code = 1;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/asset.proto b/third_party/googleapis/google/cloud/securitycenter/v1/asset.proto
new file mode 100644
index 0000000..55ba564
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/asset.proto
@@ -0,0 +1,134 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/resource.proto";
+import "google/cloud/securitycenter/v1/folder.proto";
+import "google/cloud/securitycenter/v1/security_marks.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Security Command Center representation of a Google Cloud
+// resource.
+//
+// The Asset is a Security Command Center resource that captures information
+// about a single Google Cloud resource. All modifications to an Asset are only
+// within the context of Security Command Center and don't affect the referenced
+// Google Cloud resource.
+message Asset {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/Asset"
+ pattern: "organizations/{organization}/assets/{asset}"
+ pattern: "folders/{folder}/assets/{asset}"
+ pattern: "projects/{project}/assets/{asset}"
+ };
+
+ // Security Command Center managed properties. These properties are managed by
+ // Security Command Center and cannot be modified by the user.
+ message SecurityCenterProperties {
+ // The full resource name of the Google Cloud resource this asset
+ // represents. This field is immutable after create time. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ string resource_name = 1;
+
+ // The type of the Google Cloud resource. Examples include: APPLICATION,
+ // PROJECT, and ORGANIZATION. This is a case insensitive field defined by
+ // Security Command Center and/or the producer of the resource and is
+ // immutable after create time.
+ string resource_type = 2;
+
+ // The full resource name of the immediate parent of the resource. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ string resource_parent = 3;
+
+ // The full resource name of the project the resource belongs to. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ string resource_project = 4;
+
+ // Owners of the Google Cloud resource.
+ repeated string resource_owners = 5;
+
+ // The user defined display name for this resource.
+ string resource_display_name = 6;
+
+ // The user defined display name for the parent of this resource.
+ string resource_parent_display_name = 7;
+
+ // The user defined display name for the project of this resource.
+ string resource_project_display_name = 8;
+
+ // Contains a Folder message for each folder in the assets ancestry.
+ // The first folder is the deepest nested folder, and the last folder is the
+ // folder directly under the Organization.
+ repeated Folder folders = 10;
+ }
+
+ // Cloud IAM Policy information associated with the Google Cloud resource
+ // described by the Security Command Center asset. This information is managed
+ // and defined by the Google Cloud resource and cannot be modified by the
+ // user.
+ message IamPolicy {
+ // The JSON representation of the Policy associated with the asset.
+ // See https://cloud.google.com/iam/reference/rest/v1/Policy for format
+ // details.
+ string policy_blob = 1;
+ }
+
+ // The relative resource name of this asset. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/assets/{asset_id}".
+ string name = 1;
+
+ // Security Command Center managed properties. These properties are managed by
+ // Security Command Center and cannot be modified by the user.
+ SecurityCenterProperties security_center_properties = 2;
+
+ // Resource managed properties. These properties are managed and defined by
+ // the Google Cloud resource and cannot be modified by the user.
+ map<string, google.protobuf.Value> resource_properties = 7;
+
+ // User specified security marks. These marks are entirely managed by the user
+ // and come from the SecurityMarks resource that belongs to the asset.
+ SecurityMarks security_marks = 8;
+
+ // The time at which the asset was created in Security Command Center.
+ google.protobuf.Timestamp create_time = 9;
+
+ // The time at which the asset was last updated or added in Cloud SCC.
+ google.protobuf.Timestamp update_time = 10;
+
+ // Cloud IAM Policy information associated with the Google Cloud resource
+ // described by the Security Command Center asset. This information is managed
+ // and defined by the Google Cloud resource and cannot be modified by the
+ // user.
+ IamPolicy iam_policy = 11;
+
+ // The canonical name of the resource. It's either
+ // "organizations/{organization_id}/assets/{asset_id}",
+ // "folders/{folder_id}/assets/{asset_id}" or
+ // "projects/{project_number}/assets/{asset_id}", depending on the closest CRM
+ // ancestor of the resource.
+ string canonical_name = 13;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/bigquery_export.proto b/third_party/googleapis/google/cloud/securitycenter/v1/bigquery_export.proto
new file mode 100644
index 0000000..850c66e
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/bigquery_export.proto 
@@ -0,0 +1,99 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/protobuf/timestamp.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "BigQueryExportProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Configures how to deliver Findings to BigQuery Instance.
+message BigQueryExport {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/BigQueryExport"
+ pattern: "organizations/{organization}/bigQueryExports/{export}"
+ pattern: "folders/{folder}/bigQueryExports/{export}"
+ pattern: "projects/{project}/bigQueryExports/{export}"
+ };
+
+ // The relative resource name of this export. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name.
+ // Example format:
+ // "organizations/{organization_id}/bigQueryExports/{export_id}" Example
+ // format: "folders/{folder_id}/bigQueryExports/{export_id}" Example format:
+ // "projects/{project_id}/bigQueryExports/{export_id}"
+ // This field is provided in responses, and is ignored when provided in create
+ // requests.
+ string name = 1;
+
+ // The description of the export (max of 1024 characters).
+ string description = 2;
+
+ // Expression that defines the filter to apply across create/update events
+ // of findings. The expression is a list of zero or more restrictions combined
+ // via logical operators `AND` and `OR`. Parentheses are supported, and `OR`
+ // has higher precedence than `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a
+ // `-` character in front of them to indicate negation. The fields map to
+ // those defined in the corresponding resource.
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ string filter = 3;
+
+ // The dataset to write findings' updates to. Its format is
+ // "projects/[project_id]/datasets/[bigquery_dataset_id]".
+ // BigQuery Dataset unique ID must contain only letters (a-z, A-Z), numbers
+ // (0-9), or underscores (_).
+ string dataset = 4;
+
+ // Output only. The time at which the big query export was created.
+ // This field is set by the server and will be ignored if provided on export
+ // on creation.
+ google.protobuf.Timestamp create_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Output only. The most recent time at which the big export was updated.
+ // This field is set by the server and will be ignored if provided on export
+ // creation or update.
+ google.protobuf.Timestamp update_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Output only. Email address of the user who last edited the big query export.
+ // This field is set by the server and will be ignored if provided on export
+ // creation or update.
+ string most_recent_editor = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Output only. The service account that needs permission to create table, upload data to
+ // the big query dataset.
+ string principal = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/compliance.proto b/third_party/googleapis/google/cloud/securitycenter/v1/compliance.proto
new file mode 100644
index 0000000..ca1353b
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/compliance.proto
@@ -0,0 +1,39 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ComplianceProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Contains compliance information about a security standard indicating unmet
+// recommendations.
+message Compliance {
+ // Refers to industry wide standards or benchmarks e.g. "cis", "pci", "owasp",
+ // etc.
+ string standard = 1;
+
+ // Version of the standard/benchmark e.g. 1.1
+ string version = 2;
+
+ // Policies within the standard/benchmark e.g. A.12.4.1
+ repeated string ids = 3;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/connection.proto b/third_party/googleapis/google/cloud/securitycenter/v1/connection.proto
new file mode 100644
index 0000000..29e9554
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/connection.proto
@@ -0,0 +1,66 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ConnectionProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Contains information about the IP connection associated with the finding.
+message Connection {
+ // IANA Internet Protocol Number such as TCP(6) and UDP(17).
+ enum Protocol {
+ // Unspecified protocol (not HOPOPT).
+ PROTOCOL_UNSPECIFIED = 0;
+
+ // Internet Control Message Protocol.
+ ICMP = 1;
+
+ // Transmission Control Protocol.
+ TCP = 6;
+
+ // User Datagram Protocol.
+ UDP = 17;
+
+ // Generic Routing Encapsulation.
+ GRE = 47;
+
+ // Encap Security Payload.
+ ESP = 50;
+ }
+
+ // Destination IP address. Not present for sockets that are listening and not
+ // connected.
+ string destination_ip = 1;
+
+ // Destination port. Not present for sockets that are listening and not
+ // connected.
+ int32 destination_port = 2;
+
+ // Source IP address.
+ string source_ip = 3;
+
+ // Source port.
+ int32 source_port = 4;
+
+ // IANA Internet Protocol Number such as TCP(6) and UDP(17).
+ Protocol protocol = 5;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/contact_details.proto b/third_party/googleapis/google/cloud/securitycenter/v1/contact_details.proto
new file mode 100644
index 0000000..c282d32
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/contact_details.proto
@@ -0,0 +1,37 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ContactDetailsProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// The details pertaining to specific contacts
+message ContactDetails {
+ // A list of contacts
+ repeated Contact contacts = 1;
+}
+
+// Representa a single contact's email address
+message Contact {
+ // An email address e.g. "person123@company.com"
+ string email = 1;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/container.proto b/third_party/googleapis/google/cloud/securitycenter/v1/container.proto
new file mode 100644
index 0000000..65ca458
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/container.proto
@@ -0,0 +1,45 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/cloud/securitycenter/v1/label.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ContainerProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Container associated with the finding.
+message Container {
+ // Container name.
+ string name = 1;
+
+ // Container image URI provided when configuring a pod/container.
+ // May identify a container image version using mutable tags.
+ string uri = 2;
+
+ // Optional container image id, when provided by the container runtime.
+ // Uniquely identifies the container image launched using a container image
+ // digest.
+ string image_id = 3;
+
+ // Container labels, as provided by the container runtime.
+ repeated Label labels = 4;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/database.proto b/third_party/googleapis/google/cloud/securitycenter/v1/database.proto
new file mode 100644
index 0000000..276b310
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/database.proto
@@ -0,0 +1,52 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.v1; + +option csharp_namespace = "Google.Cloud.SecurityCenter.V1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter"; +option java_multiple_files = true; +option java_outer_classname = "DatabaseProto"; +option java_package = "com.google.cloud.securitycenter.v1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\V1"; +option ruby_package = "Google::Cloud::SecurityCenter::V1"; + +// Represents database access information, such as queries. +// A database may be a sub-resource of an instance (as in the case of CloudSQL +// instances or Cloud Spanner instances), or the database instance itself. +// Some database resources may not have the full resource name populated +// because these resource types are not yet supported by Cloud Asset Inventory +// (e.g. CloudSQL databases). In these cases only the display name will be +// provided. +message Database { + // The full resource name of the database the user connected to, if it is + // supported by CAI. (https://google.aip.dev/122#full-resource-names) + string name = 1; + + // The human readable name of the database the user connected to. + string display_name = 2; + + // The username used to connect to the DB. This may not necessarily be an IAM + // principal, and has no required format. 
+ string user_name = 3; + + // The SQL statement associated with the relevant access. + string query = 4; + + // The target usernames/roles/groups of a SQL privilege grant (not an IAM + // policy change). + repeated string grantees = 5; +} diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/exfiltration.proto b/third_party/googleapis/google/cloud/securitycenter/v1/exfiltration.proto new file mode 100644 index 0000000..14e644f --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/v1/exfiltration.proto 
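Review bot: The comment on `query` does not say whether the SQL statement is passed through verbatim or has its literal values redacted or truncated, and a raw statement can embed credentials, tokens or personal data. A consumer that forwards findings to a SIEM or ticketing system needs that to decide how to handle the field. If the statement is reported as observed, suggest adding `// Reported as observed; literal values are not redacted, so treat the field as sensitive when exporting.` to the `query` comment, or otherwise documenting the redaction that is applied.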
@@ -0,0 +1,52 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ExfiltrationProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Exfiltration represents a data exfiltration attempt of one or more
+// sources to one or more targets. Sources represent the source
+// of data that is exfiltrated, and Targets represents the destination the
+// data was copied to.
+message Exfiltration {
+ // If there are multiple sources, then the data is considered "joined" between
+ // them. For instance, BigQuery can join multiple tables, and each
+ // table would be considered a source.
+ repeated ExfilResource sources = 1;
+
+ // If there are multiple targets, each target would get a complete copy of the
+ // "joined" source data.
+ repeated ExfilResource targets = 2;
+}
+
+// Resource that has been exfiltrated or exfiltrated_to.
+message ExfilResource {
+ // Resource's URI (https://google.aip.dev/122#full-resource-names)
+ string name = 1;
+
+ // Subcomponents of the asset that is exfiltrated - these could be
+ // URIs used during exfiltration, table names, databases, filenames, etc.
+ // For example, multiple tables may be exfiltrated from the same CloudSQL
+ // instance, or multiple files from the same Cloud Storage bucket.
+ repeated string components = 2;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/external_system.proto b/third_party/googleapis/google/cloud/securitycenter/v1/external_system.proto
new file mode 100644
index 0000000..8ba6981
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/external_system.proto
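Review bot: The message comment `// Resource that has been exfiltrated or exfiltrated_to.` uses a snake_case token that reads like a field name, but no `exfiltrated_to` field exists in `ExfilResource` or `Exfiltration`; it is only the role the resource plays in the parent's `sources` or `targets` list. Suggest `// A resource that data was exfiltrated from (a source) or exfiltrated to (a target), depending on which Exfiltration list it appears in.` so generated reference docs do not send readers looking for a missing field.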
@@ -0,0 +1,59 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/resource.proto";
+import "google/protobuf/timestamp.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ExternalSystemProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Representation of third party SIEM/SOAR fields within SCC.
+message ExternalSystem {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/ExternalSystem"
+ pattern: "organizations/{organization}/sources/{source}/findings/{finding}/externalSystems/{externalsystem}"
+ pattern: "folders/{folder}/sources/{source}/findings/{finding}/externalSystems/{externalsystem}"
+ pattern: "projects/{project}/sources/{source}/findings/{finding}/externalSystems/{externalsystem}"
+ };
+
+ // External System Name e.g. jira, demisto, etc.
+ // e.g.:
+ // `organizations/1234/sources/5678/findings/123456/externalSystems/jira`
+ // `folders/1234/sources/5678/findings/123456/externalSystems/jira`
+ // `projects/1234/sources/5678/findings/123456/externalSystems/jira`
+ string name = 1;
+
+ // References primary/secondary etc assignees in the external system.
+ repeated string assignees = 2;
+
+ // Identifier that's used to track the given finding in the external system.
+ string external_uid = 3;
+
+ // Most recent status of the corresponding finding's ticket/tracker in the
+ // external system.
+ string status = 4;
+
+ // The most recent time when the corresponding finding's ticket/tracker was
+ // updated in the external system.
+ google.protobuf.Timestamp external_system_update_time = 5;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/file.proto b/third_party/googleapis/google/cloud/securitycenter/v1/file.proto
new file mode 100644
index 0000000..d802dda
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/file.proto
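Review bot: The comment on `name` opens with `// External System Name e.g. jira, demisto, etc.` although the examples that follow, and the resource patterns declared just above, show the field holds the full relative resource name, of which the external system name is only the last segment. Suggest rewording the first line to `// Full resource name of the external system record; the last path segment is the external system name (e.g. jira, demisto).` so a client does not populate it with a bare system name. The enclosing message continues from the previous line of the hunk.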
@@ -0,0 +1,52 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "FileProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// File information about the related binary/library used by an executable, or
+// the script used by a script interpreter
+message File {
+ // Absolute path of the file as a JSON encoded string.
+ string path = 1;
+
+ // Size of the file in bytes.
+ int64 size = 2;
+
+ // SHA256 hash of the first hashed_size bytes of the file encoded as a
+ // hex string. If hashed_size == size, sha256 represents the SHA256 hash
+ // of the entire file.
+ string sha256 = 3;
+
+ // The length in bytes of the file prefix that was hashed. If
+ // hashed_size == size, any hashes reported represent the entire
+ // file.
+ int64 hashed_size = 4;
+
+ // True when the hash covers only a prefix of the file.
+ bool partially_hashed = 5;
+
+ // Prefix of the file contents as a JSON encoded string.
+ // (Currently only populated for Malicious Script Executed findings.)
+ string contents = 6;
+}
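Review bot: The `sha256` comment explains that the hash may cover only a prefix, but it does not warn that such a value must not be compared against whole-file hashes, which is the first thing a consumer will do with a field named `sha256`. The message also carries the same fact twice, as `partially_hashed` and as `hashed_size == size`, without saying which one is authoritative if they disagree. Suggest adding to the `sha256` comment `// Only comparable with whole-file hashes (threat intel feeds, allowlists) when partially_hashed is false.` and stating in the `partially_hashed` comment that it is the authoritative flag, or that it is always consistent with hashed_size.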
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/finding.proto b/third_party/googleapis/google/cloud/securitycenter/v1/finding.proto
new file mode 100644
index 0000000..126d5e5
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/finding.proto
@@ -0,0 +1,335 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/cloud/securitycenter/v1/access.proto";
+import "google/cloud/securitycenter/v1/compliance.proto";
+import "google/cloud/securitycenter/v1/connection.proto";
+import "google/cloud/securitycenter/v1/contact_details.proto";
+import "google/cloud/securitycenter/v1/container.proto";
+import "google/cloud/securitycenter/v1/database.proto";
+import "google/cloud/securitycenter/v1/exfiltration.proto";
+import "google/cloud/securitycenter/v1/external_system.proto";
+import "google/cloud/securitycenter/v1/iam_binding.proto";
+import "google/cloud/securitycenter/v1/indicator.proto";
+import "google/cloud/securitycenter/v1/kubernetes.proto";
+import "google/cloud/securitycenter/v1/mitre_attack.proto";
+import "google/cloud/securitycenter/v1/process.proto";
+import "google/cloud/securitycenter/v1/security_marks.proto";
+import "google/cloud/securitycenter/v1/vulnerability.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Security Command Center finding.
+//
+// A finding is a record of assessment data like security, risk, health, or
+// privacy, that is ingested into Security Command Center for presentation,
+// notification, analysis, policy testing, and enforcement. For example, a
+// cross-site scripting (XSS) vulnerability in an App Engine application is a
+// finding.
+message Finding {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/Finding"
+ pattern: "organizations/{organization}/sources/{source}/findings/{finding}"
+ pattern: "folders/{folder}/sources/{source}/findings/{finding}"
+ pattern: "projects/{project}/sources/{source}/findings/{finding}"
+ };
+
+ // The state of the finding.
+ enum State {
+ // Unspecified state.
+ STATE_UNSPECIFIED = 0;
+
+ // The finding requires attention and has not been addressed yet.
+ ACTIVE = 1;
+
+ // The finding has been fixed, triaged as a non-issue or otherwise addressed
+ // and is no longer active.
+ INACTIVE = 2;
+ }
+
+ // The severity of the finding.
+ enum Severity {
+ // This value is used for findings when a source doesn't write a severity
+ // value.
+ SEVERITY_UNSPECIFIED = 0;
+
+ // Vulnerability:
+ // A critical vulnerability is easily discoverable by an external actor,
+ // exploitable, and results in the direct ability to execute arbitrary code,
+ // exfiltrate data, and otherwise gain additional access and privileges to
+ // cloud resources and workloads. Examples include publicly accessible
+ // unprotected user data, public SSH access with weak or no passwords, etc.
+ //
+ // Threat:
+ // Indicates a threat that is able to access, modify, or delete data or
+ // execute unauthorized code within existing resources.
+ CRITICAL = 1;
+
+ // Vulnerability:
+ // A high risk vulnerability can be easily discovered and exploited in
+ // combination with other vulnerabilities in order to gain direct access and
+ // the ability to execute arbitrary code, exfiltrate data, and otherwise
+ // gain additional access and privileges to cloud resources and workloads.
+ // An example is a database with weak or no passwords that is only
+ // accessible internally. This database could easily be compromised by an
+ // actor that had access to the internal network.
+ //
+ // Threat:
+ // Indicates a threat that is able to create new computational resources in
+ // an environment but not able to access data or execute code in existing
+ // resources.
+ HIGH = 2;
+
+ // Vulnerability:
+ // A medium risk vulnerability could be used by an actor to gain access to
+ // resources or privileges that enable them to eventually (through multiple
+ // steps or a complex exploit) gain access and the ability to execute
+ // arbitrary code or exfiltrate data. An example is a service account with
+ // access to more projects than it should have. If an actor gains access to
+ // the service account, they could potentially use that access to manipulate
+ // a project the service account was not intended to.
+ //
+ // Threat:
+ // Indicates a threat that is able to cause operational impact but may not
+ // access data or execute unauthorized code.
+ MEDIUM = 3;
+
+ // Vulnerability:
+ // A low risk vulnerability hampers a security organization's ability to
+ // detect vulnerabilities or active threats in their deployment, or prevents
+ // the root cause investigation of security issues. An example is monitoring
+ // and logs being disabled for resource configurations and access.
+ //
+ // Threat:
+ // Indicates a threat that has obtained minimal access to an environment but
+ // is not able to access data, execute code, or create resources.
+ LOW = 4;
+ }
+
+ // Mute state a finding can be in.
+ enum Mute {
+ // Unspecified.
+ MUTE_UNSPECIFIED = 0;
+
+ // Finding has been muted.
+ MUTED = 1;
+
+ // Finding has been unmuted.
+ UNMUTED = 2;
+
+ // Finding has never been muted/unmuted.
+ UNDEFINED = 4;
+ }
+
+ // Represents what kind of Finding it is.
+ enum FindingClass {
+ // Unspecified finding class.
+ FINDING_CLASS_UNSPECIFIED = 0;
+
+ // Describes unwanted or malicious activity.
+ THREAT = 1;
+
+ // Describes a potential weakness in software that increases risk to
+ // Confidentiality & Integrity & Availability.
+ VULNERABILITY = 2;
+
+ // Describes a potential weakness in cloud resource/asset configuration that
+ // increases risk.
+ MISCONFIGURATION = 3;
+
+ // Describes a security observation that is for informational purposes.
+ OBSERVATION = 4;
+
+ // Describes an error that prevents some SCC functionality.
+ SCC_ERROR = 5;
+ }
+
+ // The relative resource name of this finding. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}"
+ string name = 1;
+
+ // The relative resource name of the source the finding belongs to. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // This field is immutable after creation time.
+ // For example:
+ // "organizations/{organization_id}/sources/{source_id}"
+ string parent = 2;
+
+ // For findings on Google Cloud resources, the full resource
+ // name of the Google Cloud resource this finding is for. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ // When the finding is for a non-Google Cloud resource, the resourceName can
+ // be a customer or partner defined string. This field is immutable after
+ // creation time.
+ string resource_name = 3;
+
+ // The state of the finding.
+ State state = 4;
+
+ // The additional taxonomy group within findings from a given source.
+ // This field is immutable after creation time.
+ // Example: "XSS_FLASH_INJECTION"
+ string category = 5;
+
+ // The URI that, if available, points to a web page outside of Security
+ // Command Center where additional information about the finding can be found.
+ // This field is guaranteed to be either empty or a well formed URL.
+ string external_uri = 6;
+
+ // Source specific properties. These properties are managed by the source
+ // that writes the finding. The key names in the source_properties map must be
+ // between 1 and 255 characters, and must start with a letter and contain
+ // alphanumeric characters or underscores only.
+ map<string, google.protobuf.Value> source_properties = 7;
+
+ // Output only. User specified security marks. These marks are entirely
+ // managed by the user and come from the SecurityMarks resource that belongs
+ // to the finding.
+ SecurityMarks security_marks = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // The time the finding was first detected. If an existing finding is updated,
+ // then this is the time the update occurred.
+ // For example, if the finding represents an open firewall, this property
+ // captures the time the detector believes the firewall became open. The
+ // accuracy is determined by the detector. If the finding is later resolved,
+ // then this time reflects when the finding was resolved. This must not
+ // be set to a value greater than the current timestamp.
+ google.protobuf.Timestamp event_time = 9;
+
+ // The time at which the finding was created in Security Command Center.
+ google.protobuf.Timestamp create_time = 10;
+
+ // The severity of the finding. This field is managed by the source that
+ // writes the finding.
+ Severity severity = 12;
+
+ // The canonical name of the finding. It's either
+ // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
+ // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or
+ // "projects/{project_number}/sources/{source_id}/findings/{finding_id}",
+ // depending on the closest CRM ancestor of the resource associated with the
+ // finding.
+ string canonical_name = 14;
+
+ // Indicates the mute state of a finding (either muted, unmuted
+ // or undefined). Unlike other attributes of a finding, a finding provider
+ // shouldn't set the value of mute.
+ Mute mute = 15;
+
+ // The class of the finding.
+ FindingClass finding_class = 17;
+
+ // Represents what's commonly known as an Indicator of compromise (IoC) in
+ // computer forensics. This is an artifact observed on a network or in an
+ // operating system that, with high confidence, indicates a computer
+ // intrusion.
+ // Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
+ Indicator indicator = 18;
+
+ // Represents vulnerability specific fields like cve, cvss scores etc.
+ // CVE stands for Common Vulnerabilities and Exposures
+ // (https://cve.mitre.org/about/)
+ Vulnerability vulnerability = 20;
+
+ // Output only. The most recent time this finding was muted or unmuted.
+ google.protobuf.Timestamp mute_update_time = 21 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Output only. Third party SIEM/SOAR fields within SCC, contains external system
+ // information and external system finding fields.
+ map<string, ExternalSystem> external_systems = 22 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // MITRE ATT&CK tactics and techniques related to this finding.
+ // See: https://attack.mitre.org
+ MitreAttack mitre_attack = 25;
+
+ // Access details associated to the Finding, such as more information on the
+ // caller, which method was accessed, from where, etc.
+ Access access = 26;
+
+ // Contains information about the IP connection associated with the finding.
+ repeated Connection connections = 31;
+
+ // First known as mute_annotation. Records additional information about the
+ // mute operation e.g. mute config that muted the finding, user who muted the
+ // finding, etc. Unlike other attributes of a finding, a finding provider
+ // shouldn't set the value of mute.
+ string mute_initiator = 28;
+
+ // Represents operating system processes associated with the Finding.
+ repeated Process processes = 30;
+
+ // Output only. Map containing the points of contact for the given finding. The key
+ // represents the type of contact, while the value contains a list of all the
+ // contacts that pertain. Please refer to:
+ // https://cloud.google.com/resource-manager/docs/managing-notification-contacts#notification-categories
+ //
+ // {
+ // "security": {
+ // "contacts": [
+ // {
+ // "email": "person1@company.com"
+ // },
+ // {
+ // "email": "person2@company.com"
+ // }
+ // ]
+ // }
+ // }
+ map<string, ContactDetails> contacts = 33 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Contains compliance information for security standards associated to the
+ // finding.
+ repeated Compliance compliances = 34;
+
+ // Output only. The human readable display name of the finding source such as
+ // "Event Threat Detection" or "Security Health Analytics".
+ string parent_display_name = 36 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Contains more detail about the finding.
+ string description = 37;
+
+ // Represents exfiltration associated with the Finding.
+ Exfiltration exfiltration = 38;
+
+ // Represents IAM bindings associated with the Finding.
+ repeated IamBinding iam_bindings = 39;
+
+ // Next steps associate to the finding.
+ string next_steps = 40;
+
+ // Containers associated with the finding. containers provides information
+ // for both Kubernetes and non-Kubernetes containers.
+ repeated Container containers = 42;
+
+ // Kubernetes resources associated with the finding.
+ Kubernetes kubernetes = 43;
+
+ // Database associated with the finding.
+ Database database = 44;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/folder.proto b/third_party/googleapis/google/cloud/securitycenter/v1/folder.proto
new file mode 100644
index 0000000..4078a52
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/folder.proto
@@ -0,0 +1,36 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "FolderProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Message that contains the resource name and display name of a folder
+// resource.
+message Folder {
+ // Full resource name of this folder. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ string resource_folder = 1;
+
+ // The user defined display name for this folder.
+ string resource_folder_display_name = 2;
+}
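Review bot: `Finding` leaves field numbers 11, 13, 16, 19, 23, 24, 27, 29, 32, 35 and 41 unused and the `Mute` enum skips 3, yet the file declares no `reserved` ranges; if those numbers were used by earlier revisions of the schema, a future field landing on one of them would decode old wire data into the wrong field, and nothing in the file stops that. Suggest adding `reserved 11, 13, 16, 19, 23, 24, 27, 29, 32, 35, 41;` at the top of the message body and `reserved 3;` inside `enum Mute`, or a comment saying the gaps are intentional and have never been used. The same unreserved gaps appear in the indicator.proto hunk (`Detection` starts at 2, `MemoryHashSignature` uses 1 and 4, the `oneof signature` uses 6 and 7); the fix there is the same.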
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/iam_binding.proto b/third_party/googleapis/google/cloud/securitycenter/v1/iam_binding.proto
new file mode 100644
index 0000000..c1e57a3
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/iam_binding.proto
@@ -0,0 +1,52 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "IamBindingProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Represents a particular IAM binding, which captures a member's role addition,
+// removal, or state.
+message IamBinding {
+ // The type of action performed on a Binding in a policy.
+ enum Action {
+ // Unspecified.
+ ACTION_UNSPECIFIED = 0;
+
+ // Addition of a Binding.
+ ADD = 1;
+
+ // Removal of a Binding.
+ REMOVE = 2;
+ }
+
+ // The action that was performed on a Binding.
+ Action action = 1;
+
+ // Role that is assigned to "members".
+ // For example, "roles/viewer", "roles/editor", or "roles/owner".
+ string role = 2;
+
+ // A single identity requesting access for a Cloud Platform resource,
+ // e.g. "foo@google.com".
+ string member = 3;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/indicator.proto b/third_party/googleapis/google/cloud/securitycenter/v1/indicator.proto
new file mode 100644
index 0000000..1cbfdfa
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/indicator.proto
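Review bot: The example on `member`, `"foo@google.com"`, is a bare email, whereas IAM policy bindings identify members with a typed prefix (`user:`, `serviceAccount:`, `group:`, and so on), so the comment leaves a consumer unsure whether to compare this field against the raw binding member string or strip the prefix first; the distinction matters because the same email can name both a user and a group. Suggest stating the format explicitly, for example `// The IAM member string as it appears in the policy binding, including its type prefix, e.g. "user:foo@google.com".` if that is what is populated, or documenting that the prefix is removed.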
@@ -0,0 +1,82 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "IndicatorProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Represents what's commonly known as an Indicator of compromise (IoC) in
+// computer forensics. This is an artifact observed on a network or in an
+// operating system that, with high confidence, indicates a computer intrusion.
+// Reference: https://en.wikipedia.org/wiki/Indicator_of_compromise
+message Indicator {
+ // Indicates what signature matched this process.
+ message ProcessSignature {
+ // A signature corresponding to memory page hashes.
+ message MemoryHashSignature {
+ // Memory hash detection contributing to the binary family match.
+ message Detection {
+ // The name of the binary associated with the memory hash
+ // signature detection.
+ string binary = 2;
+
+ // The percentage of memory page hashes in the signature
+ // that were matched.
+ double percent_pages_matched = 3;
+ }
+
+ // The binary family.
+ string binary_family = 1;
+
+ // The list of memory hash detections contributing to the binary family
+ // match.
+ repeated Detection detections = 4;
+ }
+
+ // A signature corresponding to a YARA rule.
+ message YaraRuleSignature {
+ // The name of the YARA rule.
+ string yara_rule = 5;
+ }
+
+ oneof signature {
+ // Signature indicating that a binary family was matched.
+ MemoryHashSignature memory_hash_signature = 6;
+
+ // Signature indicating that a YARA rule was matched.
+ YaraRuleSignature yara_rule_signature = 7;
+ }
+ }
+
+ // List of ip addresses associated to the Finding.
+ repeated string ip_addresses = 1;
+
+ // List of domains associated to the Finding.
+ repeated string domains = 2;
+
+ // The list of matched signatures indicating that the given
+ // process is present in the environment.
+ repeated ProcessSignature signatures = 3;
+
+ // The list of URIs associated to the Findings.
+ repeated string uris = 4;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/kubernetes.proto b/third_party/googleapis/google/cloud/securitycenter/v1/kubernetes.proto
new file mode 100644
index 0000000..bf3bc36
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/kubernetes.proto
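Review bot: The comments on `ip_addresses`, `domains` and `uris` say only that the values are "associated to the Finding", not what form they take: whether an address may be a CIDR or carry a port, whether IPv6 is canonicalised, whether domains are lowercased and stripped of a trailing dot, and whether `uris` overlaps with `domains`. A consumer matching these against a blocklist or forwarding them to a SIEM has to guess, and a guess that differs from the producer's normalisation silently misses matches. Suggest documenting the normalisation applied, or if none is, adding `// Reported as observed; values are not normalised.` to each of the three fields, and noting on `uris` how it relates to `domains`.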
@@ -0,0 +1,181 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/cloud/securitycenter/v1/container.proto";
+import "google/cloud/securitycenter/v1/label.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "KubernetesProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Kubernetes related attributes.
+message Kubernetes {
+ // Kubernetes Pod.
+ message Pod {
+ // Kubernetes Pod namespace.
+ string ns = 1;
+
+ // Kubernetes Pod name.
+ string name = 2;
+
+ // Pod labels. For Kubernetes containers, these are applied to the
+ // container.
+ repeated Label labels = 3;
+
+ // Pod containers associated with this finding, if any.
+ repeated Container containers = 4;
+ }
+
+ // Kubernetes Nodes associated with the finding.
+ message Node {
+ // Full Resource name of the Compute Engine VM running the
+ // cluster node.
+ string name = 1;
+ }
+
+ // Provides GKE Node Pool information.
+ message NodePool {
+ // Kubernetes Node pool name.
+ string name = 1;
+
+ // Nodes associated with the finding.
+ repeated Node nodes = 2;
+ }
+
+ // Kubernetes Role or ClusterRole.
+ message Role {
+ // Types of Kubernetes roles.
+ enum Kind {
+ // Role type is not specified.
+ KIND_UNSPECIFIED = 0;
+
+ // Kubernetes Role.
+ ROLE = 1;
+
+ // Kubernetes ClusterRole.
+ CLUSTER_ROLE = 2;
+ }
+
+ // Role type.
+ Kind kind = 1;
+
+ // Role namespace.
+ string ns = 2;
+
+ // Role name.
+ string name = 3;
+ }
+
+ // Represents a Kubernetes RoleBinding or ClusterRoleBinding.
+ message Binding {
+ // Namespace for binding.
+ string ns = 1;
+
+ // Name for binding.
+ string name = 2;
+
+ // The Role or ClusterRole referenced by the binding.
+ Role role = 3;
+
+ // Represents the subjects(s) bound to the role. Not always available
+ // for PATCH requests.
+ repeated Subject subjects = 4;
+ }
+
+ // Represents a Kubernetes Subject.
+ message Subject {
+ // Auth types that can be used for Subject's kind field.
+ enum AuthType {
+ // Authentication is not specified.
+ AUTH_TYPE_UNSPECIFIED = 0;
+
+ // User with valid certificate.
+ USER = 1;
+
+ // Users managed by Kubernetes API with credentials stored as Secrets.
+ SERVICEACCOUNT = 2;
+
+ // Collection of users.
+ GROUP = 3;
+ }
+
+ // Authentication type for subject.
+ AuthType kind = 1;
+
+ // Namespace for subject.
+ string ns = 2;
+
+ // Name for subject.
+ string name = 3;
+ }
+
+ // Conveys information about a Kubernetes access review (e.g. kubectl auth
+ // can-i ...) that was involved in a finding.
+ message AccessReview {
+ // Group is the API Group of the Resource. "*" means all.
+ string group = 1;
+
+ // Namespace of the action being requested. Currently, there is no
+ // distinction between no namespace and all namespaces. Both
+ // are represented by "" (empty).
+ string ns = 2;
+
+ // Name is the name of the resource being requested. Empty means all.
+ string name = 3;
+
+ // Resource is the optional resource type requested. "*" means all.
+ string resource = 4;
+
+ // Subresource is the optional subresource type.
+ string subresource = 5;
+
+ // Verb is a Kubernetes resource API verb, like: get, list, watch, create,
+ // update, delete, proxy. "*" means all.
+ string verb = 6;
+
+ // Version is the API Version of the Resource. "*" means all.
+ string version = 7;
+ }
+
+ // Kubernetes Pods associated with the finding. This field will contain Pod
+ // records for each container that is owned by a Pod.
+ repeated Pod pods = 1;
+
+ // Provides Kubernetes Node information.
+ repeated Node nodes = 2;
+
+ // GKE Node Pools associated with the finding. This field will
+ // contain NodePool information for each Node, when it is available.
+ repeated NodePool node_pools = 3;
+
+ // Provides Kubernetes role information for findings that involve
+ // Roles or ClusterRoles.
+ repeated Role roles = 4;
+
+ // Provides Kubernetes role binding information for findings that involve
+ // RoleBindings or ClusterRoleBindings.
+ repeated Binding bindings = 5;
+
+ // Provides information on any Kubernetes access reviews (i.e. privilege
+ // checks) relevant to the finding.
+ repeated AccessReview access_reviews = 6;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/label.proto b/third_party/googleapis/google/cloud/securitycenter/v1/label.proto
new file mode 100644
index 0000000..30321d9
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/label.proto
@@ -0,0 +1,35 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "LabelProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Label represents a generic name=value label. Label has separate name and
+// value fields to support filtering with contains().
+message Label {
+ // Label name.
+ string name = 1;
+
+ // Label value.
+ string value = 2;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/mitre_attack.proto b/third_party/googleapis/google/cloud/securitycenter/v1/mitre_attack.proto
new file mode 100644
index 0000000..ba65482
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/mitre_attack.proto
@@ -0,0 +1,208 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "MitreAttackProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// MITRE ATT&CK tactics and techniques related to this finding.
+// See: https://attack.mitre.org
+message MitreAttack {
+ // MITRE ATT&CK tactics that can be referenced by SCC findings.
+ // See: https://attack.mitre.org/tactics/enterprise/
+ enum Tactic {
+ // Unspecified value.
+ TACTIC_UNSPECIFIED = 0;
+
+ // TA0043
+ RECONNAISSANCE = 1;
+
+ // TA0042
+ RESOURCE_DEVELOPMENT = 2;
+
+ // TA0001
+ INITIAL_ACCESS = 5;
+
+ // TA0002
+ EXECUTION = 3;
+
+ // TA0003
+ PERSISTENCE = 6;
+
+ // TA0004
+ PRIVILEGE_ESCALATION = 8;
+
+ // TA0005
+ DEFENSE_EVASION = 7;
+
+ // TA0006
+ CREDENTIAL_ACCESS = 9;
+
+ // TA0007
+ DISCOVERY = 10;
+
+ // TA0008
+ LATERAL_MOVEMENT = 11;
+
+ // TA0009
+ COLLECTION = 12;
+
+ // TA0011
+ COMMAND_AND_CONTROL = 4;
+
+ // TA0010
+ EXFILTRATION = 13;
+
+ // TA0040
+ IMPACT = 14;
+ }
+
+ // MITRE ATT&CK techniques that can be referenced by SCC findings.
+ // See: https://attack.mitre.org/techniques/enterprise/
+ enum Technique {
+ // Unspecified value.
+ TECHNIQUE_UNSPECIFIED = 0;
+
+ // T1595
+ ACTIVE_SCANNING = 1;
+
+ // T1595.001
+ SCANNING_IP_BLOCKS = 2;
+
+ // T1105
+ INGRESS_TOOL_TRANSFER = 3;
+
+ // T1106
+ NATIVE_API = 4;
+
+ // T1129
+ SHARED_MODULES = 5;
+
+ // T1059
+ COMMAND_AND_SCRIPTING_INTERPRETER = 6;
+
+ // T1059.004
+ UNIX_SHELL = 7;
+
+ // T1496
+ RESOURCE_HIJACKING = 8;
+
+ // T1090
+ PROXY = 9;
+
+ // T1090.002
+ EXTERNAL_PROXY = 10;
+
+ // T1090.003
+ MULTI_HOP_PROXY = 11;
+
+ // T1568
+ DYNAMIC_RESOLUTION = 12;
+
+ // T1552
+ UNSECURED_CREDENTIALS = 13;
+
+ // T1078
+ VALID_ACCOUNTS = 14;
+
+ // T1078.003
+ LOCAL_ACCOUNTS = 15;
+
+ // T1078.004
+ CLOUD_ACCOUNTS = 16;
+
+ // T1498
+ NETWORK_DENIAL_OF_SERVICE = 17;
+
+ // T1069
+ PERMISSION_GROUPS_DISCOVERY = 18;
+
+ // T1069.003
+ CLOUD_GROUPS = 19;
+
+ // T1567
+ EXFILTRATION_OVER_WEB_SERVICE = 20;
+
+ // T1567.002
+ EXFILTRATION_TO_CLOUD_STORAGE = 21;
+
+ // T1098
+ ACCOUNT_MANIPULATION = 22;
+
+ // T1098.004
+ SSH_AUTHORIZED_KEYS = 23;
+
+ // T1543
+ CREATE_OR_MODIFY_SYSTEM_PROCESS = 24;
+
+ // T1539
+ STEAL_WEB_SESSION_COOKIE = 25;
+
+ // T1578
+ MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE = 26;
+
+ // T1190
+ EXPLOIT_PUBLIC_FACING_APPLICATION = 27;
+
+ // T1556
+ MODIFY_AUTHENTICATION_PROCESS = 28;
+
+ // T1485
+ DATA_DESTRUCTION = 29;
+
+ // T1484
+ DOMAIN_POLICY_MODIFICATION = 30;
+
+ // T1562
+ IMPAIR_DEFENSES = 31;
+
+ // T1046
+ NETWORK_SERVICE_DISCOVERY = 32;
+
+ // T1134
+ ACCESS_TOKEN_MANIPULATION = 33;
+
+ // T1548
+ ABUSE_ELEVATION_CONTROL_MECHANISM = 34;
+ }
+
+ // The MITRE ATT&CK tactic most closely represented by this finding, if any.
+ Tactic primary_tactic = 1;
+
+ // The MITRE ATT&CK technique most closely represented by this finding, if
+ // any. primary_techniques is a repeated field because there are multiple
+ // levels of MITRE ATT&CK techniques. If the technique most closely
+ // represented by this finding is a sub-technique (e.g. `SCANNING_IP_BLOCKS`),
+ // both the sub-technique and its parent technique(s) will be listed (e.g.
+ // `SCANNING_IP_BLOCKS`, `ACTIVE_SCANNING`).
+ repeated Technique primary_techniques = 2;
+
+ // Additional MITRE ATT&CK tactics related to this finding, if any.
+ repeated Tactic additional_tactics = 3;
+
+ // Additional MITRE ATT&CK techniques related to this finding, if any, along
+ // with any of their respective parent techniques.
+ repeated Technique additional_techniques = 4;
+
+ // The MITRE ATT&CK version referenced by the above fields. E.g. "8".
+ string version = 5;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/mute_config.proto b/third_party/googleapis/google/cloud/securitycenter/v1/mute_config.proto
new file mode 100644
index 0000000..7442695
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/mute_config.proto
@@ -0,0 +1,89 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/protobuf/timestamp.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "MuteConfigProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// A mute config is a Cloud SCC resource that contains the configuration
+// to mute create/update events of findings.
+message MuteConfig {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/MuteConfig"
+ pattern: "organizations/{organization}/muteConfigs/{mute_config}"
+ pattern: "folders/{folder}/muteConfigs/{mute_config}"
+ pattern: "projects/{project}/muteConfigs/{mute_config}"
+ };
+
+ // This field will be ignored if provided on config creation. Format
+ // "organizations/{organization}/muteConfigs/{mute_config}"
+ // "folders/{folder}/muteConfigs/{mute_config}"
+ // "projects/{project}/muteConfigs/{mute_config}"
+ string name = 1;
+
+ // The human readable name to be displayed for the mute config.
+ string display_name = 2 [deprecated = true];
+
+ // A description of the mute config.
+ string description = 3;
+
+ // Required. An expression that defines the filter to apply across create/update events
+ // of findings. While creating a filter string, be mindful of the
+ // scope in which the mute configuration is being created. E.g., If a filter
+ // contains project = X but is created under the project = Y scope, it might
+ // not match any findings.
+ //
+ // The following field and operator combinations are supported:
+ //
+ // * severity: `=`, `:`
+ // * category: `=`, `:`
+ // * resource.name: `=`, `:`
+ // * resource.project_name: `=`, `:`
+ // * resource.project_display_name: `=`, `:`
+ // * resource.folders.resource_folder: `=`, `:`
+ // * resource.parent_name: `=`, `:`
+ // * resource.parent_display_name: `=`, `:`
+ // * resource.type: `=`, `:`
+ // * finding_class: `=`, `:`
+ // * indicator.ip_addresses: `=`, `:`
+ // * indicator.domains: `=`, `:`
+ string filter = 4 [(google.api.field_behavior) = REQUIRED];
+
+ // Output only. The time at which the mute config was created.
+ // This field is set by the server and will be ignored if provided on config
+ // creation.
+ google.protobuf.Timestamp create_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Output only. The most recent time at which the mute config was updated.
+ // This field is set by the server and will be ignored if provided on config
+ // creation or update.
+ google.protobuf.Timestamp update_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Output only. Email address of the user who last edited the mute config.
+ // This field is set by the server and will be ignored if provided on config
+ // creation or update.
+ string most_recent_editor = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/notification_config.proto b/third_party/googleapis/google/cloud/securitycenter/v1/notification_config.proto
new file mode 100644
index 0000000..7ab9466
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/notification_config.proto
@@ -0,0 +1,95 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "NotificationConfigProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+option (google.api.resource_definition) = {
+ type: "pubsub.googleapis.com/Topic"
+ pattern: "projects/{project}/topics/{topic}"
+};
+
+// Cloud Security Command Center (Cloud SCC) notification configs.
+//
+// A notification config is a Cloud SCC resource that contains the configuration
+// to send notifications for create/update events of findings, assets and etc.
+message NotificationConfig {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/NotificationConfig"
+ pattern: "organizations/{organization}/notificationConfigs/{notification_config}"
+ };
+
+ // The config for streaming-based notifications, which send each event as soon
+ // as it is detected.
+ message StreamingConfig {
+ // Expression that defines the filter to apply across create/update events
+ // of assets or findings as specified by the event type. The expression is a
+ // list of zero or more restrictions combined via logical operators `AND`
+ // and `OR`. Parentheses are supported, and `OR` has higher precedence than
+ // `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a
+ // `-` character in front of them to indicate negation. The fields map to
+ // those defined in the corresponding resource.
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ string filter = 1;
+ }
+
+ // The relative resource name of this notification config. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/notificationConfigs/notify_public_bucket".
+ string name = 1;
+
+ // The description of the notification config (max of 1024 characters).
+ string description = 2;
+
+ // The Pub/Sub topic to send notifications to. Its format is
+ // "projects/[project_id]/topics/[topic]".
+ string pubsub_topic = 3 [(google.api.resource_reference) = {
+ type: "pubsub.googleapis.com/Topic"
+ }];
+
+ // Output only. The service account that needs "pubsub.topics.publish"
+ // permission to publish to the Pub/Sub topic.
+ string service_account = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // The config for triggering notifications.
+ oneof notify_config {
+ // The config for triggering streaming-based notifications.
+ StreamingConfig streaming_config = 5;
+ }
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/notification_message.proto b/third_party/googleapis/google/cloud/securitycenter/v1/notification_message.proto
new file mode 100644
index 0000000..3605dfb
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/notification_message.proto
@@ -0,0 +1,44 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/cloud/securitycenter/v1/finding.proto";
+import "google/cloud/securitycenter/v1/resource.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "NotificationMessageProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Cloud SCC's Notification
+message NotificationMessage {
+ // Name of the notification config that generated current notification.
+ string notification_config_name = 1;
+
+ // Notification Event.
+ oneof event {
+ // If it's a Finding based notification config, this field will be
+ // populated.
+ Finding finding = 2;
+ }
+
+ // The Cloud resource tied to this notification's Finding.
+ Resource resource = 3;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/organization_settings.proto b/third_party/googleapis/google/cloud/securitycenter/v1/organization_settings.proto
new file mode 100644
index 0000000..e8bc968
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/organization_settings.proto
@@ -0,0 +1,85 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/resource.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// User specified settings that are attached to the Security Command
+// Center organization.
+message OrganizationSettings {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/OrganizationSettings"
+ pattern: "organizations/{organization}/organizationSettings"
+ };
+
+ // The configuration used for Asset Discovery runs.
+ message AssetDiscoveryConfig {
+ // The mode of inclusion when running Asset Discovery.
+ // Asset discovery can be limited by explicitly identifying projects to be
+ // included or excluded. If INCLUDE_ONLY is set, then only those projects
+ // within the organization and their children are discovered during asset
+ // discovery. If EXCLUDE is set, then projects that don't match those
+ // projects are discovered during asset discovery. If neither are set, then
+ // all projects within the organization are discovered during asset
+ // discovery.
+ enum InclusionMode {
+ // Unspecified. Setting the mode with this value will disable
+ // inclusion/exclusion filtering for Asset Discovery.
+ INCLUSION_MODE_UNSPECIFIED = 0;
+
+ // Asset Discovery will capture only the resources within the projects
+ // specified. All other resources will be ignored.
+ INCLUDE_ONLY = 1;
+
+ // Asset Discovery will ignore all resources under the projects specified.
+ // All other resources will be retrieved.
+ EXCLUDE = 2;
+ }
+
+ // The project ids to use for filtering asset discovery.
+ repeated string project_ids = 1;
+
+ // The mode to use for filtering asset discovery.
+ InclusionMode inclusion_mode = 2;
+
+ // The folder ids to use for filtering asset discovery.
+ // It consists of only digits, e.g., 756619654966.
+ repeated string folder_ids = 3;
+ }
+
+ // The relative resource name of the settings. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/organizationSettings".
+ string name = 1;
+
+ // A flag that indicates if Asset Discovery should be enabled. If the flag is
+ // set to `true`, then discovery of assets will occur. If it is set to `false,
+ // all historical assets will remain, but discovery of future assets will not
+ // occur.
+ bool enable_asset_discovery = 2;
+
+ // The configuration used for Asset Discovery runs.
+ AssetDiscoveryConfig asset_discovery_config = 3;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/process.proto b/third_party/googleapis/google/cloud/securitycenter/v1/process.proto
new file mode 100644
index 0000000..480714b
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/process.proto
@@ -0,0 +1,74 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/cloud/securitycenter/v1/file.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ProcessProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Represents an operating system process.
+message Process {
+ // The process name visible in utilities like `top` and `ps`; it can
+ // be accessed via `/proc/[pid]/comm` and changed with `prctl(PR_SET_NAME)`.
+ string name = 12;
+
+ // File information for the process executable.
+ File binary = 3;
+
+ // File information for libraries loaded by the process.
+ repeated File libraries = 4;
+
+ // When the process represents the invocation of a script,
+ // `binary` provides information about the interpreter while `script`
+ // provides information about the script file provided to the
+ // interpreter.
+ File script = 5;
+
+ // Process arguments as JSON encoded strings.
+ repeated string args = 6;
+
+ // True if `args` is incomplete.
+ bool arguments_truncated = 7;
+
+ // Process environment variables.
+ repeated EnvironmentVariable env_variables = 8;
+
+ // True if `env_variables` is incomplete.
+ bool env_variables_truncated = 9;
+
+ // The process id.
+ int64 pid = 10;
+
+ // The parent process id.
+ int64 parent_pid = 11;
+}
+
+// EnvironmentVariable is a name-value pair to store environment variables for
+// Process.
+message EnvironmentVariable {
+ // Environment variable name as a JSON encoded string.
+ string name = 1;
+
+ // Environment variable value as a JSON encoded string.
+ string val = 2;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/resource.proto b/third_party/googleapis/google/cloud/securitycenter/v1/resource.proto
new file mode 100644
index 0000000..ab241d8
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/resource.proto
@@ -0,0 +1,58 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/field_behavior.proto";
+import "google/cloud/securitycenter/v1/folder.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ResourceProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Information related to the Google Cloud resource.
+message Resource {
+ // The full resource name of the resource. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ string name = 1;
+
+ // The human readable name of the resource.
+ string display_name = 8;
+
+ // The full resource type of the resource.
+ string type = 6;
+
+ // The full resource name of project that the resource belongs to.
+ string project = 2;
+
+ // The project ID that the resource belongs to.
+ string project_display_name = 3;
+
+ // The full resource name of resource's parent.
+ string parent = 4;
+
+ // The human readable name of resource's parent.
+ string parent_display_name = 5;
+
+ // Output only. Contains a Folder message for each folder in the assets ancestry.
+ // The first folder is the deepest nested folder, and the last folder is the
+ // folder directly under the Organization.
+ repeated Folder folders = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/run_asset_discovery_response.proto b/third_party/googleapis/google/cloud/securitycenter/v1/run_asset_discovery_response.proto
new file mode 100644
index 0000000..70088c0
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/run_asset_discovery_response.proto
@@ -0,0 +1,51 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/protobuf/duration.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Response of asset discovery run
+message RunAssetDiscoveryResponse {
+ // The state of an asset discovery run.
+ enum State {
+ // Asset discovery run state was unspecified.
+ STATE_UNSPECIFIED = 0;
+
+ // Asset discovery run completed successfully.
+ COMPLETED = 1;
+
+ // Asset discovery run was cancelled with tasks still pending, as another
+ // run for the same organization was started with a higher priority.
+ SUPERSEDED = 2;
+
+ // Asset discovery run was killed and terminated.
+ TERMINATED = 3;
+ }
+
+ // The state of an asset discovery run.
+ State state = 1;
+
+ // The duration between asset discovery run start and end
+ google.protobuf.Duration duration = 2;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/security_marks.proto b/third_party/googleapis/google/cloud/securitycenter/v1/security_marks.proto
new file mode 100644
index 0000000..15c9769
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/security_marks.proto
@@ -0,0 +1,69 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/resource.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// User specified security marks that are attached to the parent Security
+// Command Center resource. Security marks are scoped within a Security Command
+// Center organization -- they can be modified and viewed by all users who have
+// proper permissions on the organization.
+message SecurityMarks {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/SecurityMarks"
+ pattern: "organizations/{organization}/assets/{asset}/securityMarks"
+ pattern: "organizations/{organization}/sources/{source}/findings/{finding}/securityMarks"
+ pattern: "folders/{folder}/assets/{asset}/securityMarks"
+ pattern: "projects/{project}/assets/{asset}/securityMarks"
+ pattern: "folders/{folder}/sources/{source}/findings/{finding}/securityMarks"
+ pattern: "projects/{project}/sources/{source}/findings/{finding}/securityMarks"
+ };
+
+ // The relative resource name of the SecurityMarks. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Examples:
+ // "organizations/{organization_id}/assets/{asset_id}/securityMarks"
+ // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks".
+ string name = 1;
+
+ // Mutable user specified security marks belonging to the parent resource.
+ // Constraints are as follows:
+ //
+ // * Keys and values are treated as case insensitive
+ // * Keys must be between 1 - 256 characters (inclusive)
+ // * Keys must be letters, numbers, underscores, or dashes
+ // * Values have leading and trailing whitespace trimmed, remaining
+ // characters must be between 1 - 4096 characters (inclusive)
+ map<string, string> marks = 2;
+
+ // The canonical name of the marks.
+ // Examples:
+ // "organizations/{organization_id}/assets/{asset_id}/securityMarks"
+ // "folders/{folder_id}/assets/{asset_id}/securityMarks"
+ // "projects/{project_number}/assets/{asset_id}/securityMarks"
+ // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks"
+ // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks"
+ // "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks"
+ string canonical_name = 3;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/securitycenter_grpc_service_config.json b/third_party/googleapis/google/cloud/securitycenter/v1/securitycenter_grpc_service_config.json
new file mode 100755
index 0000000..10775c3
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/securitycenter_grpc_service_config.json
@@ -0,0 +1,136 @@
+{
+ "methodConfig": [
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "CreateSource"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "CreateFinding"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "CreateNotificationConfig"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "DeleteNotificationConfig"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "RunAssetDiscovery"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "SetFindingState"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "SetIamPolicy"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "UpdateFinding"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "UpdateNotificationConfig"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "UpdateOrganizationSettings"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "UpdateSource"
+ }
+ ],
+ "timeout": "60s"
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "GetIamPolicy"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "GetNotificationConfig"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "GetOrganizationSettings"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "GetSource"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "ListNotificationConfigs"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "ListSources"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "TestIamPermissions"
+ }
+ ],
+ "timeout": "60s",
+ "retryPolicy": {
+ "maxAttempts": 5,
+ "initialBackoff": "0.100s",
+ "maxBackoff": "60s",
+ "backoffMultiplier": 1.3,
+ "retryableStatusCodes": [
+ "DEADLINE_EXCEEDED",
+ "UNAVAILABLE"
+ ]
+ }
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "UpdateSecurityMarks"
+ }
+ ],
+ "timeout": "480s"
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "GroupAssets"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "GroupFindings"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "ListAssets"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1.SecurityCenter",
+ "method": "ListFindings"
+ }
+ ],
+ "timeout": "480s",
+ "retryPolicy": {
+ "maxAttempts": 5,
+ "initialBackoff": "0.100s",
+ "maxBackoff": "60s",
+ "backoffMultiplier": 1.3,
+ "retryableStatusCodes": [
+ "DEADLINE_EXCEEDED",
+ "UNAVAILABLE"
+ ]
+ }
+ }
+ ]
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/securitycenter_service.proto b/third_party/googleapis/google/cloud/securitycenter/v1/securitycenter_service.proto
new file mode 100644
index 0000000..cc4d3fb
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/securitycenter_service.proto
@@ -0,0 +1,1865 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.v1; + +import public "google/cloud/securitycenter/v1/run_asset_discovery_response.proto"; + +import "google/api/annotations.proto"; +import "google/api/client.proto"; +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; +import "google/cloud/securitycenter/v1/asset.proto"; +import "google/cloud/securitycenter/v1/bigquery_export.proto"; +import "google/cloud/securitycenter/v1/external_system.proto"; +import "google/cloud/securitycenter/v1/finding.proto"; +import "google/cloud/securitycenter/v1/folder.proto"; +import "google/cloud/securitycenter/v1/mute_config.proto"; +import "google/cloud/securitycenter/v1/notification_config.proto"; +import "google/cloud/securitycenter/v1/organization_settings.proto"; +import "google/cloud/securitycenter/v1/security_marks.proto"; +import "google/cloud/securitycenter/v1/source.proto"; +import "google/iam/v1/iam_policy.proto"; +import "google/iam/v1/policy.proto"; +import "google/longrunning/operations.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/empty.proto"; +import "google/protobuf/field_mask.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; + +option csharp_namespace = "Google.Cloud.SecurityCenter.V1"; +option go_package = 
"google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter"; +option java_multiple_files = true; +option java_package = "com.google.cloud.securitycenter.v1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\V1"; +option ruby_package = "Google::Cloud::SecurityCenter::V1"; + +// V1 APIs for Security Center service. +service SecurityCenter { + option (google.api.default_host) = "securitycenter.googleapis.com"; + option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; + + // Kicks off an LRO to bulk mute findings for a parent based on a filter. The + // parent can be either an organization, folder or project. The findings + // matched by the filter will be muted after the LRO is done. + rpc BulkMuteFindings(BulkMuteFindingsRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*}/findings:bulkMute" + body: "*" + additional_bindings { + post: "/v1/{parent=folders/*}/findings:bulkMute" + body: "*" + } + additional_bindings { + post: "/v1/{parent=projects/*}/findings:bulkMute" + body: "*" + } + }; + option (google.api.method_signature) = "parent"; + option (google.longrunning.operation_info) = { + response_type: "google.cloud.securitycenter.v1.BulkMuteFindingsResponse" + metadata_type: "google.protobuf.Empty" + }; + } + + // Creates a source. + rpc CreateSource(CreateSourceRequest) returns (Source) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*}/sources" + body: "source" + }; + option (google.api.method_signature) = "parent,source"; + } + + // Creates a finding. The corresponding source must exist for finding creation + // to succeed. + rpc CreateFinding(CreateFindingRequest) returns (Finding) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*/sources/*}/findings" + body: "finding" + }; + option (google.api.method_signature) = "parent,finding_id,finding"; + } + + // Creates a mute config. 
+ rpc CreateMuteConfig(CreateMuteConfigRequest) returns (MuteConfig) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*}/muteConfigs" + body: "mute_config" + additional_bindings { + post: "/v1/{parent=folders/*}/muteConfigs" + body: "mute_config" + } + additional_bindings { + post: "/v1/{parent=projects/*}/muteConfigs" + body: "mute_config" + } + }; + option (google.api.method_signature) = "parent,mute_config"; + option (google.api.method_signature) = "parent,mute_config,mute_config_id"; + } + + // Creates a notification config. + rpc CreateNotificationConfig(CreateNotificationConfigRequest) returns (NotificationConfig) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*}/notificationConfigs" + body: "notification_config" + }; + option (google.api.method_signature) = "parent,config_id,notification_config"; + option (google.api.method_signature) = "parent,notification_config"; + } + + // Deletes an existing mute config. + rpc DeleteMuteConfig(DeleteMuteConfigRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { + delete: "/v1/{name=organizations/*/muteConfigs/*}" + additional_bindings { + delete: "/v1/{name=folders/*/muteConfigs/*}" + } + additional_bindings { + delete: "/v1/{name=projects/*/muteConfigs/*}" + } + }; + option (google.api.method_signature) = "name"; + } + + // Deletes a notification config. + rpc DeleteNotificationConfig(DeleteNotificationConfigRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { + delete: "/v1/{name=organizations/*/notificationConfigs/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Gets a big query export. 
+ rpc GetBigQueryExport(GetBigQueryExportRequest) returns (BigQueryExport) { + option (google.api.http) = { + get: "/v1/{name=organizations/*/bigQueryExports/*}" + additional_bindings { + get: "/v1/{name=folders/*/bigQueryExports/*}" + } + additional_bindings { + get: "/v1/{name=projects/*/bigQueryExports/*}" + } + }; + option (google.api.method_signature) = "name"; + } + + // Gets the access control policy on the specified Source. + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1/{resource=organizations/*/sources/*}:getIamPolicy" + body: "*" + }; + option (google.api.method_signature) = "resource"; + } + + // Gets a mute config. + rpc GetMuteConfig(GetMuteConfigRequest) returns (MuteConfig) { + option (google.api.http) = { + get: "/v1/{name=organizations/*/muteConfigs/*}" + additional_bindings { + get: "/v1/{name=folders/*/muteConfigs/*}" + } + additional_bindings { + get: "/v1/{name=projects/*/muteConfigs/*}" + } + }; + option (google.api.method_signature) = "name"; + } + + // Gets a notification config. + rpc GetNotificationConfig(GetNotificationConfigRequest) returns (NotificationConfig) { + option (google.api.http) = { + get: "/v1/{name=organizations/*/notificationConfigs/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Gets the settings for an organization. + rpc GetOrganizationSettings(GetOrganizationSettingsRequest) returns (OrganizationSettings) { + option (google.api.http) = { + get: "/v1/{name=organizations/*/organizationSettings}" + }; + option (google.api.method_signature) = "name"; + } + + // Gets a source. + rpc GetSource(GetSourceRequest) returns (Source) { + option (google.api.http) = { + get: "/v1/{name=organizations/*/sources/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Filters an organization's assets and groups them by their specified + // properties. 
+ rpc GroupAssets(GroupAssetsRequest) returns (GroupAssetsResponse) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*}/assets:group" + body: "*" + additional_bindings { + post: "/v1/{parent=folders/*}/assets:group" + body: "*" + } + additional_bindings { + post: "/v1/{parent=projects/*}/assets:group" + body: "*" + } + }; + } + + // Filters an organization or source's findings and groups them by their + // specified properties. + // + // To group across all sources provide a `-` as the source id. + // Example: /v1/organizations/{organization_id}/sources/-/findings, + // /v1/folders/{folder_id}/sources/-/findings, + // /v1/projects/{project_id}/sources/-/findings + rpc GroupFindings(GroupFindingsRequest) returns (GroupFindingsResponse) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*/sources/*}/findings:group" + body: "*" + additional_bindings { + post: "/v1/{parent=folders/*/sources/*}/findings:group" + body: "*" + } + additional_bindings { + post: "/v1/{parent=projects/*/sources/*}/findings:group" + body: "*" + } + }; + option (google.api.method_signature) = "parent,group_by"; + } + + // Lists an organization's assets. + rpc ListAssets(ListAssetsRequest) returns (ListAssetsResponse) { + option (google.api.http) = { + get: "/v1/{parent=organizations/*}/assets" + additional_bindings { + get: "/v1/{parent=folders/*}/assets" + } + additional_bindings { + get: "/v1/{parent=projects/*}/assets" + } + }; + } + + // Lists an organization or source's findings. + // + // To list across all sources provide a `-` as the source id. 
+ // Example: /v1/organizations/{organization_id}/sources/-/findings + rpc ListFindings(ListFindingsRequest) returns (ListFindingsResponse) { + option (google.api.http) = { + get: "/v1/{parent=organizations/*/sources/*}/findings" + additional_bindings { + get: "/v1/{parent=folders/*/sources/*}/findings" + } + additional_bindings { + get: "/v1/{parent=projects/*/sources/*}/findings" + } + }; + } + + // Lists mute configs. + rpc ListMuteConfigs(ListMuteConfigsRequest) returns (ListMuteConfigsResponse) { + option (google.api.http) = { + get: "/v1/{parent=organizations/*}/muteConfigs" + additional_bindings { + get: "/v1/{parent=folders/*}/muteConfigs" + } + additional_bindings { + get: "/v1/{parent=projects/*}/muteConfigs" + } + }; + option (google.api.method_signature) = "parent"; + } + + // Lists notification configs. + rpc ListNotificationConfigs(ListNotificationConfigsRequest) returns (ListNotificationConfigsResponse) { + option (google.api.http) = { + get: "/v1/{parent=organizations/*}/notificationConfigs" + }; + option (google.api.method_signature) = "parent"; + } + + // Lists all sources belonging to an organization. + rpc ListSources(ListSourcesRequest) returns (ListSourcesResponse) { + option (google.api.http) = { + get: "/v1/{parent=organizations/*}/sources" + additional_bindings { + get: "/v1/{parent=folders/*}/sources" + } + additional_bindings { + get: "/v1/{parent=projects/*}/sources" + } + }; + option (google.api.method_signature) = "parent"; + } + + // Runs asset discovery. The discovery is tracked with a long-running + // operation. + // + // This API can only be called with limited frequency for an organization. If + // it is called too frequently the caller will receive a TOO_MANY_REQUESTS + // error. 
+ rpc RunAssetDiscovery(RunAssetDiscoveryRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*}/assets:runDiscovery" + body: "*" + }; + option (google.api.method_signature) = "parent"; + option (google.longrunning.operation_info) = { + response_type: "google.cloud.securitycenter.v1.RunAssetDiscoveryResponse" + metadata_type: "google.protobuf.Empty" + }; + } + + // Updates the state of a finding. + rpc SetFindingState(SetFindingStateRequest) returns (Finding) { + option (google.api.http) = { + post: "/v1/{name=organizations/*/sources/*/findings/*}:setState" + body: "*" + additional_bindings { + post: "/v1/{name=folders/*/sources/*/findings/*}:setState" + body: "*" + } + additional_bindings { + post: "/v1/{name=projects/*/sources/*/findings/*}:setState" + body: "*" + } + }; + option (google.api.method_signature) = "name,state,start_time"; + } + + // Updates the mute state of a finding. + rpc SetMute(SetMuteRequest) returns (Finding) { + option (google.api.http) = { + post: "/v1/{name=organizations/*/sources/*/findings/*}:setMute" + body: "*" + additional_bindings { + post: "/v1/{name=folders/*/sources/*/findings/*}:setMute" + body: "*" + } + additional_bindings { + post: "/v1/{name=projects/*/sources/*/findings/*}:setMute" + body: "*" + } + }; + option (google.api.method_signature) = "name,mute"; + } + + // Sets the access control policy on the specified Source. + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1/{resource=organizations/*/sources/*}:setIamPolicy" + body: "*" + }; + option (google.api.method_signature) = "resource,policy"; + } + + // Returns the permissions that a caller has on the specified source. 
+ rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { + option (google.api.http) = { + post: "/v1/{resource=organizations/*/sources/*}:testIamPermissions" + body: "*" + }; + option (google.api.method_signature) = "resource,permissions"; + } + + // Updates external system. This is for a given finding. + rpc UpdateExternalSystem(UpdateExternalSystemRequest) returns (ExternalSystem) { + option (google.api.http) = { + patch: "/v1/{external_system.name=organizations/*/sources/*/findings/*/externalSystems/*}" + body: "external_system" + additional_bindings { + patch: "/v1/{external_system.name=folders/*/sources/*/findings/*/externalSystems/*}" + body: "external_system" + } + additional_bindings { + patch: "/v1/{external_system.name=projects/*/sources/*/findings/*/externalSystems/*}" + body: "external_system" + } + }; + option (google.api.method_signature) = "external_system,update_mask"; + } + + // Creates or updates a finding. The corresponding source must exist for a + // finding creation to succeed. + rpc UpdateFinding(UpdateFindingRequest) returns (Finding) { + option (google.api.http) = { + patch: "/v1/{finding.name=organizations/*/sources/*/findings/*}" + body: "finding" + additional_bindings { + patch: "/v1/{finding.name=folders/*/sources/*/findings/*}" + body: "finding" + } + additional_bindings { + patch: "/v1/{finding.name=projects/*/sources/*/findings/*}" + body: "finding" + } + }; + option (google.api.method_signature) = "finding"; + } + + // Updates a mute config. 
+ rpc UpdateMuteConfig(UpdateMuteConfigRequest) returns (MuteConfig) { + option (google.api.http) = { + patch: "/v1/{mute_config.name=organizations/*/muteConfigs/*}" + body: "mute_config" + additional_bindings { + patch: "/v1/{mute_config.name=folders/*/muteConfigs/*}" + body: "mute_config" + } + additional_bindings { + patch: "/v1/{mute_config.name=projects/*/muteConfigs/*}" + body: "mute_config" + } + }; + option (google.api.method_signature) = "mute_config,update_mask"; + } + + // + // Updates a notification config. The following update + // fields are allowed: description, pubsub_topic, streaming_config.filter + rpc UpdateNotificationConfig(UpdateNotificationConfigRequest) returns (NotificationConfig) { + option (google.api.http) = { + patch: "/v1/{notification_config.name=organizations/*/notificationConfigs/*}" + body: "notification_config" + }; + option (google.api.method_signature) = "notification_config"; + option (google.api.method_signature) = "notification_config,update_mask"; + } + + // Updates an organization's settings. + rpc UpdateOrganizationSettings(UpdateOrganizationSettingsRequest) returns (OrganizationSettings) { + option (google.api.http) = { + patch: "/v1/{organization_settings.name=organizations/*/organizationSettings}" + body: "organization_settings" + }; + option (google.api.method_signature) = "organization_settings"; + } + + // Updates a source. + rpc UpdateSource(UpdateSourceRequest) returns (Source) { + option (google.api.http) = { + patch: "/v1/{source.name=organizations/*/sources/*}" + body: "source" + }; + option (google.api.method_signature) = "source"; + } + + // Updates security marks. 
+ rpc UpdateSecurityMarks(UpdateSecurityMarksRequest) returns (SecurityMarks) { + option (google.api.http) = { + patch: "/v1/{security_marks.name=organizations/*/assets/*/securityMarks}" + body: "security_marks" + additional_bindings { + patch: "/v1/{security_marks.name=folders/*/assets/*/securityMarks}" + body: "security_marks" + } + additional_bindings { + patch: "/v1/{security_marks.name=projects/*/assets/*/securityMarks}" + body: "security_marks" + } + additional_bindings { + patch: "/v1/{security_marks.name=organizations/*/sources/*/findings/*/securityMarks}" + body: "security_marks" + } + additional_bindings { + patch: "/v1/{security_marks.name=folders/*/sources/*/findings/*/securityMarks}" + body: "security_marks" + } + additional_bindings { + patch: "/v1/{security_marks.name=projects/*/sources/*/findings/*/securityMarks}" + body: "security_marks" + } + }; + option (google.api.method_signature) = "security_marks"; + } + + // Creates a big query export. + rpc CreateBigQueryExport(CreateBigQueryExportRequest) returns (BigQueryExport) { + option (google.api.http) = { + post: "/v1/{parent=organizations/*}/bigQueryExports" + body: "big_query_export" + additional_bindings { + post: "/v1/{parent=folders/*}/bigQueryExports" + body: "big_query_export" + } + additional_bindings { + post: "/v1/{parent=projects/*}/bigQueryExports" + body: "big_query_export" + } + }; + option (google.api.method_signature) = "parent,big_query_export,big_query_export_id"; + } + + // Deletes an existing big query export. + rpc DeleteBigQueryExport(DeleteBigQueryExportRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { + delete: "/v1/{name=organizations/*/bigQueryExports/*}" + additional_bindings { + delete: "/v1/{name=folders/*/bigQueryExports/*}" + } + additional_bindings { + delete: "/v1/{name=projects/*/bigQueryExports/*}" + } + }; + option (google.api.method_signature) = "name"; + } + + // Updates a BigQuery export. 
+ rpc UpdateBigQueryExport(UpdateBigQueryExportRequest) returns (BigQueryExport) { + option (google.api.http) = { + patch: "/v1/{big_query_export.name=organizations/*/bigQueryExports/*}" + body: "big_query_export" + additional_bindings { + patch: "/v1/{big_query_export.name=folders/*/bigQueryExports/*}" + body: "big_query_export" + } + additional_bindings { + patch: "/v1/{big_query_export.name=projects/*/bigQueryExports/*}" + body: "big_query_export" + } + }; + option (google.api.method_signature) = "big_query_export,update_mask"; + } + + // Lists BigQuery exports. Note that when requesting BigQuery exports at a + // given level all exports under that level are also returned e.g. if + // requesting BigQuery exports under a folder, then all BigQuery exports + // immediately under the folder plus the ones created under the projects + // within the folder are returned. + rpc ListBigQueryExports(ListBigQueryExportsRequest) returns (ListBigQueryExportsResponse) { + option (google.api.http) = { + get: "/v1/{parent=organizations/*}/bigQueryExports" + additional_bindings { + get: "/v1/{parent=folders/*}/bigQueryExports" + } + additional_bindings { + get: "/v1/{parent=projects/*}/bigQueryExports" + } + }; + option (google.api.method_signature) = "parent"; + } +} + +// Request message for bulk findings update. +// +// Note: +// 1. If multiple bulk update requests match the same resource, the order in +// which they get executed is not defined. +// 2. Once a bulk operation is started, there is no way to stop it. +message BulkMuteFindingsRequest { + // Required. The parent, at which bulk action needs to be applied. Its format is + // "organizations/[organization_id]", "folders/[folder_id]", + // "projects/[project_id]". + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "*" + } + ]; + + // Expression that identifies findings that should be updated. 
+ // The expression is a list of zero or more restrictions combined + // via logical operators `AND` and `OR`. Parentheses are supported, and `OR` + // has higher precedence than `AND`. + // + // Restrictions have the form `<field> <operator> <value>` and may have a + // `-` character in front of them to indicate negation. The fields map to + // those defined in the corresponding resource. + // + // The supported operators are: + // + // * `=` for all value types. + // * `>`, `<`, `>=`, `<=` for integer values. + // * `:`, meaning substring matching, for strings. + // + // The supported value types are: + // + // * string literals in quotes. + // * integer literals without quotes. + // * boolean literals `true` and `false` without quotes. + string filter = 2; + + // This can be a mute configuration name or any identifier for mute/unmute + // of findings based on the filter. + string mute_annotation = 3 [deprecated = true]; +} + +// The response to a BulkMute request. Contains the LRO information. +message BulkMuteFindingsResponse { + +} + +// Request message for creating a finding. +message CreateFindingRequest { + // Required. Resource name of the new finding's parent. Its format should be + // "organizations/[organization_id]/sources/[source_id]". + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "securitycenter.googleapis.com/Source" + } + ]; + + // Required. Unique identifier provided by the client within the parent scope. + // It must be alphanumeric and less than or equal to 32 characters and + // greater than 0 characters in length. + string finding_id = 2 [(google.api.field_behavior) = REQUIRED]; + + // Required. The Finding being created. The name and security_marks will be ignored as + // they are both output only fields on this resource. + Finding finding = 3 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for creating a mute config. 
+message CreateMuteConfigRequest { + // Required. Resource name of the new mute configs's parent. Its format is + // "organizations/[organization_id]", "folders/[folder_id]", or + // "projects/[project_id]". + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + child_type: "securitycenter.googleapis.com/MuteConfig" + } + ]; + + // Required. The mute config being created. + MuteConfig mute_config = 2 [(google.api.field_behavior) = REQUIRED]; + + // Required. Unique identifier provided by the client within the parent scope. + // It must consist of lower case letters, numbers, and hyphen, with the first + // character a letter, the last a letter or a number, and a 63 character + // maximum. + string mute_config_id = 3 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for creating a notification config. +message CreateNotificationConfigRequest { + // Required. Resource name of the new notification config's parent. Its format is + // "organizations/[organization_id]". + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Organization" + } + ]; + + // Required. + // Unique identifier provided by the client within the parent scope. + // It must be between 1 and 128 characters, and contains alphanumeric + // characters, underscores or hyphens only. + string config_id = 2 [(google.api.field_behavior) = REQUIRED]; + + // Required. The notification config being created. The name and the service account + // will be ignored as they are both output only fields on this resource. + NotificationConfig notification_config = 3 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for creating a source. +message CreateSourceRequest { + // Required. Resource name of the new source's parent. Its format should be + // "organizations/[organization_id]". 
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // Required. The Source being created, only the display_name and description will be
+ // used. All other fields will be ignored.
+ Source source = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for deleting a mute config.
+message DeleteMuteConfigRequest {
+ // Required. Name of the mute config to delete. Its format is
+ // organizations/{organization}/muteConfigs/{config_id},
+ // folders/{folder}/muteConfigs/{config_id}, or
+ // projects/{project}/muteConfigs/{config_id}
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/MuteConfig"
+ }
+ ];
+}
+
+// Request message for deleting a notification config.
+message DeleteNotificationConfigRequest {
+ // Required. Name of the notification config to delete. Its format is
+ // "organizations/[organization_id]/notificationConfigs/[config_id]".
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/NotificationConfig"
+ }
+ ];
+}
+
+// Request message for retrieving a big query export.
+message GetBigQueryExportRequest {
+ // Required. Name of the big query export to retrieve. Its format is
+ // organizations/{organization}/bigQueryExports/{export_id},
+ // folders/{folder}/bigQueryExports/{export_id}, or
+ // projects/{project}/bigQueryExports/{export_id}
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/BigQueryExport"
+ }
+ ];
+}
+
+// Request message for retrieving a mute config.
+message GetMuteConfigRequest {
+ // Required. Name of the mute config to retrieve. Its format is
+ // organizations/{organization}/muteConfigs/{config_id},
+ // folders/{folder}/muteConfigs/{config_id}, or
+ // projects/{project}/muteConfigs/{config_id}
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/MuteConfig"
+ }
+ ];
+}
+
+// Request message for getting a notification config.
+message GetNotificationConfigRequest {
+ // Required. Name of the notification config to get. Its format is
+ // "organizations/[organization_id]/notificationConfigs/[config_id]".
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/NotificationConfig"
+ }
+ ];
+}
+
+// Request message for getting organization settings.
+message GetOrganizationSettingsRequest {
+ // Required. Name of the organization to get organization settings for. Its format is
+ // "organizations/[organization_id]/organizationSettings".
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/OrganizationSettings"
+ }
+ ];
+}
+
+// Request message for getting a source.
+message GetSourceRequest {
+ // Required. Relative resource name of the source. Its format is
+ // "organizations/[organization_id]/source/[source_id]".
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Source"
+ }
+ ];
+}
+
+// Request message for grouping by assets.
+message GroupAssetsRequest {
+ // Required. Name of the organization to groupBy. Its format is
+ // "organizations/[organization_id], folders/[folder_id], or
+ // projects/[project_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "securitycenter.googleapis.com/Asset"
+ }
+ ];
+
+ // Expression that defines the filter to apply across assets.
+ // The expression is a list of zero or more restrictions combined via logical
+ // operators `AND` and `OR`.
+ // Parentheses are supported, and `OR` has higher precedence than `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a `-`
+ // character in front of them to indicate negation. The fields map to those
+ // defined in the Asset resource. Examples include:
+ //
+ // * name
+ // * security_center_properties.resource_name
+ // * resource_properties.a_property
+ // * security_marks.marks.marka
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ //
+ // The following field and operator combinations are supported:
+ //
+ // * name: `=`
+ // * update_time: `=`, `>`, `<`, `>=`, `<=`
+ //
+ // Usage: This should be milliseconds since epoch or an RFC3339 string.
+ // Examples:
+ // `update_time = "2019-06-10T16:07:18-07:00"`
+ // `update_time = 1560208038000`
+ //
+ // * create_time: `=`, `>`, `<`, `>=`, `<=`
+ //
+ // Usage: This should be milliseconds since epoch or an RFC3339 string.
+ // Examples:
+ // `create_time = "2019-06-10T16:07:18-07:00"`
+ // `create_time = 1560208038000`
+ //
+ // * iam_policy.policy_blob: `=`, `:`
+ // * resource_properties: `=`, `:`, `>`, `<`, `>=`, `<=`
+ // * security_marks.marks: `=`, `:`
+ // * security_center_properties.resource_name: `=`, `:`
+ // * security_center_properties.resource_display_name: `=`, `:`
+ // * security_center_properties.resource_type: `=`, `:`
+ // * security_center_properties.resource_parent: `=`, `:`
+ // * security_center_properties.resource_parent_display_name: `=`, `:`
+ // * security_center_properties.resource_project: `=`, `:`
+ // * security_center_properties.resource_project_display_name: `=`, `:`
+ // * security_center_properties.resource_owners: `=`, `:`
+ //
+ // For example, `resource_properties.size = 100` is a valid filter string.
+ //
+ // Use a partial match on the empty string to filter based on a property
+ // existing: `resource_properties.my_property : ""`
+ //
+ // Use a negated partial match on the empty string to filter based on a
+ // property not existing: `-resource_properties.my_property : ""`
+ string filter = 2;
+
+ // Required. Expression that defines what assets fields to use for grouping. The string
+ // value should follow SQL syntax: comma separated list of fields. For
+ // example:
+ // "security_center_properties.resource_project,security_center_properties.project".
+ //
+ // The following fields are supported when compare_duration is not set:
+ //
+ // * security_center_properties.resource_project
+ // * security_center_properties.resource_project_display_name
+ // * security_center_properties.resource_type
+ // * security_center_properties.resource_parent
+ // * security_center_properties.resource_parent_display_name
+ //
+ // The following fields are supported when compare_duration is set:
+ //
+ // * security_center_properties.resource_type
+ // * security_center_properties.resource_project_display_name
+ // * security_center_properties.resource_parent_display_name
+ string group_by = 3 [(google.api.field_behavior) = REQUIRED];
+
+ // When compare_duration is set, the GroupResult's "state_change" property is
+ // updated to indicate whether the asset was added, removed, or remained
+ // present during the compare_duration period of time that precedes the
+ // read_time. This is the time between (read_time - compare_duration) and
+ // read_time.
+ //
+ // The state change value is derived based on the presence of the asset at the
+ // two points in time. Intermediate state changes between the two times don't
+ // affect the result. For example, the results aren't affected if the asset is
+ // removed and re-created again.
+ //
+ // Possible "state_change" values when compare_duration is specified:
+ //
+ // * "ADDED": indicates that the asset was not present at the start of
+ // compare_duration, but present at reference_time.
+ // * "REMOVED": indicates that the asset was present at the start of
+ // compare_duration, but not present at reference_time.
+ // * "ACTIVE": indicates that the asset was present at both the
+ // start and the end of the time period defined by
+ // compare_duration and reference_time.
+ //
+ // If compare_duration is not specified, then the only possible state_change
+ // is "UNUSED", which will be the state_change set for all assets present at
+ // read_time.
+ //
+ // If this field is set then `state_change` must be a specified field in
+ // `group_by`.
+ google.protobuf.Duration compare_duration = 4;
+
+ // Time used as a reference point when filtering assets. The filter is limited
+ // to assets existing at the supplied time and their values are those at that
+ // specific time. Absence of this field will default to the API's version of
+ // NOW.
+ google.protobuf.Timestamp read_time = 5;
+
+ // The value returned by the last `GroupAssetsResponse`; indicates
+ // that this is a continuation of a prior `GroupAssets` call, and that the
+ // system should return the next page of data.
+ string page_token = 7;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 8;
+}
+
+// Response message for grouping by assets.
+message GroupAssetsResponse {
+ // Group results. There exists an element for each existing unique
+ // combination of property/values. The element contains a count for the number
+ // of times those specific property/values appear.
+ repeated GroupResult group_by_results = 1;
+
+ // Time used for executing the groupBy request.
+ google.protobuf.Timestamp read_time = 2;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 3;
+
+ // The total number of results matching the query.
+ int32 total_size = 4;
+}
+
+// Request message for grouping by findings.
+message GroupFindingsRequest {
+ // Required. Name of the source to groupBy. Its format is
+ // "organizations/[organization_id]/sources/[source_id]",
+ // folders/[folder_id]/sources/[source_id], or
+ // projects/[project_id]/sources/[source_id]. To groupBy across all sources
+ // provide a source_id of `-`. For example:
+ // organizations/{organization_id}/sources/-, folders/{folder_id}/sources/-,
+ // or projects/{project_id}/sources/-
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Source"
+ }
+ ];
+
+ // Expression that defines the filter to apply across findings.
+ // The expression is a list of one or more restrictions combined via logical
+ // operators `AND` and `OR`.
+ // Parentheses are supported, and `OR` has higher precedence than `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a `-`
+ // character in front of them to indicate negation. Examples include:
+ //
+ // * name
+ // * source_properties.a_property
+ // * security_marks.marks.marka
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ //
+ // The following field and operator combinations are supported:
+ //
+ // * name: `=`
+ // * parent: `=`, `:`
+ // * resource_name: `=`, `:`
+ // * state: `=`, `:`
+ // * category: `=`, `:`
+ // * external_uri: `=`, `:`
+ // * event_time: `=`, `>`, `<`, `>=`, `<=`
+ //
+ // Usage: This should be milliseconds since epoch or an RFC3339 string.
+ // Examples:
+ // `event_time = "2019-06-10T16:07:18-07:00"`
+ // `event_time = 1560208038000`
+ //
+ // * severity: `=`, `:`
+ // * workflow_state: `=`, `:`
+ // * security_marks.marks: `=`, `:`
+ // * source_properties: `=`, `:`, `>`, `<`, `>=`, `<=`
+ //
+ // For example, `source_properties.size = 100` is a valid filter string.
+ //
+ // Use a partial match on the empty string to filter based on a property
+ // existing: `source_properties.my_property : ""`
+ //
+ // Use a negated partial match on the empty string to filter based on a
+ // property not existing: `-source_properties.my_property : ""`
+ //
+ // * resource:
+ // * resource.name: `=`, `:`
+ // * resource.parent_name: `=`, `:`
+ // * resource.parent_display_name: `=`, `:`
+ // * resource.project_name: `=`, `:`
+ // * resource.project_display_name: `=`, `:`
+ // * resource.type: `=`, `:`
+ string filter = 2;
+
+ // Required. Expression that defines what assets fields to use for grouping (including
+ // `state_change`). The string value should follow SQL syntax: comma separated
+ // list of fields. For example: "parent,resource_name".
+ //
+ // The following fields are supported:
+ //
+ // * resource_name
+ // * category
+ // * state
+ // * parent
+ // * severity
+ //
+ // The following fields are supported when compare_duration is set:
+ //
+ // * state_change
+ string group_by = 3 [(google.api.field_behavior) = REQUIRED];
+
+ // Time used as a reference point when filtering findings. The filter is
+ // limited to findings existing at the supplied time and their values are
+ // those at that specific time. Absence of this field will default to the
+ // API's version of NOW.
+ google.protobuf.Timestamp read_time = 4;
+
+ // When compare_duration is set, the GroupResult's "state_change" attribute is
+ // updated to indicate whether the finding had its state changed, the
+ // finding's state remained unchanged, or if the finding was added during the
+ // compare_duration period of time that precedes the read_time. This is the
+ // time between (read_time - compare_duration) and read_time.
+ //
+ // The state_change value is derived based on the presence and state of the
+ // finding at the two points in time. Intermediate state changes between the
+ // two times don't affect the result. For example, the results aren't affected
+ // if the finding is made inactive and then active again.
+ //
+ // Possible "state_change" values when compare_duration is specified:
+ //
+ // * "CHANGED": indicates that the finding was present and matched the given
+ // filter at the start of compare_duration, but changed its
+ // state at read_time.
+ // * "UNCHANGED": indicates that the finding was present and matched the given
+ // filter at the start of compare_duration and did not change
+ // state at read_time.
+ // * "ADDED": indicates that the finding did not match the given filter or
+ // was not present at the start of compare_duration, but was
+ // present at read_time.
+ // * "REMOVED": indicates that the finding was present and matched the
+ // filter at the start of compare_duration, but did not match
+ // the filter at read_time.
+ //
+ // If compare_duration is not specified, then the only possible state_change
+ // is "UNUSED", which will be the state_change set for all findings present
+ // at read_time.
+ //
+ // If this field is set then `state_change` must be a specified field in
+ // `group_by`.
+ google.protobuf.Duration compare_duration = 5;
+
+ // The value returned by the last `GroupFindingsResponse`; indicates
+ // that this is a continuation of a prior `GroupFindings` call, and
+ // that the system should return the next page of data.
+ string page_token = 7;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 8;
+}
+
+// Response message for group by findings.
+message GroupFindingsResponse {
+ // Group results. There exists an element for each existing unique
+ // combination of property/values. The element contains a count for the number
+ // of times those specific property/values appear.
+ repeated GroupResult group_by_results = 1;
+
+ // Time used for executing the groupBy request.
+ google.protobuf.Timestamp read_time = 2;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 3;
+
+ // The total number of results matching the query.
+ int32 total_size = 4;
+}
+
+// Result containing the properties and count of a groupBy request.
+message GroupResult {
+ // Properties matching the groupBy fields in the request.
+ map<string, google.protobuf.Value> properties = 1;
+
+ // Total count of resources for the given properties.
+ int64 count = 2;
+}
+
+// Request message for listing mute configs at a given scope e.g. organization,
+// folder or project.
+message ListMuteConfigsRequest {
+ // Required. The parent, which owns the collection of mute configs. Its format is
+ // "organizations/[organization_id]", "folders/[folder_id]",
+ // "projects/[project_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "securitycenter.googleapis.com/MuteConfig"
+ }
+ ];
+
+ // The maximum number of configs to return. The service may return fewer than
+ // this value.
+ // If unspecified, at most 10 configs will be returned.
+ // The maximum value is 1000; values above 1000 will be coerced to 1000.
+ int32 page_size = 2;
+
+ // A page token, received from a previous `ListMuteConfigs` call.
+ // Provide this to retrieve the subsequent page.
+ //
+ // When paginating, all other parameters provided to `ListMuteConfigs` must
+ // match the call that provided the page token.
+ string page_token = 3;
+}
+
+// Response message for listing mute configs.
+message ListMuteConfigsResponse {
+ // The mute configs from the specified parent.
+ repeated MuteConfig mute_configs = 1;
+
+ // A token, which can be sent as `page_token` to retrieve the next page.
+ // If this field is omitted, there are no subsequent pages.
+ string next_page_token = 2;
+}
+
+// Request message for listing notification configs.
+message ListNotificationConfigsRequest {
+ // Required. Name of the organization to list notification configs.
+ // Its format is "organizations/[organization_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // The value returned by the last `ListNotificationConfigsResponse`; indicates
+ // that this is a continuation of a prior `ListNotificationConfigs` call, and
+ // that the system should return the next page of data.
+ string page_token = 2;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 3;
+}
+
+// Response message for listing notification configs.
+message ListNotificationConfigsResponse {
+ // Notification configs belonging to the requested parent.
+ repeated NotificationConfig notification_configs = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 2;
+}
+
+// Request message for listing sources.
+message ListSourcesRequest {
+ // Required. Resource name of the parent of sources to list. Its format should be
+ // "organizations/[organization_id], folders/[folder_id], or
+ // projects/[project_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "securitycenter.googleapis.com/Source"
+ }
+ ];
+
+ // The value returned by the last `ListSourcesResponse`; indicates
+ // that this is a continuation of a prior `ListSources` call, and
+ // that the system should return the next page of data.
+ string page_token = 2;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 7;
+}
+
+// Response message for listing sources.
+message ListSourcesResponse {
+ // Sources belonging to the requested parent.
+ repeated Source sources = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 2;
+}
+
+// Request message for listing assets.
+message ListAssetsRequest {
+ // Required. Name of the organization assets should belong to. Its format is
+ // "organizations/[organization_id], folders/[folder_id], or
+ // projects/[project_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "securitycenter.googleapis.com/Asset"
+ }
+ ];
+
+ // Expression that defines the filter to apply across assets.
+ // The expression is a list of zero or more restrictions combined via logical
+ // operators `AND` and `OR`.
+ // Parentheses are supported, and `OR` has higher precedence than `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a `-`
+ // character in front of them to indicate negation. The fields map to those
+ // defined in the Asset resource. Examples include:
+ //
+ // * name
+ // * security_center_properties.resource_name
+ // * resource_properties.a_property
+ // * security_marks.marks.marka
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ //
+ // The following are the allowed field and operator combinations:
+ //
+ // * name: `=`
+ // * update_time: `=`, `>`, `<`, `>=`, `<=`
+ //
+ // Usage: This should be milliseconds since epoch or an RFC3339 string.
+ // Examples:
+ // `update_time = "2019-06-10T16:07:18-07:00"`
+ // `update_time = 1560208038000`
+ //
+ // * create_time: `=`, `>`, `<`, `>=`, `<=`
+ //
+ // Usage: This should be milliseconds since epoch or an RFC3339 string.
+ // Examples:
+ // `create_time = "2019-06-10T16:07:18-07:00"`
+ // `create_time = 1560208038000`
+ //
+ // * iam_policy.policy_blob: `=`, `:`
+ // * resource_properties: `=`, `:`, `>`, `<`, `>=`, `<=`
+ // * security_marks.marks: `=`, `:`
+ // * security_center_properties.resource_name: `=`, `:`
+ // * security_center_properties.resource_display_name: `=`, `:`
+ // * security_center_properties.resource_type: `=`, `:`
+ // * security_center_properties.resource_parent: `=`, `:`
+ // * security_center_properties.resource_parent_display_name: `=`, `:`
+ // * security_center_properties.resource_project: `=`, `:`
+ // * security_center_properties.resource_project_display_name: `=`, `:`
+ // * security_center_properties.resource_owners: `=`, `:`
+ //
+ // For example, `resource_properties.size = 100` is a valid filter string.
+ //
+ // Use a partial match on the empty string to filter based on a property
+ // existing: `resource_properties.my_property : ""`
+ //
+ // Use a negated partial match on the empty string to filter based on a
+ // property not existing: `-resource_properties.my_property : ""`
+ string filter = 2;
+
+ // Expression that defines what fields and order to use for sorting. The
+ // string value should follow SQL syntax: comma separated list of fields. For
+ // example: "name,resource_properties.a_property". The default sorting order
+ // is ascending. To specify descending order for a field, a suffix " desc"
+ // should be appended to the field name. For example: "name
+ // desc,resource_properties.a_property". Redundant space characters in the
+ // syntax are insignificant. "name desc,resource_properties.a_property" and "
+ // name desc , resource_properties.a_property " are equivalent.
+ //
+ // The following fields are supported:
+ // name
+ // update_time
+ // resource_properties
+ // security_marks.marks
+ // security_center_properties.resource_name
+ // security_center_properties.resource_display_name
+ // security_center_properties.resource_parent
+ // security_center_properties.resource_parent_display_name
+ // security_center_properties.resource_project
+ // security_center_properties.resource_project_display_name
+ // security_center_properties.resource_type
+ string order_by = 3;
+
+ // Time used as a reference point when filtering assets. The filter is limited
+ // to assets existing at the supplied time and their values are those at that
+ // specific time. Absence of this field will default to the API's version of
+ // NOW.
+ google.protobuf.Timestamp read_time = 4;
+
+ // When compare_duration is set, the ListAssetsResult's "state_change"
+ // attribute is updated to indicate whether the asset was added, removed, or
+ // remained present during the compare_duration period of time that precedes
+ // the read_time. This is the time between (read_time - compare_duration) and
+ // read_time.
+ //
+ // The state_change value is derived based on the presence of the asset at the
+ // two points in time. Intermediate state changes between the two times don't
+ // affect the result. For example, the results aren't affected if the asset is
+ // removed and re-created again.
+ //
+ // Possible "state_change" values when compare_duration is specified:
+ //
+ // * "ADDED": indicates that the asset was not present at the start of
+ // compare_duration, but present at read_time.
+ // * "REMOVED": indicates that the asset was present at the start of
+ // compare_duration, but not present at read_time.
+ // * "ACTIVE": indicates that the asset was present at both the
+ // start and the end of the time period defined by
+ // compare_duration and read_time.
+ //
+ // If compare_duration is not specified, then the only possible state_change
+ // is "UNUSED", which will be the state_change set for all assets present at
+ // read_time.
+ google.protobuf.Duration compare_duration = 5;
+
+ // A field mask to specify the ListAssetsResult fields to be listed in the
+ // response.
+ // An empty field mask will list all fields.
+ google.protobuf.FieldMask field_mask = 7;
+
+ // The value returned by the last `ListAssetsResponse`; indicates
+ // that this is a continuation of a prior `ListAssets` call, and
+ // that the system should return the next page of data.
+ string page_token = 8;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 9;
+}
+
+// Response message for listing assets.
+message ListAssetsResponse {
+ // Result containing the Asset and its State.
+ message ListAssetsResult {
+ // The change in state of the asset.
+ //
+ // When querying across two points in time this describes
+ // the change between the two points: ADDED, REMOVED, or ACTIVE.
+ // If there was no compare_duration supplied in the request the state change
+ // will be: UNUSED
+ enum StateChange {
+ // State change is unused, this is the canonical default for this enum.
+ UNUSED = 0;
+
+ // Asset was added between the points in time.
+ ADDED = 1;
+
+ // Asset was removed between the points in time.
+ REMOVED = 2;
+
+ // Asset was present at both point(s) in time.
+ ACTIVE = 3;
+ }
+
+ // Asset matching the search request.
+ Asset asset = 1;
+
+ // State change of the asset between the points in time.
+ StateChange state_change = 2;
+ }
+
+ // Assets matching the list request.
+ repeated ListAssetsResult list_assets_results = 1;
+
+ // Time used for executing the list request.
+ google.protobuf.Timestamp read_time = 2;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 3;
+
+ // The total number of assets matching the query.
+ int32 total_size = 4;
+}
+
+// Request message for listing findings.
+message ListFindingsRequest {
+ // Required. Name of the source the findings belong to. Its format is
+ // "organizations/[organization_id]/sources/[source_id],
+ // folders/[folder_id]/sources/[source_id], or
+ // projects/[project_id]/sources/[source_id]". To list across all sources
+ // provide a source_id of `-`. For example:
+ // organizations/{organization_id}/sources/-, folders/{folder_id}/sources/- or
+ // projects/{projects_id}/sources/-
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Source"
+ }
+ ];
+
+ // Expression that defines the filter to apply across findings.
+ // The expression is a list of one or more restrictions combined via logical
+ // operators `AND` and `OR`.
+ // Parentheses are supported, and `OR` has higher precedence than `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a `-`
+ // character in front of them to indicate negation. Examples include:
+ //
+ // * name
+ // * source_properties.a_property
+ // * security_marks.marks.marka
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ //
+ // The following field and operator combinations are supported:
+ //
+ // * name: `=`
+ // * parent: `=`, `:`
+ // * resource_name: `=`, `:`
+ // * state: `=`, `:`
+ // * category: `=`, `:`
+ // * external_uri: `=`, `:`
+ // * event_time: `=`, `>`, `<`, `>=`, `<=`
+ //
+ // Usage: This should be milliseconds since epoch or an RFC3339 string.
+ // Examples:
+ // `event_time = "2019-06-10T16:07:18-07:00"`
+ // `event_time = 1560208038000`
+ //
+ // * severity: `=`, `:`
+ // * workflow_state: `=`, `:`
+ // * security_marks.marks: `=`, `:`
+ // * source_properties: `=`, `:`, `>`, `<`, `>=`, `<=`
+ //
+ // For example, `source_properties.size = 100` is a valid filter string.
+ //
+ // Use a partial match on the empty string to filter based on a property
+ // existing: `source_properties.my_property : ""`
+ //
+ // Use a negated partial match on the empty string to filter based on a
+ // property not existing: `-source_properties.my_property : ""`
+ //
+ // * resource:
+ // * resource.name: `=`, `:`
+ // * resource.parent_name: `=`, `:`
+ // * resource.parent_display_name: `=`, `:`
+ // * resource.project_name: `=`, `:`
+ // * resource.project_display_name: `=`, `:`
+ // * resource.type: `=`, `:`
+ // * resource.folders.resource_folder: `=`, `:`
+ // * resource.display_name: `=`, `:`
+ string filter = 2;
+
+ // Expression that defines what fields and order to use for sorting. The
+ // string value should follow SQL syntax: comma separated list of fields. For
+ // example: "name,resource_properties.a_property". The default sorting order
+ // is ascending. To specify descending order for a field, a suffix " desc"
+ // should be appended to the field name. For example: "name
+ // desc,source_properties.a_property". Redundant space characters in the
+ // syntax are insignificant. "name desc,source_properties.a_property" and "
+ // name desc , source_properties.a_property " are equivalent.
+ //
+ // The following fields are supported:
+ // name
+ // parent
+ // state
+ // category
+ // resource_name
+ // event_time
+ // source_properties
+ // security_marks.marks
+ string order_by = 3;
+
+ // Time used as a reference point when filtering findings. The filter is
+ // limited to findings existing at the supplied time and their values are
+ // those at that specific time. Absence of this field will default to the
+ // API's version of NOW.
+ google.protobuf.Timestamp read_time = 4;
+
+ // When compare_duration is set, the ListFindingsResult's "state_change"
+ // attribute is updated to indicate whether the finding had its state changed,
+ // the finding's state remained unchanged, or if the finding was added in any
+ // state during the compare_duration period of time that precedes the
+ // read_time. This is the time between (read_time - compare_duration) and
+ // read_time.
+ //
+ // The state_change value is derived based on the presence and state of the
+ // finding at the two points in time. Intermediate state changes between the
+ // two times don't affect the result. For example, the results aren't affected
+ // if the finding is made inactive and then active again.
+ //
+ // Possible "state_change" values when compare_duration is specified:
+ //
+ // * "CHANGED": indicates that the finding was present and matched the given
+ // filter at the start of compare_duration, but changed its
+ // state at read_time.
+ // * "UNCHANGED": indicates that the finding was present and matched the given
+ // filter at the start of compare_duration and did not change
+ // state at read_time.
+ // * "ADDED": indicates that the finding did not match the given filter or
+ // was not present at the start of compare_duration, but was
+ // present at read_time.
+ // * "REMOVED": indicates that the finding was present and matched the
+ // filter at the start of compare_duration, but did not match
+ // the filter at read_time.
+ //
+ // If compare_duration is not specified, then the only possible state_change
+ // is "UNUSED", which will be the state_change set for all findings present at
+ // read_time.
+ google.protobuf.Duration compare_duration = 5;
+
+ // A field mask to specify the Finding fields to be listed in the response.
+ // An empty field mask will list all fields.
+ google.protobuf.FieldMask field_mask = 7;
+
+ // The value returned by the last `ListFindingsResponse`; indicates
+ // that this is a continuation of a prior `ListFindings` call, and
+ // that the system should return the next page of data.
+ string page_token = 8;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 9;
+}
+
+// Response message for listing findings.
+message ListFindingsResponse {
+ // Result containing the Finding and its StateChange.
+ message ListFindingsResult {
+ // The change in state of the finding.
+ //
+ // When querying across two points in time this describes
+ // the change in the finding between the two points: CHANGED, UNCHANGED,
+ // ADDED, or REMOVED. Findings can not be deleted, so REMOVED implies that
+ // the finding at timestamp does not match the filter specified, but it did
+ // at timestamp - compare_duration. If there was no compare_duration
+ // supplied in the request the state change will be: UNUSED
+ enum StateChange {
+ // State change is unused, this is the canonical default for this enum.
+ UNUSED = 0;
+
+ // The finding has changed state in some way between the points in time
+ // and existed at both points.
+ CHANGED = 1;
+
+ // The finding has not changed state between the points in time and
+ // existed at both points.
+ UNCHANGED = 2;
+
+ // The finding was created between the points in time.
+ ADDED = 3;
+
+ // The finding at timestamp does not match the filter specified, but it
+ // did at timestamp - compare_duration.
+ REMOVED = 4;
+ }
+
+ // Information related to the Google Cloud resource that is
+ // associated with this finding.
+ message Resource {
+ // The full resource name of the resource. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ string name = 1;
+
+ // The human readable name of the resource.
+ string display_name = 8;
+
+ // The full resource type of the resource.
+ string type = 6;
+
+ // The full resource name of project that the resource belongs to.
+ string project_name = 2;
+
+ // The project ID that the resource belongs to.
+ string project_display_name = 3;
+
+ // The full resource name of resource's parent.
+ string parent_name = 4;
+
+ // The human readable name of resource's parent.
+ string parent_display_name = 5;
+
+ // Contains a Folder message for each folder in the assets ancestry.
+ // The first folder is the deepest nested folder, and the last folder is
+ // the folder directly under the Organization.
+ repeated Folder folders = 7;
+ }
+
+ // Finding matching the search request.
+ Finding finding = 1;
+
+ // State change of the finding between the points in time.
+ StateChange state_change = 2;
+
+ // Output only. Resource that is associated with this finding.
+ Resource resource = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+ }
+
+ // Findings matching the list request.
+ repeated ListFindingsResult list_findings_results = 1;
+
+ // Time used for executing the list request.
+ google.protobuf.Timestamp read_time = 2;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 3;
+
+ // The total number of findings matching the query.
+ int32 total_size = 4;
+}
+
+// Request message for updating a finding's state.
+message SetFindingStateRequest {
+ // Required. The relative resource name of the finding. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/sources/{source_id}/finding/{finding_id}".
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Finding"
+ }
+ ];
+
+ // Required. The desired State of the finding.
+ Finding.State state = 2 [(google.api.field_behavior) = REQUIRED];
+
+ // Required. The time at which the updated state takes effect.
+ google.protobuf.Timestamp start_time = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for updating a finding's mute status.
+message SetMuteRequest {
+ // Required. The relative resource name of the finding. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/sources/{source_id}/finding/{finding_id}",
+ // "folders/{folder_id}/sources/{source_id}/finding/{finding_id}",
+ // "projects/{project_id}/sources/{source_id}/finding/{finding_id}".
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Finding"
+ }
+ ];
+
+ // Required. The desired state of the Mute.
+ Finding.Mute mute = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for running asset discovery for an organization.
+message RunAssetDiscoveryRequest {
+ // Required. Name of the organization to run asset discovery for. Its format is
+ // "organizations/[organization_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+}
+
+// Request message for updating a ExternalSystem resource.
+message UpdateExternalSystemRequest {
+ // Required. The external system resource to update.
+ ExternalSystem external_system = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the external system resource.
+ //
+ // If empty all mutable fields will be updated.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for updating or creating a finding.
+message UpdateFindingRequest {
+ // Required. The finding resource to update or create if it does not already exist.
+ // parent, security_marks, and update_time will be ignored.
+ //
+ // In the case of creation, the finding id portion of the name must be
+ // alphanumeric and less than or equal to 32 characters and greater than 0
+ // characters in length.
+ Finding finding = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the finding resource. This field should
+ // not be specified when creating a finding.
+ //
+ // When updating a finding, an empty mask is treated as updating all mutable
+ // fields and replacing source_properties. Individual source_properties can
+ // be added/updated by using "source_properties.<property key>" in the field
+ // mask.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for updating a mute config.
+message UpdateMuteConfigRequest {
+ // Required. The mute config being updated.
+ MuteConfig mute_config = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The list of fields to be updated.
+ // If empty all mutable fields will be updated.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for updating a notification config.
+message UpdateNotificationConfigRequest {
+ // Required. The notification config to update.
+ NotificationConfig notification_config = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the notification config.
+ //
+ // If empty all mutable fields will be updated.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for updating an organization's settings.
+message UpdateOrganizationSettingsRequest {
+ // Required. The organization settings resource to update.
+ OrganizationSettings organization_settings = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the settings resource.
+ //
+ // If empty all mutable fields will be updated.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for updating a source.
+message UpdateSourceRequest {
+ // Required. The source resource to update.
+ Source source = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the source resource.
+ //
+ // If empty all mutable fields will be updated.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for updating a SecurityMarks resource.
+message UpdateSecurityMarksRequest {
+ // Required. The security marks resource to update.
+ SecurityMarks security_marks = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the security marks resource.
+ //
+ // The field mask must not contain duplicate fields.
+ // If empty or set to "marks", all marks will be replaced. Individual
+ // marks can be updated using "marks.<mark_key>".
+ google.protobuf.FieldMask update_mask = 2;
+
+ // The time at which the updated SecurityMarks take effect.
+ // If not set uses current server time. Updates will be applied to the
+ // SecurityMarks that are active immediately preceding this time. Must be
+ // earlier or equal to the server time.
+ google.protobuf.Timestamp start_time = 3;
+}
+
+// Request message for creating a big query export.
+message CreateBigQueryExportRequest {
+ // Required. Resource name of the new big query export's parent. Its format is
+ // "organizations/[organization_id]", "folders/[folder_id]", or
+ // "projects/[project_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "securitycenter.googleapis.com/BigQueryExport"
+ }
+ ];
+
+ // Required. The big query export being created.
+ BigQueryExport big_query_export = 2 [(google.api.field_behavior) = REQUIRED];
+
+ // Required. Unique identifier provided by the client within the parent scope.
+ // It must consist of lower case letters, numbers, and hyphen, with the first
+ // character a letter, the last a letter or a number, and a 63 character
+ // maximum.
+ string big_query_export_id = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for updating a BigQuery export.
+message UpdateBigQueryExportRequest {
+ // Required. The BigQuery export being updated.
+ BigQueryExport big_query_export = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The list of fields to be updated.
+ // If empty all mutable fields will be updated.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for listing BigQuery exports at a given scope e.g.
+// organization, folder or project.
+message ListBigQueryExportsRequest {
+ // Required. The parent, which owns the collection of BigQuery exports. Its format is
+ // "organizations/[organization_id]", "folders/[folder_id]",
+ // "projects/[project_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ child_type: "securitycenter.googleapis.com/BigQueryExport"
+ }
+ ];
+
+ // The maximum number of configs to return. The service may return fewer than
+ // this value.
+ // If unspecified, at most 10 configs will be returned.
+ // The maximum value is 1000; values above 1000 will be coerced to 1000.
+ int32 page_size = 2;
+
+ // A page token, received from a previous `ListBigQueryExports` call.
+ // Provide this to retrieve the subsequent page.
+ // When paginating, all other parameters provided to `ListBigQueryExports`
+ // must match the call that provided the page token.
+ string page_token = 3;
+}
+
+// Response message for listing BigQuery exports.
+message ListBigQueryExportsResponse {
+ // The BigQuery exports from the specified parent.
+ repeated BigQueryExport big_query_exports = 1;
+
+ // A token, which can be sent as `page_token` to retrieve the next page.
+ // If this field is omitted, there are no subsequent pages.
+ string next_page_token = 2;
+}
+
+// Request message for deleting a big query export.
+message DeleteBigQueryExportRequest {
+ // Required. Name of the big query export to delete. Its format is
+ // organizations/{organization}/bigQueryExports/{export_id},
+ // folders/{folder}/bigQueryExports/{export_id}, or
+ // projects/{project}/bigQueryExports/{export_id}
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/BigQueryExport"
+ }
+ ];
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/securitycenter_v1.yaml b/third_party/googleapis/google/cloud/securitycenter/v1/securitycenter_v1.yaml
new file mode 100644
index 0000000..662a65e
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/securitycenter_v1.yaml
@@ -0,0 +1,51 @@
+type: google.api.Service
+config_version: 3
+name: securitycenter.googleapis.com
+title: Security Command Center API
+
+apis:
+- name: google.cloud.securitycenter.v1.SecurityCenter
+- name: google.longrunning.Operations
+
+types:
+- name: google.cloud.securitycenter.v1.BigQueryExport
+- name: google.cloud.securitycenter.v1.BulkMuteFindingsResponse
+- name: google.cloud.securitycenter.v1.ExternalSystem
+- name: google.cloud.securitycenter.v1.MuteConfig
+- name: google.cloud.securitycenter.v1.NotificationMessage
+- name: google.cloud.securitycenter.v1.Resource
+- name: google.cloud.securitycenter.v1.RunAssetDiscoveryResponse
+
+documentation:
+ summary: |-
+ Security Command Center API provides access to temporal views of assets and
+ findings within an organization.
+
+backend:
+ rules:
+ - selector: 'google.cloud.securitycenter.v1.SecurityCenter.*'
+ deadline: 480.0
+ - selector: 'google.longrunning.Operations.*'
+ deadline: 60.0
+
+http:
+ rules:
+ - selector: google.longrunning.Operations.CancelOperation
+ post: '/v1/{name=organizations/*/operations/*}:cancel'
+ - selector: google.longrunning.Operations.DeleteOperation
+ delete: '/v1/{name=organizations/*/operations/*}'
+ - selector: google.longrunning.Operations.GetOperation
+ get: '/v1/{name=organizations/*/operations/*}'
+ - selector: google.longrunning.Operations.ListOperations
+ get: '/v1/{name=organizations/*/operations}'
+
+authentication:
+ rules:
+ - selector: 'google.cloud.securitycenter.v1.SecurityCenter.*'
+ oauth:
+ canonical_scopes: |-
+ https://www.googleapis.com/auth/cloud-platform
+ - selector: 'google.longrunning.Operations.*'
+ oauth:
+ canonical_scopes: |-
+ https://www.googleapis.com/auth/cloud-platform
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/source.proto b/third_party/googleapis/google/cloud/securitycenter/v1/source.proto
new file mode 100644
index 0000000..75c069a
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/source.proto 
@@ -0,0 +1,69 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/resource.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Security Command Center finding source. A finding source
+// is an entity or a mechanism that can produce a finding. A source is like a
+// container of findings that come from the same scanner, logger, monitor, and
+// other tools.
+message Source {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/Source"
+ pattern: "organizations/{organization}/sources/{source}"
+ pattern: "folders/{folder}/sources/{source}"
+ pattern: "projects/{project}/sources/{source}"
+ };
+
+ // The relative resource name of this source. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/sources/{source_id}"
+ string name = 1;
+
+ // The source's display name.
+ // A source's display name must be unique amongst its siblings, for example,
+ // two sources with the same parent can't share the same display name.
+ // The display name must have a length between 1 and 64 characters
+ // (inclusive).
+ string display_name = 2;
+
+ // The description of the source (max of 1024 characters).
+ // Example:
+ // "Web Security Scanner is a web security scanner for common
+ // vulnerabilities in App Engine applications. It can automatically
+ // scan and detect four common vulnerabilities, including cross-site-scripting
+ // (XSS), Flash injection, mixed content (HTTP in HTTPS), and
+ // outdated or insecure libraries."
+ string description = 3;
+
+ // The canonical name of the finding. It's either
+ // "organizations/{organization_id}/sources/{source_id}",
+ // "folders/{folder_id}/sources/{source_id}" or
+ // "projects/{project_number}/sources/{source_id}",
+ // depending on the closest CRM ancestor of the resource associated with the
+ // finding.
+ string canonical_name = 14;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1/vulnerability.proto b/third_party/googleapis/google/cloud/securitycenter/v1/vulnerability.proto
new file mode 100644
index 0000000..3810d90
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1/vulnerability.proto
@@ -0,0 +1,216 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "VulnerabilityProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Refers to common vulnerability fields e.g. cve, cvss, cwe etc.
+message Vulnerability {
+ // CVE stands for Common Vulnerabilities and Exposures
+ // (https://cve.mitre.org/about/)
+ Cve cve = 1;
+}
+
+// CVE stands for Common Vulnerabilities and Exposures.
+// More information: https://cve.mitre.org
+message Cve {
+ // The unique identifier for the vulnerability. e.g. CVE-2021-34527
+ string id = 1;
+
+ // Additional information about the CVE.
+ // e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527
+ repeated Reference references = 2;
+
+ // Describe Common Vulnerability Scoring System specified at
+ // https://www.first.org/cvss/v3.1/specification-document
+ Cvssv3 cvssv3 = 3;
+
+ // Whether upstream fix is available for the CVE.
+ bool upstream_fix_available = 4;
+}
+
+// Additional Links
+message Reference {
+ // Source of the reference e.g. NVD
+ string source = 1;
+
+ // Uri for the mentioned source e.g.
+ // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527.
+ string uri = 2;
+}
+
+// Common Vulnerability Scoring System version 3.
+message Cvssv3 {
+ // This metric reflects the context by which vulnerability exploitation is
+ // possible.
+ enum AttackVector {
+ // Invalid value.
+ ATTACK_VECTOR_UNSPECIFIED = 0;
+
+ // The vulnerable component is bound to the network stack and the set of
+ // possible attackers extends beyond the other options listed below, up to
+ // and including the entire Internet.
+ ATTACK_VECTOR_NETWORK = 1;
+
+ // The vulnerable component is bound to the network stack, but the attack is
+ // limited at the protocol level to a logically adjacent topology.
+ ATTACK_VECTOR_ADJACENT = 2;
+
+ // The vulnerable component is not bound to the network stack and the
+ // attacker's path is via read/write/execute capabilities.
+ ATTACK_VECTOR_LOCAL = 3;
+
+ // The attack requires the attacker to physically touch or manipulate the
+ // vulnerable component.
+ ATTACK_VECTOR_PHYSICAL = 4;
+ }
+
+ // This metric describes the conditions beyond the attacker's control that
+ // must exist in order to exploit the vulnerability.
+ enum AttackComplexity {
+ // Invalid value.
+ ATTACK_COMPLEXITY_UNSPECIFIED = 0;
+
+ // Specialized access conditions or extenuating circumstances do not exist.
+ // An attacker can expect repeatable success when attacking the vulnerable
+ // component.
+ ATTACK_COMPLEXITY_LOW = 1;
+
+ // A successful attack depends on conditions beyond the attacker's control.
+ // That is, a successful attack cannot be accomplished at will, but requires
+ // the attacker to invest in some measurable amount of effort in preparation
+ // or execution against the vulnerable component before a successful attack
+ // can be expected.
+ ATTACK_COMPLEXITY_HIGH = 2;
+ }
+
+ // This metric describes the level of privileges an attacker must possess
+ // before successfully exploiting the vulnerability.
+ enum PrivilegesRequired {
+ // Invalid value.
+ PRIVILEGES_REQUIRED_UNSPECIFIED = 0;
+
+ // The attacker is unauthorized prior to attack, and therefore does not
+ // require any access to settings or files of the vulnerable system to
+ // carry out an attack.
+ PRIVILEGES_REQUIRED_NONE = 1;
+
+ // The attacker requires privileges that provide basic user capabilities
+ // that could normally affect only settings and files owned by a user.
+ // Alternatively, an attacker with Low privileges has the ability to access
+ // only non-sensitive resources.
+ PRIVILEGES_REQUIRED_LOW = 2;
+
+ // The attacker requires privileges that provide significant (e.g.,
+ // administrative) control over the vulnerable component allowing access to
+ // component-wide settings and files.
+ PRIVILEGES_REQUIRED_HIGH = 3;
+ }
+
+ // This metric captures the requirement for a human user, other than the
+ // attacker, to participate in the successful compromise of the vulnerable
+ // component.
+ enum UserInteraction {
+ // Invalid value.
+ USER_INTERACTION_UNSPECIFIED = 0;
+
+ // The vulnerable system can be exploited without interaction from any user.
+ USER_INTERACTION_NONE = 1;
+
+ // Successful exploitation of this vulnerability requires a user to take
+ // some action before the vulnerability can be exploited.
+ USER_INTERACTION_REQUIRED = 2;
+ }
+
+ // The Scope metric captures whether a vulnerability in one vulnerable
+ // component impacts resources in components beyond its security scope.
+ enum Scope {
+ // Invalid value.
+ SCOPE_UNSPECIFIED = 0;
+
+ // An exploited vulnerability can only affect resources managed by the same
+ // security authority.
+ SCOPE_UNCHANGED = 1;
+
+ // An exploited vulnerability can affect resources beyond the security scope
+ // managed by the security authority of the vulnerable component.
+ SCOPE_CHANGED = 2;
+ }
+
+ // The Impact metrics capture the effects of a successfully exploited
+ // vulnerability on the component that suffers the worst outcome that is most
+ // directly and predictably associated with the attack.
+ enum Impact {
+ // Invalid value.
+ IMPACT_UNSPECIFIED = 0;
+
+ // High impact.
+ IMPACT_HIGH = 1;
+
+ // Low impact.
+ IMPACT_LOW = 2;
+
+ // No impact.
+ IMPACT_NONE = 3;
+ }
+
+ // The base score is a function of the base metric scores.
+ double base_score = 1;
+
+ // Base Metrics
+ // Represents the intrinsic characteristics of a vulnerability that are
+ // constant over time and across user environments.
+ // This metric reflects the context by which vulnerability exploitation is
+ // possible.
+ AttackVector attack_vector = 5;
+
+ // This metric describes the conditions beyond the attacker's control that
+ // must exist in order to exploit the vulnerability.
+ AttackComplexity attack_complexity = 6;
+
+ // This metric describes the level of privileges an attacker must possess
+ // before successfully exploiting the vulnerability.
+ PrivilegesRequired privileges_required = 7;
+
+ // This metric captures the requirement for a human user, other than the
+ // attacker, to participate in the successful compromise of the vulnerable
+ // component.
+ UserInteraction user_interaction = 8;
+
+ // The Scope metric captures whether a vulnerability in one vulnerable
+ // component impacts resources in components beyond its security scope.
+ Scope scope = 9;
+
+ // This metric measures the impact to the confidentiality of the information
+ // resources managed by a software component due to a successfully exploited
+ // vulnerability.
+ Impact confidentiality_impact = 10;
+
+ // This metric measures the impact to integrity of a successfully exploited
+ // vulnerability.
+ Impact integrity_impact = 11;
+
+ // This metric measures the impact to the availability of the impacted
+ // component resulting from a successfully exploited vulnerability.
+ Impact availability_impact = 12;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/BUILD.bazel b/third_party/googleapis/google/cloud/securitycenter/v1beta1/BUILD.bazel
new file mode 100644
index 0000000..b2c9d0c
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/BUILD.bazel
@@ -0,0 +1,358 @@ +# This file was automatically generated by BuildFileGenerator + +# This is an API workspace, having public visibility by default makes perfect sense. +package(default_visibility = ["//visibility:public"]) + +############################################################################## +# Common +############################################################################## +load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_googleapis_imports//:imports.bzl", "proto_library_with_info") + +proto_library( + name = "securitycenter_proto", + srcs = [ + "asset.proto", + "finding.proto", + "organization_settings.proto", + "run_asset_discovery_response.proto", + "security_marks.proto", + "securitycenter_service.proto", + "source.proto", + ], + deps = [ + "//google/api:annotations_proto", + "//google/api:client_proto", + "//google/api:field_behavior_proto", + "//google/api:resource_proto", + "//google/iam/v1:iam_policy_proto", + "//google/iam/v1:policy_proto", + "//google/longrunning:operations_proto", + "@com_google_protobuf//:duration_proto", + "@com_google_protobuf//:empty_proto", + "@com_google_protobuf//:field_mask_proto", + "@com_google_protobuf//:struct_proto", + "@com_google_protobuf//:timestamp_proto", + ], +) + +proto_library_with_info( + name = "securitycenter_proto_with_info", + deps = [ + ":securitycenter_proto", + "//google/cloud:common_resources_proto", + ], +) + +############################################################################## +# Java +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "java_gapic_assembly_gradle_pkg", + "java_gapic_library", + "java_gapic_test", + "java_grpc_library", + "java_proto_library", +) + +java_proto_library( + name = "securitycenter_java_proto", + deps = [":securitycenter_proto"], +) + +java_grpc_library( + name = "securitycenter_java_grpc", + srcs = [":securitycenter_proto"], + deps = 
[":securitycenter_java_proto"], +) + +java_gapic_library( + name = "securitycenter_java_gapic", + srcs = [":securitycenter_proto_with_info"], + grpc_service_config = "securitycenter_grpc_service_config.json", + test_deps = [ + ":securitycenter_java_grpc", + "//google/iam/v1:iam_java_grpc", + ], + transport = "grpc+rest", + deps = [ + ":securitycenter_java_proto", + "//google/iam/v1:iam_java_proto", + ], +) + +java_gapic_test( + name = "securitycenter_java_gapic_test_suite", + test_classes = [ + "com.google.cloud.securitycenter.v1beta1.SecurityCenterClientHttpJsonTest", + "com.google.cloud.securitycenter.v1beta1.SecurityCenterClientTest", + ], + runtime_deps = [":securitycenter_java_gapic_test"], +) + +# Open Source Packages +java_gapic_assembly_gradle_pkg( + name = "google-cloud-securitycenter-v1beta1-java", + include_samples = True, + transport = "grpc+rest", + deps = [ + ":securitycenter_java_gapic", + ":securitycenter_java_grpc", + ":securitycenter_java_proto", + ":securitycenter_proto", + ], +) + +############################################################################## +# Go +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "go_gapic_assembly_pkg", + "go_gapic_library", + "go_proto_library", + "go_test", +) + +go_proto_library( + name = "securitycenter_go_proto", + compilers = ["@io_bazel_rules_go//proto:go_grpc"], + importpath = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1beta1", + protos = [":securitycenter_proto"], + deps = [ + "//google/api:annotations_go_proto", + "//google/iam/v1:iam_go_proto", + "//google/longrunning:longrunning_go_proto", + ], +) + +go_gapic_library( + name = "securitycenter_go_gapic", + srcs = [":securitycenter_proto_with_info"], + grpc_service_config = "securitycenter_grpc_service_config.json", + importpath = "cloud.google.com/go/securitycenter/apiv1beta1;securitycenter", + service_yaml = "securitycenter_v1beta1.yaml", + 
transport = "grpc+rest", + deps = [ + ":securitycenter_go_proto", + "//google/iam/v1:iam_go_proto", + "//google/longrunning:longrunning_go_proto", + "@com_google_cloud_go//longrunning:go_default_library", + "@com_google_cloud_go//longrunning/autogen:go_default_library", + "@io_bazel_rules_go//proto/wkt:duration_go_proto", + "@io_bazel_rules_go//proto/wkt:struct_go_proto", + ], +) + +go_test( + name = "securitycenter_go_gapic_test", + srcs = [":securitycenter_go_gapic_srcjar_test"], + embed = [":securitycenter_go_gapic"], + importpath = "cloud.google.com/go/securitycenter/apiv1beta1", +) + +# Open Source Packages +go_gapic_assembly_pkg( + name = "gapi-cloud-securitycenter-v1beta1-go", + deps = [ + ":securitycenter_go_gapic", + ":securitycenter_go_gapic_srcjar-test.srcjar", + ":securitycenter_go_proto", + ], +) + +############################################################################## +# Python +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "py_gapic_assembly_pkg", + "py_gapic_library", + "py_test", +) + +py_gapic_library( + name = "securitycenter_py_gapic", + srcs = [":securitycenter_proto"], + grpc_service_config = "securitycenter_grpc_service_config.json", + transport = "grpc", + deps = [ + "//google/iam/v1:iam_policy_py_proto", + ], +) + +py_test( + name = "securitycenter_py_gapic_test", + srcs = [ + "securitycenter_py_gapic_pytest.py", + "securitycenter_py_gapic_test.py", + ], + legacy_create_init = False, + deps = [":securitycenter_py_gapic"], +) + +# Open Source Packages +py_gapic_assembly_pkg( + name = "securitycenter-v1beta1-py", + deps = [ + ":securitycenter_py_gapic", + ], +) + +############################################################################## +# PHP +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "php_gapic_assembly_pkg", + "php_gapic_library", + 
"php_grpc_library", + "php_proto_library", +) + +php_proto_library( + name = "securitycenter_php_proto", + deps = [":securitycenter_proto"], +) + +php_grpc_library( + name = "securitycenter_php_grpc", + srcs = [":securitycenter_proto"], + deps = [":securitycenter_php_proto"], +) + +php_gapic_library( + name = "securitycenter_php_gapic", + srcs = [":securitycenter_proto_with_info"], + grpc_service_config = "securitycenter_grpc_service_config.json", + service_yaml = "securitycenter_v1beta1.yaml", + deps = [ + ":securitycenter_php_grpc", + ":securitycenter_php_proto", + ], +) + +# Open Source Packages +php_gapic_assembly_pkg( + name = "google-cloud-securitycenter-v1beta1-php", + deps = [ + ":securitycenter_php_gapic", + ":securitycenter_php_grpc", + ":securitycenter_php_proto", + ], +) + +############################################################################## +# Node.js +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "nodejs_gapic_assembly_pkg", + "nodejs_gapic_library", +) + +nodejs_gapic_library( + name = "securitycenter_nodejs_gapic", + package_name = "@google-cloud/security-center", + src = ":securitycenter_proto_with_info", + extra_protoc_parameters = ["metadata"], + grpc_service_config = "securitycenter_grpc_service_config.json", + package = "google.cloud.securitycenter.v1beta1", + service_yaml = "securitycenter_v1beta1.yaml", + deps = [], +) + +nodejs_gapic_assembly_pkg( + name = "securitycenter-v1beta1-nodejs", + deps = [ + ":securitycenter_nodejs_gapic", + ":securitycenter_proto", + ], +) + +############################################################################## +# Ruby +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "ruby_cloud_gapic_library", + "ruby_gapic_assembly_pkg", + "ruby_grpc_library", + "ruby_proto_library", +) + +ruby_proto_library( + name = 
"securitycenter_ruby_proto", + deps = [":securitycenter_proto"], +) + +ruby_grpc_library( + name = "securitycenter_ruby_grpc", + srcs = [":securitycenter_proto"], + deps = [":securitycenter_ruby_proto"], +) + +ruby_cloud_gapic_library( + name = "securitycenter_ruby_gapic", + srcs = [":securitycenter_proto_with_info"], + extra_protoc_parameters = ["ruby-cloud-gem-name=google-cloud-securitycenter-v1beta1"], + deps = [ + ":securitycenter_ruby_grpc", + ":securitycenter_ruby_proto", + ], +) + +# Open Source Packages +ruby_gapic_assembly_pkg( + name = "google-cloud-securitycenter-v1beta1-ruby", + deps = [ + ":securitycenter_ruby_gapic", + ":securitycenter_ruby_grpc", + ":securitycenter_ruby_proto", + ], +) + +############################################################################## +# C# +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "csharp_gapic_assembly_pkg", + "csharp_gapic_library", + "csharp_grpc_library", + "csharp_proto_library", +) + +csharp_proto_library( + name = "securitycenter_csharp_proto", + deps = [":securitycenter_proto"], +) + +csharp_grpc_library( + name = "securitycenter_csharp_grpc", + srcs = [":securitycenter_proto"], + deps = [":securitycenter_csharp_proto"], +) + +csharp_gapic_library( + name = "securitycenter_csharp_gapic", + srcs = [":securitycenter_proto_with_info"], + common_resources_config = "@gax_dotnet//:Google.Api.Gax/ResourceNames/CommonResourcesConfig.json", + grpc_service_config = "securitycenter_grpc_service_config.json", + service_yaml = "securitycenter_v1beta1.yaml", + deps = [ + ":securitycenter_csharp_grpc", + ":securitycenter_csharp_proto", + ], +) + +# Open Source Packages +csharp_gapic_assembly_pkg( + name = "google-cloud-securitycenter-v1beta1-csharp", + deps = [ + ":securitycenter_csharp_gapic", + ":securitycenter_csharp_grpc", + ":securitycenter_csharp_proto", + ], +) 
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/asset.proto b/third_party/googleapis/google/cloud/securitycenter/v1beta1/asset.proto
new file mode 100644
index 0000000..415e7a2
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/asset.proto
@@ -0,0 +1,92 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.v1beta1; + +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; +import "google/cloud/securitycenter/v1beta1/security_marks.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; + +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1beta1;securitycenter"; +option java_multiple_files = true; +option java_package = "com.google.cloud.securitycenter.v1beta1"; + +// Security Command Center representation of a Google Cloud +// resource. +// +// The Asset is a Security Command Center resource that captures information +// about a single Google Cloud resource. All modifications to an Asset are only +// within the context of Security Command Center and don't affect the referenced +// Google Cloud resource. +message Asset { + option (google.api.resource) = { + type: "securitycenter.googleapis.com/Asset" + pattern: "organizations/{organization}/assets/{asset}" + }; + + // Security Command Center managed properties. These properties are managed by + // Security Command Center and cannot be modified by the user. + message SecurityCenterProperties { + // Immutable. The full resource name of the Google Cloud resource this asset + // represents. This field is immutable after create time. 
See: + // https://cloud.google.com/apis/design/resource_names#full_resource_name + string resource_name = 1 [(google.api.field_behavior) = IMMUTABLE]; + + // The type of the Google Cloud resource. Examples include: APPLICATION, + // PROJECT, and ORGANIZATION. This is a case insensitive field defined by + // Security Command Center and/or the producer of the resource and is + // immutable after create time. + string resource_type = 2; + + // The full resource name of the immediate parent of the resource. See: + // https://cloud.google.com/apis/design/resource_names#full_resource_name + string resource_parent = 3; + + // The full resource name of the project the resource belongs to. See: + // https://cloud.google.com/apis/design/resource_names#full_resource_name + string resource_project = 4; + + // Owners of the Google Cloud resource. + repeated string resource_owners = 5; + } + + // The relative resource name of this asset. See: + // https://cloud.google.com/apis/design/resource_names#relative_resource_name + // Example: + // "organizations/{organization_id}/assets/{asset_id}". + string name = 1; + + // Security Command Center managed properties. These properties are managed by + // Security Command Center and cannot be modified by the user. + SecurityCenterProperties security_center_properties = 2; + + // Resource managed properties. These properties are managed and defined by + // the Google Cloud resource and cannot be modified by the user. + map<string, google.protobuf.Value> resource_properties = 7; + + // User specified security marks. These marks are entirely managed by the user + // and come from the SecurityMarks resource that belongs to the asset. + SecurityMarks security_marks = 8; + + // The time at which the asset was created in Security Command Center. + google.protobuf.Timestamp create_time = 9; + + // The time at which the asset was last updated, added, or deleted in Security + // Command Center. + google.protobuf.Timestamp update_time = 10; +} 
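Review bot: `SecurityMarks security_marks = 8;` and `string name = 1;` on Asset carry no field_behavior annotation, while the same `security_marks` field on Finding in finding.proto is marked `OUTPUT_ONLY` and its comment says the marks come from the SecurityMarks resource; the only write path for marks visible in securitycenter_service.proto is UpdateSecurityMarks, and no rpc in that service takes an Asset as input, so presumably both fields are output-only here too. Suggest `SecurityMarks security_marks = 8 [(google.api.field_behavior) = OUTPUT_ONLY];` and `string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];`, each with an `Output only.` prefix on its comment, matching the `Immutable.` prefix already used on `resource_name`. Generated clients and reference docs derive the writable surface from these annotations, so the omission is worth closing even on a read-only resource.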
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/finding.proto b/third_party/googleapis/google/cloud/securitycenter/v1beta1/finding.proto
new file mode 100644
index 0000000..768bf41
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/finding.proto
@@ -0,0 +1,109 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1beta1;
+
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/cloud/securitycenter/v1beta1/security_marks.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1beta1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1beta1";
+
+// Security Command Center finding.
+//
+// A finding is a record of assessment data (security, risk, health or privacy)
+// ingested into Security Command Center for presentation, notification,
+// analysis, policy testing, and enforcement. For example, an XSS vulnerability
+// in an App Engine application is a finding.
+message Finding {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/Finding"
+ pattern: "organizations/{organization}/sources/{source}/findings/{finding}"
+ };
+
+ // The state of the finding.
+ enum State {
+ // Unspecified state.
+ STATE_UNSPECIFIED = 0;
+
+ // The finding requires attention and has not been addressed yet.
+ ACTIVE = 1;
+
+ // The finding has been fixed, triaged as a non-issue or otherwise addressed
+ // and is no longer active.
+ INACTIVE = 2;
+ }
+
+ // The relative resource name of this finding. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}"
+ string name = 1;
+
+ // Immutable. The relative resource name of the source the finding belongs to.
+ // See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // This field is immutable after creation time.
+ // For example:
+ // "organizations/{organization_id}/sources/{source_id}"
+ string parent = 2 [(google.api.field_behavior) = IMMUTABLE];
+
+ // For findings on Google Cloud resources, the full resource
+ // name of the Google Cloud resource this finding is for. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ // When the finding is for a non-Google Cloud resource, the resourceName can
+ // be a customer or partner defined string. This field is immutable after
+ // creation time.
+ string resource_name = 3;
+
+ // The state of the finding.
+ State state = 4;
+
+ // The additional taxonomy group within findings from a given source.
+ // This field is immutable after creation time.
+ // Example: "XSS_FLASH_INJECTION"
+ string category = 5;
+
+ // The URI that, if available, points to a web page outside of Security
+ // Command Center where additional information about the finding can be found.
+ // This field is guaranteed to be either empty or a well formed URL.
+ string external_uri = 6;
+
+ // Source specific properties. These properties are managed by the source
+ // that writes the finding. The key names in the source_properties map must be
+ // between 1 and 255 characters, and must start with a letter and contain
+ // alphanumeric characters or underscores only.
+ map<string, google.protobuf.Value> source_properties = 7;
+
+ // Output only. User specified security marks. These marks are entirely
+ // managed by the user and come from the SecurityMarks resource that belongs
+ // to the finding.
+ SecurityMarks security_marks = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // The time at which the event took place, or when an update to the finding
+ // occurred. For example, if the finding represents an open firewall it would
+ // capture the time the detector believes the firewall became open. The
+ // accuracy is determined by the detector. If the finding were to be resolved
+ // afterward, this time would reflect when the finding was resolved.
+ google.protobuf.Timestamp event_time = 9;
+
+ // The time at which the finding was created in Security Command Center.
+ google.protobuf.Timestamp create_time = 10;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/organization_settings.proto b/third_party/googleapis/google/cloud/securitycenter/v1beta1/organization_settings.proto
new file mode 100644
index 0000000..b447bf6
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/organization_settings.proto
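Review bot: `string name = 1;` is left unannotated even though CreateFindingRequest in securitycenter_service.proto states that `The name and security_marks will be ignored as they are both output only fields on this resource`, and `security_marks` in this same message does carry `OUTPUT_ONLY`; for consistency make it `string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];` and prefix its comment with `Output only.`. `external_uri` is supplied by whoever creates or updates the finding and the comment promises only that it is `either empty or a well formed URL`, so anything that renders it as a clickable link should treat it as untrusted data and restrict the accepted schemes; one added sentence such as `The value is provided by the finding's source and is not validated beyond URL well-formedness.` would make that contract explicit for consumers. The `resource_name` comment calls the field `resourceName`; use the proto field name `resource_name` so it matches the declaration it documents.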
@@ -0,0 +1,78 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1beta1;
+
+import "google/api/resource.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1beta1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1beta1";
+
+// User specified settings that are attached to the Security Command
+// Center organization.
+message OrganizationSettings {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/OrganizationSettings"
+ pattern: "organizations/{organization}/organizationSettings"
+ };
+
+ // The configuration used for Asset Discovery runs.
+ message AssetDiscoveryConfig {
+ // The mode of inclusion when running Asset Discovery.
+ // Asset discovery can be limited by explicitly identifying projects to be
+ // included or excluded. If INCLUDE_ONLY is set, then only those projects
+ // within the organization and their children are discovered during asset
+ // discovery. If EXCLUDE is set, then projects that don't match those
+ // projects are discovered during asset discovery. If neither are set, then
+ // all projects within the organization are discovered during asset
+ // discovery.
+ enum InclusionMode {
+ // Unspecified. Setting the mode with this value will disable
+ // inclusion/exclusion filtering for Asset Discovery.
+ INCLUSION_MODE_UNSPECIFIED = 0;
+
+ // Asset Discovery will capture only the resources within the projects
+ // specified. All other resources will be ignored.
+ INCLUDE_ONLY = 1;
+
+ // Asset Discovery will ignore all resources under the projects specified.
+ // All other resources will be retrieved.
+ EXCLUDE = 2;
+ }
+
+ // The project ids to use for filtering asset discovery.
+ repeated string project_ids = 1;
+
+ // The mode to use for filtering asset discovery.
+ InclusionMode inclusion_mode = 2;
+ }
+
+ // The relative resource name of the settings. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/organizationSettings".
+ string name = 1;
+
+ // A flag that indicates if Asset Discovery should be enabled. If the flag is
+ // set to `true`, then discovery of assets will occur. If it is set to `false,
+ // all historical assets will remain, but discovery of future assets will not
+ // occur.
+ bool enable_asset_discovery = 2;
+
+ // The configuration used for Asset Discovery runs.
+ AssetDiscoveryConfig asset_discovery_config = 3;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/run_asset_discovery_response.proto b/third_party/googleapis/google/cloud/securitycenter/v1beta1/run_asset_discovery_response.proto
new file mode 100644
index 0000000..cab92d9
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/run_asset_discovery_response.proto
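Review bot: The `enable_asset_discovery` comment has an unbalanced backtick — `If it is set to `false,` should read `If it is set to `false`,` — which breaks the rendered docs for that field. The `project_ids` comment (`The project ids to use for filtering asset discovery.`) does not say which identifier form is accepted (project ID, project number or a full resource name), and because this list decides which projects are scanned or skipped, a reader cannot tell whether a mistyped entry is rejected or silently matches nothing; state the accepted form and the behaviour for unknown ids, or add `// TODO(review): document accepted id form and handling of unknown ids.` until the service owner confirms. In the InclusionMode paragraph, `If EXCLUDE is set, then projects that don't match those projects are discovered` is hard to parse; `If EXCLUDE is set, then all projects other than the listed ones are discovered` says the same thing plainly.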
@@ -0,0 +1,48 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1beta1;
+
+import "google/protobuf/duration.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1beta1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1beta1";
+
+// Response of asset discovery run
+message RunAssetDiscoveryResponse {
+ // The state of an asset discovery run.
+ enum State {
+ // Asset discovery run state was unspecified.
+ STATE_UNSPECIFIED = 0;
+
+ // Asset discovery run completed successfully.
+ COMPLETED = 1;
+
+ // Asset discovery run was cancelled with tasks still pending, as another
+ // run for the same organization was started with a higher priority.
+ SUPERSEDED = 2;
+
+ // Asset discovery run was killed and terminated.
+ TERMINATED = 3;
+ }
+
+ // The state of an asset discovery run.
+ State state = 1;
+
+ // The duration between asset discovery run start and end
+ google.protobuf.Duration duration = 2;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/security_marks.proto b/third_party/googleapis/google/cloud/securitycenter/v1beta1/security_marks.proto
new file mode 100644
index 0000000..f1dc88d
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/security_marks.proto
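Review bot: `RunAssetDiscoveryResponse` is defined here, but the `RunAssetDiscovery` rpc in securitycenter_service.proto declares `response_type: "google.protobuf.Empty"` in its `google.longrunning.operation_info`, so generated LRO clients will unpack the operation result as Empty and nothing in the service surface references this message. If the operation's result is in fact this message, the operation_info should name `google.cloud.securitycenter.v1beta1.RunAssetDiscoveryResponse`; if it is not, a sentence in the message comment saying how callers obtain this response would stop the mismatch from looking like a bug. Minor: `Response of asset discovery run` and `The duration between asset discovery run start and end` are the only comments in the file without a terminating period.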
@@ -0,0 +1,52 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1beta1;
+
+import "google/api/resource.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1beta1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1beta1";
+
+// User specified security marks that are attached to the parent Security
+// Command Center resource. Security marks are scoped within a Security Command
+// Center organization -- they can be modified and viewed by all users who have
+// proper permissions on the organization.
+message SecurityMarks {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/SecurityMarks"
+ pattern: "organizations/{organization}/assets/{asset}/securityMarks"
+ pattern: "organizations/{organization}/sources/{source}/findings/{finding}/securityMarks"
+ };
+
+ // The relative resource name of the SecurityMarks. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Examples:
+ // "organizations/{organization_id}/assets/{asset_id}/securityMarks"
+ // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks".
+ string name = 1;
+
+ // Mutable user specified security marks belonging to the parent resource.
+ // Constraints are as follows:
+ //
+ // * Keys and values are treated as case insensitive
+ // * Keys must be between 1 - 256 characters (inclusive)
+ // * Keys must be letters, numbers, underscores, or dashes
+ // * Values have leading and trailing whitespace trimmed, remaining
+ // characters must be between 1 - 4096 characters (inclusive)
+ map<string, string> marks = 2;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_gapic.yaml b/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_gapic.yaml
new file mode 100644
index 0000000..0bcb880
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_gapic.yaml
@@ -0,0 +1,2 @@
+type: com.google.api.codegen.ConfigProto
+config_schema_version: 2.0.0
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_grpc_service_config.json b/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_grpc_service_config.json
new file mode 100755
index 0000000..e74f4a5
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_grpc_service_config.json
@@ -0,0 +1,115 @@
+{
+ "methodConfig": [
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "CreateSource"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "CreateFinding"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "RunAssetDiscovery"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "SetFindingState"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "SetIamPolicy"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "UpdateFinding"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "UpdateOrganizationSettings"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "UpdateSource"
+ }
+ ],
+ "timeout": "60s"
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "GetIamPolicy"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "GetOrganizationSettings"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "GetSource"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "ListSources"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "TestIamPermissions"
+ }
+ ],
+ "timeout": "60s",
+ "retryPolicy": {
+ "initialBackoff": "0.100s",
+ "maxBackoff": "60s",
+ "backoffMultiplier": 1.3,
+ "retryableStatusCodes": [
+ "DEADLINE_EXCEEDED",
+ "UNAVAILABLE"
+ ]
+ }
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "UpdateSecurityMarks"
+ }
+ ],
+ "timeout": "480s"
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "GroupAssets"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "GroupFindings"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "ListAssets"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1beta1.SecurityCenter",
+ "method": "ListFindings"
+ }
+ ],
+ "timeout": "480s",
+ "retryPolicy": {
+ "maxAttempts": 5,
+ "initialBackoff": "0.100s",
+ "maxBackoff": "60s",
+ "backoffMultiplier": 1.3,
+ "retryableStatusCodes": [
+ "DEADLINE_EXCEEDED",
+ "UNAVAILABLE"
+ ]
+ }
+ }
+ ]
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_service.proto b/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_service.proto
new file mode 100644
index 0000000..55276ef
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_service.proto
@@ -0,0 +1,823 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.v1beta1; + +import "google/api/annotations.proto"; +import "google/api/client.proto"; +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; +import "google/cloud/securitycenter/v1beta1/asset.proto"; +import "google/cloud/securitycenter/v1beta1/finding.proto"; +import "google/cloud/securitycenter/v1beta1/organization_settings.proto"; +import "google/cloud/securitycenter/v1beta1/security_marks.proto"; +import "google/cloud/securitycenter/v1beta1/source.proto"; +import "google/iam/v1/iam_policy.proto"; +import "google/iam/v1/policy.proto"; +import "google/longrunning/operations.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/field_mask.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; + +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1beta1;securitycenter"; +option java_multiple_files = true; +option java_package = "com.google.cloud.securitycenter.v1beta1"; + +// V1 Beta APIs for Security Center service. +service SecurityCenter { + option (google.api.default_host) = "securitycenter.googleapis.com"; + option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; + + // Creates a source. 
+ rpc CreateSource(CreateSourceRequest) returns (Source) { + option (google.api.http) = { + post: "/v1beta1/{parent=organizations/*}/sources" + body: "source" + }; + option (google.api.method_signature) = "parent,source"; + } + + // Creates a finding. The corresponding source must exist for finding creation + // to succeed. + rpc CreateFinding(CreateFindingRequest) returns (Finding) { + option (google.api.http) = { + post: "/v1beta1/{parent=organizations/*/sources/*}/findings" + body: "finding" + }; + option (google.api.method_signature) = "parent,finding_id,finding"; + } + + // Gets the access control policy on the specified Source. + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1beta1/{resource=organizations/*/sources/*}:getIamPolicy" + body: "*" + }; + option (google.api.method_signature) = "resource"; + } + + // Gets the settings for an organization. + rpc GetOrganizationSettings(GetOrganizationSettingsRequest) returns (OrganizationSettings) { + option (google.api.http) = { + get: "/v1beta1/{name=organizations/*/organizationSettings}" + }; + option (google.api.method_signature) = "name"; + } + + // Gets a source. + rpc GetSource(GetSourceRequest) returns (Source) { + option (google.api.http) = { + get: "/v1beta1/{name=organizations/*/sources/*}" + }; + option (google.api.method_signature) = "name"; + } + + // Filters an organization's assets and groups them by their specified + // properties. + rpc GroupAssets(GroupAssetsRequest) returns (GroupAssetsResponse) { + option (google.api.http) = { + post: "/v1beta1/{parent=organizations/*}/assets:group" + body: "*" + }; + } + + // Filters an organization or source's findings and groups them by their + // specified properties. + // + // To group across all sources provide a `-` as the source id. 
+ // Example: /v1beta1/organizations/{organization_id}/sources/-/findings + rpc GroupFindings(GroupFindingsRequest) returns (GroupFindingsResponse) { + option (google.api.http) = { + post: "/v1beta1/{parent=organizations/*/sources/*}/findings:group" + body: "*" + }; + option (google.api.method_signature) = "parent,group_by"; + } + + // Lists an organization's assets. + rpc ListAssets(ListAssetsRequest) returns (ListAssetsResponse) { + option (google.api.http) = { + get: "/v1beta1/{parent=organizations/*}/assets" + }; + } + + // Lists an organization or source's findings. + // + // To list across all sources provide a `-` as the source id. + // Example: /v1beta1/organizations/{organization_id}/sources/-/findings + rpc ListFindings(ListFindingsRequest) returns (ListFindingsResponse) { + option (google.api.http) = { + get: "/v1beta1/{parent=organizations/*/sources/*}/findings" + }; + } + + // Lists all sources belonging to an organization. + rpc ListSources(ListSourcesRequest) returns (ListSourcesResponse) { + option (google.api.http) = { + get: "/v1beta1/{parent=organizations/*}/sources" + }; + option (google.api.method_signature) = "parent"; + } + + // Runs asset discovery. The discovery is tracked with a long-running + // operation. + // + // This API can only be called with limited frequency for an organization. If + // it is called too frequently the caller will receive a TOO_MANY_REQUESTS + // error. + rpc RunAssetDiscovery(RunAssetDiscoveryRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1beta1/{parent=organizations/*}/assets:runDiscovery" + body: "*" + }; + option (google.api.method_signature) = "parent"; + option (google.longrunning.operation_info) = { + response_type: "google.protobuf.Empty" + metadata_type: "google.protobuf.Empty" + }; + } + + // Updates the state of a finding. 
+ rpc SetFindingState(SetFindingStateRequest) returns (Finding) { + option (google.api.http) = { + post: "/v1beta1/{name=organizations/*/sources/*/findings/*}:setState" + body: "*" + }; + option (google.api.method_signature) = "name,state,start_time"; + } + + // Sets the access control policy on the specified Source. + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1beta1/{resource=organizations/*/sources/*}:setIamPolicy" + body: "*" + }; + option (google.api.method_signature) = "resource,policy"; + } + + // Returns the permissions that a caller has on the specified source. + rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { + option (google.api.http) = { + post: "/v1beta1/{resource=organizations/*/sources/*}:testIamPermissions" + body: "*" + }; + option (google.api.method_signature) = "resource,permissions"; + } + + // Creates or updates a finding. The corresponding source must exist for a + // finding creation to succeed. + rpc UpdateFinding(UpdateFindingRequest) returns (Finding) { + option (google.api.http) = { + patch: "/v1beta1/{finding.name=organizations/*/sources/*/findings/*}" + body: "finding" + }; + option (google.api.method_signature) = "finding"; + } + + // Updates an organization's settings. + rpc UpdateOrganizationSettings(UpdateOrganizationSettingsRequest) returns (OrganizationSettings) { + option (google.api.http) = { + patch: "/v1beta1/{organization_settings.name=organizations/*/organizationSettings}" + body: "organization_settings" + }; + option (google.api.method_signature) = "organization_settings"; + } + + // Updates a source. + rpc UpdateSource(UpdateSourceRequest) returns (Source) { + option (google.api.http) = { + patch: "/v1beta1/{source.name=organizations/*/sources/*}" + body: "source" + }; + option (google.api.method_signature) = "source"; + } + + // Updates security marks. 
+ rpc UpdateSecurityMarks(UpdateSecurityMarksRequest) returns (SecurityMarks) {
+ option (google.api.http) = {
+ patch: "/v1beta1/{security_marks.name=organizations/*/assets/*/securityMarks}"
+ body: "security_marks"
+ additional_bindings {
+ patch: "/v1beta1/{security_marks.name=organizations/*/sources/*/findings/*/securityMarks}"
+ body: "security_marks"
+ }
+ };
+ option (google.api.method_signature) = "security_marks";
+ }
+}
+
+// Request message for creating a finding.
+message CreateFindingRequest {
+ // Required. Resource name of the new finding's parent. Its format should be
+ // "organizations/[organization_id]/sources/[source_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Source"
+ }
+ ];
+
+ // Required. Unique identifier provided by the client within the parent scope.
+ // It must be alphanumeric and less than or equal to 32 characters and
+ // greater than 0 characters in length.
+ string finding_id = 2 [(google.api.field_behavior) = REQUIRED];
+
+ // Required. The Finding being created. The name and security_marks will be ignored as
+ // they are both output only fields on this resource.
+ Finding finding = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for creating a source.
+message CreateSourceRequest {
+ // Required. Resource name of the new source's parent. Its format should be
+ // "organizations/[organization_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // Required. The Source being created, only the display_name and description will be
+ // used. All other fields will be ignored.
+ Source source = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for getting organization settings.
+message GetOrganizationSettingsRequest {
+ // Required. Name of the organization to get organization settings for. Its format is
+ // "organizations/[organization_id]/organizationSettings".
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/OrganizationSettings"
+ }
+ ];
+}
+
+// Request message for getting a source.
+message GetSourceRequest {
+ // Required. Relative resource name of the source. Its format is
+ // "organizations/[organization_id]/source/[source_id]".
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Source"
+ }
+ ];
+}
+
+// Request message for grouping by assets.
+message GroupAssetsRequest {
+ // Required. Name of the organization to groupBy. Its format is
+ // "organizations/[organization_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // Expression that defines the filter to apply across assets.
+ // The expression is a list of zero or more restrictions combined via logical
+ // operators `AND` and `OR`.
+ // Parentheses are not supported, and `OR` has higher precedence than `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a `-`
+ // character in front of them to indicate negation. The fields map to those
+ // defined in the Asset resource. Examples include:
+ //
+ // * name
+ // * security_center_properties.resource_name
+ // * resource_properties.a_property
+ // * security_marks.marks.marka
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ //
+ // For example, `resource_properties.size = 100` is a valid filter string.
+ string filter = 2;
+
+ // Required. Expression that defines what assets fields to use for grouping. The string
+ // value should follow SQL syntax: comma separated list of fields. For
+ // example:
+ // "security_center_properties.resource_project,security_center_properties.project".
+
+ // The following fields are supported when compare_duration is not set:
+ //
+ // * security_center_properties.resource_project
+ // * security_center_properties.resource_type
+ // * security_center_properties.resource_parent
+ //
+ // The following fields are supported when compare_duration is set:
+ //
+ // * security_center_properties.resource_type
+ string group_by = 3 [(google.api.field_behavior) = REQUIRED];
+
+ // When compare_duration is set, the Asset's "state" property is updated to
+ // indicate whether the asset was added, removed, or remained present during
+ // the compare_duration period of time that precedes the read_time. This is
+ // the time between (read_time - compare_duration) and read_time.
+ //
+ // The state value is derived based on the presence of the asset at the two
+ // points in time. Intermediate state changes between the two times don't
+ // affect the result. For example, the results aren't affected if the asset is
+ // removed and re-created again.
+ //
+ // Possible "state" values when compare_duration is specified:
+ //
+ // * "ADDED": indicates that the asset was not present before
+ // compare_duration, but present at reference_time.
+ // * "REMOVED": indicates that the asset was present at the start of
+ // compare_duration, but not present at reference_time.
+ // * "ACTIVE": indicates that the asset was present at both the
+ // start and the end of the time period defined by
+ // compare_duration and reference_time.
+ //
+ // This field is ignored if `state` is not a field in `group_by`.
+ google.protobuf.Duration compare_duration = 4;
+
+ // Time used as a reference point when filtering assets. The filter is limited
+ // to assets existing at the supplied time and their values are those at that
+ // specific time. Absence of this field will default to the API's version of
+ // NOW.
+ google.protobuf.Timestamp read_time = 5;
+
+ // The value returned by the last `GroupAssetsResponse`; indicates
+ // that this is a continuation of a prior `GroupAssets` call, and that the
+ // system should return the next page of data.
+ string page_token = 7;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 8;
+}
+
+// Response message for grouping by assets.
+message GroupAssetsResponse {
+ // Group results. There exists an element for each existing unique
+ // combination of property/values. The element contains a count for the number
+ // of times those specific property/values appear.
+ repeated GroupResult group_by_results = 1;
+
+ // Time used for executing the groupBy request.
+ google.protobuf.Timestamp read_time = 2;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 3;
+}
+
+// Request message for grouping by findings.
+message GroupFindingsRequest {
+ // Required. Name of the source to groupBy. Its format is
+ // "organizations/[organization_id]/sources/[source_id]". To groupBy across
+ // all sources provide a source_id of `-`. For example:
+ // organizations/{organization_id}/sources/-
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Source"
+ }
+ ];
+
+ // Expression that defines the filter to apply across findings.
+ // The expression is a list of one or more restrictions combined via logical
+ // operators `AND` and `OR`.
+ // Parentheses are not supported, and `OR` has higher precedence than `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a `-`
+ // character in front of them to indicate negation. Examples include:
+ //
+ // * name
+ // * source_properties.a_property
+ // * security_marks.marks.marka
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ //
+ // For example, `source_properties.size = 100` is a valid filter string.
+ string filter = 2;
+
+ // Required. Expression that defines what assets fields to use for grouping (including
+ // `state`). The string value should follow SQL syntax: comma separated list
+ // of fields. For example:
+ // "parent,resource_name".
+ //
+ // The following fields are supported:
+ //
+ // * resource_name
+ // * category
+ // * state
+ // * parent
+ string group_by = 3 [(google.api.field_behavior) = REQUIRED];
+
+ // Time used as a reference point when filtering findings. The filter is
+ // limited to findings existing at the supplied time and their values are
+ // those at that specific time. Absence of this field will default to the
+ // API's version of NOW.
+ google.protobuf.Timestamp read_time = 4;
+
+ // The value returned by the last `GroupFindingsResponse`; indicates
+ // that this is a continuation of a prior `GroupFindings` call, and
+ // that the system should return the next page of data.
+ string page_token = 5;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 6;
+}
+
+// Response message for group by findings.
+message GroupFindingsResponse {
+ // Group results. There exists an element for each existing unique
+ // combination of property/values. The element contains a count for the number
+ // of times those specific property/values appear.
+ repeated GroupResult group_by_results = 1;
+
+ // Time used for executing the groupBy request.
+ google.protobuf.Timestamp read_time = 2;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 3;
+}
+
+// Result containing the properties and count of a groupBy request.
+message GroupResult {
+ // Properties matching the groupBy fields in the request.
+ map<string, google.protobuf.Value> properties = 1;
+
+ // Total count of resources for the given properties.
+ int64 count = 2;
+}
+
+// Request message for listing sources.
+message ListSourcesRequest {
+ // Required. Resource name of the parent of sources to list. Its format should be
+ // "organizations/[organization_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // The value returned by the last `ListSourcesResponse`; indicates
+ // that this is a continuation of a prior `ListSources` call, and
+ // that the system should return the next page of data.
+ string page_token = 2;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 7;
+}
+
+// Response message for listing sources.
+message ListSourcesResponse {
+ // Sources belonging to the requested parent.
+ repeated Source sources = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 2;
+}
+
+// Request message for listing assets.
+message ListAssetsRequest {
+ // Required. Name of the organization assets should belong to. Its format is
+ // "organizations/[organization_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+
+ // Expression that defines the filter to apply across assets.
+ // The expression is a list of zero or more restrictions combined via logical
+ // operators `AND` and `OR`.
+ // Parentheses are not supported, and `OR` has higher precedence than `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a `-`
+ // character in front of them to indicate negation. The fields map to those
+ // defined in the Asset resource. Examples include:
+ //
+ // * name
+ // * security_center_properties.resource_name
+ // * resource_properties.a_property
+ // * security_marks.marks.marka
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ //
+ // For example, `resource_properties.size = 100` is a valid filter string.
+ string filter = 2;
+
+ // Expression that defines what fields and order to use for sorting. The
+ // string value should follow SQL syntax: comma separated list of fields. For
+ // example: "name,resource_properties.a_property". The default sorting order
+ // is ascending. To specify descending order for a field, a suffix " desc"
+ // should be appended to the field name. For example: "name
+ // desc,resource_properties.a_property". Redundant space characters in the
+ // syntax are insignificant. "name desc,resource_properties.a_property" and "
+ // name desc , resource_properties.a_property " are equivalent.
+ string order_by = 3;
+
+ // Time used as a reference point when filtering assets. The filter is limited
+ // to assets existing at the supplied time and their values are those at that
+ // specific time. Absence of this field will default to the API's version of
+ // NOW.
+ google.protobuf.Timestamp read_time = 4;
+
+ // When compare_duration is set, the ListAssetResult's "state" attribute is
+ // updated to indicate whether the asset was added, removed, or remained
+ // present during the compare_duration period of time that precedes the
+ // read_time. This is the time between (read_time -
+ // compare_duration) and read_time.
+ //
+ // The state value is derived based on the presence of the asset at the two
+ // points in time. Intermediate state changes between the two times don't
+ // affect the result. For example, the results aren't affected if the asset is
+ // removed and re-created again.
+ //
+ // Possible "state" values when compare_duration is specified:
+ //
+ // * "ADDED": indicates that the asset was not present before
+ // compare_duration, but present at read_time.
+ // * "REMOVED": indicates that the asset was present at the start of
+ // compare_duration, but not present at read_time.
+ // * "ACTIVE": indicates that the asset was present at both the
+ // start and the end of the time period defined by
+ // compare_duration and read_time.
+ //
+ // If compare_duration is not specified, then the only possible state is
+ // "UNUSED", which indicates that the asset is present at read_time.
+ google.protobuf.Duration compare_duration = 5;
+
+ // Optional. A field mask to specify the ListAssetsResult fields to be listed in the
+ // response.
+ // An empty field mask will list all fields.
+ google.protobuf.FieldMask field_mask = 7 [(google.api.field_behavior) = OPTIONAL];
+
+ // The value returned by the last `ListAssetsResponse`; indicates
+ // that this is a continuation of a prior `ListAssets` call, and
+ // that the system should return the next page of data.
+ string page_token = 8;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 9;
+}
+
+// Response message for listing assets.
+message ListAssetsResponse {
+ // Result containing the Asset and its State.
+ message ListAssetsResult {
+ // State of the asset.
+ //
+ // When querying across two points in time this describes
+ // the change between the two points: ADDED, REMOVED, or ACTIVE.
+ // If there was no compare_duration supplied in the request the state should
+ // be: UNUSED
+ enum State {
+ // Unspecified state.
+ STATE_UNSPECIFIED = 0;
+
+ // Request did not specify use of this field in the result.
+ UNUSED = 1;
+
+ // Asset was added between the points in time.
+ ADDED = 2;
+
+ // Asset was removed between the points in time.
+ REMOVED = 3;
+
+ // Asset was active at both point(s) in time.
+ ACTIVE = 4;
+ }
+
+ // Asset matching the search request.
+ Asset asset = 1;
+
+ // State of the asset.
+ State state = 2;
+ }
+
+ // Assets matching the list request.
+ repeated ListAssetsResult list_assets_results = 1;
+
+ // Time used for executing the list request.
+ google.protobuf.Timestamp read_time = 2;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 3;
+
+ // The total number of assets matching the query.
+ int32 total_size = 4;
+}
+
+// Request message for listing findings.
+message ListFindingsRequest {
+ // Required. Name of the source the findings belong to. Its format is
+ // "organizations/[organization_id]/sources/[source_id]". To list across all
+ // sources provide a source_id of `-`. For example:
+ // organizations/{organization_id}/sources/-
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Source"
+ }
+ ];
+
+ // Expression that defines the filter to apply across findings.
+ // The expression is a list of one or more restrictions combined via logical
+ // operators `AND` and `OR`.
+ // Parentheses are not supported, and `OR` has higher precedence than `AND`.
+ //
+ // Restrictions have the form `<field> <operator> <value>` and may have a `-`
+ // character in front of them to indicate negation. Examples include:
+ //
+ // * name
+ // * source_properties.a_property
+ // * security_marks.marks.marka
+ //
+ // The supported operators are:
+ //
+ // * `=` for all value types.
+ // * `>`, `<`, `>=`, `<=` for integer values.
+ // * `:`, meaning substring matching, for strings.
+ //
+ // The supported value types are:
+ //
+ // * string literals in quotes.
+ // * integer literals without quotes.
+ // * boolean literals `true` and `false` without quotes.
+ //
+ // For example, `source_properties.size = 100` is a valid filter string.
+ string filter = 2;
+
+ // Expression that defines what fields and order to use for sorting. The
+ // string value should follow SQL syntax: comma separated list of fields. For
+ // example: "name,resource_properties.a_property". The default sorting order
+ // is ascending. To specify descending order for a field, a suffix " desc"
+ // should be appended to the field name. For example: "name
+ // desc,source_properties.a_property". Redundant space characters in the
+ // syntax are insignificant. "name desc,source_properties.a_property" and "
+ // name desc , source_properties.a_property " are equivalent.
+ string order_by = 3;
+
+ // Time used as a reference point when filtering findings. The filter is
+ // limited to findings existing at the supplied time and their values are
+ // those at that specific time. Absence of this field will default to the
+ // API's version of NOW.
+ google.protobuf.Timestamp read_time = 4;
+
+ // Optional. A field mask to specify the Finding fields to be listed in the response.
+ // An empty field mask will list all fields.
+ google.protobuf.FieldMask field_mask = 5 [(google.api.field_behavior) = OPTIONAL];
+
+ // The value returned by the last `ListFindingsResponse`; indicates
+ // that this is a continuation of a prior `ListFindings` call, and
+ // that the system should return the next page of data.
+ string page_token = 6;
+
+ // The maximum number of results to return in a single response. Default is
+ // 10, minimum is 1, maximum is 1000.
+ int32 page_size = 7;
+}
+
+// Response message for listing findings.
+message ListFindingsResponse {
+ // Findings matching the list request.
+ repeated Finding findings = 1;
+
+ // Time used for executing the list request.
+ google.protobuf.Timestamp read_time = 2;
+
+ // Token to retrieve the next page of results, or empty if there are no more
+ // results.
+ string next_page_token = 3;
+
+ // The total number of findings matching the query.
+ int32 total_size = 4;
+}
+
+// Request message for updating a finding's state.
+message SetFindingStateRequest {
+ // Required. The relative resource name of the finding. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/sources/{source_id}/finding/{finding_id}".
+ string name = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "securitycenter.googleapis.com/Finding"
+ }
+ ];
+
+ // Required. The desired State of the finding.
+ Finding.State state = 2 [(google.api.field_behavior) = REQUIRED];
+
+ // Required. The time at which the updated state takes effect.
+ google.protobuf.Timestamp start_time = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for running asset discovery for an organization.
+message RunAssetDiscoveryRequest {
+ // Required. Name of the organization to run asset discovery for. Its format is
+ // "organizations/[organization_id]".
+ string parent = 1 [
+ (google.api.field_behavior) = REQUIRED,
+ (google.api.resource_reference) = {
+ type: "cloudresourcemanager.googleapis.com/Organization"
+ }
+ ];
+}
+
+// Request message for updating or creating a finding.
+message UpdateFindingRequest {
+ // Required. The finding resource to update or create if it does not already exist.
+ // parent, security_marks, and update_time will be ignored.
+ //
+ // In the case of creation, the finding id portion of the name must
+ // alphanumeric and less than or equal to 32 characters and greater than 0
+ // characters in length.
+ Finding finding = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the finding resource. This field should
+ // not be specified when creating a finding.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for updating an organization's settings.
+message UpdateOrganizationSettingsRequest {
+ // Required. The organization settings resource to update.
+ OrganizationSettings organization_settings = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the settings resource.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for updating a source.
+message UpdateSourceRequest {
+ // Required. The source resource to update.
+ Source source = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the source resource.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for updating a SecurityMarks resource.
+message UpdateSecurityMarksRequest {
+ // Required. The security marks resource to update.
+ SecurityMarks security_marks = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The FieldMask to use when updating the security marks resource.
+ google.protobuf.FieldMask update_mask = 2;
+
+ // The time at which the updated SecurityMarks take effect.
+ google.protobuf.Timestamp start_time = 3;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_v1beta1.yaml b/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_v1beta1.yaml
new file mode 100644
index 0000000..e5d7b5b
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/securitycenter_v1beta1.yaml
@@ -0,0 +1,45 @@
+type: google.api.Service
+config_version: 3
+name: securitycenter.googleapis.com
+title: Security Command Center API
+
+apis:
+- name: google.cloud.securitycenter.v1beta1.SecurityCenter
+
+types:
+- name: google.cloud.securitycenter.v1beta1.RunAssetDiscoveryResponse
+
+documentation:
+ summary: |-
+ Security Command Center API provides access to temporal views of assets and
+ findings within an organization.
+
+backend:
+ rules:
+ - selector: 'google.cloud.securitycenter.v1beta1.SecurityCenter.*'
+ deadline: 480.0
+ - selector: 'google.longrunning.Operations.*'
+ deadline: 60.0
+
+http:
+ rules:
+ - selector: google.longrunning.Operations.CancelOperation
+ post: '/v1beta1/{name=organizations/*/operations/*}:cancel'
+ body: '*'
+ - selector: google.longrunning.Operations.DeleteOperation
+ delete: '/v1beta1/{name=organizations/*/operations/*}'
+ - selector: google.longrunning.Operations.GetOperation
+ get: '/v1beta1/{name=organizations/*/operations/*}'
+ - selector: google.longrunning.Operations.ListOperations
+ get: '/v1beta1/{name=organizations/*/operations}'
+
+authentication:
+ rules:
+ - selector: 'google.cloud.securitycenter.v1beta1.SecurityCenter.*'
+ oauth:
+ canonical_scopes: |-
+ https://www.googleapis.com/auth/cloud-platform
+ - selector: 'google.longrunning.Operations.*'
+ oauth:
+ canonical_scopes: |-
+ https://www.googleapis.com/auth/cloud-platform
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1beta1/source.proto b/third_party/googleapis/google/cloud/securitycenter/v1beta1/source.proto
new file mode 100644
index 0000000..a4a4974
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1beta1/source.proto 
@@ -0,0 +1,55 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1beta1;
+
+import "google/api/resource.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1beta1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1beta1";
+
+// Security Command Center finding source. A finding source
+// is an entity or a mechanism that can produce a finding. A source is like a
+// container of findings that come from the same scanner, logger, monitor, etc.
+message Source {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/Source"
+ pattern: "organizations/{organization}/sources/{source}"
+ };
+
+ // The relative resource name of this source. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/sources/{source_id}"
+ string name = 1;
+
+ // The source's display name.
+ // A source's display name must be unique amongst its siblings, for example,
+ // two sources with the same parent can't share the same display name.
+ // The display name must have a length between 1 and 64 characters
+ // (inclusive).
+ string display_name = 2;
+
+ // The description of the source (max of 1024 characters).
+ // Example:
+ // "Web Security Scanner is a web security scanner for common
+ // vulnerabilities in App Engine applications. It can automatically
+ // scan and detect four common vulnerabilities, including cross-site-scripting
+ // (XSS), Flash injection, mixed content (HTTP in HTTPS), and
+ // outdated/insecure libraries."
+ string description = 3;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/BUILD.bazel b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/BUILD.bazel
new file mode 100644
index 0000000..85ce055
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/BUILD.bazel
@@ -0,0 +1,380 @@ +# This file was automatically generated by BuildFileGenerator +# https://github.com/googleapis/gapic-generator/tree/master/rules_gapic/bazel + +# Most of the manual changes to this file will be overwritten. +# It's **only** allowed to change the following rule attribute values: +# - names of *_gapic_assembly_* rules +# - certain parameters of *_gapic_library rules, including but not limited to: +# * extra_protoc_parameters +# * extra_protoc_file_parameters +# The complete list of preserved parameters can be found in the source code. + +# This is an API workspace, having public visibility by default makes perfect sense. +package(default_visibility = ["//visibility:public"]) + +############################################################################## +# Common +############################################################################## +load("@rules_proto//proto:defs.bzl", "proto_library") +load("@com_google_googleapis_imports//:imports.bzl", "proto_library_with_info") + +proto_library( + name = "securitycenter_proto", + srcs = [ + "asset.proto", + "finding.proto", + "folder.proto", + "notification_config.proto", + "notification_message.proto", + "organization_settings.proto", + "resource.proto", + "run_asset_discovery_response.proto", + "security_marks.proto", + "securitycenter_service.proto", + "source.proto", + ], + deps = [ + "//google/api:annotations_proto", + "//google/api:client_proto", + "//google/api:field_behavior_proto", + "//google/api:resource_proto", + "//google/iam/v1:iam_policy_proto", + "//google/iam/v1:policy_proto", + "//google/longrunning:operations_proto", + "@com_google_protobuf//:duration_proto", + "@com_google_protobuf//:empty_proto", + "@com_google_protobuf//:field_mask_proto", + "@com_google_protobuf//:struct_proto", + "@com_google_protobuf//:timestamp_proto", + ], +) + +proto_library_with_info( + name = "securitycenter_proto_with_info", + deps = [ + ":securitycenter_proto", + 
"//google/cloud:common_resources_proto", + ], +) + +############################################################################## +# Java +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "java_gapic_assembly_gradle_pkg", + "java_gapic_library", + "java_gapic_test", + "java_grpc_library", + "java_proto_library", +) + +java_proto_library( + name = "securitycenter_java_proto", + deps = [":securitycenter_proto"], +) + +java_grpc_library( + name = "securitycenter_java_grpc", + srcs = [":securitycenter_proto"], + deps = [":securitycenter_java_proto"], +) + +java_gapic_library( + name = "securitycenter_java_gapic", + srcs = [":securitycenter_proto_with_info"], + grpc_service_config = "securitycenter_grpc_service_config.json", + test_deps = [ + ":securitycenter_java_grpc", + "//google/iam/v1:iam_java_grpc", + ], + transport = "grpc+rest", + deps = [ + ":securitycenter_java_proto", + "//google/iam/v1:iam_java_proto", + ], +) + +java_gapic_test( + name = "securitycenter_java_gapic_test_suite", + test_classes = [ + "com.google.cloud.securitycenter.v1p1beta1.SecurityCenterClientHttpJsonTest", + "com.google.cloud.securitycenter.v1p1beta1.SecurityCenterClientTest", + ], + runtime_deps = [":securitycenter_java_gapic_test"], +) + +# Open Source Packages +java_gapic_assembly_gradle_pkg( + name = "google-cloud-securitycenter-v1p1beta1-java", + include_samples = True, + transport = "grpc+rest", + deps = [ + ":securitycenter_java_gapic", + ":securitycenter_java_grpc", + ":securitycenter_java_proto", + ":securitycenter_proto", + ], +) + +############################################################################## +# Go +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "go_gapic_assembly_pkg", + "go_gapic_library", + "go_proto_library", + "go_test", +) + +go_proto_library( + name = "securitycenter_go_proto", 
+ compilers = ["@io_bazel_rules_go//proto:go_grpc"], + importpath = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1", + protos = [":securitycenter_proto"], + deps = [ + "//google/api:annotations_go_proto", + "//google/iam/v1:iam_go_proto", + "//google/longrunning:longrunning_go_proto", + ], +) + +go_gapic_library( + name = "securitycenter_go_gapic", + srcs = [":securitycenter_proto_with_info"], + grpc_service_config = "securitycenter_grpc_service_config.json", + importpath = "cloud.google.com/go/securitycenter/apiv1p1beta1;securitycenter", + service_yaml = "securitycenter_v1p1beta1.yaml", + transport = "grpc+rest", + deps = [ + ":securitycenter_go_proto", + "//google/iam/v1:iam_go_proto", + "//google/longrunning:longrunning_go_proto", + "@com_google_cloud_go//longrunning:go_default_library", + "@com_google_cloud_go//longrunning/autogen:go_default_library", + "@io_bazel_rules_go//proto/wkt:duration_go_proto", + "@io_bazel_rules_go//proto/wkt:struct_go_proto", + ], +) + +go_test( + name = "securitycenter_go_gapic_test", + srcs = [":securitycenter_go_gapic_srcjar_test"], + embed = [":securitycenter_go_gapic"], + importpath = "cloud.google.com/go/securitycenter/apiv1p1beta1", +) + +# Open Source Packages +go_gapic_assembly_pkg( + name = "gapi-cloud-securitycenter-v1p1beta1-go", + deps = [ + ":securitycenter_go_gapic", + ":securitycenter_go_gapic_srcjar-test.srcjar", + ":securitycenter_go_proto", + ], +) + +############################################################################## +# Python +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "py_gapic_assembly_pkg", + "py_gapic_library", + "py_test", +) + +py_gapic_library( + name = "securitycenter_py_gapic", + srcs = [":securitycenter_proto"], + grpc_service_config = "securitycenter_grpc_service_config.json", + transport = "grpc", + deps = [ + "//google/iam/v1:iam_policy_py_proto", + ], +) + +py_test( + name 
= "securitycenter_py_gapic_test", + srcs = [ + "securitycenter_py_gapic_pytest.py", + "securitycenter_py_gapic_test.py", + ], + legacy_create_init = False, + deps = [":securitycenter_py_gapic"], +) + +# Open Source Packages +py_gapic_assembly_pkg( + name = "securitycenter-v1p1beta1-py", + deps = [ + ":securitycenter_py_gapic", + ], +) + +############################################################################## +# PHP +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "php_gapic_assembly_pkg", + "php_gapic_library", + "php_grpc_library", + "php_proto_library", +) + +php_proto_library( + name = "securitycenter_php_proto", + deps = [":securitycenter_proto"], +) + +php_grpc_library( + name = "securitycenter_php_grpc", + srcs = [":securitycenter_proto"], + deps = [":securitycenter_php_proto"], +) + +php_gapic_library( + name = "securitycenter_php_gapic", + srcs = [":securitycenter_proto_with_info"], + grpc_service_config = "securitycenter_grpc_service_config.json", + service_yaml = "securitycenter_v1p1beta1.yaml", + deps = [ + ":securitycenter_php_grpc", + ":securitycenter_php_proto", + ], +) + +# Open Source Packages +php_gapic_assembly_pkg( + name = "google-cloud-securitycenter-v1p1beta1-php", + deps = [ + ":securitycenter_php_gapic", + ":securitycenter_php_grpc", + ":securitycenter_php_proto", + ], +) + +############################################################################## +# Node.js +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "nodejs_gapic_assembly_pkg", + "nodejs_gapic_library", +) + +nodejs_gapic_library( + name = "securitycenter_nodejs_gapic", + package_name = "@google-cloud/security-center", + src = ":securitycenter_proto_with_info", + extra_protoc_parameters = ["metadata"], + grpc_service_config = "securitycenter_grpc_service_config.json", + package = 
"google.cloud.securitycenter.v1p1beta1", + service_yaml = "securitycenter_v1p1beta1.yaml", + deps = [], +) + +nodejs_gapic_assembly_pkg( + name = "securitycenter-v1p1beta1-nodejs", + deps = [ + ":securitycenter_nodejs_gapic", + ":securitycenter_proto", + ], +) + +############################################################################## +# Ruby +############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "ruby_cloud_gapic_library", + "ruby_gapic_assembly_pkg", + "ruby_grpc_library", + "ruby_proto_library", +) + +ruby_proto_library( + name = "securitycenter_ruby_proto", + deps = [":securitycenter_proto"], +) + +ruby_grpc_library( + name = "securitycenter_ruby_grpc", + srcs = [":securitycenter_proto"], + deps = [":securitycenter_ruby_proto"], +) + +ruby_cloud_gapic_library( + name = "securitycenter_ruby_gapic", + srcs = [":securitycenter_proto_with_info"], + extra_protoc_parameters = [ + "ruby-cloud-gem-name=google-cloud-security_center-v1p1beta1", + "ruby-cloud-env-prefix=SECURITY_CENTER", + "ruby-cloud-product-url=https://cloud.google.com/security-command-center", + "ruby-cloud-api-id=securitycenter.googleapis.com", + "ruby-cloud-api-shortname=securitycenter", + ], + grpc_service_config = "securitycenter_grpc_service_config.json", + ruby_cloud_description = "Security Command Center API provides access to temporal views of assets and findings within an organization.", + ruby_cloud_title = "Cloud Security Command Center V1p1beta1", + deps = [ + ":securitycenter_ruby_grpc", + ":securitycenter_ruby_proto", + ], +) + +# Open Source Packages +ruby_gapic_assembly_pkg( + name = "google-cloud-securitycenter-v1p1beta1-ruby", + deps = [ + ":securitycenter_ruby_gapic", + ":securitycenter_ruby_grpc", + ":securitycenter_ruby_proto", + ], +) + +############################################################################## +# C# 
+############################################################################## +load( + "@com_google_googleapis_imports//:imports.bzl", + "csharp_gapic_assembly_pkg", + "csharp_gapic_library", + "csharp_grpc_library", + "csharp_proto_library", +) + +csharp_proto_library( + name = "securitycenter_csharp_proto", + deps = [":securitycenter_proto"], +) + +csharp_grpc_library( + name = "securitycenter_csharp_grpc", + srcs = [":securitycenter_proto"], + deps = [":securitycenter_csharp_proto"], +) + +csharp_gapic_library( + name = "securitycenter_csharp_gapic", + srcs = [":securitycenter_proto_with_info"], + common_resources_config = "@gax_dotnet//:Google.Api.Gax/ResourceNames/CommonResourcesConfig.json", + grpc_service_config = "securitycenter_grpc_service_config.json", + service_yaml = "securitycenter_v1p1beta1.yaml", + deps = [ + ":securitycenter_csharp_grpc", + ":securitycenter_csharp_proto", + ], +) + +# Open Source Packages +csharp_gapic_assembly_pkg( + name = "google-cloud-securitycenter-v1p1beta1-csharp", + deps = [ + ":securitycenter_csharp_gapic", + ":securitycenter_csharp_grpc", + ":securitycenter_csharp_proto", + ], +) diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/asset.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/asset.proto new file mode 100644 index 0000000..45fdcbf --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/asset.proto 
@@ -0,0 +1,134 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.v1p1beta1; + +import "google/api/resource.proto"; +import "google/cloud/securitycenter/v1p1beta1/folder.proto"; +import "google/cloud/securitycenter/v1p1beta1/security_marks.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; + +option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter"; +option java_multiple_files = true; +option java_package = "com.google.cloud.securitycenter.v1p1beta1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1"; +option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1"; + +// Security Command Center representation of a Google Cloud +// resource. +// +// The Asset is a Security Command Center resource that captures information +// about a single Google Cloud resource. All modifications to an Asset are only +// within the context of Security Command Center and don't affect the referenced +// Google Cloud resource. 
+message Asset { + option (google.api.resource) = { + type: "securitycenter.googleapis.com/Asset" + pattern: "organizations/{organization}/assets/{asset}" + pattern: "folders/{folder}/assets/{asset}" + pattern: "projects/{project}/assets/{asset}" + }; + + // Security Command Center managed properties. These properties are managed by + // Security Command Center and cannot be modified by the user. + message SecurityCenterProperties { + // The full resource name of the Google Cloud resource this asset + // represents. This field is immutable after create time. See: + // https://cloud.google.com/apis/design/resource_names#full_resource_name + string resource_name = 1; + + // The type of the Google Cloud resource. Examples include: APPLICATION, + // PROJECT, and ORGANIZATION. This is a case insensitive field defined by + // Security Command Center and/or the producer of the resource and is + // immutable after create time. + string resource_type = 2; + + // The full resource name of the immediate parent of the resource. See: + // https://cloud.google.com/apis/design/resource_names#full_resource_name + string resource_parent = 3; + + // The full resource name of the project the resource belongs to. See: + // https://cloud.google.com/apis/design/resource_names#full_resource_name + string resource_project = 4; + + // Owners of the Google Cloud resource. + repeated string resource_owners = 5; + + // The user defined display name for this resource. + string resource_display_name = 6; + + // The user defined display name for the parent of this resource. + string resource_parent_display_name = 7; + + // The user defined display name for the project of this resource. + string resource_project_display_name = 8; + + // Contains a Folder message for each folder in the assets ancestry. + // The first folder is the deepest nested folder, and the last folder is the + // folder directly under the Organization. 
+ repeated Folder folders = 10; + } + + // Cloud IAM Policy information associated with the Google Cloud resource + // described by the Security Command Center asset. This information is managed + // and defined by the Google Cloud resource and cannot be modified by the + // user. + message IamPolicy { + // The JSON representation of the Policy associated with the asset. + // See https://cloud.google.com/iam/docs/reference/rest/v1/Policy for + // format details. + string policy_blob = 1; + } + + // The relative resource name of this asset. See: + // https://cloud.google.com/apis/design/resource_names#relative_resource_name + // Example: + // "organizations/{organization_id}/assets/{asset_id}". + string name = 1; + + // Security Command Center managed properties. These properties are managed by + // Security Command Center and cannot be modified by the user. + SecurityCenterProperties security_center_properties = 2; + + // Resource managed properties. These properties are managed and defined by + // the Google Cloud resource and cannot be modified by the user. + map<string, google.protobuf.Value> resource_properties = 7; + + // User specified security marks. These marks are entirely managed by the user + // and come from the SecurityMarks resource that belongs to the asset. + SecurityMarks security_marks = 8; + + // The time at which the asset was created in Security Command Center. + google.protobuf.Timestamp create_time = 9; + + // The time at which the asset was last updated or added in Cloud SCC. + google.protobuf.Timestamp update_time = 10; + + // Cloud IAM Policy information associated with the Google Cloud resource + // described by the Security Command Center asset. This information is managed + // and defined by the Google Cloud resource and cannot be modified by the + // user. + IamPolicy iam_policy = 11; + + // The canonical name of the resource. 
It's either
+ // "organizations/{organization_id}/assets/{asset_id}",
+ // "folders/{folder_id}/assets/{asset_id}" or
+ // "projects/{project_number}/assets/{asset_id}", depending on the closest CRM
+ // ancestor of the resource.
+ string canonical_name = 13;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/finding.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/finding.proto
new file mode 100644
index 0000000..5edd3d8
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/finding.proto
@@ -0,0 +1,145 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.v1p1beta1; + +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; +import "google/cloud/securitycenter/v1p1beta1/security_marks.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; + +option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter"; +option java_multiple_files = true; +option java_package = "com.google.cloud.securitycenter.v1p1beta1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1"; +option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1"; + +// Security Command Center finding. +// +// A finding is a record of assessment data (security, risk, health or privacy) +// ingested into Security Command Center for presentation, notification, +// analysis, policy testing, and enforcement. For example, an XSS vulnerability +// in an App Engine application is a finding. 
+message Finding { + option (google.api.resource) = { + type: "securitycenter.googleapis.com/Finding" + pattern: "organizations/{organization}/sources/{source}/findings/{finding}" + pattern: "folders/{folder}/sources/{source}/findings/{finding}" + pattern: "projects/{project}/sources/{source}/findings/{finding}" + }; + + // The state of the finding. + enum State { + // Unspecified state. + STATE_UNSPECIFIED = 0; + + // The finding requires attention and has not been addressed yet. + ACTIVE = 1; + + // The finding has been fixed, triaged as a non-issue or otherwise addressed + // and is no longer active. + INACTIVE = 2; + } + + // The severity of the finding. This field is managed by the source that + // writes the finding. + enum Severity { + // No severity specified. The default value. + SEVERITY_UNSPECIFIED = 0; + + // Critical severity. + CRITICAL = 1; + + // High severity. + HIGH = 2; + + // Medium severity. + MEDIUM = 3; + + // Low severity. + LOW = 4; + } + + // The relative resource name of this finding. See: + // https://cloud.google.com/apis/design/resource_names#relative_resource_name + // Example: + // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}" + string name = 1; + + // The relative resource name of the source the finding belongs to. See: + // https://cloud.google.com/apis/design/resource_names#relative_resource_name + // This field is immutable after creation time. + // For example: + // "organizations/{organization_id}/sources/{source_id}" + string parent = 2; + + // For findings on Google Cloud resources, the full resource + // name of the Google Cloud resource this finding is for. See: + // https://cloud.google.com/apis/design/resource_names#full_resource_name + // When the finding is for a non-Google Cloud resource, the resourceName can + // be a customer or partner defined string. This field is immutable after + // creation time. + string resource_name = 3; + + // The state of the finding. 
+ State state = 4; + + // The additional taxonomy group within findings from a given source. + // This field is immutable after creation time. + // Example: "XSS_FLASH_INJECTION" + string category = 5; + + // The URI that, if available, points to a web page outside of Security + // Command Center where additional information about the finding can be found. + // This field is guaranteed to be either empty or a well formed URL. + string external_uri = 6; + + // Source specific properties. These properties are managed by the source + // that writes the finding. The key names in the source_properties map must be + // between 1 and 255 characters, and must start with a letter and contain + // alphanumeric characters or underscores only. + map<string, google.protobuf.Value> source_properties = 7; + + // Output only. User specified security marks. These marks are entirely + // managed by the user and come from the SecurityMarks resource that belongs + // to the finding. + SecurityMarks security_marks = 8 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // The time at which the event took place, or when an update to the finding + // occurred. For example, if the finding represents an open firewall it would + // capture the time the detector believes the firewall became open. The + // accuracy is determined by the detector. If the finding were to be resolved + // afterward, this time would reflect when the finding was resolved. Must not + // be set to a value greater than the current timestamp. + google.protobuf.Timestamp event_time = 9; + + // The time at which the finding was created in Security Command Center. + google.protobuf.Timestamp create_time = 10; + + // The severity of the finding. This field is managed by the source that + // writes the finding. + Severity severity = 13; + + // The canonical name of the finding. 
It's either
+ // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}",
+ // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}" or
+ // "projects/{project_number}/sources/{source_id}/findings/{finding_id}",
+ // depending on the closest CRM ancestor of the resource associated with the
+ // finding.
+ string canonical_name = 14;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/folder.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/folder.proto
new file mode 100644
index 0000000..28a5871
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/folder.proto
@@ -0,0 +1,37 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1p1beta1;
+
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "FolderProto";
+option java_package = "com.google.cloud.securitycenter.v1p1beta1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1p1Beta1";
+
+// Message that contains the resource name and display name of a folder
+// resource.
+message Folder {
+ // Full resource name of this folder. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ string resource_folder = 1;
+
+ // The user defined display name for this folder.
+ string resource_folder_display_name = 2;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/notification_config.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/notification_config.proto
new file mode 100644
index 0000000..faaab37
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/notification_config.proto
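Review bot: The `ruby_package` option in this new folder.proto is `Google::Cloud::SecurityCenter::V1p1Beta1` (capital B), while every other v1p1beta1 proto in this drop, including asset.proto and resource.proto which embed `Folder`, declares `Google::Cloud::SecurityCenter::V1p1beta1`. The Ruby gem assembled from these sources by the `securitycenter_ruby_gapic` target will presumably place `Folder` under a different module constant than the messages that reference it, so consumers of the generated Ruby code would need to know about the odd spelling. Since this is a vendored third_party copy, the fix should be applied upstream or the vendored revision pinned to one that carries it, but the one-line change is `option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1";`. If a local patch is kept instead, it is worth a short note next to the vendoring script so the next re-import does not silently revert it.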
@@ -0,0 +1,107 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.v1p1beta1; + +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; + +option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter"; +option java_multiple_files = true; +option java_package = "com.google.cloud.securitycenter.v1p1beta1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1"; +option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1"; +option (google.api.resource_definition) = { + type: "pubsub.googleapis.com/Topic" + pattern: "projects/{project}/topics/{topic}" +}; + +// Security Command Center notification configs. +// +// A notification config is a Security Command Center resource that contains the +// configuration to send notifications for create/update events of findings, +// assets and etc. +message NotificationConfig { + option (google.api.resource) = { + type: "securitycenter.googleapis.com/NotificationConfig" + pattern: "organizations/{organization}/notificationConfigs/{notification_config}" + }; + + // The config for streaming-based notifications, which send each event as soon + // as it is detected. 
+ message StreamingConfig { + // Expression that defines the filter to apply across create/update events + // of assets or findings as specified by the event type. The expression is a + // list of zero or more restrictions combined via logical operators `AND` + // and `OR`. Parentheses are supported, and `OR` has higher precedence than + // `AND`. + // + // Restrictions have the form `<field> <operator> <value>` and may have a + // `-` character in front of them to indicate negation. The fields map to + // those defined in the corresponding resource. + // + // The supported operators are: + // + // * `=` for all value types. + // * `>`, `<`, `>=`, `<=` for integer values. + // * `:`, meaning substring matching, for strings. + // + // The supported value types are: + // + // * string literals in quotes. + // * integer literals without quotes. + // * boolean literals `true` and `false` without quotes. + string filter = 1; + } + + // The type of events. + enum EventType { + // Unspecified event type. + EVENT_TYPE_UNSPECIFIED = 0; + + // Events for findings. + FINDING = 1; + } + + // The relative resource name of this notification config. See: + // https://cloud.google.com/apis/design/resource_names#relative_resource_name + // Example: + // "organizations/{organization_id}/notificationConfigs/notify_public_bucket". + string name = 1; + + // The description of the notification config (max of 1024 characters). + string description = 2; + + // The type of events the config is for, e.g. FINDING. + EventType event_type = 3; + + // The Pub/Sub topic to send notifications to. Its format is + // "projects/[project_id]/topics/[topic]". + string pubsub_topic = 4 [(google.api.resource_reference) = { + type: "pubsub.googleapis.com/Topic" + }]; + + // Output only. The service account that needs "pubsub.topics.publish" + // permission to publish to the Pub/Sub topic. 
+ string service_account = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // The config for triggering notifications.
+ oneof notify_config {
+ // The config for triggering streaming-based notifications.
+ StreamingConfig streaming_config = 6;
+ }
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/notification_message.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/notification_message.proto
new file mode 100644
index 0000000..78a3e78
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/notification_message.proto
@@ -0,0 +1,43 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1p1beta1;
+
+import "google/cloud/securitycenter/v1p1beta1/finding.proto";
+import "google/cloud/securitycenter/v1p1beta1/resource.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1p1beta1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1";
+
+// Security Command Center's Notification
+message NotificationMessage {
+ // Name of the notification config that generated current notification.
+ string notification_config_name = 1;
+
+ // Notification Event.
+ oneof event {
+ // If it's a Finding based notification config, this field will be
+ // populated.
+ Finding finding = 2;
+ }
+
+ // The Cloud resource tied to the notification.
+ Resource resource = 3;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/organization_settings.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/organization_settings.proto
new file mode 100644
index 0000000..b80f046
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/organization_settings.proto 
@@ -0,0 +1,85 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.v1p1beta1; + +import "google/api/resource.proto"; + +option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter"; +option java_multiple_files = true; +option java_package = "com.google.cloud.securitycenter.v1p1beta1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1"; +option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1"; + +// User specified settings that are attached to the Security Command +// Center organization. +message OrganizationSettings { + option (google.api.resource) = { + type: "securitycenter.googleapis.com/OrganizationSettings" + pattern: "organizations/{organization}/organizationSettings" + }; + + // The configuration used for Asset Discovery runs. + message AssetDiscoveryConfig { + // The mode of inclusion when running Asset Discovery. + // Asset discovery can be limited by explicitly identifying projects to be + // included or excluded. If INCLUDE_ONLY is set, then only those projects + // within the organization and their children are discovered during asset + // discovery. If EXCLUDE is set, then projects that don't match those + // projects are discovered during asset discovery. 
If neither are set, then + // all projects within the organization are discovered during asset + // discovery. + enum InclusionMode { + // Unspecified. Setting the mode with this value will disable + // inclusion/exclusion filtering for Asset Discovery. + INCLUSION_MODE_UNSPECIFIED = 0; + + // Asset Discovery will capture only the resources within the projects + // specified. All other resources will be ignored. + INCLUDE_ONLY = 1; + + // Asset Discovery will ignore all resources under the projects specified. + // All other resources will be retrieved. + EXCLUDE = 2; + } + + // The project ids to use for filtering asset discovery. + repeated string project_ids = 1; + + // The mode to use for filtering asset discovery. + InclusionMode inclusion_mode = 2; + + // The folder ids to use for filtering asset discovery. + // It consists of only digits, e.g., 756619654966. + repeated string folder_ids = 3; + } + + // The relative resource name of the settings. See: + // https://cloud.google.com/apis/design/resource_names#relative_resource_name + // Example: + // "organizations/{organization_id}/organizationSettings". + string name = 1; + + // A flag that indicates if Asset Discovery should be enabled. If the flag is + // set to `true`, then discovery of assets will occur. If it is set to `false, + // all historical assets will remain, but discovery of future assets will not + // occur. + bool enable_asset_discovery = 2; + + // The configuration used for Asset Discovery runs. + AssetDiscoveryConfig asset_discovery_config = 3; +} diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/resource.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/resource.proto new file mode 100644 index 0000000..3b2d2d4 --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/resource.proto 
@@ -0,0 +1,52 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1p1beta1;
+
+import "google/api/field_behavior.proto";
+import "google/cloud/securitycenter/v1p1beta1/folder.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter";
+option java_multiple_files = true;
+option java_outer_classname = "ResourceProto";
+option java_package = "com.google.cloud.securitycenter.v1p1beta1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1";
+
+// Information related to the Google Cloud resource.
+message Resource {
+ // The full resource name of the resource. See:
+ // https://cloud.google.com/apis/design/resource_names#full_resource_name
+ string name = 1;
+
+ // The full resource name of project that the resource belongs to.
+ string project = 2;
+
+ // The human readable name of project that the resource belongs to.
+ string project_display_name = 3;
+
+ // The full resource name of resource's parent.
+ string parent = 4;
+
+ // The human readable name of resource's parent.
+ string parent_display_name = 5;
+
+ // Output only. Contains a Folder message for each folder in the assets ancestry.
+ // The first folder is the deepest nested folder, and the last folder is the
+ // folder directly under the Organization.
+ repeated Folder folders = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/run_asset_discovery_response.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/run_asset_discovery_response.proto
new file mode 100644
index 0000000..835e33f
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/run_asset_discovery_response.proto
@@ -0,0 +1,51 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1p1beta1;
+
+import "google/protobuf/duration.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1p1beta1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1";
+
+// Response of asset discovery run
+message RunAssetDiscoveryResponse {
+ // The state of an asset discovery run.
+ enum State {
+ // Asset discovery run state was unspecified.
+ STATE_UNSPECIFIED = 0;
+
+ // Asset discovery run completed successfully.
+ COMPLETED = 1;
+
+ // Asset discovery run was cancelled with tasks still pending, as another
+ // run for the same organization was started with a higher priority.
+ SUPERSEDED = 2;
+
+ // Asset discovery run was killed and terminated.
+ TERMINATED = 3;
+ }
+
+ // The state of an asset discovery run.
+ State state = 1;
+
+ // The duration between asset discovery run start and end
+ google.protobuf.Duration duration = 2;
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/security_marks.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/security_marks.proto
new file mode 100644
index 0000000..2245605
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/security_marks.proto
@@ -0,0 +1,69 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.securitycenter.v1p1beta1; + +import "google/api/resource.proto"; + +option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter"; +option java_multiple_files = true; +option java_package = "com.google.cloud.securitycenter.v1p1beta1"; +option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1"; +option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1"; + +// User specified security marks that are attached to the parent Security +// Command Center resource. Security marks are scoped within a Security Command +// Center organization -- they can be modified and viewed by all users who have +// proper permissions on the organization. 
+message SecurityMarks { + option (google.api.resource) = { + type: "securitycenter.googleapis.com/SecurityMarks" + pattern: "organizations/{organization}/assets/{asset}/securityMarks" + pattern: "organizations/{organization}/sources/{source}/findings/{finding}/securityMarks" + pattern: "folders/{folder}/assets/{asset}/securityMarks" + pattern: "projects/{project}/assets/{asset}/securityMarks" + pattern: "folders/{folder}/sources/{source}/findings/{finding}/securityMarks" + pattern: "projects/{project}/sources/{source}/findings/{finding}/securityMarks" + }; + + // The relative resource name of the SecurityMarks. See: + // https://cloud.google.com/apis/design/resource_names#relative_resource_name + // Examples: + // "organizations/{organization_id}/assets/{asset_id}/securityMarks" + // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks". + string name = 1; + + // Mutable user specified security marks belonging to the parent resource. + // Constraints are as follows: + // + // * Keys and values are treated as case insensitive + // * Keys must be between 1 - 256 characters (inclusive) + // * Keys must be letters, numbers, underscores, or dashes + // * Values have leading and trailing whitespace trimmed, remaining + // characters must be between 1 - 4096 characters (inclusive) + map<string, string> marks = 2; + + // The canonical name of the marks. + // Examples: + // "organizations/{organization_id}/assets/{asset_id}/securityMarks" + // "folders/{folder_id}/assets/{asset_id}/securityMarks" + // "projects/{project_number}/assets/{asset_id}/securityMarks" + // "organizations/{organization_id}/sources/{source_id}/findings/{finding_id}/securityMarks" + // "folders/{folder_id}/sources/{source_id}/findings/{finding_id}/securityMarks" + // "projects/{project_number}/sources/{source_id}/findings/{finding_id}/securityMarks" + string canonical_name = 3; +} 
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/securitycenter_grpc_service_config.json b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/securitycenter_grpc_service_config.json
new file mode 100755
index 0000000..4730a62
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/securitycenter_grpc_service_config.json
@@ -0,0 +1,135 @@
+{
+ "methodConfig": [
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "CreateSource"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "CreateFinding"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "CreateNotificationConfig"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "DeleteNotificationConfig"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "RunAssetDiscovery"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "SetFindingState"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "SetIamPolicy"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "UpdateFinding"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "UpdateNotificationConfig"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "UpdateOrganizationSettings"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "UpdateSource"
+ }
+ ],
+ "timeout": "60s"
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "GetIamPolicy"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "GetNotificationConfig"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "GetOrganizationSettings"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "GetSource"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "ListNotificationConfigs"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "ListSources"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "TestIamPermissions"
+ }
+ ],
+ "timeout": "60s",
+ "retryPolicy": {
+ "initialBackoff": "0.100s",
+ "maxBackoff": "60s",
+ "backoffMultiplier": 1.3,
+ "retryableStatusCodes": [
+ "DEADLINE_EXCEEDED",
+ "UNAVAILABLE"
+ ]
+ }
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "UpdateSecurityMarks"
+ }
+ ],
+ "timeout": "480s"
+ },
+ {
+ "name": [
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "GroupAssets"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "GroupFindings"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "ListAssets"
+ },
+ {
+ "service": "google.cloud.securitycenter.v1p1beta1.SecurityCenter",
+ "method": "ListFindings"
+ }
+ ],
+ "timeout": "480s",
+ "retryPolicy": {
+ "maxAttempts": 5,
+ "initialBackoff": "0.100s",
+ "maxBackoff": "60s",
+ "backoffMultiplier": 1.3,
+ "retryableStatusCodes": [
+ "DEADLINE_EXCEEDED",
+ "UNAVAILABLE"
+ ]
+ }
+ }
+ ]
+}
diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/securitycenter_service.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/securitycenter_service.proto
new file mode 100644
index 0000000..958e697
--- /dev/null
+++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/securitycenter_service.proto
@@ -0,0 +1,1351 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1p1beta1;
+
+import public "google/cloud/securitycenter/v1p1beta1/notification_message.proto";
+import public "google/cloud/securitycenter/v1p1beta1/run_asset_discovery_response.proto";
+import "google/api/annotations.proto";
+import "google/api/client.proto";
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/cloud/securitycenter/v1p1beta1/asset.proto";
+import "google/cloud/securitycenter/v1p1beta1/finding.proto";
+import "google/cloud/securitycenter/v1p1beta1/folder.proto";
+import "google/cloud/securitycenter/v1p1beta1/notification_config.proto";
+import "google/cloud/securitycenter/v1p1beta1/organization_settings.proto";
+import "google/cloud/securitycenter/v1p1beta1/security_marks.proto";
+import "google/cloud/securitycenter/v1p1beta1/source.proto";
+import "google/iam/v1/iam_policy.proto";
+import "google/iam/v1/policy.proto";
+import "google/longrunning/operations.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1p1beta1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1";
+
+// V1p1Beta1 APIs for Security Center service.
+service SecurityCenter {
+ option (google.api.default_host) = "securitycenter.googleapis.com";
+ option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+
+ // Creates a source.
+ rpc CreateSource(CreateSourceRequest) returns (Source) {
+ option (google.api.http) = {
+ post: "/v1p1beta1/{parent=organizations/*}/sources"
+ body: "source"
+ };
+ option (google.api.method_signature) = "parent,source";
+ }
+
+ // Creates a finding. The corresponding source must exist for finding
+ // creation to succeed.
+ rpc CreateFinding(CreateFindingRequest) returns (Finding) {
+ option (google.api.http) = {
+ post: "/v1p1beta1/{parent=organizations/*/sources/*}/findings"
+ body: "finding"
+ };
+ option (google.api.method_signature) = "parent,finding_id,finding";
+ option (google.api.method_signature) = "parent,finding,finding_id";
+ }
+
+ // Creates a notification config.
+ rpc CreateNotificationConfig(CreateNotificationConfigRequest) returns (NotificationConfig) {
+ option (google.api.http) = {
+ post: "/v1p1beta1/{parent=organizations/*}/notificationConfigs"
+ body: "notification_config"
+ };
+ option (google.api.method_signature) = "parent,config_id,notification_config";
+ option (google.api.method_signature) = "parent,notification_config";
+ }
+
+ // Deletes a notification config.
+ rpc DeleteNotificationConfig(DeleteNotificationConfigRequest) returns (google.protobuf.Empty) {
+ option (google.api.http) = {
+ delete: "/v1p1beta1/{name=organizations/*/notificationConfigs/*}"
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Gets the access control policy on the specified Source.
+ rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
+ option (google.api.http) = {
+ post: "/v1p1beta1/{resource=organizations/*/sources/*}:getIamPolicy"
+ body: "*"
+ };
+ option (google.api.method_signature) = "resource";
+ }
+
+ // Gets a notification config.
+ rpc GetNotificationConfig(GetNotificationConfigRequest) returns (NotificationConfig) {
+ option (google.api.http) = {
+ get: "/v1p1beta1/{name=organizations/*/notificationConfigs/*}"
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Gets the settings for an organization.
+ rpc GetOrganizationSettings(GetOrganizationSettingsRequest) returns (OrganizationSettings) {
+ option (google.api.http) = {
+ get: "/v1p1beta1/{name=organizations/*/organizationSettings}"
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Gets a source.
+ rpc GetSource(GetSourceRequest) returns (Source) {
+ option (google.api.http) = {
+ get: "/v1p1beta1/{name=organizations/*/sources/*}"
+ };
+ option (google.api.method_signature) = "name";
+ }
+
+ // Filters an organization's assets and groups them by their specified
+ // properties.
+ rpc GroupAssets(GroupAssetsRequest) returns (GroupAssetsResponse) {
+ option (google.api.http) = {
+ post: "/v1p1beta1/{parent=organizations/*}/assets:group"
+ body: "*"
+ additional_bindings {
+ post: "/v1p1beta1/{parent=folders/*}/assets:group"
+ body: "*"
+ }
+ additional_bindings {
+ post: "/v1p1beta1/{parent=projects/*}/assets:group"
+ body: "*"
+ }
+ };
+ }
+
+ // Filters an organization or source's findings and groups them by their
+ // specified properties.
+ // + // To group across all sources provide a `-` as the source id. + // Example: /v1/organizations/{organization_id}/sources/-/findings, + // /v1/folders/{folder_id}/sources/-/findings, + // /v1/projects/{project_id}/sources/-/findings + rpc GroupFindings(GroupFindingsRequest) returns (GroupFindingsResponse) { + option (google.api.http) = { + post: "/v1p1beta1/{parent=organizations/*/sources/*}/findings:group" + body: "*" + additional_bindings { + post: "/v1p1beta1/{parent=folders/*/sources/*}/findings:group" + body: "*" + } + additional_bindings { + post: "/v1p1beta1/{parent=projects/*/sources/*}/findings:group" + body: "*" + } + }; + option (google.api.method_signature) = "parent,group_by"; + } + + // Lists an organization's assets. + rpc ListAssets(ListAssetsRequest) returns (ListAssetsResponse) { + option (google.api.http) = { + get: "/v1p1beta1/{parent=organizations/*}/assets" + additional_bindings { + get: "/v1p1beta1/{parent=folders/*}/assets" + } + additional_bindings { + get: "/v1p1beta1/{parent=projects/*}/assets" + } + }; + option (google.api.method_signature) = "parent"; + } + + // Lists an organization or source's findings. + // + // To list across all sources provide a `-` as the source id. + // Example: /v1p1beta1/organizations/{organization_id}/sources/-/findings + rpc ListFindings(ListFindingsRequest) returns (ListFindingsResponse) { + option (google.api.http) = { + get: "/v1p1beta1/{parent=organizations/*/sources/*}/findings" + additional_bindings { + get: "/v1p1beta1/{parent=folders/*/sources/*}/findings" + } + additional_bindings { + get: "/v1p1beta1/{parent=projects/*/sources/*}/findings" + } + }; + option (google.api.method_signature) = "parent"; + } + + // Lists notification configs. 
+ rpc ListNotificationConfigs(ListNotificationConfigsRequest) returns (ListNotificationConfigsResponse) { + option (google.api.http) = { + get: "/v1p1beta1/{parent=organizations/*}/notificationConfigs" + }; + option (google.api.method_signature) = "parent"; + } + + // Lists all sources belonging to an organization. + rpc ListSources(ListSourcesRequest) returns (ListSourcesResponse) { + option (google.api.http) = { + get: "/v1p1beta1/{parent=organizations/*}/sources" + additional_bindings { + get: "/v1p1beta1/{parent=folders/*}/sources" + } + additional_bindings { + get: "/v1p1beta1/{parent=projects/*}/sources" + } + }; + option (google.api.method_signature) = "parent"; + } + + // Runs asset discovery. The discovery is tracked with a long-running + // operation. + // + // This API can only be called with limited frequency for an organization. If + // it is called too frequently the caller will receive a TOO_MANY_REQUESTS + // error. + rpc RunAssetDiscovery(RunAssetDiscoveryRequest) returns (google.longrunning.Operation) { + option (google.api.http) = { + post: "/v1p1beta1/{parent=organizations/*}/assets:runDiscovery" + body: "*" + }; + option (google.api.method_signature) = "parent"; + option (google.longrunning.operation_info) = { + response_type: "google.cloud.securitycenter.v1p1beta1.RunAssetDiscoveryResponse" + metadata_type: "google.protobuf.Empty" + }; + } + + // Updates the state of a finding. + rpc SetFindingState(SetFindingStateRequest) returns (Finding) { + option (google.api.http) = { + post: "/v1p1beta1/{name=organizations/*/sources/*/findings/*}:setState" + body: "*" + additional_bindings { + post: "/v1p1beta1/{name=folders/*/sources/*/findings/*}:setState" + body: "*" + } + additional_bindings { + post: "/v1p1beta1/{name=projects/*/sources/*/findings/*}:setState" + body: "*" + } + }; + option (google.api.method_signature) = "name,state,start_time"; + } + + // Sets the access control policy on the specified Source. 
+ rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { + post: "/v1p1beta1/{resource=organizations/*/sources/*}:setIamPolicy" + body: "*" + }; + option (google.api.method_signature) = "resource,policy"; + } + + // Returns the permissions that a caller has on the specified source. + rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { + option (google.api.http) = { + post: "/v1p1beta1/{resource=organizations/*/sources/*}:testIamPermissions" + body: "*" + }; + option (google.api.method_signature) = "resource,permissions"; + } + + // Creates or updates a finding. The corresponding source must exist for a + // finding creation to succeed. + rpc UpdateFinding(UpdateFindingRequest) returns (Finding) { + option (google.api.http) = { + patch: "/v1p1beta1/{finding.name=organizations/*/sources/*/findings/*}" + body: "finding" + additional_bindings { + patch: "/v1p1beta1/{finding.name=folders/*/sources/*/findings/*}" + body: "finding" + } + additional_bindings { + patch: "/v1p1beta1/{finding.name=projects/*/sources/*/findings/*}" + body: "finding" + } + }; + option (google.api.method_signature) = "finding"; + option (google.api.method_signature) = "finding,update_mask"; + } + + // Updates a notification config. The following update + // fields are allowed: description, pubsub_topic, streaming_config.filter + rpc UpdateNotificationConfig(UpdateNotificationConfigRequest) returns (NotificationConfig) { + option (google.api.http) = { + patch: "/v1p1beta1/{notification_config.name=organizations/*/notificationConfigs/*}" + body: "notification_config" + }; + option (google.api.method_signature) = "notification_config"; + option (google.api.method_signature) = "notification_config,update_mask"; + } + + // Updates an organization's settings. 
+ rpc UpdateOrganizationSettings(UpdateOrganizationSettingsRequest) returns (OrganizationSettings) { + option (google.api.http) = { + patch: "/v1p1beta1/{organization_settings.name=organizations/*/organizationSettings}" + body: "organization_settings" + }; + option (google.api.method_signature) = "organization_settings"; + } + + // Updates a source. + rpc UpdateSource(UpdateSourceRequest) returns (Source) { + option (google.api.http) = { + patch: "/v1p1beta1/{source.name=organizations/*/sources/*}" + body: "source" + }; + option (google.api.method_signature) = "source"; + option (google.api.method_signature) = "source,update_mask"; + } + + // Updates security marks. + rpc UpdateSecurityMarks(UpdateSecurityMarksRequest) returns (SecurityMarks) { + option (google.api.http) = { + patch: "/v1p1beta1/{security_marks.name=organizations/*/assets/*/securityMarks}" + body: "security_marks" + additional_bindings { + patch: "/v1p1beta1/{security_marks.name=folders/*/assets/*/securityMarks}" + body: "security_marks" + } + additional_bindings { + patch: "/v1p1beta1/{security_marks.name=projects/*/assets/*/securityMarks}" + body: "security_marks" + } + additional_bindings { + patch: "/v1p1beta1/{security_marks.name=organizations/*/sources/*/findings/*/securityMarks}" + body: "security_marks" + } + additional_bindings { + patch: "/v1p1beta1/{security_marks.name=folders/*/sources/*/findings/*/securityMarks}" + body: "security_marks" + } + additional_bindings { + patch: "/v1p1beta1/{security_marks.name=projects/*/sources/*/findings/*/securityMarks}" + body: "security_marks" + } + }; + option (google.api.method_signature) = "security_marks"; + option (google.api.method_signature) = "security_marks,update_mask"; + } +} + +// Request message for creating a finding. +message CreateFindingRequest { + // Required. Resource name of the new finding's parent. Its format should be + // "organizations/[organization_id]/sources/[source_id]". 
+ string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "securitycenter.googleapis.com/Source" + } + ]; + + // Required. Unique identifier provided by the client within the parent scope. + string finding_id = 2 [(google.api.field_behavior) = REQUIRED]; + + // Required. The Finding being created. The name and security_marks will be ignored as + // they are both output only fields on this resource. + Finding finding = 3 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for creating a notification config. +message CreateNotificationConfigRequest { + // Required. Resource name of the new notification config's parent. Its format is + // "organizations/[organization_id]". + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Organization" + } + ]; + + // Required. Unique identifier provided by the client within the parent scope. + // It must be between 1 and 128 characters, and contains alphanumeric + // characters, underscores or hyphens only. + string config_id = 2 [(google.api.field_behavior) = REQUIRED]; + + // Required. The notification config being created. The name and the service account + // will be ignored as they are both output only fields on this resource. + NotificationConfig notification_config = 3 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for creating a source. +message CreateSourceRequest { + // Required. Resource name of the new source's parent. Its format should be + // "organizations/[organization_id]". + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Organization" + } + ]; + + // Required. The Source being created, only the display_name and description will be + // used. All other fields will be ignored. 
+ Source source = 2 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for deleting a notification config. +message DeleteNotificationConfigRequest { + // Required. Name of the notification config to delete. Its format is + // "organizations/[organization_id]/notificationConfigs/[config_id]". + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "securitycenter.googleapis.com/NotificationConfig" + } + ]; +} + +// Request message for getting a notification config. +message GetNotificationConfigRequest { + // Required. Name of the notification config to get. Its format is + // "organizations/[organization_id]/notificationConfigs/[config_id]". + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "securitycenter.googleapis.com/NotificationConfig" + } + ]; +} + +// Request message for getting organization settings. +message GetOrganizationSettingsRequest { + // Required. Name of the organization to get organization settings for. Its format is + // "organizations/[organization_id]/organizationSettings". + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "securitycenter.googleapis.com/OrganizationSettings" + } + ]; +} + +// Request message for getting a source. +message GetSourceRequest { + // Required. Relative resource name of the source. Its format is + // "organizations/[organization_id]/source/[source_id]". + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "securitycenter.googleapis.com/Source" + } + ]; +} + +// Request message for grouping by assets. +message GroupAssetsRequest { + // Required. Name of the organization to groupBy. Its format is + // "organizations/[organization_id], folders/[folder_id], or + // projects/[project_id]". 
+ string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + child_type: "securitycenter.googleapis.com/Asset" + } + ]; + + // Expression that defines the filter to apply across assets. + // The expression is a list of zero or more restrictions combined via logical + // operators `AND` and `OR`. + // Parentheses are supported, and `OR` has higher precedence than `AND`. + // + // Restrictions have the form `<field> <operator> <value>` and may have a `-` + // character in front of them to indicate negation. The fields map to those + // defined in the Asset resource. Examples include: + // + // * name + // * security_center_properties.resource_name + // * resource_properties.a_property + // * security_marks.marks.marka + // + // The supported operators are: + // + // * `=` for all value types. + // * `>`, `<`, `>=`, `<=` for integer values. + // * `:`, meaning substring matching, for strings. + // + // The supported value types are: + // + // * string literals in quotes. + // * integer literals without quotes. + // * boolean literals `true` and `false` without quotes. + // + // The following field and operator combinations are supported: + // + // * name: `=` + // * update_time: `=`, `>`, `<`, `>=`, `<=` + // + // Usage: This should be milliseconds since epoch or an RFC3339 string. + // Examples: + // `update_time = "2019-06-10T16:07:18-07:00"` + // `update_time = 1560208038000` + // + // * create_time: `=`, `>`, `<`, `>=`, `<=` + // + // Usage: This should be milliseconds since epoch or an RFC3339 string. 
+ // Examples: + // `create_time = "2019-06-10T16:07:18-07:00"` + // `create_time = 1560208038000` + // + // * iam_policy.policy_blob: `=`, `:` + // * resource_properties: `=`, `:`, `>`, `<`, `>=`, `<=` + // * security_marks.marks: `=`, `:` + // * security_center_properties.resource_name: `=`, `:` + // * security_center_properties.resource_name_display_name: `=`, `:` + // * security_center_properties.resource_type: `=`, `:` + // * security_center_properties.resource_parent: `=`, `:` + // * security_center_properties.resource_parent_display_name: `=`, `:` + // * security_center_properties.resource_project: `=`, `:` + // * security_center_properties.resource_project_display_name: `=`, `:` + // * security_center_properties.resource_owners: `=`, `:` + // + // For example, `resource_properties.size = 100` is a valid filter string. + // + // Use a partial match on the empty string to filter based on a property + // existing: `resource_properties.my_property : ""` + // + // Use a negated partial match on the empty string to filter based on a + // property not existing: `-resource_properties.my_property : ""` + string filter = 2; + + // Required. Expression that defines what assets fields to use for grouping. The string + // value should follow SQL syntax: comma separated list of fields. For + // example: + // "security_center_properties.resource_project,security_center_properties.project". 
+ // + // The following fields are supported when compare_duration is not set: + // + // * security_center_properties.resource_project + // * security_center_properties.resource_project_display_name + // * security_center_properties.resource_type + // * security_center_properties.resource_parent + // * security_center_properties.resource_parent_display_name + // + // The following fields are supported when compare_duration is set: + // + // * security_center_properties.resource_type + // * security_center_properties.resource_project_display_name + // * security_center_properties.resource_parent_display_name + string group_by = 3 [(google.api.field_behavior) = REQUIRED]; + + // When compare_duration is set, the GroupResult's "state_change" property is + // updated to indicate whether the asset was added, removed, or remained + // present during the compare_duration period of time that precedes the + // read_time. This is the time between (read_time - compare_duration) and + // read_time. + // + // The state change value is derived based on the presence of the asset at the + // two points in time. Intermediate state changes between the two times don't + // affect the result. For example, the results aren't affected if the asset is + // removed and re-created again. + // + // Possible "state_change" values when compare_duration is specified: + // + // * "ADDED": indicates that the asset was not present at the start of + // compare_duration, but present at reference_time. + // * "REMOVED": indicates that the asset was present at the start of + // compare_duration, but not present at reference_time. + // * "ACTIVE": indicates that the asset was present at both the + // start and the end of the time period defined by + // compare_duration and reference_time. + // + // If compare_duration is not specified, then the only possible state_change + // is "UNUSED", which will be the state_change set for all assets present at + // read_time. 
+ // + // If this field is set then `state_change` must be a specified field in + // `group_by`. + google.protobuf.Duration compare_duration = 4; + + // Time used as a reference point when filtering assets. The filter is limited + // to assets existing at the supplied time and their values are those at that + // specific time. Absence of this field will default to the API's version of + // NOW. + google.protobuf.Timestamp read_time = 5; + + // The value returned by the last `GroupAssetsResponse`; indicates + // that this is a continuation of a prior `GroupAssets` call, and that the + // system should return the next page of data. + string page_token = 7; + + // The maximum number of results to return in a single response. Default is + // 10, minimum is 1, maximum is 1000. + int32 page_size = 8; +} + +// Response message for grouping by assets. +message GroupAssetsResponse { + // Group results. There exists an element for each existing unique + // combination of property/values. The element contains a count for the number + // of times those specific property/values appear. + repeated GroupResult group_by_results = 1; + + // Time used for executing the groupBy request. + google.protobuf.Timestamp read_time = 2; + + // Token to retrieve the next page of results, or empty if there are no more + // results. + string next_page_token = 3; + + // The total number of results matching the query. + int32 total_size = 4; +} + +// Request message for grouping by findings. +message GroupFindingsRequest { + // Required. Name of the source to groupBy. Its format is + // "organizations/[organization_id]/sources/[source_id]", + // folders/[folder_id]/sources/[source_id], or + // projects/[project_id]/sources/[source_id]. To groupBy across all sources + // provide a source_id of `-`. 
For example: + // organizations/{organization_id}/sources/-, folders/{folder_id}/sources/-, + // or projects/{project_id}/sources/- + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "securitycenter.googleapis.com/Source" + } + ]; + + // Expression that defines the filter to apply across findings. + // The expression is a list of one or more restrictions combined via logical + // operators `AND` and `OR`. + // Parentheses are supported, and `OR` has higher precedence than `AND`. + // + // Restrictions have the form `<field> <operator> <value>` and may have a `-` + // character in front of them to indicate negation. Examples include: + // + // * name + // * source_properties.a_property + // * security_marks.marks.marka + // + // The supported operators are: + // + // * `=` for all value types. + // * `>`, `<`, `>=`, `<=` for integer values. + // * `:`, meaning substring matching, for strings. + // + // The supported value types are: + // + // * string literals in quotes. + // * integer literals without quotes. + // * boolean literals `true` and `false` without quotes. + // + // The following field and operator combinations are supported: + // + // * name: `=` + // * parent: `=`, `:` + // * resource_name: `=`, `:` + // * state: `=`, `:` + // * category: `=`, `:` + // * external_uri: `=`, `:` + // * event_time: `=`, `>`, `<`, `>=`, `<=` + // * severity: `=`, `:` + // + // Usage: This should be milliseconds since epoch or an RFC3339 string. + // Examples: + // `event_time = "2019-06-10T16:07:18-07:00"` + // `event_time = 1560208038000` + // + // * security_marks.marks: `=`, `:` + // * source_properties: `=`, `:`, `>`, `<`, `>=`, `<=` + // + // For example, `source_properties.size = 100` is a valid filter string. 
+ // + // Use a partial match on the empty string to filter based on a property + // existing: `source_properties.my_property : ""` + // + // Use a negated partial match on the empty string to filter based on a + // property not existing: `-source_properties.my_property : ""` + string filter = 2; + + // Required. Expression that defines what assets fields to use for grouping (including + // `state_change`). The string value should follow SQL syntax: comma separated + // list of fields. For example: "parent,resource_name". + // + // The following fields are supported: + // + // * resource_name + // * category + // * state + // * parent + // * severity + // + // The following fields are supported when compare_duration is set: + // + // * state_change + string group_by = 3 [(google.api.field_behavior) = REQUIRED]; + + // Time used as a reference point when filtering findings. The filter is + // limited to findings existing at the supplied time and their values are + // those at that specific time. Absence of this field will default to the + // API's version of NOW. + google.protobuf.Timestamp read_time = 4; + + // When compare_duration is set, the GroupResult's "state_change" attribute is + // updated to indicate whether the finding had its state changed, the + // finding's state remained unchanged, or if the finding was added during the + // compare_duration period of time that precedes the read_time. This is the + // time between (read_time - compare_duration) and read_time. + // + // The state_change value is derived based on the presence and state of the + // finding at the two points in time. Intermediate state changes between the + // two times don't affect the result. For example, the results aren't affected + // if the finding is made inactive and then active again. 
+ // + // Possible "state_change" values when compare_duration is specified: + // + // * "CHANGED": indicates that the finding was present and matched the given + // filter at the start of compare_duration, but changed its + // state at read_time. + // * "UNCHANGED": indicates that the finding was present and matched the given + // filter at the start of compare_duration and did not change + // state at read_time. + // * "ADDED": indicates that the finding did not match the given filter or + // was not present at the start of compare_duration, but was + // present at read_time. + // * "REMOVED": indicates that the finding was present and matched the + // filter at the start of compare_duration, but did not match + // the filter at read_time. + // + // If compare_duration is not specified, then the only possible state_change + // is "UNUSED", which will be the state_change set for all findings present + // at read_time. + // + // If this field is set then `state_change` must be a specified field in + // `group_by`. + google.protobuf.Duration compare_duration = 5; + + // The value returned by the last `GroupFindingsResponse`; indicates + // that this is a continuation of a prior `GroupFindings` call, and + // that the system should return the next page of data. + string page_token = 7; + + // The maximum number of results to return in a single response. Default is + // 10, minimum is 1, maximum is 1000. + int32 page_size = 8; +} + +// Response message for group by findings. +message GroupFindingsResponse { + // Group results. There exists an element for each existing unique + // combination of property/values. The element contains a count for the number + // of times those specific property/values appear. + repeated GroupResult group_by_results = 1; + + // Time used for executing the groupBy request. + google.protobuf.Timestamp read_time = 2; + + // Token to retrieve the next page of results, or empty if there are no more + // results. 
+ string next_page_token = 3; + + // The total number of results matching the query. + int32 total_size = 4; +} + +// Result containing the properties and count of a groupBy request. +message GroupResult { + // Properties matching the groupBy fields in the request. + map<string, google.protobuf.Value> properties = 1; + + // Total count of resources for the given properties. + int64 count = 2; +} + +// Request message for listing notification configs. +message ListNotificationConfigsRequest { + // Required. Name of the organization to list notification configs. + // Its format is "organizations/[organization_id]". + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Organization" + } + ]; + + // The value returned by the last `ListNotificationConfigsResponse`; indicates + // that this is a continuation of a prior `ListNotificationConfigs` call, and + // that the system should return the next page of data. + string page_token = 2; + + // The maximum number of results to return in a single response. Default is + // 10, minimum is 1, maximum is 1000. + int32 page_size = 3; +} + +// Response message for listing notification configs. +message ListNotificationConfigsResponse { + // Notification configs belonging to the requested parent. + repeated NotificationConfig notification_configs = 1; + + // Token to retrieve the next page of results, or empty if there are no more + // results. + string next_page_token = 2; +} + +// Request message for listing sources. +message ListSourcesRequest { + // Required. Resource name of the parent of sources to list. Its format should be + // "organizations/[organization_id], folders/[folder_id], or + // projects/[project_id]". 
+ string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + child_type: "securitycenter.googleapis.com/Source" + } + ]; + + // The value returned by the last `ListSourcesResponse`; indicates + // that this is a continuation of a prior `ListSources` call, and + // that the system should return the next page of data. + string page_token = 2; + + // The maximum number of results to return in a single response. Default is + // 10, minimum is 1, maximum is 1000. + int32 page_size = 7; +} + +// Response message for listing sources. +message ListSourcesResponse { + // Sources belonging to the requested parent. + repeated Source sources = 1; + + // Token to retrieve the next page of results, or empty if there are no more + // results. + string next_page_token = 2; +} + +// Request message for listing assets. +message ListAssetsRequest { + // Required. Name of the organization assets should belong to. Its format is + // "organizations/[organization_id], folders/[folder_id], or + // projects/[project_id]". + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + child_type: "securitycenter.googleapis.com/Asset" + } + ]; + + // Expression that defines the filter to apply across assets. + // The expression is a list of zero or more restrictions combined via logical + // operators `AND` and `OR`. + // Parentheses are supported, and `OR` has higher precedence than `AND`. + // + // Restrictions have the form `<field> <operator> <value>` and may have a `-` + // character in front of them to indicate negation. The fields map to those + // defined in the Asset resource. Examples include: + // + // * name + // * security_center_properties.resource_name + // * resource_properties.a_property + // * security_marks.marks.marka + // + // The supported operators are: + // + // * `=` for all value types. + // * `>`, `<`, `>=`, `<=` for integer values. 
+ // * `:`, meaning substring matching, for strings. + // + // The supported value types are: + // + // * string literals in quotes. + // * integer literals without quotes. + // * boolean literals `true` and `false` without quotes. + // + // The following are the allowed field and operator combinations: + // + // * name: `=` + // * update_time: `=`, `>`, `<`, `>=`, `<=` + // + // Usage: This should be milliseconds since epoch or an RFC3339 string. + // Examples: + // `update_time = "2019-06-10T16:07:18-07:00"` + // `update_time = 1560208038000` + // + // * create_time: `=`, `>`, `<`, `>=`, `<=` + // + // Usage: This should be milliseconds since epoch or an RFC3339 string. + // Examples: + // `create_time = "2019-06-10T16:07:18-07:00"` + // `create_time = 1560208038000` + // + // * iam_policy.policy_blob: `=`, `:` + // * resource_properties: `=`, `:`, `>`, `<`, `>=`, `<=` + // * security_marks.marks: `=`, `:` + // * security_center_properties.resource_name: `=`, `:` + // * security_center_properties.resource_display_name: `=`, `:` + // * security_center_properties.resource_type: `=`, `:` + // * security_center_properties.resource_parent: `=`, `:` + // * security_center_properties.resource_parent_display_name: `=`, `:` + // * security_center_properties.resource_project: `=`, `:` + // * security_center_properties.resource_project_display_name: `=`, `:` + // * security_center_properties.resource_owners: `=`, `:` + // + // For example, `resource_properties.size = 100` is a valid filter string. + // + // Use a partial match on the empty string to filter based on a property + // existing: `resource_properties.my_property : ""` + // + // Use a negated partial match on the empty string to filter based on a + // property not existing: `-resource_properties.my_property : ""` + string filter = 2; + + // Expression that defines what fields and order to use for sorting. The + // string value should follow SQL syntax: comma separated list of fields. 
For + // example: "name,resource_properties.a_property". The default sorting order + // is ascending. To specify descending order for a field, a suffix " desc" + // should be appended to the field name. For example: "name + // desc,resource_properties.a_property". Redundant space characters in the + // syntax are insignificant. "name desc,resource_properties.a_property" and " + // name desc , resource_properties.a_property " are equivalent. + // + // The following fields are supported: + // name + // update_time + // resource_properties + // security_marks.marks + // security_center_properties.resource_name + // security_center_properties.resource_display_name + // security_center_properties.resource_parent + // security_center_properties.resource_parent_display_name + // security_center_properties.resource_project + // security_center_properties.resource_project_display_name + // security_center_properties.resource_type + string order_by = 3; + + // Time used as a reference point when filtering assets. The filter is limited + // to assets existing at the supplied time and their values are those at that + // specific time. Absence of this field will default to the API's version of + // NOW. + google.protobuf.Timestamp read_time = 4; + + // When compare_duration is set, the ListAssetsResult's "state_change" + // attribute is updated to indicate whether the asset was added, removed, or + // remained present during the compare_duration period of time that precedes + // the read_time. This is the time between (read_time - compare_duration) and + // read_time. + // + // The state_change value is derived based on the presence of the asset at the + // two points in time. Intermediate state changes between the two times don't + // affect the result. For example, the results aren't affected if the asset is + // removed and re-created again. 
+ // + // Possible "state_change" values when compare_duration is specified: + // + // * "ADDED": indicates that the asset was not present at the start of + // compare_duration, but present at read_time. + // * "REMOVED": indicates that the asset was present at the start of + // compare_duration, but not present at read_time. + // * "ACTIVE": indicates that the asset was present at both the + // start and the end of the time period defined by + // compare_duration and read_time. + // + // If compare_duration is not specified, then the only possible state_change + // is "UNUSED", which will be the state_change set for all assets present at + // read_time. + google.protobuf.Duration compare_duration = 5; + + // A field mask to specify the ListAssetsResult fields to be listed in the + // response. + // An empty field mask will list all fields. + google.protobuf.FieldMask field_mask = 7; + + // The value returned by the last `ListAssetsResponse`; indicates + // that this is a continuation of a prior `ListAssets` call, and + // that the system should return the next page of data. + string page_token = 8; + + // The maximum number of results to return in a single response. Default is + // 10, minimum is 1, maximum is 1000. + int32 page_size = 9; +} + +// Response message for listing assets. +message ListAssetsResponse { + // Result containing the Asset and its State. + message ListAssetsResult { + // The change in state of the asset. + // + // When querying across two points in time this describes + // the change between the two points: ADDED, REMOVED, or ACTIVE. + // If there was no compare_duration supplied in the request the state change + // will be: UNUSED + enum StateChange { + // State change is unused, this is the canonical default for this enum. + UNUSED = 0; + + // Asset was added between the points in time. + ADDED = 1; + + // Asset was removed between the points in time. + REMOVED = 2; + + // Asset was present at both point(s) in time. 
+ ACTIVE = 3; + } + + // Asset matching the search request. + Asset asset = 1; + + // State change of the asset between the points in time. + StateChange state_change = 2; + } + + // Assets matching the list request. + repeated ListAssetsResult list_assets_results = 1; + + // Time used for executing the list request. + google.protobuf.Timestamp read_time = 2; + + // Token to retrieve the next page of results, or empty if there are no more + // results. + string next_page_token = 3; + + // The total number of assets matching the query. + int32 total_size = 4; +} + +// Request message for listing findings. +message ListFindingsRequest { + // Required. Name of the source the findings belong to. Its format is + // "organizations/[organization_id]/sources/[source_id], + // folders/[folder_id]/sources/[source_id], or + // projects/[project_id]/sources/[source_id]". To list across all sources + // provide a source_id of `-`. For example: + // organizations/{organization_id}/sources/-, folders/{folder_id}/sources/- or + // projects/{projects_id}/sources/- + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "securitycenter.googleapis.com/Source" + } + ]; + + // Expression that defines the filter to apply across findings. + // The expression is a list of one or more restrictions combined via logical + // operators `AND` and `OR`. + // Parentheses are supported, and `OR` has higher precedence than `AND`. + // + // Restrictions have the form `<field> <operator> <value>` and may have a `-` + // character in front of them to indicate negation. Examples include: + // + // * name + // * source_properties.a_property + // * security_marks.marks.marka + // + // The supported operators are: + // + // * `=` for all value types. + // * `>`, `<`, `>=`, `<=` for integer values. + // * `:`, meaning substring matching, for strings. + // + // The supported value types are: + // + // * string literals in quotes. 
+ // * integer literals without quotes. + // * boolean literals `true` and `false` without quotes. + // + // The following field and operator combinations are supported: + // + // * name: `=` + // * parent: `=`, `:` + // * resource_name: `=`, `:` + // * state: `=`, `:` + // * category: `=`, `:` + // * external_uri: `=`, `:` + // * event_time: `=`, `>`, `<`, `>=`, `<=` + // * severity: `=`, `:` + // + // Usage: This should be milliseconds since epoch or an RFC3339 string. + // Examples: + // `event_time = "2019-06-10T16:07:18-07:00"` + // `event_time = 1560208038000` + // + // security_marks.marks: `=`, `:` + // source_properties: `=`, `:`, `>`, `<`, `>=`, `<=` + // + // For example, `source_properties.size = 100` is a valid filter string. + // + // Use a partial match on the empty string to filter based on a property + // existing: `source_properties.my_property : ""` + // + // Use a negated partial match on the empty string to filter based on a + // property not existing: `-source_properties.my_property : ""` + string filter = 2; + + // Expression that defines what fields and order to use for sorting. The + // string value should follow SQL syntax: comma separated list of fields. For + // example: "name,resource_properties.a_property". The default sorting order + // is ascending. To specify descending order for a field, a suffix " desc" + // should be appended to the field name. For example: "name + // desc,source_properties.a_property". Redundant space characters in the + // syntax are insignificant. "name desc,source_properties.a_property" and " + // name desc , source_properties.a_property " are equivalent. + // + // The following fields are supported: + // name + // parent + // state + // category + // resource_name + // event_time + // source_properties + // security_marks.marks + string order_by = 3; + + // Time used as a reference point when filtering findings. 
The filter is + // limited to findings existing at the supplied time and their values are + // those at that specific time. Absence of this field will default to the + // API's version of NOW. + google.protobuf.Timestamp read_time = 4; + + // When compare_duration is set, the ListFindingsResult's "state_change" + // attribute is updated to indicate whether the finding had its state changed, + // the finding's state remained unchanged, or if the finding was added in any + // state during the compare_duration period of time that precedes the + // read_time. This is the time between (read_time - compare_duration) and + // read_time. + // + // The state_change value is derived based on the presence and state of the + // finding at the two points in time. Intermediate state changes between the + // two times don't affect the result. For example, the results aren't affected + // if the finding is made inactive and then active again. + // + // Possible "state_change" values when compare_duration is specified: + // + // * "CHANGED": indicates that the finding was present and matched the given + // filter at the start of compare_duration, but changed its + // state at read_time. + // * "UNCHANGED": indicates that the finding was present and matched the given + // filter at the start of compare_duration and did not change + // state at read_time. + // * "ADDED": indicates that the finding did not match the given filter or + // was not present at the start of compare_duration, but was + // present at read_time. + // * "REMOVED": indicates that the finding was present and matched the + // filter at the start of compare_duration, but did not match + // the filter at read_time. + // + // If compare_duration is not specified, then the only possible state_change + // is "UNUSED", which will be the state_change set for all findings present at + // read_time. 
+ google.protobuf.Duration compare_duration = 5; + + // A field mask to specify the Finding fields to be listed in the response. + // An empty field mask will list all fields. + google.protobuf.FieldMask field_mask = 7; + + // The value returned by the last `ListFindingsResponse`; indicates + // that this is a continuation of a prior `ListFindings` call, and + // that the system should return the next page of data. + string page_token = 8; + + // The maximum number of results to return in a single response. Default is + // 10, minimum is 1, maximum is 1000. + int32 page_size = 9; +} + +// Response message for listing findings. +message ListFindingsResponse { + // Result containing the Finding and its StateChange. + message ListFindingsResult { + // Information related to the Google Cloud resource that is + // associated with this finding. + message Resource { + // The full resource name of the resource. See: + // https://cloud.google.com/apis/design/resource_names#full_resource_name + string name = 1; + + // The full resource name of project that the resource belongs to. + string project_name = 2; + + // The human readable name of project that the resource belongs to. + string project_display_name = 3; + + // The full resource name of resource's parent. + string parent_name = 4; + + // The human readable name of resource's parent. + string parent_display_name = 5; + + // Contains a Folder message for each folder in the assets ancestry. + // The first folder is the deepest nested folder, and the last folder is + // the folder directly under the Organization. + repeated Folder folders = 10; + } + + // The change in state of the finding. + // + // When querying across two points in time this describes + // the change in the finding between the two points: CHANGED, UNCHANGED, + // ADDED, or REMOVED. Findings can not be deleted, so REMOVED implies that + // the finding at timestamp does not match the filter specified, but it did + // at timestamp - compare_duration. 
If there was no compare_duration + // supplied in the request the state change will be: UNUSED + enum StateChange { + // State change is unused, this is the canonical default for this enum. + UNUSED = 0; + + // The finding has changed state in some way between the points in time + // and existed at both points. + CHANGED = 1; + + // The finding has not changed state between the points in time and + // existed at both points. + UNCHANGED = 2; + + // The finding was created between the points in time. + ADDED = 3; + + // The finding at timestamp does not match the filter specified, but it + // did at timestamp - compare_duration. + REMOVED = 4; + } + + // Finding matching the search request. + Finding finding = 1; + + // State change of the finding between the points in time. + StateChange state_change = 2; + + // Output only. Resource that is associated with this finding. + Resource resource = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; + } + + // Findings matching the list request. + repeated ListFindingsResult list_findings_results = 1; + + // Time used for executing the list request. + google.protobuf.Timestamp read_time = 2; + + // Token to retrieve the next page of results, or empty if there are no more + // results. + string next_page_token = 3; + + // The total number of findings matching the query. + int32 total_size = 4; +} + +// Request message for updating a finding's state. +message SetFindingStateRequest { + // Required. The relative resource name of the finding. See: + // https://cloud.google.com/apis/design/resource_names#relative_resource_name + // Example: + // "organizations/{organization_id}/sources/{source_id}/finding/{finding_id}". + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "securitycenter.googleapis.com/Finding" + } + ]; + + // Required. The desired State of the finding. + Finding.State state = 2 [(google.api.field_behavior) = REQUIRED]; + + // Required. 
The time at which the updated state takes effect. + google.protobuf.Timestamp start_time = 3 [(google.api.field_behavior) = REQUIRED]; +} + +// Request message for running asset discovery for an organization. +message RunAssetDiscoveryRequest { + // Required. Name of the organization to run asset discovery for. Its format is + // "organizations/[organization_id]". + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "cloudresourcemanager.googleapis.com/Organization" + } + ]; +} + +// Request message for updating or creating a finding. +message UpdateFindingRequest { + // Required. The finding resource to update or create if it does not already exist. + // parent, security_marks, and update_time will be ignored. + // + // In the case of creation, the finding id portion of the name must be + // alphanumeric and less than or equal to 32 characters and greater than 0 + // characters in length. + Finding finding = 1 [(google.api.field_behavior) = REQUIRED]; + + // The FieldMask to use when updating the finding resource. This field should + // not be specified when creating a finding. + // + // When updating a finding, an empty mask is treated as updating all mutable + // fields and replacing source_properties. Individual source_properties can + // be added/updated by using "source_properties.<property key>" in the field + // mask. + google.protobuf.FieldMask update_mask = 2; +} + +// Request message for updating a notification config. +message UpdateNotificationConfigRequest { + // Required. The notification config to update. + NotificationConfig notification_config = 1 [(google.api.field_behavior) = REQUIRED]; + + // The FieldMask to use when updating the notification config. + // + // If empty all mutable fields will be updated. + google.protobuf.FieldMask update_mask = 2; +} + +// Request message for updating an organization's settings. +message UpdateOrganizationSettingsRequest { + // Required. 
The organization settings resource to update. + OrganizationSettings organization_settings = 1 [(google.api.field_behavior) = REQUIRED]; + + // The FieldMask to use when updating the settings resource. + // + // If empty all mutable fields will be updated. + google.protobuf.FieldMask update_mask = 2; +} + +// Request message for updating a source. +message UpdateSourceRequest { + // Required. The source resource to update. + Source source = 1 [(google.api.field_behavior) = REQUIRED]; + + // The FieldMask to use when updating the source resource. + // + // If empty all mutable fields will be updated. + google.protobuf.FieldMask update_mask = 2; +} + +// Request message for updating a SecurityMarks resource. +message UpdateSecurityMarksRequest { + // Required. The security marks resource to update. + SecurityMarks security_marks = 1 [(google.api.field_behavior) = REQUIRED]; + + // The FieldMask to use when updating the security marks resource. + // + // The field mask must not contain duplicate fields. + // If empty or set to "marks", all marks will be replaced. Individual + // marks can be updated using "marks.<mark_key>". + google.protobuf.FieldMask update_mask = 2; + + // The time at which the updated SecurityMarks take effect. + // If not set uses current server time. Updates will be applied to the + // SecurityMarks that are active immediately preceding this time. + google.protobuf.Timestamp start_time = 3; +} diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/securitycenter_v1p1beta1.yaml b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/securitycenter_v1p1beta1.yaml new file mode 100644 index 0000000..90e2f1b --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/securitycenter_v1p1beta1.yaml 
@@ -0,0 +1,47 @@ +type: google.api.Service +config_version: 3 +name: securitycenter.googleapis.com +title: Security Command Center API + +apis: +- name: google.cloud.securitycenter.v1p1beta1.SecurityCenter + +types: +- name: google.cloud.securitycenter.v1p1beta1.NotificationMessage +- name: google.cloud.securitycenter.v1p1beta1.Resource +- name: google.cloud.securitycenter.v1p1beta1.RunAssetDiscoveryResponse + +documentation: + summary: |- + Security Command Center API provides access to temporal views of assets and + findings within an organization. + +backend: + rules: + - selector: 'google.cloud.securitycenter.v1p1beta1.SecurityCenter.*' + deadline: 480.0 + - selector: 'google.longrunning.Operations.*' + deadline: 60.0 + +http: + rules: + - selector: google.longrunning.Operations.CancelOperation + post: '/v1p1beta1/{name=organizations/*/operations/*}:cancel' + body: '*' + - selector: google.longrunning.Operations.DeleteOperation + delete: '/v1p1beta1/{name=organizations/*/operations/*}' + - selector: google.longrunning.Operations.GetOperation + get: '/v1p1beta1/{name=organizations/*/operations/*}' + - selector: google.longrunning.Operations.ListOperations + get: '/v1p1beta1/{name=organizations/*/operations}' + +authentication: + rules: + - selector: 'google.cloud.securitycenter.v1p1beta1.SecurityCenter.*' + oauth: + canonical_scopes: |- + https://www.googleapis.com/auth/cloud-platform + - selector: 'google.longrunning.Operations.*' + oauth: + canonical_scopes: |- + https://www.googleapis.com/auth/cloud-platform diff --git a/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/source.proto b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/source.proto new file mode 100644 index 0000000..e2a5565 --- /dev/null +++ b/third_party/googleapis/google/cloud/securitycenter/v1p1beta1/source.proto 
@@ -0,0 +1,68 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1p1beta1;
+
+import "google/api/resource.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1P1Beta1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1p1beta1;securitycenter";
+option java_multiple_files = true;
+option java_package = "com.google.cloud.securitycenter.v1p1beta1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1p1beta1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1";
+
+// Security Command Center finding source. A finding source
+// is an entity or a mechanism that can produce a finding. A source is like a
+// container of findings that come from the same scanner, logger, monitor, etc.
+message Source {
+ option (google.api.resource) = {
+ type: "securitycenter.googleapis.com/Source"
+ pattern: "organizations/{organization}/sources/{source}"
+ pattern: "folders/{folder}/sources/{source}"
+ pattern: "projects/{project}/sources/{source}"
+ };
+
+ // The relative resource name of this source. See:
+ // https://cloud.google.com/apis/design/resource_names#relative_resource_name
+ // Example:
+ // "organizations/{organization_id}/sources/{source_id}"
+ string name = 1;
+
+ // The source's display name.
+ // A source's display name must be unique amongst its siblings, for example,
+ // two sources with the same parent can't share the same display name.
+ // The display name must have a length between 1 and 64 characters
+ // (inclusive).
+ string display_name = 2;
+
+ // The description of the source (max of 1024 characters).
+ // Example:
+ // "Web Security Scanner is a web security scanner for common
+ // vulnerabilities in App Engine applications. It can automatically
+ // scan and detect four common vulnerabilities, including cross-site-scripting
+ // (XSS), Flash injection, mixed content (HTTP in HTTPS), and
+ // outdated/insecure libraries."
+ string description = 3;
+
+ // The canonical name of the finding. It's either
+ // "organizations/{organization_id}/sources/{source_id}",
+ // "folders/{folder_id}/sources/{source_id}" or
+ // "projects/{project_number}/sources/{source_id}",
+ // depending on the closest CRM ancestor of the resource associated with the
+ // finding.
+ string canonical_name = 14;
+}
|
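Review bot: The comment on `canonical_name` in the new `Source` message says "The canonical name of the finding" and ends with "the resource associated with the finding", but the field belongs to a source and all three listed formats are source names, so the text reads as copied from the Finding message. I would change the first and last lines to `// The canonical name of the source. It's either` and `// depending on the closest CRM ancestor of the source's parent.`; the ancestor wording is my reading of the three resource patterns and should be confirmed against the service. The `name` field comment likewise shows only the `organizations/...` form although the resource patterns also allow `folders/...` and `projects/...`, which a one-line addition to its Example could cover. Since this is a vendored copy under third_party/, the wording fix belongs upstream in googleapis rather than in this tree.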
