kpt-grpc-demo/google/cloud/security/privateca/v1beta1/service.proto

// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.security.privateca.v1beta1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/security/privateca/v1beta1/resources.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Security.PrivateCA.V1Beta1";
option go_package = "google.golang.org/genproto/googleapis/cloud/security/privateca/v1beta1;privateca";
option java_multiple_files = true;
option java_outer_classname = "PrivateCaProto";
option java_package = "com.google.cloud.security.privateca.v1beta1";
option php_namespace = "Google\\Cloud\\Security\\PrivateCA\\V1beta1";
option ruby_package = "Google::Cloud::Security::PrivateCA::V1beta1";

// [Certificate Authority Service][google.cloud.security.privateca.v1beta1.CertificateAuthorityService] manages private
// certificate authorities and issued certificates.
service CertificateAuthorityService {
  option (google.api.default_host) = "privateca.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Create a new [Certificate][google.cloud.security.privateca.v1beta1.Certificate] in a given Project, Location from a particular
  // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  rpc CreateCertificate(CreateCertificateRequest) returns (Certificate) {
    option (google.api.http) = {
      post: "/v1beta1/{parent=projects/*/locations/*/certificateAuthorities/*}/certificates"
      body: "certificate"
    };
    option (google.api.method_signature) = "parent,certificate,certificate_id";
  }

  // Returns a [Certificate][google.cloud.security.privateca.v1beta1.Certificate].
  rpc GetCertificate(GetCertificateRequest) returns (Certificate) {
    option (google.api.http) = {
      get: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*/certificates/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [Certificates][google.cloud.security.privateca.v1beta1.Certificate].
  rpc ListCertificates(ListCertificatesRequest) returns (ListCertificatesResponse) {
    option (google.api.http) = {
      get: "/v1beta1/{parent=projects/*/locations/*/certificateAuthorities/*}/certificates"
    };
    option (google.api.method_signature) = "parent";
  }

  // Revoke a [Certificate][google.cloud.security.privateca.v1beta1.Certificate].
  rpc RevokeCertificate(RevokeCertificateRequest) returns (Certificate) {
    option (google.api.http) = {
      post: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*/certificates/*}:revoke"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Update a [Certificate][google.cloud.security.privateca.v1beta1.Certificate]. Currently, the only field you can update is the
  // [labels][google.cloud.security.privateca.v1beta1.Certificate.labels] field.
  rpc UpdateCertificate(UpdateCertificateRequest) returns (Certificate) {
    option (google.api.http) = {
      patch: "/v1beta1/{certificate.name=projects/*/locations/*/certificateAuthorities/*/certificates/*}"
      body: "certificate"
    };
    option (google.api.method_signature) = "certificate,update_mask";
  }

  // Activate a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] that is in state
  // [PENDING_ACTIVATION][google.cloud.security.privateca.v1beta1.CertificateAuthority.State.PENDING_ACTIVATION] and is
  // of type [SUBORDINATE][google.cloud.security.privateca.v1beta1.CertificateAuthority.Type.SUBORDINATE]. After the
  // parent Certificate Authority signs a certificate signing request from
  // [FetchCertificateAuthorityCsr][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.FetchCertificateAuthorityCsr], this method can complete the activation
  // process.
  rpc ActivateCertificateAuthority(ActivateCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*}:activate"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Create a new [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in a given Project and Location.
  rpc CreateCertificateAuthority(CreateCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta1/{parent=projects/*/locations/*}/certificateAuthorities"
      body: "certificate_authority"
    };
    option (google.api.method_signature) = "parent,certificate_authority,certificate_authority_id";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Disable a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  rpc DisableCertificateAuthority(DisableCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*}:disable"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Enable a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  rpc EnableCertificateAuthority(EnableCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*}:enable"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Fetch a certificate signing request (CSR) from a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
  // that is in state
  // [PENDING_ACTIVATION][google.cloud.security.privateca.v1beta1.CertificateAuthority.State.PENDING_ACTIVATION] and is
  // of type [SUBORDINATE][google.cloud.security.privateca.v1beta1.CertificateAuthority.Type.SUBORDINATE]. The CSR must
  // then be signed by the desired parent Certificate Authority, which could be
  // another [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] resource, or could be an on-prem
  // certificate authority. See also [ActivateCertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ActivateCertificateAuthority].
  rpc FetchCertificateAuthorityCsr(FetchCertificateAuthorityCsrRequest) returns (FetchCertificateAuthorityCsrResponse) {
    option (google.api.http) = {
      get: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*}:fetch"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  rpc GetCertificateAuthority(GetCertificateAuthorityRequest) returns (CertificateAuthority) {
    option (google.api.http) = {
      get: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [CertificateAuthorities][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  rpc ListCertificateAuthorities(ListCertificateAuthoritiesRequest) returns (ListCertificateAuthoritiesResponse) {
    option (google.api.http) = {
      get: "/v1beta1/{parent=projects/*/locations/*}/certificateAuthorities"
    };
    option (google.api.method_signature) = "parent";
  }

  // Restore a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] that is scheduled for deletion.
  rpc RestoreCertificateAuthority(RestoreCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*}:restore"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Schedule a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] for deletion.
  rpc ScheduleDeleteCertificateAuthority(ScheduleDeleteCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*}:scheduleDelete"
      body: "*"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Update a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  rpc UpdateCertificateAuthority(UpdateCertificateAuthorityRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1beta1/{certificate_authority.name=projects/*/locations/*/certificateAuthorities/*}"
      body: "certificate_authority"
    };
    option (google.api.method_signature) = "certificate_authority,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateAuthority"
      metadata_type: "OperationMetadata"
    };
  }

  // Returns a [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList].
  rpc GetCertificateRevocationList(GetCertificateRevocationListRequest) returns (CertificateRevocationList) {
    option (google.api.http) = {
      get: "/v1beta1/{name=projects/*/locations/*/certificateAuthorities/*/certificateRevocationLists/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [CertificateRevocationLists][google.cloud.security.privateca.v1beta1.CertificateRevocationList].
  rpc ListCertificateRevocationLists(ListCertificateRevocationListsRequest) returns (ListCertificateRevocationListsResponse) {
    option (google.api.http) = {
      get: "/v1beta1/{parent=projects/*/locations/*/certificateAuthorities/*}/certificateRevocationLists"
    };
    option (google.api.method_signature) = "parent";
  }

  // Update a [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList].
  rpc UpdateCertificateRevocationList(UpdateCertificateRevocationListRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1beta1/{certificate_revocation_list.name=projects/*/locations/*/certificateAuthorities/*/certificateRevocationLists/*}"
      body: "certificate_revocation_list"
    };
    option (google.api.method_signature) = "certificate_revocation_list,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateRevocationList"
      metadata_type: "OperationMetadata"
    };
  }

  // Returns a [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig].
  rpc GetReusableConfig(GetReusableConfigRequest) returns (ReusableConfig) {
    option (google.api.http) = {
      get: "/v1beta1/{name=projects/*/locations/*/reusableConfigs/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [ReusableConfigs][google.cloud.security.privateca.v1beta1.ReusableConfig].
  rpc ListReusableConfigs(ListReusableConfigsRequest) returns (ListReusableConfigsResponse) {
    option (google.api.http) = {
      get: "/v1beta1/{parent=projects/*/locations/*}/reusableConfigs"
    };
    option (google.api.method_signature) = "parent";
  }
}

// Request message for [CertificateAuthorityService.CreateCertificate][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.CreateCertificate].
message CreateCertificateRequest {
  // Required. The resource name of the location and [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
  // associated with the [Certificate][google.cloud.security.privateca.v1beta1.Certificate], in the format
  // `projects/*/locations/*/certificateAuthorities/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. It must be unique within a location and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`. This field is required when using a
  // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the Enterprise [CertificateAuthority.Tier][google.cloud.security.privateca.v1beta1.CertificateAuthority.Tier],
  // but is optional and its value is ignored otherwise.
  string certificate_id = 2 [(google.api.field_behavior) = OPTIONAL];

  // Required. A [Certificate][google.cloud.security.privateca.v1beta1.Certificate] with initial field values.
  Certificate certificate = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.GetCertificate][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.GetCertificate].
message GetCertificateRequest {
  // Required. The [name][google.cloud.security.privateca.v1beta1.Certificate.name] of the [Certificate][google.cloud.security.privateca.v1beta1.Certificate] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/Certificate"
    }
  ];
}

// Request message for [CertificateAuthorityService.ListCertificates][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ListCertificates].
message ListCertificatesRequest {
  // Required. The resource name of the location associated with the
  // [Certificates][google.cloud.security.privateca.v1beta1.Certificate], in the format
  // `projects/*/locations/*/certificateauthorities/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. Limit on the number of
  // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] to include in the
  // response. Further [Certificates][google.cloud.security.privateca.v1beta1.Certificate] can subsequently be obtained
  // by including the
  // [ListCertificatesResponse.next_page_token][google.cloud.security.privateca.v1beta1.ListCertificatesResponse.next_page_token] in a subsequent
  // request. If unspecified, the server will pick an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCertificatesResponse.next_page_token][google.cloud.security.privateca.v1beta1.ListCertificatesResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response. For details
  // on supported filters and syntax, see [Certificates Filtering
  // documentation](https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. For details on supported fields
  // and syntax, see [Certificates Sorting
  // documentation](https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#sorting_support).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for [CertificateAuthorityService.ListCertificates][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ListCertificates].
message ListCertificatesResponse {
  // The list of [Certificates][google.cloud.security.privateca.v1beta1.Certificate].
  repeated Certificate certificates = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCertificatesRequest.next_page_token][] to retrieve the
  // next page of results.
  string next_page_token = 2;

  // A list of locations (e.g. "us-west1") that could not be reached.
  repeated string unreachable = 3;
}

// Request message for
// [CertificateAuthorityService.RevokeCertificate][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.RevokeCertificate].
message RevokeCertificateRequest {
  // Required. The resource name for this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] in the
  // format `projects/*/locations/*/certificateAuthorities/*/certificates/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/Certificate"
    }
  ];

  // Required. The [RevocationReason][google.cloud.security.privateca.v1beta1.RevocationReason] for revoking this certificate.
  RevocationReason reason = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for [CertificateAuthorityService.UpdateCertificate][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.UpdateCertificate].
message UpdateCertificateRequest {
  // Required. [Certificate][google.cloud.security.privateca.v1beta1.Certificate] with updated values.
  Certificate certificate = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A list of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.ActivateCertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ActivateCertificateAuthority].
message ActivateCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the
  // format `projects/*/locations/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Required. The signed CA certificate issued from
  // [FetchCertificateAuthorityCsrResponse.pem_csr][google.cloud.security.privateca.v1beta1.FetchCertificateAuthorityCsrResponse.pem_csr].
  string pem_ca_certificate = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. Must include information about the issuer of 'pem_ca_certificate', and any
  // further issuers until the self-signed CA.
  SubordinateConfig subordinate_config = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.CreateCertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.CreateCertificateAuthority].
message CreateCertificateAuthorityRequest {
  // Required. The resource name of the location associated with the
  // [CertificateAuthorities][google.cloud.security.privateca.v1beta1.CertificateAuthority], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. It must be unique within a location and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string certificate_authority_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] with initial field values.
  CertificateAuthority certificate_authority = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.DisableCertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.DisableCertificateAuthority].
message DisableCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the
  // format `projects/*/locations/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.EnableCertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.EnableCertificateAuthority].
message EnableCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the
  // format `projects/*/locations/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.FetchCertificateAuthorityCsr][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.FetchCertificateAuthorityCsr].
message FetchCertificateAuthorityCsrRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the
  // format `projects/*/locations/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];
}

// Response message for
// [CertificateAuthorityService.FetchCertificateAuthorityCsr][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.FetchCertificateAuthorityCsr].
message FetchCertificateAuthorityCsrResponse {
  // Output only. The PEM-encoded signed certificate signing request (CSR).
  string pem_csr = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Request message for [CertificateAuthorityService.GetCertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.GetCertificateAuthority].
message GetCertificateAuthorityRequest {
  // Required. The [name][google.cloud.security.privateca.v1beta1.CertificateAuthority.name] of the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] to
  // get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];
}

// Request message for
// [CertificateAuthorityService.ListCertificateAuthorities][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ListCertificateAuthorities].
message ListCertificateAuthoritiesRequest {
  // Required. The resource name of the location associated with the
  // [CertificateAuthorities][google.cloud.security.privateca.v1beta1.CertificateAuthority], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Optional. Limit on the number of [CertificateAuthorities][google.cloud.security.privateca.v1beta1.CertificateAuthority] to
  // include in the response.
  // Further [CertificateAuthorities][google.cloud.security.privateca.v1beta1.CertificateAuthority] can subsequently be
  // obtained by including the
  // [ListCertificateAuthoritiesResponse.next_page_token][google.cloud.security.privateca.v1beta1.ListCertificateAuthoritiesResponse.next_page_token] in a subsequent
  // request. If unspecified, the server will pick an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCertificateAuthoritiesResponse.next_page_token][google.cloud.security.privateca.v1beta1.ListCertificateAuthoritiesResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [CertificateAuthorityService.ListCertificateAuthorities][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ListCertificateAuthorities].
message ListCertificateAuthoritiesResponse {
  // The list of [CertificateAuthorities][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  repeated CertificateAuthority certificate_authorities = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCertificateAuthoritiesRequest.next_page_token][] to retrieve the next
  // page of results.
  string next_page_token = 2;

  // A list of locations (e.g. "us-west1") that could not be reached.
  repeated string unreachable = 3;
}

// Request message for
// [CertificateAuthorityService.RestoreCertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.RestoreCertificateAuthority].
message RestoreCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the
  // format `projects/*/locations/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.ScheduleDeleteCertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ScheduleDeleteCertificateAuthority].
message ScheduleDeleteCertificateAuthorityRequest {
  // Required. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the
  // format `projects/*/locations/*/certificateAuthorities/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.UpdateCertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.UpdateCertificateAuthority].
message UpdateCertificateAuthorityRequest {
  // Required. [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] with updated values.
  CertificateAuthority certificate_authority = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A list of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.GetCertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.GetCertificateRevocationList].
message GetCertificateRevocationListRequest {
  // Required. The [name][google.cloud.security.privateca.v1beta1.CertificateRevocationList.name] of the
  // [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateRevocationList"
    }
  ];
}

// Request message for
// [CertificateAuthorityService.ListCertificateRevocationLists][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ListCertificateRevocationLists].
message ListCertificateRevocationListsRequest {
  // Required. The resource name of the location associated with the
  // [CertificateRevocationLists][google.cloud.security.privateca.v1beta1.CertificateRevocationList], in the format
  // `projects/*/locations/*/certificateauthorities/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/CertificateAuthority"
    }
  ];

  // Optional. Limit on the number of
  // [CertificateRevocationLists][google.cloud.security.privateca.v1beta1.CertificateRevocationList] to include in the
  // response. Further [CertificateRevocationLists][google.cloud.security.privateca.v1beta1.CertificateRevocationList]
  // can subsequently be obtained by including the
  // [ListCertificateRevocationListsResponse.next_page_token][google.cloud.security.privateca.v1beta1.ListCertificateRevocationListsResponse.next_page_token] in a subsequent
  // request. If unspecified, the server will pick an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCertificateRevocationListsResponse.next_page_token][google.cloud.security.privateca.v1beta1.ListCertificateRevocationListsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [CertificateAuthorityService.ListCertificateRevocationLists][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ListCertificateRevocationLists].
message ListCertificateRevocationListsResponse {
  // The list of [CertificateRevocationLists][google.cloud.security.privateca.v1beta1.CertificateRevocationList].
  repeated CertificateRevocationList certificate_revocation_lists = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCertificateRevocationListsRequest.next_page_token][] to retrieve the
  // next page of results.
  string next_page_token = 2;

  // A list of locations (e.g. "us-west1") that could not be reached.
  repeated string unreachable = 3;
}

// Request message for
// [CertificateAuthorityService.UpdateCertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.UpdateCertificateRevocationList].
message UpdateCertificateRevocationListRequest {
  // Required. [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] with updated values.
  CertificateRevocationList certificate_revocation_list = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A list of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
  // retry your request, the server will know to ignore the request if it has
  // already been completed. The server will guarantee that for at least 60
  // minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and t
  // he request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, will ignore the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [CertificateAuthorityService.GetReusableConfig][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.GetReusableConfig].
message GetReusableConfigRequest {
  // Required. The [name][ReusableConfigs.name] of the [ReusableConfigs][] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "privateca.googleapis.com/ReusableConfig"
    }
  ];
}

// Request message for
// [CertificateAuthorityService.ListReusableConfigs][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ListReusableConfigs].
message ListReusableConfigsRequest {
  // Required. The resource name of the location associated with the
  // [ReusableConfigs][google.cloud.security.privateca.v1beta1.ReusableConfig], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Optional. Limit on the number of
  // [ReusableConfigs][google.cloud.security.privateca.v1beta1.ReusableConfig] to include in the response.
  // Further [ReusableConfigs][google.cloud.security.privateca.v1beta1.ReusableConfig] can subsequently be
  // obtained by including the
  // [ListReusableConfigsResponse.next_page_token][google.cloud.security.privateca.v1beta1.ListReusableConfigsResponse.next_page_token] in a subsequent request. If
  // unspecified, the server will pick an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListReusableConfigsResponse.next_page_token][google.cloud.security.privateca.v1beta1.ListReusableConfigsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [CertificateAuthorityService.ListReusableConfigs][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.ListReusableConfigs].
message ListReusableConfigsResponse {
  // The list of [ReusableConfigs][google.cloud.security.privateca.v1beta1.ReusableConfig].
  repeated ReusableConfig reusable_configs = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListReusableConfigsRequest.next_page_token][] to retrieve
  // the next page of results.
  string next_page_token = 2;

  // A list of locations (e.g. "us-west1") that could not be reached.
  repeated string unreachable = 3;
}

// Represents the metadata of the long-running operation.
message OperationMetadata {
  // Output only. The time the operation was created.
  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time the operation finished running.
  google.protobuf.Timestamp end_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Server-defined resource path for the target of the operation.
  string target = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Name of the verb executed by the operation.
  string verb = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Human-readable status of the operation, if any.
  string status_message = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Identifies whether the user has requested cancellation
  // of the operation. Operations that have successfully been cancelled
  // have [Operation.error][] value with a [google.rpc.Status.code][google.rpc.Status.code] of 1,
  // corresponding to `Code.CANCELLED`.
  bool requested_cancellation = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. API version used to start the operation.
  string api_version = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
}