diff --git a/packages/google-cloud-binary-authorization/README.rst b/packages/google-cloud-binary-authorization/README.rst index 24ead048036c..36eb4453e172 100644 --- a/packages/google-cloud-binary-authorization/README.rst +++ b/packages/google-cloud-binary-authorization/README.rst @@ -16,9 +16,9 @@ policy control for images deployed to Kubernetes Engine clusters. .. |versions| image:: https://img.shields.io/pypi/pyversions/google-cloud-binary-authorization.svg :target: https://pypi.org/project/google-cloud-binary-authorization/ -.. _Binary Authorization API: https://cloud.google.com/binaryauthorization -.. _Client Library Documentation: https://googleapis.github.io/google-cloud-python/latest/binaryauthorization/usage.html -.. _Product Documentation: https://cloud.google.com/binaryauthorization +.. _Binary Authorization API: https://cloud.google.com/binary-authorization +.. _Client Library Documentation: https://googleapis.dev/python/binaryauthorization/latest +.. _Product Documentation: https://cloud.google.com/binary-authorization Quick Start ----------- @@ -32,7 +32,7 @@ In order to use this library, you first need to go through the following steps: .. _Select or create a Cloud Platform project.: https://console.cloud.google.com/project .. _Enable billing for your project.: https://cloud.google.com/billing/docs/how-to/modify-project#enable_billing_for_a_project -.. _Enable the Binary Authorization API.: https://cloud.google.com/binaryauthorization +.. _Enable the Binary Authorization API.: https://cloud.google.com/binary-authorization .. _Setup Authentication.: https://googleapis.github.io/google-cloud-python/latest/core/auth.html Installation 
@@ -80,5 +80,5 @@ Next Steps - View this `README`_ to see the full list of Cloud APIs that we cover. -.. _Binary Authorization API Product documentation: https://cloud.google.com/binaryauthorization -.. _README: https://github.com/googleapis/google-cloud-python/blob/main/README.rst \ No newline at end of file +.. _Binary Authorization API Product documentation: https://cloud.google.com/binary-authorization +.. _README: https://github.com/googleapis/google-cloud-python/blob/main/README.rst diff --git a/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/binauthz_management_service_v1.rst b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/binauthz_management_service_v1.rst new file mode 100644 index 000000000000..1d11618cc7cf --- /dev/null +++ b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/binauthz_management_service_v1.rst @@ -0,0 +1,10 @@ +BinauthzManagementServiceV1 +--------------------------------------------- + +.. automodule:: google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1 + :members: + :inherited-members: + +.. automodule:: google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.pagers + :members: + :inherited-members: diff --git a/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/services.rst b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/services.rst new file mode 100644 index 000000000000..d8423c9a8940 --- /dev/null +++ b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/services.rst @@ -0,0 +1,8 @@ +Services for Google Cloud Binaryauthorization v1 API +==================================================== +.. toctree:: + :maxdepth: 2 + + binauthz_management_service_v1 + system_policy_v1 + validation_helper_v1 
diff --git a/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/system_policy_v1.rst b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/system_policy_v1.rst new file mode 100644 index 000000000000..da7e2d4746c5 --- /dev/null +++ b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/system_policy_v1.rst @@ -0,0 +1,6 @@ +SystemPolicyV1 +-------------------------------- + +.. automodule:: google.cloud.binaryauthorization_v1.services.system_policy_v1 + :members: + :inherited-members: diff --git a/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/types.rst b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/types.rst new file mode 100644 index 000000000000..f693b223dc90 --- /dev/null +++ b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/types.rst @@ -0,0 +1,7 @@ +Types for Google Cloud Binaryauthorization v1 API +================================================= + +.. automodule:: google.cloud.binaryauthorization_v1.types + :members: + :undoc-members: + :show-inheritance: diff --git a/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/validation_helper_v1.rst b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/validation_helper_v1.rst new file mode 100644 index 000000000000..5d92ddc96e08 --- /dev/null +++ b/packages/google-cloud-binary-authorization/docs/binaryauthorization_v1/validation_helper_v1.rst @@ -0,0 +1,6 @@ +ValidationHelperV1 +------------------------------------ + +.. automodule:: google.cloud.binaryauthorization_v1.services.validation_helper_v1 + :members: + :inherited-members: diff --git a/packages/google-cloud-binary-authorization/docs/index.rst b/packages/google-cloud-binary-authorization/docs/index.rst index 9c3e955b194b..d55ac54f1132 100644 --- a/packages/google-cloud-binary-authorization/docs/index.rst +++ b/packages/google-cloud-binary-authorization/docs/index.rst 
@@ -2,6 +2,16 @@ .. include:: multiprocessing.rst +This package includes clients for multiple versions of Binary Authorization. +By default, you will get version ``v1``. + +API Reference +------------- +.. toctree:: + :maxdepth: 2 + + binaryauthorization_v1/services + binaryauthorization_v1/types API Reference ------------- diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization/__init__.py index f054e4b93082..b4803079eeca 100644 --- a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization/__init__.py +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization/__init__.py 
@@ -14,53 +14,73 @@ # limitations under the License. # -from google.cloud.binaryauthorization_v1beta1.services.binauthz_management_service_v1_beta1.client import ( - BinauthzManagementServiceV1Beta1Client, +from google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.client import ( + BinauthzManagementServiceV1Client, ) -from google.cloud.binaryauthorization_v1beta1.services.binauthz_management_service_v1_beta1.async_client import ( - BinauthzManagementServiceV1Beta1AsyncClient, +from google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.async_client import ( + BinauthzManagementServiceV1AsyncClient, ) - -from google.cloud.binaryauthorization_v1beta1.types.continuous_validation_logging import ( - ContinuousValidationEvent, +from google.cloud.binaryauthorization_v1.services.system_policy_v1.client import ( + SystemPolicyV1Client, +) +from google.cloud.binaryauthorization_v1.services.system_policy_v1.async_client import ( + SystemPolicyV1AsyncClient, +) +from google.cloud.binaryauthorization_v1.services.validation_helper_v1.client import ( + ValidationHelperV1Client, ) -from google.cloud.binaryauthorization_v1beta1.types.resources import AdmissionRule -from google.cloud.binaryauthorization_v1beta1.types.resources import ( +from google.cloud.binaryauthorization_v1.services.validation_helper_v1.async_client import ( + ValidationHelperV1AsyncClient, +) + +from google.cloud.binaryauthorization_v1.types.resources import AdmissionRule +from google.cloud.binaryauthorization_v1.types.resources import ( AdmissionWhitelistPattern, ) -from google.cloud.binaryauthorization_v1beta1.types.resources import Attestor -from google.cloud.binaryauthorization_v1beta1.types.resources import AttestorPublicKey -from google.cloud.binaryauthorization_v1beta1.types.resources import PkixPublicKey -from google.cloud.binaryauthorization_v1beta1.types.resources import Policy -from google.cloud.binaryauthorization_v1beta1.types.resources import ( - 
UserOwnedDrydockNote, +from google.cloud.binaryauthorization_v1.types.resources import Attestor +from google.cloud.binaryauthorization_v1.types.resources import AttestorPublicKey +from google.cloud.binaryauthorization_v1.types.resources import PkixPublicKey +from google.cloud.binaryauthorization_v1.types.resources import Policy +from google.cloud.binaryauthorization_v1.types.resources import UserOwnedGrafeasNote +from google.cloud.binaryauthorization_v1.types.service import CreateAttestorRequest +from google.cloud.binaryauthorization_v1.types.service import DeleteAttestorRequest +from google.cloud.binaryauthorization_v1.types.service import GetAttestorRequest +from google.cloud.binaryauthorization_v1.types.service import GetPolicyRequest +from google.cloud.binaryauthorization_v1.types.service import GetSystemPolicyRequest +from google.cloud.binaryauthorization_v1.types.service import ListAttestorsRequest +from google.cloud.binaryauthorization_v1.types.service import ListAttestorsResponse +from google.cloud.binaryauthorization_v1.types.service import UpdateAttestorRequest +from google.cloud.binaryauthorization_v1.types.service import UpdatePolicyRequest +from google.cloud.binaryauthorization_v1.types.service import ( + ValidateAttestationOccurrenceRequest, +) +from google.cloud.binaryauthorization_v1.types.service import ( + ValidateAttestationOccurrenceResponse, ) -from google.cloud.binaryauthorization_v1beta1.types.service import CreateAttestorRequest -from google.cloud.binaryauthorization_v1beta1.types.service import DeleteAttestorRequest -from google.cloud.binaryauthorization_v1beta1.types.service import GetAttestorRequest -from google.cloud.binaryauthorization_v1beta1.types.service import GetPolicyRequest -from google.cloud.binaryauthorization_v1beta1.types.service import ListAttestorsRequest -from google.cloud.binaryauthorization_v1beta1.types.service import ListAttestorsResponse -from google.cloud.binaryauthorization_v1beta1.types.service import 
UpdateAttestorRequest -from google.cloud.binaryauthorization_v1beta1.types.service import UpdatePolicyRequest __all__ = ( - "BinauthzManagementServiceV1Beta1Client", - "BinauthzManagementServiceV1Beta1AsyncClient", - "ContinuousValidationEvent", + "BinauthzManagementServiceV1Client", + "BinauthzManagementServiceV1AsyncClient", + "SystemPolicyV1Client", + "SystemPolicyV1AsyncClient", + "ValidationHelperV1Client", + "ValidationHelperV1AsyncClient", "AdmissionRule", "AdmissionWhitelistPattern", "Attestor", "AttestorPublicKey", "PkixPublicKey", "Policy", - "UserOwnedDrydockNote", + "UserOwnedGrafeasNote", "CreateAttestorRequest", "DeleteAttestorRequest", "GetAttestorRequest", "GetPolicyRequest", + "GetSystemPolicyRequest", "ListAttestorsRequest", "ListAttestorsResponse", "UpdateAttestorRequest", "UpdatePolicyRequest", + "ValidateAttestationOccurrenceRequest", + "ValidateAttestationOccurrenceResponse", ) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/__init__.py new file mode 100644 index 000000000000..c26f1791480b --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/__init__.py 
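Review bot: The rewritten import block and `__all__` in `google/cloud/binaryauthorization/__init__.py` no longer export `ContinuousValidationEvent` or `UserOwnedDrydockNote`, so any caller that imports either name from the unversioned package will raise ImportError after upgrading. `UserOwnedGrafeasNote` appears in the slot where `UserOwnedDrydockNote` was, which suggests a rename, but nothing in the hunk tells a reader that. Because this namespace is what admission-policy and attestor tooling usually imports, the switch of the default surface from v1beta1 to v1 should be recorded as a breaking change in the release notes. The file itself should say where the beta types went, for example `# Default surface is v1; import google.cloud.binaryauthorization_v1beta1 explicitly for the v1beta1 types.` above the first import. That assumes the v1beta1 package is still shipped, which the visible hunks do not confirm.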
@@ -0,0 +1,70 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from .services.binauthz_management_service_v1 import BinauthzManagementServiceV1Client +from .services.binauthz_management_service_v1 import ( + BinauthzManagementServiceV1AsyncClient, +) +from .services.system_policy_v1 import SystemPolicyV1Client +from .services.system_policy_v1 import SystemPolicyV1AsyncClient +from .services.validation_helper_v1 import ValidationHelperV1Client +from .services.validation_helper_v1 import ValidationHelperV1AsyncClient + +from .types.resources import AdmissionRule +from .types.resources import AdmissionWhitelistPattern +from .types.resources import Attestor +from .types.resources import AttestorPublicKey +from .types.resources import PkixPublicKey +from .types.resources import Policy +from .types.resources import UserOwnedGrafeasNote +from .types.service import CreateAttestorRequest +from .types.service import DeleteAttestorRequest +from .types.service import GetAttestorRequest +from .types.service import GetPolicyRequest +from .types.service import GetSystemPolicyRequest +from .types.service import ListAttestorsRequest +from .types.service import ListAttestorsResponse +from .types.service import UpdateAttestorRequest +from .types.service import UpdatePolicyRequest +from .types.service import ValidateAttestationOccurrenceRequest +from .types.service import ValidateAttestationOccurrenceResponse + +__all__ = ( + 
"BinauthzManagementServiceV1AsyncClient", + "SystemPolicyV1AsyncClient", + "ValidationHelperV1AsyncClient", + "AdmissionRule", + "AdmissionWhitelistPattern", + "Attestor", + "AttestorPublicKey", + "BinauthzManagementServiceV1Client", + "CreateAttestorRequest", + "DeleteAttestorRequest", + "GetAttestorRequest", + "GetPolicyRequest", + "GetSystemPolicyRequest", + "ListAttestorsRequest", + "ListAttestorsResponse", + "PkixPublicKey", + "Policy", + "SystemPolicyV1Client", + "UpdateAttestorRequest", + "UpdatePolicyRequest", + "UserOwnedGrafeasNote", + "ValidateAttestationOccurrenceRequest", + "ValidateAttestationOccurrenceResponse", + "ValidationHelperV1Client", +) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/gapic_metadata.json b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/gapic_metadata.json new file mode 100644 index 000000000000..1d349e7bb245 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/gapic_metadata.json 
@@ -0,0 +1,141 @@ + { + "comment": "This file maps proto services/RPCs to the corresponding library clients/methods", + "language": "python", + "libraryPackage": "google.cloud.binaryauthorization_v1", + "protoPackage": "google.cloud.binaryauthorization.v1", + "schema": "1.0", + "services": { + "BinauthzManagementServiceV1": { + "clients": { + "grpc": { + "libraryClient": "BinauthzManagementServiceV1Client", + "rpcs": { + "CreateAttestor": { + "methods": [ + "create_attestor" + ] + }, + "DeleteAttestor": { + "methods": [ + "delete_attestor" + ] + }, + "GetAttestor": { + "methods": [ + "get_attestor" + ] + }, + "GetPolicy": { + "methods": [ + "get_policy" + ] + }, + "ListAttestors": { + "methods": [ + "list_attestors" + ] + }, + "UpdateAttestor": { + "methods": [ + "update_attestor" + ] + }, + "UpdatePolicy": { + "methods": [ + "update_policy" + ] + } + } + }, + "grpc-async": { + "libraryClient": "BinauthzManagementServiceV1AsyncClient", + "rpcs": { + "CreateAttestor": { + "methods": [ + "create_attestor" + ] + }, + "DeleteAttestor": { + "methods": [ + "delete_attestor" + ] + }, + "GetAttestor": { + "methods": [ + "get_attestor" + ] + }, + "GetPolicy": { + "methods": [ + "get_policy" + ] + }, + "ListAttestors": { + "methods": [ + "list_attestors" + ] + }, + "UpdateAttestor": { + "methods": [ + "update_attestor" + ] + }, + "UpdatePolicy": { + "methods": [ + "update_policy" + ] + } + } + } + } + }, + "SystemPolicyV1": { + "clients": { + "grpc": { + "libraryClient": "SystemPolicyV1Client", + "rpcs": { + "GetSystemPolicy": { + "methods": [ + "get_system_policy" + ] + } + } + }, + "grpc-async": { + "libraryClient": "SystemPolicyV1AsyncClient", + "rpcs": { + "GetSystemPolicy": { + "methods": [ + "get_system_policy" + ] + } + } + } + } + }, + "ValidationHelperV1": { + "clients": { + "grpc": { + "libraryClient": "ValidationHelperV1Client", + "rpcs": { + "ValidateAttestationOccurrence": { + "methods": [ + "validate_attestation_occurrence" + ] + } + } + }, + "grpc-async": { + 
"libraryClient": "ValidationHelperV1AsyncClient", + "rpcs": { + "ValidateAttestationOccurrence": { + "methods": [ + "validate_attestation_occurrence" + ] + } + } + } + } + } + } +} diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/py.typed b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/py.typed new file mode 100644 index 000000000000..5afd9eca7d00 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/py.typed @@ -0,0 +1,2 @@ +# Marker file for PEP 561. +# The google-cloud-binaryauthorization package uses inline types. diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/__init__.py new file mode 100644 index 000000000000..4de65971c238 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/__init__.py @@ -0,0 +1,15 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/__init__.py new file mode 100644 index 000000000000..0cb1382a1b47 
--- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/__init__.py @@ -0,0 +1,22 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +from .client import BinauthzManagementServiceV1Client +from .async_client import BinauthzManagementServiceV1AsyncClient + +__all__ = ( + "BinauthzManagementServiceV1Client", + "BinauthzManagementServiceV1AsyncClient", +) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/async_client.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/async_client.py new file mode 100644 index 000000000000..bbc4840312e8 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/async_client.py 
@@ -0,0 +1,840 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +from collections import OrderedDict +import functools +import re +from typing import Dict, Sequence, Tuple, Type, Union +import pkg_resources + +import google.api_core.client_options as ClientOptions # type: ignore +from google.api_core import exceptions as core_exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.oauth2 import service_account # type: ignore + +from google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1 import ( + pagers, +) +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from google.protobuf import timestamp_pb2 # type: ignore +from .transports.base import BinauthzManagementServiceV1Transport, DEFAULT_CLIENT_INFO +from .transports.grpc_asyncio import BinauthzManagementServiceV1GrpcAsyncIOTransport +from .client import BinauthzManagementServiceV1Client + + +class BinauthzManagementServiceV1AsyncClient: + """Google Cloud Management Service for Binary Authorization admission + policies and attestation authorities. 
+ + This API implements a REST model with the following objects: + + - [Policy][google.cloud.binaryauthorization.v1.Policy] + - [Attestor][google.cloud.binaryauthorization.v1.Attestor] + """ + + _client: BinauthzManagementServiceV1Client + + DEFAULT_ENDPOINT = BinauthzManagementServiceV1Client.DEFAULT_ENDPOINT + DEFAULT_MTLS_ENDPOINT = BinauthzManagementServiceV1Client.DEFAULT_MTLS_ENDPOINT + + attestor_path = staticmethod(BinauthzManagementServiceV1Client.attestor_path) + parse_attestor_path = staticmethod( + BinauthzManagementServiceV1Client.parse_attestor_path + ) + policy_path = staticmethod(BinauthzManagementServiceV1Client.policy_path) + parse_policy_path = staticmethod( + BinauthzManagementServiceV1Client.parse_policy_path + ) + common_billing_account_path = staticmethod( + BinauthzManagementServiceV1Client.common_billing_account_path + ) + parse_common_billing_account_path = staticmethod( + BinauthzManagementServiceV1Client.parse_common_billing_account_path + ) + common_folder_path = staticmethod( + BinauthzManagementServiceV1Client.common_folder_path + ) + parse_common_folder_path = staticmethod( + BinauthzManagementServiceV1Client.parse_common_folder_path + ) + common_organization_path = staticmethod( + BinauthzManagementServiceV1Client.common_organization_path + ) + parse_common_organization_path = staticmethod( + BinauthzManagementServiceV1Client.parse_common_organization_path + ) + common_project_path = staticmethod( + BinauthzManagementServiceV1Client.common_project_path + ) + parse_common_project_path = staticmethod( + BinauthzManagementServiceV1Client.parse_common_project_path + ) + common_location_path = staticmethod( + BinauthzManagementServiceV1Client.common_location_path + ) + parse_common_location_path = staticmethod( + BinauthzManagementServiceV1Client.parse_common_location_path + ) + + @classmethod + def from_service_account_info(cls, info: dict, *args, **kwargs): + """Creates an instance of this client using the provided credentials + info. 
+ + Args: + info (dict): The service account private key info. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + BinauthzManagementServiceV1AsyncClient: The constructed client. + """ + return BinauthzManagementServiceV1Client.from_service_account_info.__func__(BinauthzManagementServiceV1AsyncClient, info, *args, **kwargs) # type: ignore + + @classmethod + def from_service_account_file(cls, filename: str, *args, **kwargs): + """Creates an instance of this client using the provided credentials + file. + + Args: + filename (str): The path to the service account private key json + file. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + BinauthzManagementServiceV1AsyncClient: The constructed client. + """ + return BinauthzManagementServiceV1Client.from_service_account_file.__func__(BinauthzManagementServiceV1AsyncClient, filename, *args, **kwargs) # type: ignore + + from_service_account_json = from_service_account_file + + @property + def transport(self) -> BinauthzManagementServiceV1Transport: + """Returns the transport used by the client instance. + + Returns: + BinauthzManagementServiceV1Transport: The transport used by the client instance. + """ + return self._client.transport + + get_transport_class = functools.partial( + type(BinauthzManagementServiceV1Client).get_transport_class, + type(BinauthzManagementServiceV1Client), + ) + + def __init__( + self, + *, + credentials: ga_credentials.Credentials = None, + transport: Union[str, BinauthzManagementServiceV1Transport] = "grpc_asyncio", + client_options: ClientOptions = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + ) -> None: + """Instantiates the binauthz management service v1 client. + + Args: + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. 
These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + transport (Union[str, ~.BinauthzManagementServiceV1Transport]): The + transport to use. If set to None, a transport is chosen + automatically. + client_options (ClientOptions): Custom options for the client. It + won't take effect if a ``transport`` instance is provided. + (1) The ``api_endpoint`` property can be used to override the + default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT + environment variable can also be used to override the endpoint: + "always" (always use the default mTLS endpoint), "never" (always + use the default regular endpoint) and "auto" (auto switch to the + default mTLS endpoint if client certificate is present, this is + the default value). However, the ``api_endpoint`` property takes + precedence if provided. + (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable + is "true", then the ``client_cert_source`` property can be used + to provide client certificate for mutual TLS transport. If + not provided, the default SSL client certificate will be used if + present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not + set, no client certificate will be used. + + Raises: + google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport + creation failed for any reason. 
+ """ + self._client = BinauthzManagementServiceV1Client( + credentials=credentials, + transport=transport, + client_options=client_options, + client_info=client_info, + ) + + async def get_policy( + self, + request: service.GetPolicyRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Policy: + r"""A [policy][google.cloud.binaryauthorization.v1.Policy] specifies + the [attestors][google.cloud.binaryauthorization.v1.Attestor] + that must attest to a container image, before the project is + allowed to deploy that image. There is at most one policy per + project. All image admission requests are permitted if a project + has no policy. + + Gets the [policy][google.cloud.binaryauthorization.v1.Policy] + for this project. Returns a default + [policy][google.cloud.binaryauthorization.v1.Policy] if the + project does not have one. + + Args: + request (:class:`google.cloud.binaryauthorization_v1.types.GetPolicyRequest`): + The request object. Request message for + [BinauthzManagementService.GetPolicy][]. + name (:class:`str`): + Required. The resource name of the + [policy][google.cloud.binaryauthorization.v1.Policy] to + retrieve, in the format ``projects/*/policy``. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Policy: + A [policy][google.cloud.binaryauthorization.v1.Policy] + for container image binary authorization. + + """ + # Create or coerce a protobuf request object. 
+ # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.GetPolicyRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = gapic_v1.method_async.wrap_method( + self._client._transport.get_policy, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + async def update_policy( + self, + request: service.UpdatePolicyRequest = None, + *, + policy: resources.Policy = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Policy: + r"""Creates or updates a project's + [policy][google.cloud.binaryauthorization.v1.Policy], and + returns a copy of the new + [policy][google.cloud.binaryauthorization.v1.Policy]. A policy + is always updated as a whole, to avoid race conditions with + concurrent policy enforcement (or management!) requests. 
Returns + NOT_FOUND if the project does not exist, INVALID_ARGUMENT if the + request is malformed. + + Args: + request (:class:`google.cloud.binaryauthorization_v1.types.UpdatePolicyRequest`): + The request object. Request message for + [BinauthzManagementService.UpdatePolicy][]. + policy (:class:`google.cloud.binaryauthorization_v1.types.Policy`): + Required. A new or updated + [policy][google.cloud.binaryauthorization.v1.Policy] + value. The service will overwrite the [policy + name][google.cloud.binaryauthorization.v1.Policy.name] + field with the resource name in the request URL, in the + format ``projects/*/policy``. + + This corresponds to the ``policy`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Policy: + A [policy][google.cloud.binaryauthorization.v1.Policy] + for container image binary authorization. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([policy]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.UpdatePolicyRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if policy is not None: + request.policy = policy + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. 
+ rpc = gapic_v1.method_async.wrap_method( + self._client._transport.update_policy, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata( + (("policy.name", request.policy.name),) + ), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + async def create_attestor( + self, + request: service.CreateAttestorRequest = None, + *, + parent: str = None, + attestor_id: str = None, + attestor: resources.Attestor = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Attestor: + r"""Creates an + [attestor][google.cloud.binaryauthorization.v1.Attestor], and + returns a copy of the new + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the project does not exist, + INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if + the [attestor][google.cloud.binaryauthorization.v1.Attestor] + already exists. + + Args: + request (:class:`google.cloud.binaryauthorization_v1.types.CreateAttestorRequest`): + The request object. Request message for + [BinauthzManagementService.CreateAttestor][]. + parent (:class:`str`): + Required. The parent of this + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + + This corresponds to the ``parent`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + attestor_id (:class:`str`): + Required. The + [attestors][google.cloud.binaryauthorization.v1.Attestor] + ID. 
+ + This corresponds to the ``attestor_id`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + attestor (:class:`google.cloud.binaryauthorization_v1.types.Attestor`): + Required. The initial + [attestor][google.cloud.binaryauthorization.v1.Attestor] + value. The service will overwrite the [attestor + name][google.cloud.binaryauthorization.v1.Attestor.name] + field with the resource name, in the format + ``projects/*/attestors/*``. + + This corresponds to the ``attestor`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Attestor: + An [attestor][google.cloud.binaryauthorization.v1.Attestor] that attests to container image + artifacts. An existing attestor cannot be modified + except where indicated. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([parent, attestor_id, attestor]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.CreateAttestorRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if parent is not None: + request.parent = parent + if attestor_id is not None: + request.attestor_id = attestor_id + if attestor is not None: + request.attestor = attestor + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. 
+ rpc = gapic_v1.method_async.wrap_method( + self._client._transport.create_attestor, + default_timeout=600.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + async def get_attestor( + self, + request: service.GetAttestorRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Attestor: + r"""Gets an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Args: + request (:class:`google.cloud.binaryauthorization_v1.types.GetAttestorRequest`): + The request object. Request message for + [BinauthzManagementService.GetAttestor][]. + name (:class:`str`): + Required. The name of the + [attestor][google.cloud.binaryauthorization.v1.Attestor] + to retrieve, in the format ``projects/*/attestors/*``. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Attestor: + An [attestor][google.cloud.binaryauthorization.v1.Attestor] that attests to container image + artifacts. An existing attestor cannot be modified + except where indicated. + + """ + # Create or coerce a protobuf request object. 
+ # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.GetAttestorRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = gapic_v1.method_async.wrap_method( + self._client._transport.get_attestor, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + async def update_attestor( + self, + request: service.UpdateAttestorRequest = None, + *, + attestor: resources.Attestor = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Attestor: + r"""Updates an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Args: + request (:class:`google.cloud.binaryauthorization_v1.types.UpdateAttestorRequest`): + The request object. Request message for + [BinauthzManagementService.UpdateAttestor][]. 
+ attestor (:class:`google.cloud.binaryauthorization_v1.types.Attestor`): + Required. The updated + [attestor][google.cloud.binaryauthorization.v1.Attestor] + value. The service will overwrite the [attestor + name][google.cloud.binaryauthorization.v1.Attestor.name] + field with the resource name in the request URL, in the + format ``projects/*/attestors/*``. + + This corresponds to the ``attestor`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Attestor: + An [attestor][google.cloud.binaryauthorization.v1.Attestor] that attests to container image + artifacts. An existing attestor cannot be modified + except where indicated. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([attestor]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.UpdateAttestorRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if attestor is not None: + request.attestor = attestor + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. 
+ rpc = gapic_v1.method_async.wrap_method( + self._client._transport.update_attestor, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata( + (("attestor.name", request.attestor.name),) + ), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + async def list_attestors( + self, + request: service.ListAttestorsRequest = None, + *, + parent: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> pagers.ListAttestorsAsyncPager: + r"""Lists [attestors][google.cloud.binaryauthorization.v1.Attestor]. + Returns INVALID_ARGUMENT if the project does not exist. + + Args: + request (:class:`google.cloud.binaryauthorization_v1.types.ListAttestorsRequest`): + The request object. Request message for + [BinauthzManagementService.ListAttestors][]. + parent (:class:`str`): + Required. The resource name of the project associated + with the + [attestors][google.cloud.binaryauthorization.v1.Attestor], + in the format ``projects/*``. + + This corresponds to the ``parent`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. 
+ + Returns: + google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.pagers.ListAttestorsAsyncPager: + Response message for + [BinauthzManagementService.ListAttestors][]. + + Iterating over this object will yield results and + resolve additional pages automatically. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([parent]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.ListAttestorsRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if parent is not None: + request.parent = parent + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = gapic_v1.method_async.wrap_method( + self._client._transport.list_attestors, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # This method is paged; wrap the response in a pager, which provides + # an `__aiter__` convenience method. + response = pagers.ListAttestorsAsyncPager( + method=rpc, request=request, response=response, metadata=metadata, + ) + + # Done; return the response. 
+ return response + + async def delete_attestor( + self, + request: service.DeleteAttestorRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> None: + r"""Deletes an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Args: + request (:class:`google.cloud.binaryauthorization_v1.types.DeleteAttestorRequest`): + The request object. Request message for + [BinauthzManagementService.DeleteAttestor][]. + name (:class:`str`): + Required. The name of the + [attestors][google.cloud.binaryauthorization.v1.Attestor] + to delete, in the format ``projects/*/attestors/*``. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.DeleteAttestorRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. 
+ rpc = gapic_v1.method_async.wrap_method( + self._client._transport.delete_attestor, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + await rpc( + request, retry=retry, timeout=timeout, metadata=metadata, + ) + + +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution( + "google-cloud-binary-authorization", + ).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + + +__all__ = ("BinauthzManagementServiceV1AsyncClient",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/client.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/client.py new file mode 100644 index 000000000000..d5eb693e9937 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/client.py 
@@ -0,0 +1,970 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +from collections import OrderedDict +from distutils import util +import os +import re +from typing import Callable, Dict, Optional, Sequence, Tuple, Type, Union +import pkg_resources + +from google.api_core import client_options as client_options_lib # type: ignore +from google.api_core import exceptions as core_exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.auth.transport import mtls # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore +from google.auth.exceptions import MutualTLSChannelError # type: ignore +from google.oauth2 import service_account # type: ignore + +from google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1 import ( + pagers, +) +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from google.protobuf import timestamp_pb2 # type: ignore +from .transports.base import BinauthzManagementServiceV1Transport, DEFAULT_CLIENT_INFO +from .transports.grpc import BinauthzManagementServiceV1GrpcTransport +from .transports.grpc_asyncio import BinauthzManagementServiceV1GrpcAsyncIOTransport + + +class 
BinauthzManagementServiceV1ClientMeta(type): + """Metaclass for the BinauthzManagementServiceV1 client. + + This provides class-level methods for building and retrieving + support objects (e.g. transport) without polluting the client instance + objects. + """ + + _transport_registry = ( + OrderedDict() + ) # type: Dict[str, Type[BinauthzManagementServiceV1Transport]] + _transport_registry["grpc"] = BinauthzManagementServiceV1GrpcTransport + _transport_registry[ + "grpc_asyncio" + ] = BinauthzManagementServiceV1GrpcAsyncIOTransport + + def get_transport_class( + cls, label: str = None, + ) -> Type[BinauthzManagementServiceV1Transport]: + """Returns an appropriate transport class. + + Args: + label: The name of the desired transport. If none is + provided, then the first transport in the registry is used. + + Returns: + The transport class to use. + """ + # If a specific transport is requested, return that one. + if label: + return cls._transport_registry[label] + + # No transport is requested; return the default (that is, the first one + # in the dictionary). + return next(iter(cls._transport_registry.values())) + + +class BinauthzManagementServiceV1Client( + metaclass=BinauthzManagementServiceV1ClientMeta +): + """Google Cloud Management Service for Binary Authorization admission + policies and attestation authorities. + + This API implements a REST model with the following objects: + + - [Policy][google.cloud.binaryauthorization.v1.Policy] + - [Attestor][google.cloud.binaryauthorization.v1.Attestor] + """ + + @staticmethod + def _get_default_mtls_endpoint(api_endpoint): + """Converts api endpoint to mTLS endpoint. + + Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to + "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively. + Args: + api_endpoint (Optional[str]): the api endpoint to convert. + Returns: + str: converted mTLS api endpoint. 
+ """ + if not api_endpoint: + return api_endpoint + + mtls_endpoint_re = re.compile( + r"(?P[^.]+)(?P\.mtls)?(?P\.sandbox)?(?P\.googleapis\.com)?" + ) + + m = mtls_endpoint_re.match(api_endpoint) + name, mtls, sandbox, googledomain = m.groups() + if mtls or not googledomain: + return api_endpoint + + if sandbox: + return api_endpoint.replace( + "sandbox.googleapis.com", "mtls.sandbox.googleapis.com" + ) + + return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com") + + DEFAULT_ENDPOINT = "binaryauthorization.googleapis.com" + DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore + DEFAULT_ENDPOINT + ) + + @classmethod + def from_service_account_info(cls, info: dict, *args, **kwargs): + """Creates an instance of this client using the provided credentials + info. + + Args: + info (dict): The service account private key info. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + BinauthzManagementServiceV1Client: The constructed client. + """ + credentials = service_account.Credentials.from_service_account_info(info) + kwargs["credentials"] = credentials + return cls(*args, **kwargs) + + @classmethod + def from_service_account_file(cls, filename: str, *args, **kwargs): + """Creates an instance of this client using the provided credentials + file. + + Args: + filename (str): The path to the service account private key json + file. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + BinauthzManagementServiceV1Client: The constructed client. + """ + credentials = service_account.Credentials.from_service_account_file(filename) + kwargs["credentials"] = credentials + return cls(*args, **kwargs) + + from_service_account_json = from_service_account_file + + @property + def transport(self) -> BinauthzManagementServiceV1Transport: + """Returns the transport used by the client instance. 
+ + Returns: + BinauthzManagementServiceV1Transport: The transport used by the client + instance. + """ + return self._transport + + @staticmethod + def attestor_path(project: str, attestor: str,) -> str: + """Returns a fully-qualified attestor string.""" + return "projects/{project}/attestors/{attestor}".format( + project=project, attestor=attestor, + ) + + @staticmethod + def parse_attestor_path(path: str) -> Dict[str, str]: + """Parses a attestor path into its component segments.""" + m = re.match(r"^projects/(?P.+?)/attestors/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def policy_path(project: str,) -> str: + """Returns a fully-qualified policy string.""" + return "projects/{project}/policy".format(project=project,) + + @staticmethod + def parse_policy_path(path: str) -> Dict[str, str]: + """Parses a policy path into its component segments.""" + m = re.match(r"^projects/(?P.+?)/policy$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_billing_account_path(billing_account: str,) -> str: + """Returns a fully-qualified billing_account string.""" + return "billingAccounts/{billing_account}".format( + billing_account=billing_account, + ) + + @staticmethod + def parse_common_billing_account_path(path: str) -> Dict[str, str]: + """Parse a billing_account path into its component segments.""" + m = re.match(r"^billingAccounts/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_folder_path(folder: str,) -> str: + """Returns a fully-qualified folder string.""" + return "folders/{folder}".format(folder=folder,) + + @staticmethod + def parse_common_folder_path(path: str) -> Dict[str, str]: + """Parse a folder path into its component segments.""" + m = re.match(r"^folders/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_organization_path(organization: str,) -> str: + """Returns a fully-qualified organization string.""" + return 
"organizations/{organization}".format(organization=organization,) + + @staticmethod + def parse_common_organization_path(path: str) -> Dict[str, str]: + """Parse a organization path into its component segments.""" + m = re.match(r"^organizations/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_project_path(project: str,) -> str: + """Returns a fully-qualified project string.""" + return "projects/{project}".format(project=project,) + + @staticmethod + def parse_common_project_path(path: str) -> Dict[str, str]: + """Parse a project path into its component segments.""" + m = re.match(r"^projects/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_location_path(project: str, location: str,) -> str: + """Returns a fully-qualified location string.""" + return "projects/{project}/locations/{location}".format( + project=project, location=location, + ) + + @staticmethod + def parse_common_location_path(path: str) -> Dict[str, str]: + """Parse a location path into its component segments.""" + m = re.match(r"^projects/(?P.+?)/locations/(?P.+?)$", path) + return m.groupdict() if m else {} + + def __init__( + self, + *, + credentials: Optional[ga_credentials.Credentials] = None, + transport: Union[str, BinauthzManagementServiceV1Transport, None] = None, + client_options: Optional[client_options_lib.ClientOptions] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + ) -> None: + """Instantiates the binauthz management service v1 client. + + Args: + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + transport (Union[str, BinauthzManagementServiceV1Transport]): The + transport to use. If set to None, a transport is chosen + automatically. 
+ client_options (google.api_core.client_options.ClientOptions): Custom options for the + client. It won't take effect if a ``transport`` instance is provided. + (1) The ``api_endpoint`` property can be used to override the + default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT + environment variable can also be used to override the endpoint: + "always" (always use the default mTLS endpoint), "never" (always + use the default regular endpoint) and "auto" (auto switch to the + default mTLS endpoint if client certificate is present, this is + the default value). However, the ``api_endpoint`` property takes + precedence if provided. + (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable + is "true", then the ``client_cert_source`` property can be used + to provide client certificate for mutual TLS transport. If + not provided, the default SSL client certificate will be used if + present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not + set, no client certificate will be used. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + + Raises: + google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport + creation failed for any reason. + """ + if isinstance(client_options, dict): + client_options = client_options_lib.from_dict(client_options) + if client_options is None: + client_options = client_options_lib.ClientOptions() + + # Create SSL credentials for mutual TLS if needed. 
+ use_client_cert = bool( + util.strtobool(os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false")) + ) + + client_cert_source_func = None + is_mtls = False + if use_client_cert: + if client_options.client_cert_source: + is_mtls = True + client_cert_source_func = client_options.client_cert_source + else: + is_mtls = mtls.has_default_client_cert_source() + if is_mtls: + client_cert_source_func = mtls.default_client_cert_source() + else: + client_cert_source_func = None + + # Figure out which api endpoint to use. + if client_options.api_endpoint is not None: + api_endpoint = client_options.api_endpoint + else: + use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") + if use_mtls_env == "never": + api_endpoint = self.DEFAULT_ENDPOINT + elif use_mtls_env == "always": + api_endpoint = self.DEFAULT_MTLS_ENDPOINT + elif use_mtls_env == "auto": + if is_mtls: + api_endpoint = self.DEFAULT_MTLS_ENDPOINT + else: + api_endpoint = self.DEFAULT_ENDPOINT + else: + raise MutualTLSChannelError( + "Unsupported GOOGLE_API_USE_MTLS_ENDPOINT value. Accepted " + "values: never, auto, always" + ) + + # Save or instantiate the transport. + # Ordinarily, we provide the transport, but allowing a custom transport + # instance provides an extensibility point for unusual situations. + if isinstance(transport, BinauthzManagementServiceV1Transport): + # transport is a BinauthzManagementServiceV1Transport instance. + if credentials or client_options.credentials_file: + raise ValueError( + "When providing a transport instance, " + "provide its credentials directly." + ) + if client_options.scopes: + raise ValueError( + "When providing a transport instance, provide its scopes " + "directly." 
+ ) + self._transport = transport + else: + Transport = type(self).get_transport_class(transport) + self._transport = Transport( + credentials=credentials, + credentials_file=client_options.credentials_file, + host=api_endpoint, + scopes=client_options.scopes, + client_cert_source_for_mtls=client_cert_source_func, + quota_project_id=client_options.quota_project_id, + client_info=client_info, + always_use_jwt_access=( + Transport == type(self).get_transport_class("grpc") + or Transport == type(self).get_transport_class("grpc_asyncio") + ), + ) + + def get_policy( + self, + request: service.GetPolicyRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Policy: + r"""A [policy][google.cloud.binaryauthorization.v1.Policy] specifies + the [attestors][google.cloud.binaryauthorization.v1.Attestor] + that must attest to a container image, before the project is + allowed to deploy that image. There is at most one policy per + project. All image admission requests are permitted if a project + has no policy. + + Gets the [policy][google.cloud.binaryauthorization.v1.Policy] + for this project. Returns a default + [policy][google.cloud.binaryauthorization.v1.Policy] if the + project does not have one. + + Args: + request (google.cloud.binaryauthorization_v1.types.GetPolicyRequest): + The request object. Request message for + [BinauthzManagementService.GetPolicy][]. + name (str): + Required. The resource name of the + [policy][google.cloud.binaryauthorization.v1.Policy] to + retrieve, in the format ``projects/*/policy``. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. 
+ metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Policy: + A [policy][google.cloud.binaryauthorization.v1.Policy] + for container image binary authorization. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.GetPolicyRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.GetPolicyRequest): + request = service.GetPolicyRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[self._transport.get_policy] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. 
+ return response + + def update_policy( + self, + request: service.UpdatePolicyRequest = None, + *, + policy: resources.Policy = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Policy: + r"""Creates or updates a project's + [policy][google.cloud.binaryauthorization.v1.Policy], and + returns a copy of the new + [policy][google.cloud.binaryauthorization.v1.Policy]. A policy + is always updated as a whole, to avoid race conditions with + concurrent policy enforcement (or management!) requests. Returns + NOT_FOUND if the project does not exist, INVALID_ARGUMENT if the + request is malformed. + + Args: + request (google.cloud.binaryauthorization_v1.types.UpdatePolicyRequest): + The request object. Request message for + [BinauthzManagementService.UpdatePolicy][]. + policy (google.cloud.binaryauthorization_v1.types.Policy): + Required. A new or updated + [policy][google.cloud.binaryauthorization.v1.Policy] + value. The service will overwrite the [policy + name][google.cloud.binaryauthorization.v1.Policy.name] + field with the resource name in the request URL, in the + format ``projects/*/policy``. + + This corresponds to the ``policy`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Policy: + A [policy][google.cloud.binaryauthorization.v1.Policy] + for container image binary authorization. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. 
+ has_flattened_params = any([policy]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.UpdatePolicyRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.UpdatePolicyRequest): + request = service.UpdatePolicyRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if policy is not None: + request.policy = policy + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[self._transport.update_policy] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata( + (("policy.name", request.policy.name),) + ), + ) + + # Send the request. + response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + def create_attestor( + self, + request: service.CreateAttestorRequest = None, + *, + parent: str = None, + attestor_id: str = None, + attestor: resources.Attestor = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Attestor: + r"""Creates an + [attestor][google.cloud.binaryauthorization.v1.Attestor], and + returns a copy of the new + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the project does not exist, + INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if + the [attestor][google.cloud.binaryauthorization.v1.Attestor] + already exists. 
+ + Args: + request (google.cloud.binaryauthorization_v1.types.CreateAttestorRequest): + The request object. Request message for + [BinauthzManagementService.CreateAttestor][]. + parent (str): + Required. The parent of this + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + + This corresponds to the ``parent`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + attestor_id (str): + Required. The + [attestors][google.cloud.binaryauthorization.v1.Attestor] + ID. + + This corresponds to the ``attestor_id`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + attestor (google.cloud.binaryauthorization_v1.types.Attestor): + Required. The initial + [attestor][google.cloud.binaryauthorization.v1.Attestor] + value. The service will overwrite the [attestor + name][google.cloud.binaryauthorization.v1.Attestor.name] + field with the resource name, in the format + ``projects/*/attestors/*``. + + This corresponds to the ``attestor`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Attestor: + An [attestor][google.cloud.binaryauthorization.v1.Attestor] that attests to container image + artifacts. An existing attestor cannot be modified + except where indicated. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. 
+ has_flattened_params = any([parent, attestor_id, attestor]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.CreateAttestorRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.CreateAttestorRequest): + request = service.CreateAttestorRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if parent is not None: + request.parent = parent + if attestor_id is not None: + request.attestor_id = attestor_id + if attestor is not None: + request.attestor = attestor + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[self._transport.create_attestor] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), + ) + + # Send the request. + response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + def get_attestor( + self, + request: service.GetAttestorRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Attestor: + r"""Gets an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Args: + request (google.cloud.binaryauthorization_v1.types.GetAttestorRequest): + The request object. Request message for + [BinauthzManagementService.GetAttestor][]. + name (str): + Required. 
The name of the + [attestor][google.cloud.binaryauthorization.v1.Attestor] + to retrieve, in the format ``projects/*/attestors/*``. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Attestor: + An [attestor][google.cloud.binaryauthorization.v1.Attestor] that attests to container image + artifacts. An existing attestor cannot be modified + except where indicated. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.GetAttestorRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.GetAttestorRequest): + request = service.GetAttestorRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[self._transport.get_attestor] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. 
+ response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + def update_attestor( + self, + request: service.UpdateAttestorRequest = None, + *, + attestor: resources.Attestor = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Attestor: + r"""Updates an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Args: + request (google.cloud.binaryauthorization_v1.types.UpdateAttestorRequest): + The request object. Request message for + [BinauthzManagementService.UpdateAttestor][]. + attestor (google.cloud.binaryauthorization_v1.types.Attestor): + Required. The updated + [attestor][google.cloud.binaryauthorization.v1.Attestor] + value. The service will overwrite the [attestor + name][google.cloud.binaryauthorization.v1.Attestor.name] + field with the resource name in the request URL, in the + format ``projects/*/attestors/*``. + + This corresponds to the ``attestor`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Attestor: + An [attestor][google.cloud.binaryauthorization.v1.Attestor] that attests to container image + artifacts. An existing attestor cannot be modified + except where indicated. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. 
+ has_flattened_params = any([attestor]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.UpdateAttestorRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.UpdateAttestorRequest): + request = service.UpdateAttestorRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if attestor is not None: + request.attestor = attestor + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[self._transport.update_attestor] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata( + (("attestor.name", request.attestor.name),) + ), + ) + + # Send the request. + response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + def list_attestors( + self, + request: service.ListAttestorsRequest = None, + *, + parent: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> pagers.ListAttestorsPager: + r"""Lists [attestors][google.cloud.binaryauthorization.v1.Attestor]. + Returns INVALID_ARGUMENT if the project does not exist. + + Args: + request (google.cloud.binaryauthorization_v1.types.ListAttestorsRequest): + The request object. Request message for + [BinauthzManagementService.ListAttestors][]. + parent (str): + Required. The resource name of the project associated + with the + [attestors][google.cloud.binaryauthorization.v1.Attestor], + in the format ``projects/*``. 
+ + This corresponds to the ``parent`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.pagers.ListAttestorsPager: + Response message for + [BinauthzManagementService.ListAttestors][]. + + Iterating over this object will yield results and + resolve additional pages automatically. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([parent]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.ListAttestorsRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.ListAttestorsRequest): + request = service.ListAttestorsRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if parent is not None: + request.parent = parent + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[self._transport.list_attestors] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), + ) + + # Send the request. 
+ response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # This method is paged; wrap the response in a pager, which provides + # an `__iter__` convenience method. + response = pagers.ListAttestorsPager( + method=rpc, request=request, response=response, metadata=metadata, + ) + + # Done; return the response. + return response + + def delete_attestor( + self, + request: service.DeleteAttestorRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> None: + r"""Deletes an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Args: + request (google.cloud.binaryauthorization_v1.types.DeleteAttestorRequest): + The request object. Request message for + [BinauthzManagementService.DeleteAttestor][]. + name (str): + Required. The name of the + [attestors][google.cloud.binaryauthorization.v1.Attestor] + to delete, in the format ``projects/*/attestors/*``. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.DeleteAttestorRequest. 
+ # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.DeleteAttestorRequest): + request = service.DeleteAttestorRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[self._transport.delete_attestor] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + rpc( + request, retry=retry, timeout=timeout, metadata=metadata, + ) + + +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution( + "google-cloud-binary-authorization", + ).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + + +__all__ = ("BinauthzManagementServiceV1Client",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/pagers.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/pagers.py new file mode 100644 index 000000000000..30d2338b32ef --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/pagers.py 
@@ -0,0 +1,156 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +from typing import ( + Any, + AsyncIterable, + Awaitable, + Callable, + Iterable, + Sequence, + Tuple, + Optional, +) + +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service + + +class ListAttestorsPager: + """A pager for iterating through ``list_attestors`` requests. + + This class thinly wraps an initial + :class:`google.cloud.binaryauthorization_v1.types.ListAttestorsResponse` object, and + provides an ``__iter__`` method to iterate through its + ``attestors`` field. + + If there are more pages, the ``__iter__`` method will make additional + ``ListAttestors`` requests and continue to iterate + through the ``attestors`` field on the + corresponding responses. + + All the usual :class:`google.cloud.binaryauthorization_v1.types.ListAttestorsResponse` + attributes are available on the pager. If multiple requests are made, only + the most recent response is retained, and thus used for attribute lookup. + """ + + def __init__( + self, + method: Callable[..., service.ListAttestorsResponse], + request: service.ListAttestorsRequest, + response: service.ListAttestorsResponse, + *, + metadata: Sequence[Tuple[str, str]] = () + ): + """Instantiate the pager. + + Args: + method (Callable): The method that was originally called, and + which instantiated this pager. 
+ request (google.cloud.binaryauthorization_v1.types.ListAttestorsRequest): + The initial request object. + response (google.cloud.binaryauthorization_v1.types.ListAttestorsResponse): + The initial response object. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + """ + self._method = method + self._request = service.ListAttestorsRequest(request) + self._response = response + self._metadata = metadata + + def __getattr__(self, name: str) -> Any: + return getattr(self._response, name) + + @property + def pages(self) -> Iterable[service.ListAttestorsResponse]: + yield self._response + while self._response.next_page_token: + self._request.page_token = self._response.next_page_token + self._response = self._method(self._request, metadata=self._metadata) + yield self._response + + def __iter__(self) -> Iterable[resources.Attestor]: + for page in self.pages: + yield from page.attestors + + def __repr__(self) -> str: + return "{0}<{1!r}>".format(self.__class__.__name__, self._response) + + +class ListAttestorsAsyncPager: + """A pager for iterating through ``list_attestors`` requests. + + This class thinly wraps an initial + :class:`google.cloud.binaryauthorization_v1.types.ListAttestorsResponse` object, and + provides an ``__aiter__`` method to iterate through its + ``attestors`` field. + + If there are more pages, the ``__aiter__`` method will make additional + ``ListAttestors`` requests and continue to iterate + through the ``attestors`` field on the + corresponding responses. + + All the usual :class:`google.cloud.binaryauthorization_v1.types.ListAttestorsResponse` + attributes are available on the pager. If multiple requests are made, only + the most recent response is retained, and thus used for attribute lookup. 
+ """ + + def __init__( + self, + method: Callable[..., Awaitable[service.ListAttestorsResponse]], + request: service.ListAttestorsRequest, + response: service.ListAttestorsResponse, + *, + metadata: Sequence[Tuple[str, str]] = () + ): + """Instantiates the pager. + + Args: + method (Callable): The method that was originally called, and + which instantiated this pager. + request (google.cloud.binaryauthorization_v1.types.ListAttestorsRequest): + The initial request object. + response (google.cloud.binaryauthorization_v1.types.ListAttestorsResponse): + The initial response object. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + """ + self._method = method + self._request = service.ListAttestorsRequest(request) + self._response = response + self._metadata = metadata + + def __getattr__(self, name: str) -> Any: + return getattr(self._response, name) + + @property + async def pages(self) -> AsyncIterable[service.ListAttestorsResponse]: + yield self._response + while self._response.next_page_token: + self._request.page_token = self._response.next_page_token + self._response = await self._method(self._request, metadata=self._metadata) + yield self._response + + def __aiter__(self) -> AsyncIterable[resources.Attestor]: + async def async_generator(): + async for page in self.pages: + for response in page.attestors: + yield response + + return async_generator() + + def __repr__(self) -> str: + return "{0}<{1!r}>".format(self.__class__.__name__, self._response) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/__init__.py new file mode 100644 index 000000000000..444c09e8186f --- /dev/null 
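Review bot: `ListAttestorsPager.pages` advances `self._request.page_token` and overwrites `self._response` as it goes, so the pager is single-pass: once it has been iterated to the end, a second `for attestor in pager` yields only the last page, with no sign that the list is partial. Code that enumerates attestors to audit or reconcile a Binary Authorization policy could act on that truncated list, so the class docstring should say so, e.g. `This pager is single-pass; call list_attestors again instead of re-iterating it.`, and the same applies to `ListAttestorsAsyncPager`. The follow-up fetch `self._method(self._request, metadata=self._metadata)` also omits the `retry` and `timeout` the caller passed to `list_attestors`, so those settings cover only the first page and later pages fall back to the wrapped method's defaults. If this file is generator output, both changes belong in the generator template rather than in this file.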
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/__init__.py @@ -0,0 +1,35 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +from collections import OrderedDict +from typing import Dict, Type + +from .base import BinauthzManagementServiceV1Transport +from .grpc import BinauthzManagementServiceV1GrpcTransport +from .grpc_asyncio import BinauthzManagementServiceV1GrpcAsyncIOTransport + + +# Compile a registry of transports. +_transport_registry = ( + OrderedDict() +) # type: Dict[str, Type[BinauthzManagementServiceV1Transport]] +_transport_registry["grpc"] = BinauthzManagementServiceV1GrpcTransport +_transport_registry["grpc_asyncio"] = BinauthzManagementServiceV1GrpcAsyncIOTransport + +__all__ = ( + "BinauthzManagementServiceV1Transport", + "BinauthzManagementServiceV1GrpcTransport", + "BinauthzManagementServiceV1GrpcAsyncIOTransport", +) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/base.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/base.py new file mode 100644 index 000000000000..12f8b898d690 --- /dev/null 
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/base.py 
@@ -0,0 +1,317 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import abc +from typing import Awaitable, Callable, Dict, Optional, Sequence, Union +import packaging.version +import pkg_resources + +import google.auth # type: ignore +import google.api_core # type: ignore +from google.api_core import exceptions as core_exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.oauth2 import service_account # type: ignore + +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from google.protobuf import empty_pb2 # type: ignore + +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution( + "google-cloud-binary-authorization", + ).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + +try: + # google.auth.__version__ was added in 1.26.0 + _GOOGLE_AUTH_VERSION = google.auth.__version__ +except AttributeError: + try: # try pkg_resources if it is available + _GOOGLE_AUTH_VERSION = pkg_resources.get_distribution("google-auth").version + except pkg_resources.DistributionNotFound: # pragma: NO COVER + _GOOGLE_AUTH_VERSION = None + + +class 
BinauthzManagementServiceV1Transport(abc.ABC): + """Abstract transport class for BinauthzManagementServiceV1.""" + + AUTH_SCOPES = ("https://www.googleapis.com/auth/cloud-platform",) + + DEFAULT_HOST: str = "binaryauthorization.googleapis.com" + + def __init__( + self, + *, + host: str = DEFAULT_HOST, + credentials: ga_credentials.Credentials = None, + credentials_file: Optional[str] = None, + scopes: Optional[Sequence[str]] = None, + quota_project_id: Optional[str] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + always_use_jwt_access: Optional[bool] = False, + **kwargs, + ) -> None: + """Instantiate the transport. + + Args: + host (Optional[str]): + The hostname to connect to. + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is mutually exclusive with credentials. + scopes (Optional[Sequence[str]]): A list of scopes. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + always_use_jwt_access (Optional[bool]): Whether self signed JWT should + be used for service account credentials. + """ + # Save the hostname. Default to port 443 (HTTPS) if none is specified. + if ":" not in host: + host += ":443" + self._host = host + + scopes_kwargs = self._get_scopes_kwargs(self._host, scopes) + + # Save the scopes. 
+ self._scopes = scopes + + # If no credentials are provided, then determine the appropriate + # defaults. + if credentials and credentials_file: + raise core_exceptions.DuplicateCredentialArgs( + "'credentials_file' and 'credentials' are mutually exclusive" + ) + + if credentials_file is not None: + credentials, _ = google.auth.load_credentials_from_file( + credentials_file, **scopes_kwargs, quota_project_id=quota_project_id + ) + + elif credentials is None: + credentials, _ = google.auth.default( + **scopes_kwargs, quota_project_id=quota_project_id + ) + + # If the credentials is service account credentials, then always try to use self signed JWT. + if ( + always_use_jwt_access + and isinstance(credentials, service_account.Credentials) + and hasattr(service_account.Credentials, "with_always_use_jwt_access") + ): + credentials = credentials.with_always_use_jwt_access(True) + + # Save the credentials. + self._credentials = credentials + + # TODO(busunkim): This method is in the base transport + # to avoid duplicating code across the transport classes. These functions + # should be deleted once the minimum required versions of google-auth is increased. + + # TODO: Remove this function once google-auth >= 1.25.0 is required + @classmethod + def _get_scopes_kwargs( + cls, host: str, scopes: Optional[Sequence[str]] + ) -> Dict[str, Optional[Sequence[str]]]: + """Returns scopes kwargs to pass to google-auth methods depending on the google-auth version""" + + scopes_kwargs = {} + + if _GOOGLE_AUTH_VERSION and ( + packaging.version.parse(_GOOGLE_AUTH_VERSION) + >= packaging.version.parse("1.25.0") + ): + scopes_kwargs = {"scopes": scopes, "default_scopes": cls.AUTH_SCOPES} + else: + scopes_kwargs = {"scopes": scopes or cls.AUTH_SCOPES} + + return scopes_kwargs + + def _prep_wrapped_messages(self, client_info): + # Precompute the wrapped methods. 
+ self._wrapped_methods = { + self.get_policy: gapic_v1.method.wrap_method( + self.get_policy, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=client_info, + ), + self.update_policy: gapic_v1.method.wrap_method( + self.update_policy, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=client_info, + ), + self.create_attestor: gapic_v1.method.wrap_method( + self.create_attestor, default_timeout=600.0, client_info=client_info, + ), + self.get_attestor: gapic_v1.method.wrap_method( + self.get_attestor, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=client_info, + ), + self.update_attestor: gapic_v1.method.wrap_method( + self.update_attestor, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=client_info, + ), + self.list_attestors: gapic_v1.method.wrap_method( + self.list_attestors, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=client_info, + ), + self.delete_attestor: gapic_v1.method.wrap_method( + self.delete_attestor, + 
default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=600.0, + ), + default_timeout=600.0, + client_info=client_info, + ), + } + + @property + def get_policy( + self, + ) -> Callable[ + [service.GetPolicyRequest], Union[resources.Policy, Awaitable[resources.Policy]] + ]: + raise NotImplementedError() + + @property + def update_policy( + self, + ) -> Callable[ + [service.UpdatePolicyRequest], + Union[resources.Policy, Awaitable[resources.Policy]], + ]: + raise NotImplementedError() + + @property + def create_attestor( + self, + ) -> Callable[ + [service.CreateAttestorRequest], + Union[resources.Attestor, Awaitable[resources.Attestor]], + ]: + raise NotImplementedError() + + @property + def get_attestor( + self, + ) -> Callable[ + [service.GetAttestorRequest], + Union[resources.Attestor, Awaitable[resources.Attestor]], + ]: + raise NotImplementedError() + + @property + def update_attestor( + self, + ) -> Callable[ + [service.UpdateAttestorRequest], + Union[resources.Attestor, Awaitable[resources.Attestor]], + ]: + raise NotImplementedError() + + @property + def list_attestors( + self, + ) -> Callable[ + [service.ListAttestorsRequest], + Union[service.ListAttestorsResponse, Awaitable[service.ListAttestorsResponse]], + ]: + raise NotImplementedError() + + @property + def delete_attestor( + self, + ) -> Callable[ + [service.DeleteAttestorRequest], + Union[empty_pb2.Empty, Awaitable[empty_pb2.Empty]], + ]: + raise NotImplementedError() + + +__all__ = ("BinauthzManagementServiceV1Transport",) 
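Review bot: The `credentials_file` entry in the `__init__` docstring of `BinauthzManagementServiceV1Transport` does not say that the file has to come from a trusted source, although the path is passed unchanged to `google.auth.load_credentials_from_file`. Some credential configuration formats tell the auth library where to fetch tokens from, so a file supplied by another party should be validated before it is used with a client that can change admission policy. I would add to that entry: `Only pass a file whose contents you control or have validated.` The same sentence fits the `credentials_file` entries in the `__init__` and `create_channel` docstrings of `transports/grpc.py`.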
diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/grpc.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/grpc.py
new file mode 100644
index 000000000000..53d8da30a451
--- /dev/null
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/grpc.py
@@ -0,0 +1,454 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import warnings +from typing import Callable, Dict, Optional, Sequence, Tuple, Union + +from google.api_core import grpc_helpers # type: ignore +from google.api_core import gapic_v1 # type: ignore +import google.auth # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore + +import grpc # type: ignore + +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from google.protobuf import empty_pb2 # type: ignore +from .base import BinauthzManagementServiceV1Transport, DEFAULT_CLIENT_INFO + + +class BinauthzManagementServiceV1GrpcTransport(BinauthzManagementServiceV1Transport): + """gRPC backend transport for BinauthzManagementServiceV1. + + Google Cloud Management Service for Binary Authorization admission + policies and attestation authorities. + + This API implements a REST model with the following objects: + + - [Policy][google.cloud.binaryauthorization.v1.Policy] + - [Attestor][google.cloud.binaryauthorization.v1.Attestor] + + This class defines the same methods as the primary client, so the + primary client can load the underlying transport implementation + and call it. 
+ + It sends protocol buffers over the wire using gRPC (which is built on + top of HTTP/2); the ``grpcio`` package must be installed. + """ + + _stubs: Dict[str, Callable] + + def __init__( + self, + *, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: str = None, + scopes: Sequence[str] = None, + channel: grpc.Channel = None, + api_mtls_endpoint: str = None, + client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, + ssl_channel_credentials: grpc.ChannelCredentials = None, + client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None, + quota_project_id: Optional[str] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + always_use_jwt_access: Optional[bool] = False, + ) -> None: + """Instantiate the transport. + + Args: + host (Optional[str]): + The hostname to connect to. + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + This argument is ignored if ``channel`` is provided. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is ignored if ``channel`` is provided. + scopes (Optional(Sequence[str])): A list of scopes. This argument is + ignored if ``channel`` is provided. + channel (Optional[grpc.Channel]): A ``Channel`` instance through + which to make calls. + api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. + If provided, it overrides the ``host`` argument and tries to create + a mutual TLS channel with client SSL credentials from + ``client_cert_source`` or applicatin default SSL credentials. + client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): + Deprecated. 
A callback to provide client SSL certificate bytes and + private key bytes, both in PEM format. It is ignored if + ``api_mtls_endpoint`` is None. + ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials + for grpc channel. It is ignored if ``channel`` is provided. + client_cert_source_for_mtls (Optional[Callable[[], Tuple[bytes, bytes]]]): + A callback to provide client certificate bytes and private key bytes, + both in PEM format. It is used to configure mutual TLS channel. It is + ignored if ``channel`` or ``ssl_channel_credentials`` is provided. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + always_use_jwt_access (Optional[bool]): Whether self signed JWT should + be used for service account credentials. + + Raises: + google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport + creation failed for any reason. + google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` + and ``credentials_file`` are passed. + """ + self._grpc_channel = None + self._ssl_channel_credentials = ssl_channel_credentials + self._stubs: Dict[str, Callable] = {} + + if api_mtls_endpoint: + warnings.warn("api_mtls_endpoint is deprecated", DeprecationWarning) + if client_cert_source: + warnings.warn("client_cert_source is deprecated", DeprecationWarning) + + if channel: + # Ignore credentials if a channel was passed. + credentials = False + # If a channel was explicitly provided, set it. + self._grpc_channel = channel + self._ssl_channel_credentials = None + + else: + if api_mtls_endpoint: + host = api_mtls_endpoint + + # Create SSL credentials with client_cert_source or application + # default SSL credentials. 
+ if client_cert_source: + cert, key = client_cert_source() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + else: + self._ssl_channel_credentials = SslCredentials().ssl_credentials + + else: + if client_cert_source_for_mtls and not ssl_channel_credentials: + cert, key = client_cert_source_for_mtls() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + + # The base transport sets the host, credentials and scopes + super().__init__( + host=host, + credentials=credentials, + credentials_file=credentials_file, + scopes=scopes, + quota_project_id=quota_project_id, + client_info=client_info, + always_use_jwt_access=always_use_jwt_access, + ) + + if not self._grpc_channel: + self._grpc_channel = type(self).create_channel( + self._host, + credentials=self._credentials, + credentials_file=credentials_file, + scopes=self._scopes, + ssl_credentials=self._ssl_channel_credentials, + quota_project_id=quota_project_id, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + # Wrap messages. This must be done after self._grpc_channel exists + self._prep_wrapped_messages(client_info) + + @classmethod + def create_channel( + cls, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: str = None, + scopes: Optional[Sequence[str]] = None, + quota_project_id: Optional[str] = None, + **kwargs, + ) -> grpc.Channel: + """Create and return a gRPC channel object. + Args: + host (Optional[str]): The host for the channel to use. + credentials (Optional[~.Credentials]): The + authorization credentials to attach to requests. These + credentials identify this application to the service. If + none are specified, the client will attempt to ascertain + the credentials from the environment. 
+ credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is mutually exclusive with credentials. + scopes (Optional[Sequence[str]]): A optional list of scopes needed for this + service. These are only used when credentials are not specified and + are passed to :func:`google.auth.default`. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + kwargs (Optional[dict]): Keyword arguments, which are passed to the + channel creation. + Returns: + grpc.Channel: A gRPC channel object. + + Raises: + google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` + and ``credentials_file`` are passed. + """ + + return grpc_helpers.create_channel( + host, + credentials=credentials, + credentials_file=credentials_file, + quota_project_id=quota_project_id, + default_scopes=cls.AUTH_SCOPES, + scopes=scopes, + default_host=cls.DEFAULT_HOST, + **kwargs, + ) + + @property + def grpc_channel(self) -> grpc.Channel: + """Return the channel designed to connect to this service. + """ + return self._grpc_channel + + @property + def get_policy(self) -> Callable[[service.GetPolicyRequest], resources.Policy]: + r"""Return a callable for the get policy method over gRPC. + + A [policy][google.cloud.binaryauthorization.v1.Policy] specifies + the [attestors][google.cloud.binaryauthorization.v1.Attestor] + that must attest to a container image, before the project is + allowed to deploy that image. There is at most one policy per + project. All image admission requests are permitted if a project + has no policy. + + Gets the [policy][google.cloud.binaryauthorization.v1.Policy] + for this project. Returns a default + [policy][google.cloud.binaryauthorization.v1.Policy] if the + project does not have one. + + Returns: + Callable[[~.GetPolicyRequest], + ~.Policy]: + A function that, when called, will call the underlying RPC + on the server. 
+ """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "get_policy" not in self._stubs: + self._stubs["get_policy"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/GetPolicy", + request_serializer=service.GetPolicyRequest.serialize, + response_deserializer=resources.Policy.deserialize, + ) + return self._stubs["get_policy"] + + @property + def update_policy( + self, + ) -> Callable[[service.UpdatePolicyRequest], resources.Policy]: + r"""Return a callable for the update policy method over gRPC. + + Creates or updates a project's + [policy][google.cloud.binaryauthorization.v1.Policy], and + returns a copy of the new + [policy][google.cloud.binaryauthorization.v1.Policy]. A policy + is always updated as a whole, to avoid race conditions with + concurrent policy enforcement (or management!) requests. Returns + NOT_FOUND if the project does not exist, INVALID_ARGUMENT if the + request is malformed. + + Returns: + Callable[[~.UpdatePolicyRequest], + ~.Policy]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "update_policy" not in self._stubs: + self._stubs["update_policy"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/UpdatePolicy", + request_serializer=service.UpdatePolicyRequest.serialize, + response_deserializer=resources.Policy.deserialize, + ) + return self._stubs["update_policy"] + + @property + def create_attestor( + self, + ) -> Callable[[service.CreateAttestorRequest], resources.Attestor]: + r"""Return a callable for the create attestor method over gRPC. 
+ + Creates an + [attestor][google.cloud.binaryauthorization.v1.Attestor], and + returns a copy of the new + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the project does not exist, + INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if + the [attestor][google.cloud.binaryauthorization.v1.Attestor] + already exists. + + Returns: + Callable[[~.CreateAttestorRequest], + ~.Attestor]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "create_attestor" not in self._stubs: + self._stubs["create_attestor"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/CreateAttestor", + request_serializer=service.CreateAttestorRequest.serialize, + response_deserializer=resources.Attestor.deserialize, + ) + return self._stubs["create_attestor"] + + @property + def get_attestor( + self, + ) -> Callable[[service.GetAttestorRequest], resources.Attestor]: + r"""Return a callable for the get attestor method over gRPC. + + Gets an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Returns: + Callable[[~.GetAttestorRequest], + ~.Attestor]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. 
+ if "get_attestor" not in self._stubs: + self._stubs["get_attestor"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/GetAttestor", + request_serializer=service.GetAttestorRequest.serialize, + response_deserializer=resources.Attestor.deserialize, + ) + return self._stubs["get_attestor"] + + @property + def update_attestor( + self, + ) -> Callable[[service.UpdateAttestorRequest], resources.Attestor]: + r"""Return a callable for the update attestor method over gRPC. + + Updates an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Returns: + Callable[[~.UpdateAttestorRequest], + ~.Attestor]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "update_attestor" not in self._stubs: + self._stubs["update_attestor"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/UpdateAttestor", + request_serializer=service.UpdateAttestorRequest.serialize, + response_deserializer=resources.Attestor.deserialize, + ) + return self._stubs["update_attestor"] + + @property + def list_attestors( + self, + ) -> Callable[[service.ListAttestorsRequest], service.ListAttestorsResponse]: + r"""Return a callable for the list attestors method over gRPC. + + Lists [attestors][google.cloud.binaryauthorization.v1.Attestor]. + Returns INVALID_ARGUMENT if the project does not exist. + + Returns: + Callable[[~.ListAttestorsRequest], + ~.ListAttestorsResponse]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. 
+ # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "list_attestors" not in self._stubs: + self._stubs["list_attestors"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/ListAttestors", + request_serializer=service.ListAttestorsRequest.serialize, + response_deserializer=service.ListAttestorsResponse.deserialize, + ) + return self._stubs["list_attestors"] + + @property + def delete_attestor( + self, + ) -> Callable[[service.DeleteAttestorRequest], empty_pb2.Empty]: + r"""Return a callable for the delete attestor method over gRPC. + + Deletes an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Returns: + Callable[[~.DeleteAttestorRequest], + ~.Empty]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "delete_attestor" not in self._stubs: + self._stubs["delete_attestor"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/DeleteAttestor", + request_serializer=service.DeleteAttestorRequest.serialize, + response_deserializer=empty_pb2.Empty.FromString, + ) + return self._stubs["delete_attestor"] + + +__all__ = ("BinauthzManagementServiceV1GrpcTransport",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/grpc_asyncio.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/grpc_asyncio.py new file mode 100644 index 000000000000..167e397197fc --- /dev/null 
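Review bot: The `options` list that `__init__` in `transports/grpc.py` passes to `create_channel` sets both `grpc.max_send_message_length` and `grpc.max_receive_message_length` to `-1`, which lifts gRPC's message size limit, and nothing in the file says why. `host` and `api_mtls_endpoint` are caller-supplied, so the peer is not always the default endpoint, and an unbounded receive size lets that peer make the client buffer a response of any size. Policy and Attestor messages are presumably small, so the receive side could take a finite bound, e.g. `("grpc.max_receive_message_length", MAX_RESPONSE_BYTES),` where `MAX_RESPONSE_BYTES` is a placeholder for a limit the project chooses. If unlimited is intended, a comment above the list such as `# Unlimited on purpose: <reason>` would record that decision.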
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/binauthz_management_service_v1/transports/grpc_asyncio.py 
@@ -0,0 +1,463 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import warnings +from typing import Awaitable, Callable, Dict, Optional, Sequence, Tuple, Union + +from google.api_core import gapic_v1 # type: ignore +from google.api_core import grpc_helpers_async # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore +import packaging.version + +import grpc # type: ignore +from grpc.experimental import aio # type: ignore + +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from google.protobuf import empty_pb2 # type: ignore +from .base import BinauthzManagementServiceV1Transport, DEFAULT_CLIENT_INFO +from .grpc import BinauthzManagementServiceV1GrpcTransport + + +class BinauthzManagementServiceV1GrpcAsyncIOTransport( + BinauthzManagementServiceV1Transport +): + """gRPC AsyncIO backend transport for BinauthzManagementServiceV1. + + Google Cloud Management Service for Binary Authorization admission + policies and attestation authorities. 
+ + This API implements a REST model with the following objects: + + - [Policy][google.cloud.binaryauthorization.v1.Policy] + - [Attestor][google.cloud.binaryauthorization.v1.Attestor] + + This class defines the same methods as the primary client, so the + primary client can load the underlying transport implementation + and call it. + + It sends protocol buffers over the wire using gRPC (which is built on + top of HTTP/2); the ``grpcio`` package must be installed. + """ + + _grpc_channel: aio.Channel + _stubs: Dict[str, Callable] = {} + + @classmethod + def create_channel( + cls, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: Optional[str] = None, + scopes: Optional[Sequence[str]] = None, + quota_project_id: Optional[str] = None, + **kwargs, + ) -> aio.Channel: + """Create and return a gRPC AsyncIO channel object. + Args: + host (Optional[str]): The host for the channel to use. + credentials (Optional[~.Credentials]): The + authorization credentials to attach to requests. These + credentials identify this application to the service. If + none are specified, the client will attempt to ascertain + the credentials from the environment. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is ignored if ``channel`` is provided. + scopes (Optional[Sequence[str]]): A optional list of scopes needed for this + service. These are only used when credentials are not specified and + are passed to :func:`google.auth.default`. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + kwargs (Optional[dict]): Keyword arguments, which are passed to the + channel creation. + Returns: + aio.Channel: A gRPC AsyncIO channel object. 
+ """ + + return grpc_helpers_async.create_channel( + host, + credentials=credentials, + credentials_file=credentials_file, + quota_project_id=quota_project_id, + default_scopes=cls.AUTH_SCOPES, + scopes=scopes, + default_host=cls.DEFAULT_HOST, + **kwargs, + ) + + def __init__( + self, + *, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: Optional[str] = None, + scopes: Optional[Sequence[str]] = None, + channel: aio.Channel = None, + api_mtls_endpoint: str = None, + client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, + ssl_channel_credentials: grpc.ChannelCredentials = None, + client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None, + quota_project_id=None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + always_use_jwt_access: Optional[bool] = False, + ) -> None: + """Instantiate the transport. + + Args: + host (Optional[str]): + The hostname to connect to. + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + This argument is ignored if ``channel`` is provided. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is ignored if ``channel`` is provided. + scopes (Optional[Sequence[str]]): A optional list of scopes needed for this + service. These are only used when credentials are not specified and + are passed to :func:`google.auth.default`. + channel (Optional[aio.Channel]): A ``Channel`` instance through + which to make calls. + api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. 
+ If provided, it overrides the ``host`` argument and tries to create + a mutual TLS channel with client SSL credentials from + ``client_cert_source`` or applicatin default SSL credentials. + client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): + Deprecated. A callback to provide client SSL certificate bytes and + private key bytes, both in PEM format. It is ignored if + ``api_mtls_endpoint`` is None. + ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials + for grpc channel. It is ignored if ``channel`` is provided. + client_cert_source_for_mtls (Optional[Callable[[], Tuple[bytes, bytes]]]): + A callback to provide client certificate bytes and private key bytes, + both in PEM format. It is used to configure mutual TLS channel. It is + ignored if ``channel`` or ``ssl_channel_credentials`` is provided. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + always_use_jwt_access (Optional[bool]): Whether self signed JWT should + be used for service account credentials. + + Raises: + google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport + creation failed for any reason. + google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` + and ``credentials_file`` are passed. + """ + self._grpc_channel = None + self._ssl_channel_credentials = ssl_channel_credentials + self._stubs: Dict[str, Callable] = {} + + if api_mtls_endpoint: + warnings.warn("api_mtls_endpoint is deprecated", DeprecationWarning) + if client_cert_source: + warnings.warn("client_cert_source is deprecated", DeprecationWarning) + + if channel: + # Ignore credentials if a channel was passed. 
+ credentials = False + # If a channel was explicitly provided, set it. + self._grpc_channel = channel + self._ssl_channel_credentials = None + else: + if api_mtls_endpoint: + host = api_mtls_endpoint + + # Create SSL credentials with client_cert_source or application + # default SSL credentials. + if client_cert_source: + cert, key = client_cert_source() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + else: + self._ssl_channel_credentials = SslCredentials().ssl_credentials + + else: + if client_cert_source_for_mtls and not ssl_channel_credentials: + cert, key = client_cert_source_for_mtls() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + + # The base transport sets the host, credentials and scopes + super().__init__( + host=host, + credentials=credentials, + credentials_file=credentials_file, + scopes=scopes, + quota_project_id=quota_project_id, + client_info=client_info, + always_use_jwt_access=always_use_jwt_access, + ) + + if not self._grpc_channel: + self._grpc_channel = type(self).create_channel( + self._host, + credentials=self._credentials, + credentials_file=credentials_file, + scopes=self._scopes, + ssl_credentials=self._ssl_channel_credentials, + quota_project_id=quota_project_id, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + # Wrap messages. This must be done after self._grpc_channel exists + self._prep_wrapped_messages(client_info) + + @property + def grpc_channel(self) -> aio.Channel: + """Create the channel designed to connect to this service. + + This property caches on the instance; repeated calls return + the same channel. + """ + # Return the channel from cache. 
+ return self._grpc_channel + + @property + def get_policy( + self, + ) -> Callable[[service.GetPolicyRequest], Awaitable[resources.Policy]]: + r"""Return a callable for the get policy method over gRPC. + + A [policy][google.cloud.binaryauthorization.v1.Policy] specifies + the [attestors][google.cloud.binaryauthorization.v1.Attestor] + that must attest to a container image, before the project is + allowed to deploy that image. There is at most one policy per + project. All image admission requests are permitted if a project + has no policy. + + Gets the [policy][google.cloud.binaryauthorization.v1.Policy] + for this project. Returns a default + [policy][google.cloud.binaryauthorization.v1.Policy] if the + project does not have one. + + Returns: + Callable[[~.GetPolicyRequest], + Awaitable[~.Policy]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "get_policy" not in self._stubs: + self._stubs["get_policy"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/GetPolicy", + request_serializer=service.GetPolicyRequest.serialize, + response_deserializer=resources.Policy.deserialize, + ) + return self._stubs["get_policy"] + + @property + def update_policy( + self, + ) -> Callable[[service.UpdatePolicyRequest], Awaitable[resources.Policy]]: + r"""Return a callable for the update policy method over gRPC. + + Creates or updates a project's + [policy][google.cloud.binaryauthorization.v1.Policy], and + returns a copy of the new + [policy][google.cloud.binaryauthorization.v1.Policy]. A policy + is always updated as a whole, to avoid race conditions with + concurrent policy enforcement (or management!) requests. 
Returns + NOT_FOUND if the project does not exist, INVALID_ARGUMENT if the + request is malformed. + + Returns: + Callable[[~.UpdatePolicyRequest], + Awaitable[~.Policy]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "update_policy" not in self._stubs: + self._stubs["update_policy"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/UpdatePolicy", + request_serializer=service.UpdatePolicyRequest.serialize, + response_deserializer=resources.Policy.deserialize, + ) + return self._stubs["update_policy"] + + @property + def create_attestor( + self, + ) -> Callable[[service.CreateAttestorRequest], Awaitable[resources.Attestor]]: + r"""Return a callable for the create attestor method over gRPC. + + Creates an + [attestor][google.cloud.binaryauthorization.v1.Attestor], and + returns a copy of the new + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the project does not exist, + INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if + the [attestor][google.cloud.binaryauthorization.v1.Attestor] + already exists. + + Returns: + Callable[[~.CreateAttestorRequest], + Awaitable[~.Attestor]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. 
+ if "create_attestor" not in self._stubs: + self._stubs["create_attestor"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/CreateAttestor", + request_serializer=service.CreateAttestorRequest.serialize, + response_deserializer=resources.Attestor.deserialize, + ) + return self._stubs["create_attestor"] + + @property + def get_attestor( + self, + ) -> Callable[[service.GetAttestorRequest], Awaitable[resources.Attestor]]: + r"""Return a callable for the get attestor method over gRPC. + + Gets an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Returns: + Callable[[~.GetAttestorRequest], + Awaitable[~.Attestor]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "get_attestor" not in self._stubs: + self._stubs["get_attestor"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/GetAttestor", + request_serializer=service.GetAttestorRequest.serialize, + response_deserializer=resources.Attestor.deserialize, + ) + return self._stubs["get_attestor"] + + @property + def update_attestor( + self, + ) -> Callable[[service.UpdateAttestorRequest], Awaitable[resources.Attestor]]: + r"""Return a callable for the update attestor method over gRPC. + + Updates an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. + + Returns: + Callable[[~.UpdateAttestorRequest], + Awaitable[~.Attestor]]: + A function that, when called, will call the underlying RPC + on the server. 
+ """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "update_attestor" not in self._stubs: + self._stubs["update_attestor"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/UpdateAttestor", + request_serializer=service.UpdateAttestorRequest.serialize, + response_deserializer=resources.Attestor.deserialize, + ) + return self._stubs["update_attestor"] + + @property + def list_attestors( + self, + ) -> Callable[ + [service.ListAttestorsRequest], Awaitable[service.ListAttestorsResponse] + ]: + r"""Return a callable for the list attestors method over gRPC. + + Lists [attestors][google.cloud.binaryauthorization.v1.Attestor]. + Returns INVALID_ARGUMENT if the project does not exist. + + Returns: + Callable[[~.ListAttestorsRequest], + Awaitable[~.ListAttestorsResponse]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "list_attestors" not in self._stubs: + self._stubs["list_attestors"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/ListAttestors", + request_serializer=service.ListAttestorsRequest.serialize, + response_deserializer=service.ListAttestorsResponse.deserialize, + ) + return self._stubs["list_attestors"] + + @property + def delete_attestor( + self, + ) -> Callable[[service.DeleteAttestorRequest], Awaitable[empty_pb2.Empty]]: + r"""Return a callable for the delete attestor method over gRPC. + + Deletes an + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + Returns NOT_FOUND if the + [attestor][google.cloud.binaryauthorization.v1.Attestor] does + not exist. 
+ + Returns: + Callable[[~.DeleteAttestorRequest], + Awaitable[~.Empty]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "delete_attestor" not in self._stubs: + self._stubs["delete_attestor"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/DeleteAttestor", + request_serializer=service.DeleteAttestorRequest.serialize, + response_deserializer=empty_pb2.Empty.FromString, + ) + return self._stubs["delete_attestor"] + + +__all__ = ("BinauthzManagementServiceV1GrpcAsyncIOTransport",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/__init__.py new file mode 100644 index 000000000000..0d527b7bf4b7 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/__init__.py 
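Review bot: The channel options in `__init__` of `BinauthzManagementServiceV1GrpcAsyncIOTransport` set `("grpc.max_receive_message_length", -1)` and the matching send option, which removes gRPC's per-message size cap, so this transport will buffer a response of any size from whatever `host` (or deprecated `api_mtls_endpoint`) it is configured with. The RPCs wired up in this file return a single policy, a single attestor or one page of attestors, so an unbounded receive size looks unnecessary for them; if it is intentional, record that next to the options, e.g. `# -1 disables the size cap; the endpoint is trusted to return bounded responses`. Separately, `credentials = False` in the `if channel:` branch hands a bool to a parameter annotated `ga_credentials.Credentials`; the base transport is not shown in this hunk, so a one-line comment on how it interprets that sentinel would help the next reader.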
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+from .client import SystemPolicyV1Client
+from .async_client import SystemPolicyV1AsyncClient
+
+__all__ = (
+ "SystemPolicyV1Client",
+ "SystemPolicyV1AsyncClient",
+)
diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/async_client.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/async_client.py
new file mode 100644
index 000000000000..75c81fc5581d
--- /dev/null
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/async_client.py
@@ -0,0 +1,249 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +from collections import OrderedDict +import functools +import re +from typing import Dict, Sequence, Tuple, Type, Union +import pkg_resources + +import google.api_core.client_options as ClientOptions # type: ignore +from google.api_core import exceptions as core_exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.oauth2 import service_account # type: ignore + +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from google.protobuf import timestamp_pb2 # type: ignore +from .transports.base import SystemPolicyV1Transport, DEFAULT_CLIENT_INFO +from .transports.grpc_asyncio import SystemPolicyV1GrpcAsyncIOTransport +from .client import SystemPolicyV1Client + + +class SystemPolicyV1AsyncClient: + """API for working with the system policy.""" + + _client: SystemPolicyV1Client + + DEFAULT_ENDPOINT = SystemPolicyV1Client.DEFAULT_ENDPOINT + DEFAULT_MTLS_ENDPOINT = SystemPolicyV1Client.DEFAULT_MTLS_ENDPOINT + + policy_path = staticmethod(SystemPolicyV1Client.policy_path) + parse_policy_path = staticmethod(SystemPolicyV1Client.parse_policy_path) + common_billing_account_path = staticmethod( + 
SystemPolicyV1Client.common_billing_account_path + ) + parse_common_billing_account_path = staticmethod( + SystemPolicyV1Client.parse_common_billing_account_path + ) + common_folder_path = staticmethod(SystemPolicyV1Client.common_folder_path) + parse_common_folder_path = staticmethod( + SystemPolicyV1Client.parse_common_folder_path + ) + common_organization_path = staticmethod( + SystemPolicyV1Client.common_organization_path + ) + parse_common_organization_path = staticmethod( + SystemPolicyV1Client.parse_common_organization_path + ) + common_project_path = staticmethod(SystemPolicyV1Client.common_project_path) + parse_common_project_path = staticmethod( + SystemPolicyV1Client.parse_common_project_path + ) + common_location_path = staticmethod(SystemPolicyV1Client.common_location_path) + parse_common_location_path = staticmethod( + SystemPolicyV1Client.parse_common_location_path + ) + + @classmethod + def from_service_account_info(cls, info: dict, *args, **kwargs): + """Creates an instance of this client using the provided credentials + info. + + Args: + info (dict): The service account private key info. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + SystemPolicyV1AsyncClient: The constructed client. + """ + return SystemPolicyV1Client.from_service_account_info.__func__(SystemPolicyV1AsyncClient, info, *args, **kwargs) # type: ignore + + @classmethod + def from_service_account_file(cls, filename: str, *args, **kwargs): + """Creates an instance of this client using the provided credentials + file. + + Args: + filename (str): The path to the service account private key json + file. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + SystemPolicyV1AsyncClient: The constructed client. 
+ """ + return SystemPolicyV1Client.from_service_account_file.__func__(SystemPolicyV1AsyncClient, filename, *args, **kwargs) # type: ignore + + from_service_account_json = from_service_account_file + + @property + def transport(self) -> SystemPolicyV1Transport: + """Returns the transport used by the client instance. + + Returns: + SystemPolicyV1Transport: The transport used by the client instance. + """ + return self._client.transport + + get_transport_class = functools.partial( + type(SystemPolicyV1Client).get_transport_class, type(SystemPolicyV1Client) + ) + + def __init__( + self, + *, + credentials: ga_credentials.Credentials = None, + transport: Union[str, SystemPolicyV1Transport] = "grpc_asyncio", + client_options: ClientOptions = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + ) -> None: + """Instantiates the system policy v1 client. + + Args: + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + transport (Union[str, ~.SystemPolicyV1Transport]): The + transport to use. If set to None, a transport is chosen + automatically. + client_options (ClientOptions): Custom options for the client. It + won't take effect if a ``transport`` instance is provided. + (1) The ``api_endpoint`` property can be used to override the + default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT + environment variable can also be used to override the endpoint: + "always" (always use the default mTLS endpoint), "never" (always + use the default regular endpoint) and "auto" (auto switch to the + default mTLS endpoint if client certificate is present, this is + the default value). However, the ``api_endpoint`` property takes + precedence if provided. 
+ (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable + is "true", then the ``client_cert_source`` property can be used + to provide client certificate for mutual TLS transport. If + not provided, the default SSL client certificate will be used if + present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not + set, no client certificate will be used. + + Raises: + google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport + creation failed for any reason. + """ + self._client = SystemPolicyV1Client( + credentials=credentials, + transport=transport, + client_options=client_options, + client_info=client_info, + ) + + async def get_system_policy( + self, + request: service.GetSystemPolicyRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Policy: + r"""Gets the current system policy in the specified + location. + + Args: + request (:class:`google.cloud.binaryauthorization_v1.types.GetSystemPolicyRequest`): + The request object. Request to read the current system + policy. + name (:class:`str`): + Required. The resource name, in the format + ``locations/*/policy``. Note that the system policy is + not associated with a project. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Policy: + A [policy][google.cloud.binaryauthorization.v1.Policy] + for container image binary authorization. + + """ + # Create or coerce a protobuf request object. 
+ # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.GetSystemPolicyRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = gapic_v1.method_async.wrap_method( + self._client._transport.get_system_policy, + default_timeout=None, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution( + "google-cloud-binary-authorization", + ).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + + +__all__ = ("SystemPolicyV1AsyncClient",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/client.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/client.py new file mode 100644 index 000000000000..14b1aa046274 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/client.py 
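Review bot: In `get_system_policy` the two checks on the flattened argument disagree: the guard uses `has_flattened_params = any([name])`, which is false for `name=""`, while the assignment below uses `if name is not None:`, so a call that passes both `request` and an empty `name` skips the `ValueError` and silently overwrites `request.name` with the empty string before it goes into the routing header. Making the guard match the assignment closes that gap: `has_flattened_params = name is not None`. The wrapped call is also built with `default_timeout=None` and the parameter default is `timeout: float = None`, so as far as this hunk shows no deadline applies unless the caller supplies one; confirm that against `wrap_method` and state the behaviour in the `timeout` line of the docstring.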
@@ -0,0 +1,433 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +from collections import OrderedDict +from distutils import util +import os +import re +from typing import Callable, Dict, Optional, Sequence, Tuple, Type, Union +import pkg_resources + +from google.api_core import client_options as client_options_lib # type: ignore +from google.api_core import exceptions as core_exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.auth.transport import mtls # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore +from google.auth.exceptions import MutualTLSChannelError # type: ignore +from google.oauth2 import service_account # type: ignore + +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from google.protobuf import timestamp_pb2 # type: ignore +from .transports.base import SystemPolicyV1Transport, DEFAULT_CLIENT_INFO +from .transports.grpc import SystemPolicyV1GrpcTransport +from .transports.grpc_asyncio import SystemPolicyV1GrpcAsyncIOTransport + + +class SystemPolicyV1ClientMeta(type): + """Metaclass for the SystemPolicyV1 client. + + This provides class-level methods for building and retrieving + support objects (e.g. 
transport) without polluting the client instance + objects. + """ + + _transport_registry = ( + OrderedDict() + ) # type: Dict[str, Type[SystemPolicyV1Transport]] + _transport_registry["grpc"] = SystemPolicyV1GrpcTransport + _transport_registry["grpc_asyncio"] = SystemPolicyV1GrpcAsyncIOTransport + + def get_transport_class(cls, label: str = None,) -> Type[SystemPolicyV1Transport]: + """Returns an appropriate transport class. + + Args: + label: The name of the desired transport. If none is + provided, then the first transport in the registry is used. + + Returns: + The transport class to use. + """ + # If a specific transport is requested, return that one. + if label: + return cls._transport_registry[label] + + # No transport is requested; return the default (that is, the first one + # in the dictionary). + return next(iter(cls._transport_registry.values())) + + +class SystemPolicyV1Client(metaclass=SystemPolicyV1ClientMeta): + """API for working with the system policy.""" + + @staticmethod + def _get_default_mtls_endpoint(api_endpoint): + """Converts api endpoint to mTLS endpoint. + + Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to + "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively. + Args: + api_endpoint (Optional[str]): the api endpoint to convert. + Returns: + str: converted mTLS api endpoint. + """ + if not api_endpoint: + return api_endpoint + + mtls_endpoint_re = re.compile( + r"(?P[^.]+)(?P\.mtls)?(?P\.sandbox)?(?P\.googleapis\.com)?" 
+ ) + + m = mtls_endpoint_re.match(api_endpoint) + name, mtls, sandbox, googledomain = m.groups() + if mtls or not googledomain: + return api_endpoint + + if sandbox: + return api_endpoint.replace( + "sandbox.googleapis.com", "mtls.sandbox.googleapis.com" + ) + + return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com") + + DEFAULT_ENDPOINT = "binaryauthorization.googleapis.com" + DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore + DEFAULT_ENDPOINT + ) + + @classmethod + def from_service_account_info(cls, info: dict, *args, **kwargs): + """Creates an instance of this client using the provided credentials + info. + + Args: + info (dict): The service account private key info. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + SystemPolicyV1Client: The constructed client. + """ + credentials = service_account.Credentials.from_service_account_info(info) + kwargs["credentials"] = credentials + return cls(*args, **kwargs) + + @classmethod + def from_service_account_file(cls, filename: str, *args, **kwargs): + """Creates an instance of this client using the provided credentials + file. + + Args: + filename (str): The path to the service account private key json + file. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + SystemPolicyV1Client: The constructed client. + """ + credentials = service_account.Credentials.from_service_account_file(filename) + kwargs["credentials"] = credentials + return cls(*args, **kwargs) + + from_service_account_json = from_service_account_file + + @property + def transport(self) -> SystemPolicyV1Transport: + """Returns the transport used by the client instance. + + Returns: + SystemPolicyV1Transport: The transport used by the client + instance. 
+ """ + return self._transport + + @staticmethod + def policy_path(project: str,) -> str: + """Returns a fully-qualified policy string.""" + return "projects/{project}/policy".format(project=project,) + + @staticmethod + def parse_policy_path(path: str) -> Dict[str, str]: + """Parses a policy path into its component segments.""" + m = re.match(r"^projects/(?P.+?)/policy$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_billing_account_path(billing_account: str,) -> str: + """Returns a fully-qualified billing_account string.""" + return "billingAccounts/{billing_account}".format( + billing_account=billing_account, + ) + + @staticmethod + def parse_common_billing_account_path(path: str) -> Dict[str, str]: + """Parse a billing_account path into its component segments.""" + m = re.match(r"^billingAccounts/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_folder_path(folder: str,) -> str: + """Returns a fully-qualified folder string.""" + return "folders/{folder}".format(folder=folder,) + + @staticmethod + def parse_common_folder_path(path: str) -> Dict[str, str]: + """Parse a folder path into its component segments.""" + m = re.match(r"^folders/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_organization_path(organization: str,) -> str: + """Returns a fully-qualified organization string.""" + return "organizations/{organization}".format(organization=organization,) + + @staticmethod + def parse_common_organization_path(path: str) -> Dict[str, str]: + """Parse a organization path into its component segments.""" + m = re.match(r"^organizations/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_project_path(project: str,) -> str: + """Returns a fully-qualified project string.""" + return "projects/{project}".format(project=project,) + + @staticmethod + def parse_common_project_path(path: str) -> Dict[str, str]: + """Parse a project path into its 
component segments.""" + m = re.match(r"^projects/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_location_path(project: str, location: str,) -> str: + """Returns a fully-qualified location string.""" + return "projects/{project}/locations/{location}".format( + project=project, location=location, + ) + + @staticmethod + def parse_common_location_path(path: str) -> Dict[str, str]: + """Parse a location path into its component segments.""" + m = re.match(r"^projects/(?P.+?)/locations/(?P.+?)$", path) + return m.groupdict() if m else {} + + def __init__( + self, + *, + credentials: Optional[ga_credentials.Credentials] = None, + transport: Union[str, SystemPolicyV1Transport, None] = None, + client_options: Optional[client_options_lib.ClientOptions] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + ) -> None: + """Instantiates the system policy v1 client. + + Args: + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + transport (Union[str, SystemPolicyV1Transport]): The + transport to use. If set to None, a transport is chosen + automatically. + client_options (google.api_core.client_options.ClientOptions): Custom options for the + client. It won't take effect if a ``transport`` instance is provided. + (1) The ``api_endpoint`` property can be used to override the + default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT + environment variable can also be used to override the endpoint: + "always" (always use the default mTLS endpoint), "never" (always + use the default regular endpoint) and "auto" (auto switch to the + default mTLS endpoint if client certificate is present, this is + the default value). 
However, the ``api_endpoint`` property takes + precedence if provided. + (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable + is "true", then the ``client_cert_source`` property can be used + to provide client certificate for mutual TLS transport. If + not provided, the default SSL client certificate will be used if + present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not + set, no client certificate will be used. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + + Raises: + google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport + creation failed for any reason. + """ + if isinstance(client_options, dict): + client_options = client_options_lib.from_dict(client_options) + if client_options is None: + client_options = client_options_lib.ClientOptions() + + # Create SSL credentials for mutual TLS if needed. + use_client_cert = bool( + util.strtobool(os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false")) + ) + + client_cert_source_func = None + is_mtls = False + if use_client_cert: + if client_options.client_cert_source: + is_mtls = True + client_cert_source_func = client_options.client_cert_source + else: + is_mtls = mtls.has_default_client_cert_source() + if is_mtls: + client_cert_source_func = mtls.default_client_cert_source() + else: + client_cert_source_func = None + + # Figure out which api endpoint to use. 
+ if client_options.api_endpoint is not None: + api_endpoint = client_options.api_endpoint + else: + use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") + if use_mtls_env == "never": + api_endpoint = self.DEFAULT_ENDPOINT + elif use_mtls_env == "always": + api_endpoint = self.DEFAULT_MTLS_ENDPOINT + elif use_mtls_env == "auto": + if is_mtls: + api_endpoint = self.DEFAULT_MTLS_ENDPOINT + else: + api_endpoint = self.DEFAULT_ENDPOINT + else: + raise MutualTLSChannelError( + "Unsupported GOOGLE_API_USE_MTLS_ENDPOINT value. Accepted " + "values: never, auto, always" + ) + + # Save or instantiate the transport. + # Ordinarily, we provide the transport, but allowing a custom transport + # instance provides an extensibility point for unusual situations. + if isinstance(transport, SystemPolicyV1Transport): + # transport is a SystemPolicyV1Transport instance. + if credentials or client_options.credentials_file: + raise ValueError( + "When providing a transport instance, " + "provide its credentials directly." + ) + if client_options.scopes: + raise ValueError( + "When providing a transport instance, provide its scopes " + "directly." 
+ ) + self._transport = transport + else: + Transport = type(self).get_transport_class(transport) + self._transport = Transport( + credentials=credentials, + credentials_file=client_options.credentials_file, + host=api_endpoint, + scopes=client_options.scopes, + client_cert_source_for_mtls=client_cert_source_func, + quota_project_id=client_options.quota_project_id, + client_info=client_info, + always_use_jwt_access=( + Transport == type(self).get_transport_class("grpc") + or Transport == type(self).get_transport_class("grpc_asyncio") + ), + ) + + def get_system_policy( + self, + request: service.GetSystemPolicyRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.Policy: + r"""Gets the current system policy in the specified + location. + + Args: + request (google.cloud.binaryauthorization_v1.types.GetSystemPolicyRequest): + The request object. Request to read the current system + policy. + name (str): + Required. The resource name, in the format + ``locations/*/policy``. Note that the system policy is + not associated with a project. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.Policy: + A [policy][google.cloud.binaryauthorization.v1.Policy] + for container image binary authorization. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. 
+ has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.GetSystemPolicyRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.GetSystemPolicyRequest): + request = service.GetSystemPolicyRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[self._transport.get_system_policy] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution( + "google-cloud-binary-authorization", + ).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + + +__all__ = ("SystemPolicyV1Client",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/__init__.py new file mode 100644 index 000000000000..bc3c745bec8b --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/__init__.py 
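Review bot: `SystemPolicyV1Client.__init__` parses GOOGLE_API_USE_CLIENT_CERTIFICATE with `util.strtobool` from `distutils`, which is deprecated (PEP 632) and no longer ships with Python 3.12 and later, so the import at the top of client.py will eventually fail. `strtobool` also accepts spellings the docstring does not describe (`1`, `yes`, `on`, ...), so the switch that decides whether a client certificate is presented is looser than documented. Read the variable directly and reject anything else: `use_client_cert = os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false")`, `if use_client_cert not in ("true", "false"): raise ValueError(...)`, then branch on `use_client_cert == "true"`. Separately, when the variable is "true" but no certificate source is found, `is_mtls` stays False and the default "auto" mode selects the regular endpoint with no client certificate. A short comment on that `else` branch stating that the fallback is intentional would help operators who expect mTLS to be enforced.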
@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+from collections import OrderedDict
+from typing import Dict, Type
+
+from .base import SystemPolicyV1Transport
+from .grpc import SystemPolicyV1GrpcTransport
+from .grpc_asyncio import SystemPolicyV1GrpcAsyncIOTransport
+
+
+# Compile a registry of transports.
+_transport_registry = OrderedDict() # type: Dict[str, Type[SystemPolicyV1Transport]]
+_transport_registry["grpc"] = SystemPolicyV1GrpcTransport
+_transport_registry["grpc_asyncio"] = SystemPolicyV1GrpcAsyncIOTransport
+
+__all__ = (
+ "SystemPolicyV1Transport",
+ "SystemPolicyV1GrpcTransport",
+ "SystemPolicyV1GrpcAsyncIOTransport",
+)
diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/base.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/base.py
new file mode 100644
index 000000000000..3e98f40a579d
--- /dev/null
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/base.py
@@ -0,0 +1,173 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import abc +from typing import Awaitable, Callable, Dict, Optional, Sequence, Union +import packaging.version +import pkg_resources + +import google.auth # type: ignore +import google.api_core # type: ignore +from google.api_core import exceptions as core_exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.oauth2 import service_account # type: ignore + +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service + +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution( + "google-cloud-binary-authorization", + ).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + +try: + # google.auth.__version__ was added in 1.26.0 + _GOOGLE_AUTH_VERSION = google.auth.__version__ +except AttributeError: + try: # try pkg_resources if it is available + _GOOGLE_AUTH_VERSION = pkg_resources.get_distribution("google-auth").version + except pkg_resources.DistributionNotFound: # pragma: NO COVER + _GOOGLE_AUTH_VERSION = None + + +class SystemPolicyV1Transport(abc.ABC): + """Abstract transport class for 
SystemPolicyV1.""" + + AUTH_SCOPES = ("https://www.googleapis.com/auth/cloud-platform",) + + DEFAULT_HOST: str = "binaryauthorization.googleapis.com" + + def __init__( + self, + *, + host: str = DEFAULT_HOST, + credentials: ga_credentials.Credentials = None, + credentials_file: Optional[str] = None, + scopes: Optional[Sequence[str]] = None, + quota_project_id: Optional[str] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + always_use_jwt_access: Optional[bool] = False, + **kwargs, + ) -> None: + """Instantiate the transport. + + Args: + host (Optional[str]): + The hostname to connect to. + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is mutually exclusive with credentials. + scopes (Optional[Sequence[str]]): A list of scopes. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + always_use_jwt_access (Optional[bool]): Whether self signed JWT should + be used for service account credentials. + """ + # Save the hostname. Default to port 443 (HTTPS) if none is specified. + if ":" not in host: + host += ":443" + self._host = host + + scopes_kwargs = self._get_scopes_kwargs(self._host, scopes) + + # Save the scopes. + self._scopes = scopes + + # If no credentials are provided, then determine the appropriate + # defaults. 
+ if credentials and credentials_file: + raise core_exceptions.DuplicateCredentialArgs( + "'credentials_file' and 'credentials' are mutually exclusive" + ) + + if credentials_file is not None: + credentials, _ = google.auth.load_credentials_from_file( + credentials_file, **scopes_kwargs, quota_project_id=quota_project_id + ) + + elif credentials is None: + credentials, _ = google.auth.default( + **scopes_kwargs, quota_project_id=quota_project_id + ) + + # If the credentials is service account credentials, then always try to use self signed JWT. + if ( + always_use_jwt_access + and isinstance(credentials, service_account.Credentials) + and hasattr(service_account.Credentials, "with_always_use_jwt_access") + ): + credentials = credentials.with_always_use_jwt_access(True) + + # Save the credentials. + self._credentials = credentials + + # TODO(busunkim): This method is in the base transport + # to avoid duplicating code across the transport classes. These functions + # should be deleted once the minimum required versions of google-auth is increased. + + # TODO: Remove this function once google-auth >= 1.25.0 is required + @classmethod + def _get_scopes_kwargs( + cls, host: str, scopes: Optional[Sequence[str]] + ) -> Dict[str, Optional[Sequence[str]]]: + """Returns scopes kwargs to pass to google-auth methods depending on the google-auth version""" + + scopes_kwargs = {} + + if _GOOGLE_AUTH_VERSION and ( + packaging.version.parse(_GOOGLE_AUTH_VERSION) + >= packaging.version.parse("1.25.0") + ): + scopes_kwargs = {"scopes": scopes, "default_scopes": cls.AUTH_SCOPES} + else: + scopes_kwargs = {"scopes": scopes or cls.AUTH_SCOPES} + + return scopes_kwargs + + def _prep_wrapped_messages(self, client_info): + # Precompute the wrapped methods. 
+ self._wrapped_methods = { + self.get_system_policy: gapic_v1.method.wrap_method( + self.get_system_policy, default_timeout=None, client_info=client_info, + ), + } + + @property + def get_system_policy( + self, + ) -> Callable[ + [service.GetSystemPolicyRequest], + Union[resources.Policy, Awaitable[resources.Policy]], + ]: + raise NotImplementedError() + + +__all__ = ("SystemPolicyV1Transport",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/grpc.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/grpc.py new file mode 100644 index 000000000000..b112d9f41219 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/grpc.py 
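Review bot: `_prep_wrapped_messages` wraps `get_system_policy` with `default_timeout=None`, and the client method's own `timeout` parameter defaults to None, so as far as these lines show a call has no deadline unless the caller passes one. For a policy lookup that may sit on a deployment or admission path, an unbounded wait is worth either a finite default here (generated from the service config, if it defines one) or a sentence in the `timeout` docstring telling callers to set it. `_prep_wrapped_messages` also has no docstring; something like `"""Precompute the retry/timeout-wrapped callable for each RPC."""` would do. In the same hunk, `SystemPolicyV1Transport.__init__` accepts `**kwargs` and never reads them, so a misspelled keyword such as `credential=` is dropped silently and credential resolution falls through to `google.auth.default(...)`; rejecting unknown keywords would make that mistake visible.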
@@ -0,0 +1,257 @@
+# -*- coding: utf-8 -*-
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+import warnings
+from typing import Callable, Dict, Optional, Sequence, Tuple, Union
+
+from google.api_core import grpc_helpers # type: ignore
+from google.api_core import gapic_v1 # type: ignore
+import google.auth # type: ignore
+from google.auth import credentials as ga_credentials # type: ignore
+from google.auth.transport.grpc import SslCredentials # type: ignore
+
+import grpc # type: ignore
+
+from google.cloud.binaryauthorization_v1.types import resources
+from google.cloud.binaryauthorization_v1.types import service
+from .base import SystemPolicyV1Transport, DEFAULT_CLIENT_INFO
+
+
+class SystemPolicyV1GrpcTransport(SystemPolicyV1Transport):
+ """gRPC backend transport for SystemPolicyV1.
+
+ API for working with the system policy.
+
+ This class defines the same methods as the primary client, so the
+ primary client can load the underlying transport implementation
+ and call it.
+
+ It sends protocol buffers over the wire using gRPC (which is built on
+ top of HTTP/2); the ``grpcio`` package must be installed.
+ """ + + _stubs: Dict[str, Callable] + + def __init__( + self, + *, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: str = None, + scopes: Sequence[str] = None, + channel: grpc.Channel = None, + api_mtls_endpoint: str = None, + client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, + ssl_channel_credentials: grpc.ChannelCredentials = None, + client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None, + quota_project_id: Optional[str] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + always_use_jwt_access: Optional[bool] = False, + ) -> None: + """Instantiate the transport. + + Args: + host (Optional[str]): + The hostname to connect to. + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + This argument is ignored if ``channel`` is provided. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is ignored if ``channel`` is provided. + scopes (Optional(Sequence[str])): A list of scopes. This argument is + ignored if ``channel`` is provided. + channel (Optional[grpc.Channel]): A ``Channel`` instance through + which to make calls. + api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. + If provided, it overrides the ``host`` argument and tries to create + a mutual TLS channel with client SSL credentials from + ``client_cert_source`` or applicatin default SSL credentials. + client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): + Deprecated. A callback to provide client SSL certificate bytes and + private key bytes, both in PEM format. It is ignored if + ``api_mtls_endpoint`` is None. 
+ ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials + for grpc channel. It is ignored if ``channel`` is provided. + client_cert_source_for_mtls (Optional[Callable[[], Tuple[bytes, bytes]]]): + A callback to provide client certificate bytes and private key bytes, + both in PEM format. It is used to configure mutual TLS channel. It is + ignored if ``channel`` or ``ssl_channel_credentials`` is provided. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + always_use_jwt_access (Optional[bool]): Whether self signed JWT should + be used for service account credentials. + + Raises: + google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport + creation failed for any reason. + google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` + and ``credentials_file`` are passed. + """ + self._grpc_channel = None + self._ssl_channel_credentials = ssl_channel_credentials + self._stubs: Dict[str, Callable] = {} + + if api_mtls_endpoint: + warnings.warn("api_mtls_endpoint is deprecated", DeprecationWarning) + if client_cert_source: + warnings.warn("client_cert_source is deprecated", DeprecationWarning) + + if channel: + # Ignore credentials if a channel was passed. + credentials = False + # If a channel was explicitly provided, set it. + self._grpc_channel = channel + self._ssl_channel_credentials = None + + else: + if api_mtls_endpoint: + host = api_mtls_endpoint + + # Create SSL credentials with client_cert_source or application + # default SSL credentials. 
+ if client_cert_source: + cert, key = client_cert_source() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + else: + self._ssl_channel_credentials = SslCredentials().ssl_credentials + + else: + if client_cert_source_for_mtls and not ssl_channel_credentials: + cert, key = client_cert_source_for_mtls() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + + # The base transport sets the host, credentials and scopes + super().__init__( + host=host, + credentials=credentials, + credentials_file=credentials_file, + scopes=scopes, + quota_project_id=quota_project_id, + client_info=client_info, + always_use_jwt_access=always_use_jwt_access, + ) + + if not self._grpc_channel: + self._grpc_channel = type(self).create_channel( + self._host, + credentials=self._credentials, + credentials_file=credentials_file, + scopes=self._scopes, + ssl_credentials=self._ssl_channel_credentials, + quota_project_id=quota_project_id, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + # Wrap messages. This must be done after self._grpc_channel exists + self._prep_wrapped_messages(client_info) + + @classmethod + def create_channel( + cls, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: str = None, + scopes: Optional[Sequence[str]] = None, + quota_project_id: Optional[str] = None, + **kwargs, + ) -> grpc.Channel: + """Create and return a gRPC channel object. + Args: + host (Optional[str]): The host for the channel to use. + credentials (Optional[~.Credentials]): The + authorization credentials to attach to requests. These + credentials identify this application to the service. If + none are specified, the client will attempt to ascertain + the credentials from the environment. 
+ credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is mutually exclusive with credentials. + scopes (Optional[Sequence[str]]): A optional list of scopes needed for this + service. These are only used when credentials are not specified and + are passed to :func:`google.auth.default`. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + kwargs (Optional[dict]): Keyword arguments, which are passed to the + channel creation. + Returns: + grpc.Channel: A gRPC channel object. + + Raises: + google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` + and ``credentials_file`` are passed. + """ + + return grpc_helpers.create_channel( + host, + credentials=credentials, + credentials_file=credentials_file, + quota_project_id=quota_project_id, + default_scopes=cls.AUTH_SCOPES, + scopes=scopes, + default_host=cls.DEFAULT_HOST, + **kwargs, + ) + + @property + def grpc_channel(self) -> grpc.Channel: + """Return the channel designed to connect to this service. + """ + return self._grpc_channel + + @property + def get_system_policy( + self, + ) -> Callable[[service.GetSystemPolicyRequest], resources.Policy]: + r"""Return a callable for the get system policy method over gRPC. + + Gets the current system policy in the specified + location. + + Returns: + Callable[[~.GetSystemPolicyRequest], + ~.Policy]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. 
+ if "get_system_policy" not in self._stubs: + self._stubs["get_system_policy"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.SystemPolicyV1/GetSystemPolicy", + request_serializer=service.GetSystemPolicyRequest.serialize, + response_deserializer=resources.Policy.deserialize, + ) + return self._stubs["get_system_policy"] + + +__all__ = ("SystemPolicyV1GrpcTransport",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/grpc_asyncio.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/grpc_asyncio.py new file mode 100644 index 000000000000..e3474e7d00cb --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/system_policy_v1/transports/grpc_asyncio.py 
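Review bot: The docstring of `SystemPolicyV1GrpcTransport.__init__` says `credentials_file` is ignored when `channel` is provided, but the `if channel:` branch only neutralises `credentials` (`credentials = False`). `credentials_file` is still forwarded to `super().__init__`, and the base transport calls `google.auth.load_credentials_from_file` whenever it is not None. A caller who passes both a ready channel and a key-file path therefore still has the file read and parsed, and can get an error from it, although the result never reaches the channel. Either forward `credentials_file=None if channel else credentials_file` or correct the docstring. The `credentials = False` sentinel also deserves a comment such as `# False (not None) so the base class does not fall back to google.auth.default()`.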
@@ -0,0 +1,260 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import warnings +from typing import Awaitable, Callable, Dict, Optional, Sequence, Tuple, Union + +from google.api_core import gapic_v1 # type: ignore +from google.api_core import grpc_helpers_async # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore +import packaging.version + +import grpc # type: ignore +from grpc.experimental import aio # type: ignore + +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from .base import SystemPolicyV1Transport, DEFAULT_CLIENT_INFO +from .grpc import SystemPolicyV1GrpcTransport + + +class SystemPolicyV1GrpcAsyncIOTransport(SystemPolicyV1Transport): + """gRPC AsyncIO backend transport for SystemPolicyV1. + + API for working with the system policy. + + This class defines the same methods as the primary client, so the + primary client can load the underlying transport implementation + and call it. + + It sends protocol buffers over the wire using gRPC (which is built on + top of HTTP/2); the ``grpcio`` package must be installed. 
+ """ + + _grpc_channel: aio.Channel + _stubs: Dict[str, Callable] = {} + + @classmethod + def create_channel( + cls, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: Optional[str] = None, + scopes: Optional[Sequence[str]] = None, + quota_project_id: Optional[str] = None, + **kwargs, + ) -> aio.Channel: + """Create and return a gRPC AsyncIO channel object. + Args: + host (Optional[str]): The host for the channel to use. + credentials (Optional[~.Credentials]): The + authorization credentials to attach to requests. These + credentials identify this application to the service. If + none are specified, the client will attempt to ascertain + the credentials from the environment. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is ignored if ``channel`` is provided. + scopes (Optional[Sequence[str]]): A optional list of scopes needed for this + service. These are only used when credentials are not specified and + are passed to :func:`google.auth.default`. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + kwargs (Optional[dict]): Keyword arguments, which are passed to the + channel creation. + Returns: + aio.Channel: A gRPC AsyncIO channel object. 
+ """ + + return grpc_helpers_async.create_channel( + host, + credentials=credentials, + credentials_file=credentials_file, + quota_project_id=quota_project_id, + default_scopes=cls.AUTH_SCOPES, + scopes=scopes, + default_host=cls.DEFAULT_HOST, + **kwargs, + ) + + def __init__( + self, + *, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: Optional[str] = None, + scopes: Optional[Sequence[str]] = None, + channel: aio.Channel = None, + api_mtls_endpoint: str = None, + client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, + ssl_channel_credentials: grpc.ChannelCredentials = None, + client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None, + quota_project_id=None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + always_use_jwt_access: Optional[bool] = False, + ) -> None: + """Instantiate the transport. + + Args: + host (Optional[str]): + The hostname to connect to. + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + This argument is ignored if ``channel`` is provided. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is ignored if ``channel`` is provided. + scopes (Optional[Sequence[str]]): A optional list of scopes needed for this + service. These are only used when credentials are not specified and + are passed to :func:`google.auth.default`. + channel (Optional[aio.Channel]): A ``Channel`` instance through + which to make calls. + api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. 
+ If provided, it overrides the ``host`` argument and tries to create + a mutual TLS channel with client SSL credentials from + ``client_cert_source`` or applicatin default SSL credentials. + client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): + Deprecated. A callback to provide client SSL certificate bytes and + private key bytes, both in PEM format. It is ignored if + ``api_mtls_endpoint`` is None. + ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials + for grpc channel. It is ignored if ``channel`` is provided. + client_cert_source_for_mtls (Optional[Callable[[], Tuple[bytes, bytes]]]): + A callback to provide client certificate bytes and private key bytes, + both in PEM format. It is used to configure mutual TLS channel. It is + ignored if ``channel`` or ``ssl_channel_credentials`` is provided. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + always_use_jwt_access (Optional[bool]): Whether self signed JWT should + be used for service account credentials. + + Raises: + google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport + creation failed for any reason. + google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` + and ``credentials_file`` are passed. + """ + self._grpc_channel = None + self._ssl_channel_credentials = ssl_channel_credentials + self._stubs: Dict[str, Callable] = {} + + if api_mtls_endpoint: + warnings.warn("api_mtls_endpoint is deprecated", DeprecationWarning) + if client_cert_source: + warnings.warn("client_cert_source is deprecated", DeprecationWarning) + + if channel: + # Ignore credentials if a channel was passed. 
+ credentials = False + # If a channel was explicitly provided, set it. + self._grpc_channel = channel + self._ssl_channel_credentials = None + else: + if api_mtls_endpoint: + host = api_mtls_endpoint + + # Create SSL credentials with client_cert_source or application + # default SSL credentials. + if client_cert_source: + cert, key = client_cert_source() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + else: + self._ssl_channel_credentials = SslCredentials().ssl_credentials + + else: + if client_cert_source_for_mtls and not ssl_channel_credentials: + cert, key = client_cert_source_for_mtls() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + + # The base transport sets the host, credentials and scopes + super().__init__( + host=host, + credentials=credentials, + credentials_file=credentials_file, + scopes=scopes, + quota_project_id=quota_project_id, + client_info=client_info, + always_use_jwt_access=always_use_jwt_access, + ) + + if not self._grpc_channel: + self._grpc_channel = type(self).create_channel( + self._host, + credentials=self._credentials, + credentials_file=credentials_file, + scopes=self._scopes, + ssl_credentials=self._ssl_channel_credentials, + quota_project_id=quota_project_id, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + # Wrap messages. This must be done after self._grpc_channel exists + self._prep_wrapped_messages(client_info) + + @property + def grpc_channel(self) -> aio.Channel: + """Create the channel designed to connect to this service. + + This property caches on the instance; repeated calls return + the same channel. + """ + # Return the channel from cache. 
+ return self._grpc_channel + + @property + def get_system_policy( + self, + ) -> Callable[[service.GetSystemPolicyRequest], Awaitable[resources.Policy]]: + r"""Return a callable for the get system policy method over gRPC. + + Gets the current system policy in the specified + location. + + Returns: + Callable[[~.GetSystemPolicyRequest], + Awaitable[~.Policy]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "get_system_policy" not in self._stubs: + self._stubs["get_system_policy"] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.SystemPolicyV1/GetSystemPolicy", + request_serializer=service.GetSystemPolicyRequest.serialize, + response_deserializer=resources.Policy.deserialize, + ) + return self._stubs["get_system_policy"] + + +__all__ = ("SystemPolicyV1GrpcAsyncIOTransport",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/__init__.py new file mode 100644 index 000000000000..0f6d61a5855c --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/__init__.py 
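Review bot: The channel options in `__init__` set `grpc.max_receive_message_length` to `-1`, which removes gRPC's limit on inbound message size, so the memory a response can consume is decided entirely by whatever endpoint `host` resolves to. That deserves a comment at the `options=[...]` list, because `host` can be replaced through the `host` argument or the deprecated `api_mtls_endpoint`. Something like `# -1 disables gRPC's message size limits; pass a pre-built channel with bounded limits when the endpoint is not the default host.` would do. The synchronous transport presumably carries the same setting, but its `__init__` starts outside the visible part of this diff.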
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+from .client import ValidationHelperV1Client
+from .async_client import ValidationHelperV1AsyncClient
+
+__all__ = (
+ "ValidationHelperV1Client",
+ "ValidationHelperV1AsyncClient",
+)
diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/async_client.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/async_client.py
new file mode 100644
index 000000000000..5c55468348d7
--- /dev/null
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/async_client.py
@@ -0,0 +1,223 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +from collections import OrderedDict +import functools +import re +from typing import Dict, Sequence, Tuple, Type, Union +import pkg_resources + +import google.api_core.client_options as ClientOptions # type: ignore +from google.api_core import exceptions as core_exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.oauth2 import service_account # type: ignore + +from google.cloud.binaryauthorization_v1.types import service +from .transports.base import ValidationHelperV1Transport, DEFAULT_CLIENT_INFO +from .transports.grpc_asyncio import ValidationHelperV1GrpcAsyncIOTransport +from .client import ValidationHelperV1Client + + +class ValidationHelperV1AsyncClient: + """BinAuthz Attestor verification""" + + _client: ValidationHelperV1Client + + DEFAULT_ENDPOINT = ValidationHelperV1Client.DEFAULT_ENDPOINT + DEFAULT_MTLS_ENDPOINT = ValidationHelperV1Client.DEFAULT_MTLS_ENDPOINT + + common_billing_account_path = staticmethod( + ValidationHelperV1Client.common_billing_account_path + ) + parse_common_billing_account_path = staticmethod( + ValidationHelperV1Client.parse_common_billing_account_path + ) + common_folder_path = staticmethod(ValidationHelperV1Client.common_folder_path) + 
parse_common_folder_path = staticmethod( + ValidationHelperV1Client.parse_common_folder_path + ) + common_organization_path = staticmethod( + ValidationHelperV1Client.common_organization_path + ) + parse_common_organization_path = staticmethod( + ValidationHelperV1Client.parse_common_organization_path + ) + common_project_path = staticmethod(ValidationHelperV1Client.common_project_path) + parse_common_project_path = staticmethod( + ValidationHelperV1Client.parse_common_project_path + ) + common_location_path = staticmethod(ValidationHelperV1Client.common_location_path) + parse_common_location_path = staticmethod( + ValidationHelperV1Client.parse_common_location_path + ) + + @classmethod + def from_service_account_info(cls, info: dict, *args, **kwargs): + """Creates an instance of this client using the provided credentials + info. + + Args: + info (dict): The service account private key info. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + ValidationHelperV1AsyncClient: The constructed client. + """ + return ValidationHelperV1Client.from_service_account_info.__func__(ValidationHelperV1AsyncClient, info, *args, **kwargs) # type: ignore + + @classmethod + def from_service_account_file(cls, filename: str, *args, **kwargs): + """Creates an instance of this client using the provided credentials + file. + + Args: + filename (str): The path to the service account private key json + file. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + ValidationHelperV1AsyncClient: The constructed client. 
+ """ + return ValidationHelperV1Client.from_service_account_file.__func__(ValidationHelperV1AsyncClient, filename, *args, **kwargs) # type: ignore + + from_service_account_json = from_service_account_file + + @property + def transport(self) -> ValidationHelperV1Transport: + """Returns the transport used by the client instance. + + Returns: + ValidationHelperV1Transport: The transport used by the client instance. + """ + return self._client.transport + + get_transport_class = functools.partial( + type(ValidationHelperV1Client).get_transport_class, + type(ValidationHelperV1Client), + ) + + def __init__( + self, + *, + credentials: ga_credentials.Credentials = None, + transport: Union[str, ValidationHelperV1Transport] = "grpc_asyncio", + client_options: ClientOptions = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + ) -> None: + """Instantiates the validation helper v1 client. + + Args: + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + transport (Union[str, ~.ValidationHelperV1Transport]): The + transport to use. If set to None, a transport is chosen + automatically. + client_options (ClientOptions): Custom options for the client. It + won't take effect if a ``transport`` instance is provided. + (1) The ``api_endpoint`` property can be used to override the + default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT + environment variable can also be used to override the endpoint: + "always" (always use the default mTLS endpoint), "never" (always + use the default regular endpoint) and "auto" (auto switch to the + default mTLS endpoint if client certificate is present, this is + the default value). However, the ``api_endpoint`` property takes + precedence if provided. 
+ (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable + is "true", then the ``client_cert_source`` property can be used + to provide client certificate for mutual TLS transport. If + not provided, the default SSL client certificate will be used if + present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not + set, no client certificate will be used. + + Raises: + google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport + creation failed for any reason. + """ + self._client = ValidationHelperV1Client( + credentials=credentials, + transport=transport, + client_options=client_options, + client_info=client_info, + ) + + async def validate_attestation_occurrence( + self, + request: service.ValidateAttestationOccurrenceRequest = None, + *, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> service.ValidateAttestationOccurrenceResponse: + r"""Returns whether the given Attestation for the given + image URI was signed by the given Attestor + + Args: + request (:class:`google.cloud.binaryauthorization_v1.types.ValidateAttestationOccurrenceRequest`): + The request object. Request message for + [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence]. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.ValidateAttestationOccurrenceResponse: + Response message for + [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence]. + + """ + # Create or coerce a protobuf request object. 
+ request = service.ValidateAttestationOccurrenceRequest(request) + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = gapic_v1.method_async.wrap_method( + self._client._transport.validate_attestation_occurrence, + default_timeout=None, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("attestor", request.attestor),)), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution( + "google-cloud-binary-authorization", + ).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + + +__all__ = ("ValidationHelperV1AsyncClient",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/client.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/client.py new file mode 100644 index 000000000000..0c85ba2e4b35 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/client.py 
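Review bot: The docstring of `validate_attestation_occurrence` never says how a failed verification is reported, and nothing in the method raises when the attestation does not verify: it returns whatever the RPC returned. A caller gating a deployment on this call could read a normal return as a pass. I would add a sentence to the `Returns:` section such as `A normal return only means the RPC completed; check the response's result field before treating the attestation as verified.` The response type is defined in `types/service.py`, outside this hunk, so confirm the field name there. The synchronous `validate_attestation_occurrence` in `client.py` has the same docstring and needs the same sentence.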
@@ -0,0 +1,402 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +from collections import OrderedDict +from distutils import util +import os +import re +from typing import Callable, Dict, Optional, Sequence, Tuple, Type, Union +import pkg_resources + +from google.api_core import client_options as client_options_lib # type: ignore +from google.api_core import exceptions as core_exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.auth.transport import mtls # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore +from google.auth.exceptions import MutualTLSChannelError # type: ignore +from google.oauth2 import service_account # type: ignore + +from google.cloud.binaryauthorization_v1.types import service +from .transports.base import ValidationHelperV1Transport, DEFAULT_CLIENT_INFO +from .transports.grpc import ValidationHelperV1GrpcTransport +from .transports.grpc_asyncio import ValidationHelperV1GrpcAsyncIOTransport + + +class ValidationHelperV1ClientMeta(type): + """Metaclass for the ValidationHelperV1 client. + + This provides class-level methods for building and retrieving + support objects (e.g. transport) without polluting the client instance + objects. 
+ """ + + _transport_registry = ( + OrderedDict() + ) # type: Dict[str, Type[ValidationHelperV1Transport]] + _transport_registry["grpc"] = ValidationHelperV1GrpcTransport + _transport_registry["grpc_asyncio"] = ValidationHelperV1GrpcAsyncIOTransport + + def get_transport_class( + cls, label: str = None, + ) -> Type[ValidationHelperV1Transport]: + """Returns an appropriate transport class. + + Args: + label: The name of the desired transport. If none is + provided, then the first transport in the registry is used. + + Returns: + The transport class to use. + """ + # If a specific transport is requested, return that one. + if label: + return cls._transport_registry[label] + + # No transport is requested; return the default (that is, the first one + # in the dictionary). + return next(iter(cls._transport_registry.values())) + + +class ValidationHelperV1Client(metaclass=ValidationHelperV1ClientMeta): + """BinAuthz Attestor verification""" + + @staticmethod + def _get_default_mtls_endpoint(api_endpoint): + """Converts api endpoint to mTLS endpoint. + + Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to + "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively. + Args: + api_endpoint (Optional[str]): the api endpoint to convert. + Returns: + str: converted mTLS api endpoint. + """ + if not api_endpoint: + return api_endpoint + + mtls_endpoint_re = re.compile( + r"(?P[^.]+)(?P\.mtls)?(?P\.sandbox)?(?P\.googleapis\.com)?" 
+ ) + + m = mtls_endpoint_re.match(api_endpoint) + name, mtls, sandbox, googledomain = m.groups() + if mtls or not googledomain: + return api_endpoint + + if sandbox: + return api_endpoint.replace( + "sandbox.googleapis.com", "mtls.sandbox.googleapis.com" + ) + + return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com") + + DEFAULT_ENDPOINT = "binaryauthorization.googleapis.com" + DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore + DEFAULT_ENDPOINT + ) + + @classmethod + def from_service_account_info(cls, info: dict, *args, **kwargs): + """Creates an instance of this client using the provided credentials + info. + + Args: + info (dict): The service account private key info. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + ValidationHelperV1Client: The constructed client. + """ + credentials = service_account.Credentials.from_service_account_info(info) + kwargs["credentials"] = credentials + return cls(*args, **kwargs) + + @classmethod + def from_service_account_file(cls, filename: str, *args, **kwargs): + """Creates an instance of this client using the provided credentials + file. + + Args: + filename (str): The path to the service account private key json + file. + args: Additional arguments to pass to the constructor. + kwargs: Additional arguments to pass to the constructor. + + Returns: + ValidationHelperV1Client: The constructed client. + """ + credentials = service_account.Credentials.from_service_account_file(filename) + kwargs["credentials"] = credentials + return cls(*args, **kwargs) + + from_service_account_json = from_service_account_file + + @property + def transport(self) -> ValidationHelperV1Transport: + """Returns the transport used by the client instance. + + Returns: + ValidationHelperV1Transport: The transport used by the client + instance. 
+ """ + return self._transport + + @staticmethod + def common_billing_account_path(billing_account: str,) -> str: + """Returns a fully-qualified billing_account string.""" + return "billingAccounts/{billing_account}".format( + billing_account=billing_account, + ) + + @staticmethod + def parse_common_billing_account_path(path: str) -> Dict[str, str]: + """Parse a billing_account path into its component segments.""" + m = re.match(r"^billingAccounts/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_folder_path(folder: str,) -> str: + """Returns a fully-qualified folder string.""" + return "folders/{folder}".format(folder=folder,) + + @staticmethod + def parse_common_folder_path(path: str) -> Dict[str, str]: + """Parse a folder path into its component segments.""" + m = re.match(r"^folders/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_organization_path(organization: str,) -> str: + """Returns a fully-qualified organization string.""" + return "organizations/{organization}".format(organization=organization,) + + @staticmethod + def parse_common_organization_path(path: str) -> Dict[str, str]: + """Parse a organization path into its component segments.""" + m = re.match(r"^organizations/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_project_path(project: str,) -> str: + """Returns a fully-qualified project string.""" + return "projects/{project}".format(project=project,) + + @staticmethod + def parse_common_project_path(path: str) -> Dict[str, str]: + """Parse a project path into its component segments.""" + m = re.match(r"^projects/(?P.+?)$", path) + return m.groupdict() if m else {} + + @staticmethod + def common_location_path(project: str, location: str,) -> str: + """Returns a fully-qualified location string.""" + return "projects/{project}/locations/{location}".format( + project=project, location=location, + ) + + @staticmethod + def 
parse_common_location_path(path: str) -> Dict[str, str]: + """Parse a location path into its component segments.""" + m = re.match(r"^projects/(?P.+?)/locations/(?P.+?)$", path) + return m.groupdict() if m else {} + + def __init__( + self, + *, + credentials: Optional[ga_credentials.Credentials] = None, + transport: Union[str, ValidationHelperV1Transport, None] = None, + client_options: Optional[client_options_lib.ClientOptions] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + ) -> None: + """Instantiates the validation helper v1 client. + + Args: + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + transport (Union[str, ValidationHelperV1Transport]): The + transport to use. If set to None, a transport is chosen + automatically. + client_options (google.api_core.client_options.ClientOptions): Custom options for the + client. It won't take effect if a ``transport`` instance is provided. + (1) The ``api_endpoint`` property can be used to override the + default endpoint provided by the client. GOOGLE_API_USE_MTLS_ENDPOINT + environment variable can also be used to override the endpoint: + "always" (always use the default mTLS endpoint), "never" (always + use the default regular endpoint) and "auto" (auto switch to the + default mTLS endpoint if client certificate is present, this is + the default value). However, the ``api_endpoint`` property takes + precedence if provided. + (2) If GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable + is "true", then the ``client_cert_source`` property can be used + to provide client certificate for mutual TLS transport. If + not provided, the default SSL client certificate will be used if + present. 
If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not + set, no client certificate will be used. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + + Raises: + google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport + creation failed for any reason. + """ + if isinstance(client_options, dict): + client_options = client_options_lib.from_dict(client_options) + if client_options is None: + client_options = client_options_lib.ClientOptions() + + # Create SSL credentials for mutual TLS if needed. + use_client_cert = bool( + util.strtobool(os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false")) + ) + + client_cert_source_func = None + is_mtls = False + if use_client_cert: + if client_options.client_cert_source: + is_mtls = True + client_cert_source_func = client_options.client_cert_source + else: + is_mtls = mtls.has_default_client_cert_source() + if is_mtls: + client_cert_source_func = mtls.default_client_cert_source() + else: + client_cert_source_func = None + + # Figure out which api endpoint to use. + if client_options.api_endpoint is not None: + api_endpoint = client_options.api_endpoint + else: + use_mtls_env = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") + if use_mtls_env == "never": + api_endpoint = self.DEFAULT_ENDPOINT + elif use_mtls_env == "always": + api_endpoint = self.DEFAULT_MTLS_ENDPOINT + elif use_mtls_env == "auto": + if is_mtls: + api_endpoint = self.DEFAULT_MTLS_ENDPOINT + else: + api_endpoint = self.DEFAULT_ENDPOINT + else: + raise MutualTLSChannelError( + "Unsupported GOOGLE_API_USE_MTLS_ENDPOINT value. Accepted " + "values: never, auto, always" + ) + + # Save or instantiate the transport. 
+ # Ordinarily, we provide the transport, but allowing a custom transport + # instance provides an extensibility point for unusual situations. + if isinstance(transport, ValidationHelperV1Transport): + # transport is a ValidationHelperV1Transport instance. + if credentials or client_options.credentials_file: + raise ValueError( + "When providing a transport instance, " + "provide its credentials directly." + ) + if client_options.scopes: + raise ValueError( + "When providing a transport instance, provide its scopes " + "directly." + ) + self._transport = transport + else: + Transport = type(self).get_transport_class(transport) + self._transport = Transport( + credentials=credentials, + credentials_file=client_options.credentials_file, + host=api_endpoint, + scopes=client_options.scopes, + client_cert_source_for_mtls=client_cert_source_func, + quota_project_id=client_options.quota_project_id, + client_info=client_info, + always_use_jwt_access=( + Transport == type(self).get_transport_class("grpc") + or Transport == type(self).get_transport_class("grpc_asyncio") + ), + ) + + def validate_attestation_occurrence( + self, + request: service.ValidateAttestationOccurrenceRequest = None, + *, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> service.ValidateAttestationOccurrenceResponse: + r"""Returns whether the given Attestation for the given + image URI was signed by the given Attestor + + Args: + request (google.cloud.binaryauthorization_v1.types.ValidateAttestationOccurrenceRequest): + The request object. Request message for + [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence]. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. 
+ metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.binaryauthorization_v1.types.ValidateAttestationOccurrenceResponse: + Response message for + [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence]. + + """ + # Create or coerce a protobuf request object. + # Minor optimization to avoid making a copy if the user passes + # in a service.ValidateAttestationOccurrenceRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.ValidateAttestationOccurrenceRequest): + request = service.ValidateAttestationOccurrenceRequest(request) + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[ + self._transport.validate_attestation_occurrence + ] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("attestor", request.attestor),)), + ) + + # Send the request. + response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution( + "google-cloud-binary-authorization", + ).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + + +__all__ = ("ValidationHelperV1Client",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/__init__.py new file mode 100644 index 000000000000..a2805670f5f3 
--- /dev/null
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/__init__.py
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+from collections import OrderedDict
+from typing import Dict, Type
+
+from .base import ValidationHelperV1Transport
+from .grpc import ValidationHelperV1GrpcTransport
+from .grpc_asyncio import ValidationHelperV1GrpcAsyncIOTransport
+
+
+# Compile a registry of transports.
+_transport_registry = (
+ OrderedDict()
+) # type: Dict[str, Type[ValidationHelperV1Transport]]
+_transport_registry["grpc"] = ValidationHelperV1GrpcTransport
+_transport_registry["grpc_asyncio"] = ValidationHelperV1GrpcAsyncIOTransport
+
+__all__ = (
+ "ValidationHelperV1Transport",
+ "ValidationHelperV1GrpcTransport",
+ "ValidationHelperV1GrpcAsyncIOTransport",
+)
diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/base.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/base.py
new file mode 100644
index 000000000000..d91ba40f4fa8
--- /dev/null
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/base.py
@@ -0,0 +1,177 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import abc +from typing import Awaitable, Callable, Dict, Optional, Sequence, Union +import packaging.version +import pkg_resources + +import google.auth # type: ignore +import google.api_core # type: ignore +from google.api_core import exceptions as core_exceptions # type: ignore +from google.api_core import gapic_v1 # type: ignore +from google.api_core import retry as retries # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.oauth2 import service_account # type: ignore + +from google.cloud.binaryauthorization_v1.types import service + +try: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( + gapic_version=pkg_resources.get_distribution( + "google-cloud-binary-authorization", + ).version, + ) +except pkg_resources.DistributionNotFound: + DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo() + +try: + # google.auth.__version__ was added in 1.26.0 + _GOOGLE_AUTH_VERSION = google.auth.__version__ +except AttributeError: + try: # try pkg_resources if it is available + _GOOGLE_AUTH_VERSION = pkg_resources.get_distribution("google-auth").version + except pkg_resources.DistributionNotFound: # pragma: NO COVER + _GOOGLE_AUTH_VERSION = None + + +class ValidationHelperV1Transport(abc.ABC): + """Abstract transport class for ValidationHelperV1.""" + + AUTH_SCOPES = 
("https://www.googleapis.com/auth/cloud-platform",) + + DEFAULT_HOST: str = "binaryauthorization.googleapis.com" + + def __init__( + self, + *, + host: str = DEFAULT_HOST, + credentials: ga_credentials.Credentials = None, + credentials_file: Optional[str] = None, + scopes: Optional[Sequence[str]] = None, + quota_project_id: Optional[str] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + always_use_jwt_access: Optional[bool] = False, + **kwargs, + ) -> None: + """Instantiate the transport. + + Args: + host (Optional[str]): + The hostname to connect to. + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is mutually exclusive with credentials. + scopes (Optional[Sequence[str]]): A list of scopes. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + always_use_jwt_access (Optional[bool]): Whether self signed JWT should + be used for service account credentials. + """ + # Save the hostname. Default to port 443 (HTTPS) if none is specified. + if ":" not in host: + host += ":443" + self._host = host + + scopes_kwargs = self._get_scopes_kwargs(self._host, scopes) + + # Save the scopes. + self._scopes = scopes + + # If no credentials are provided, then determine the appropriate + # defaults. 
+ if credentials and credentials_file: + raise core_exceptions.DuplicateCredentialArgs( + "'credentials_file' and 'credentials' are mutually exclusive" + ) + + if credentials_file is not None: + credentials, _ = google.auth.load_credentials_from_file( + credentials_file, **scopes_kwargs, quota_project_id=quota_project_id + ) + + elif credentials is None: + credentials, _ = google.auth.default( + **scopes_kwargs, quota_project_id=quota_project_id + ) + + # If the credentials is service account credentials, then always try to use self signed JWT. + if ( + always_use_jwt_access + and isinstance(credentials, service_account.Credentials) + and hasattr(service_account.Credentials, "with_always_use_jwt_access") + ): + credentials = credentials.with_always_use_jwt_access(True) + + # Save the credentials. + self._credentials = credentials + + # TODO(busunkim): This method is in the base transport + # to avoid duplicating code across the transport classes. These functions + # should be deleted once the minimum required versions of google-auth is increased. + + # TODO: Remove this function once google-auth >= 1.25.0 is required + @classmethod + def _get_scopes_kwargs( + cls, host: str, scopes: Optional[Sequence[str]] + ) -> Dict[str, Optional[Sequence[str]]]: + """Returns scopes kwargs to pass to google-auth methods depending on the google-auth version""" + + scopes_kwargs = {} + + if _GOOGLE_AUTH_VERSION and ( + packaging.version.parse(_GOOGLE_AUTH_VERSION) + >= packaging.version.parse("1.25.0") + ): + scopes_kwargs = {"scopes": scopes, "default_scopes": cls.AUTH_SCOPES} + else: + scopes_kwargs = {"scopes": scopes or cls.AUTH_SCOPES} + + return scopes_kwargs + + def _prep_wrapped_messages(self, client_info): + # Precompute the wrapped methods. 
+ self._wrapped_methods = { + self.validate_attestation_occurrence: gapic_v1.method.wrap_method( + self.validate_attestation_occurrence, + default_timeout=None, + client_info=client_info, + ), + } + + @property + def validate_attestation_occurrence( + self, + ) -> Callable[ + [service.ValidateAttestationOccurrenceRequest], + Union[ + service.ValidateAttestationOccurrenceResponse, + Awaitable[service.ValidateAttestationOccurrenceResponse], + ], + ]: + raise NotImplementedError() + + +__all__ = ("ValidationHelperV1Transport",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/grpc.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/grpc.py new file mode 100644 index 000000000000..0eeb82fad604 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/grpc.py 
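Review bot: `_prep_wrapped_messages` wraps `validate_attestation_occurrence` with `default_timeout=None`, and the client method in this commit also defaults `timeout` to `None`, so as far as these hunks show a call carries no deadline unless the caller supplies one. An attestation check that sits on a deployment or CI path would then block indefinitely on a stalled connection. Either set a finite default here or state it in the method docstring, e.g. `timeout (float): The timeout for this request. No default deadline is applied; pass one explicitly.` Separately, `__init__` accepts `**kwargs` and never reads it, so a subclass that forwards a misspelled keyword (say `credential_file=`) gets no error and the transport falls through to `google.auth.default()`; a comment such as `# **kwargs is accepted for forward compatibility and intentionally ignored` would make that explicit.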
@@ -0,0 +1,262 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import warnings +from typing import Callable, Dict, Optional, Sequence, Tuple, Union + +from google.api_core import grpc_helpers # type: ignore +from google.api_core import gapic_v1 # type: ignore +import google.auth # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore + +import grpc # type: ignore + +from google.cloud.binaryauthorization_v1.types import service +from .base import ValidationHelperV1Transport, DEFAULT_CLIENT_INFO + + +class ValidationHelperV1GrpcTransport(ValidationHelperV1Transport): + """gRPC backend transport for ValidationHelperV1. + + BinAuthz Attestor verification + + This class defines the same methods as the primary client, so the + primary client can load the underlying transport implementation + and call it. + + It sends protocol buffers over the wire using gRPC (which is built on + top of HTTP/2); the ``grpcio`` package must be installed. 
+ """ + + _stubs: Dict[str, Callable] + + def __init__( + self, + *, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: str = None, + scopes: Sequence[str] = None, + channel: grpc.Channel = None, + api_mtls_endpoint: str = None, + client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, + ssl_channel_credentials: grpc.ChannelCredentials = None, + client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None, + quota_project_id: Optional[str] = None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + always_use_jwt_access: Optional[bool] = False, + ) -> None: + """Instantiate the transport. + + Args: + host (Optional[str]): + The hostname to connect to. + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + This argument is ignored if ``channel`` is provided. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is ignored if ``channel`` is provided. + scopes (Optional(Sequence[str])): A list of scopes. This argument is + ignored if ``channel`` is provided. + channel (Optional[grpc.Channel]): A ``Channel`` instance through + which to make calls. + api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. + If provided, it overrides the ``host`` argument and tries to create + a mutual TLS channel with client SSL credentials from + ``client_cert_source`` or applicatin default SSL credentials. + client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): + Deprecated. A callback to provide client SSL certificate bytes and + private key bytes, both in PEM format. It is ignored if + ``api_mtls_endpoint`` is None. 
+ ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials + for grpc channel. It is ignored if ``channel`` is provided. + client_cert_source_for_mtls (Optional[Callable[[], Tuple[bytes, bytes]]]): + A callback to provide client certificate bytes and private key bytes, + both in PEM format. It is used to configure mutual TLS channel. It is + ignored if ``channel`` or ``ssl_channel_credentials`` is provided. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + always_use_jwt_access (Optional[bool]): Whether self signed JWT should + be used for service account credentials. + + Raises: + google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport + creation failed for any reason. + google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` + and ``credentials_file`` are passed. + """ + self._grpc_channel = None + self._ssl_channel_credentials = ssl_channel_credentials + self._stubs: Dict[str, Callable] = {} + + if api_mtls_endpoint: + warnings.warn("api_mtls_endpoint is deprecated", DeprecationWarning) + if client_cert_source: + warnings.warn("client_cert_source is deprecated", DeprecationWarning) + + if channel: + # Ignore credentials if a channel was passed. + credentials = False + # If a channel was explicitly provided, set it. + self._grpc_channel = channel + self._ssl_channel_credentials = None + + else: + if api_mtls_endpoint: + host = api_mtls_endpoint + + # Create SSL credentials with client_cert_source or application + # default SSL credentials. 
+ if client_cert_source: + cert, key = client_cert_source() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + else: + self._ssl_channel_credentials = SslCredentials().ssl_credentials + + else: + if client_cert_source_for_mtls and not ssl_channel_credentials: + cert, key = client_cert_source_for_mtls() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + + # The base transport sets the host, credentials and scopes + super().__init__( + host=host, + credentials=credentials, + credentials_file=credentials_file, + scopes=scopes, + quota_project_id=quota_project_id, + client_info=client_info, + always_use_jwt_access=always_use_jwt_access, + ) + + if not self._grpc_channel: + self._grpc_channel = type(self).create_channel( + self._host, + credentials=self._credentials, + credentials_file=credentials_file, + scopes=self._scopes, + ssl_credentials=self._ssl_channel_credentials, + quota_project_id=quota_project_id, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + # Wrap messages. This must be done after self._grpc_channel exists + self._prep_wrapped_messages(client_info) + + @classmethod + def create_channel( + cls, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: str = None, + scopes: Optional[Sequence[str]] = None, + quota_project_id: Optional[str] = None, + **kwargs, + ) -> grpc.Channel: + """Create and return a gRPC channel object. + Args: + host (Optional[str]): The host for the channel to use. + credentials (Optional[~.Credentials]): The + authorization credentials to attach to requests. These + credentials identify this application to the service. If + none are specified, the client will attempt to ascertain + the credentials from the environment. 
+ credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is mutually exclusive with credentials. + scopes (Optional[Sequence[str]]): A optional list of scopes needed for this + service. These are only used when credentials are not specified and + are passed to :func:`google.auth.default`. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + kwargs (Optional[dict]): Keyword arguments, which are passed to the + channel creation. + Returns: + grpc.Channel: A gRPC channel object. + + Raises: + google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` + and ``credentials_file`` are passed. + """ + + return grpc_helpers.create_channel( + host, + credentials=credentials, + credentials_file=credentials_file, + quota_project_id=quota_project_id, + default_scopes=cls.AUTH_SCOPES, + scopes=scopes, + default_host=cls.DEFAULT_HOST, + **kwargs, + ) + + @property + def grpc_channel(self) -> grpc.Channel: + """Return the channel designed to connect to this service. + """ + return self._grpc_channel + + @property + def validate_attestation_occurrence( + self, + ) -> Callable[ + [service.ValidateAttestationOccurrenceRequest], + service.ValidateAttestationOccurrenceResponse, + ]: + r"""Return a callable for the validate attestation + occurrence method over gRPC. + + Returns whether the given Attestation for the given + image URI was signed by the given Attestor + + Returns: + Callable[[~.ValidateAttestationOccurrenceRequest], + ~.ValidateAttestationOccurrenceResponse]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. 
+ if "validate_attestation_occurrence" not in self._stubs: + self._stubs[ + "validate_attestation_occurrence" + ] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.ValidationHelperV1/ValidateAttestationOccurrence", + request_serializer=service.ValidateAttestationOccurrenceRequest.serialize, + response_deserializer=service.ValidateAttestationOccurrenceResponse.deserialize, + ) + return self._stubs["validate_attestation_occurrence"] + + +__all__ = ("ValidationHelperV1GrpcTransport",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/grpc_asyncio.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/grpc_asyncio.py new file mode 100644 index 000000000000..668000bc47d9 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/services/validation_helper_v1/transports/grpc_asyncio.py 
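Review bot: When `channel` is passed, `__init__` sets `credentials = False` but still forwards `credentials_file` to `super().__init__()`, and the base transport added in this commit calls `google.auth.load_credentials_from_file` whenever `credentials_file is not None`. That contradicts the docstring, which says the argument is ignored if `channel` is provided, and it means a caller-supplied channel can still trigger a credentials-file read (and an exception if the file is missing or malformed). Forwarding `credentials_file=None if channel else credentials_file` would match the documented behaviour; the same pattern appears in `grpc_asyncio.py`. The `False` sentinel also deserves a comment, because it only works while the base class tests `credentials is None`: `# False (not None) so the base transport skips google.auth.default()`.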
@@ -0,0 +1,265 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import warnings +from typing import Awaitable, Callable, Dict, Optional, Sequence, Tuple, Union + +from google.api_core import gapic_v1 # type: ignore +from google.api_core import grpc_helpers_async # type: ignore +from google.auth import credentials as ga_credentials # type: ignore +from google.auth.transport.grpc import SslCredentials # type: ignore +import packaging.version + +import grpc # type: ignore +from grpc.experimental import aio # type: ignore + +from google.cloud.binaryauthorization_v1.types import service +from .base import ValidationHelperV1Transport, DEFAULT_CLIENT_INFO +from .grpc import ValidationHelperV1GrpcTransport + + +class ValidationHelperV1GrpcAsyncIOTransport(ValidationHelperV1Transport): + """gRPC AsyncIO backend transport for ValidationHelperV1. + + BinAuthz Attestor verification + + This class defines the same methods as the primary client, so the + primary client can load the underlying transport implementation + and call it. + + It sends protocol buffers over the wire using gRPC (which is built on + top of HTTP/2); the ``grpcio`` package must be installed. 
+ """ + + _grpc_channel: aio.Channel + _stubs: Dict[str, Callable] = {} + + @classmethod + def create_channel( + cls, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: Optional[str] = None, + scopes: Optional[Sequence[str]] = None, + quota_project_id: Optional[str] = None, + **kwargs, + ) -> aio.Channel: + """Create and return a gRPC AsyncIO channel object. + Args: + host (Optional[str]): The host for the channel to use. + credentials (Optional[~.Credentials]): The + authorization credentials to attach to requests. These + credentials identify this application to the service. If + none are specified, the client will attempt to ascertain + the credentials from the environment. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is ignored if ``channel`` is provided. + scopes (Optional[Sequence[str]]): A optional list of scopes needed for this + service. These are only used when credentials are not specified and + are passed to :func:`google.auth.default`. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + kwargs (Optional[dict]): Keyword arguments, which are passed to the + channel creation. + Returns: + aio.Channel: A gRPC AsyncIO channel object. 
+ """ + + return grpc_helpers_async.create_channel( + host, + credentials=credentials, + credentials_file=credentials_file, + quota_project_id=quota_project_id, + default_scopes=cls.AUTH_SCOPES, + scopes=scopes, + default_host=cls.DEFAULT_HOST, + **kwargs, + ) + + def __init__( + self, + *, + host: str = "binaryauthorization.googleapis.com", + credentials: ga_credentials.Credentials = None, + credentials_file: Optional[str] = None, + scopes: Optional[Sequence[str]] = None, + channel: aio.Channel = None, + api_mtls_endpoint: str = None, + client_cert_source: Callable[[], Tuple[bytes, bytes]] = None, + ssl_channel_credentials: grpc.ChannelCredentials = None, + client_cert_source_for_mtls: Callable[[], Tuple[bytes, bytes]] = None, + quota_project_id=None, + client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, + always_use_jwt_access: Optional[bool] = False, + ) -> None: + """Instantiate the transport. + + Args: + host (Optional[str]): + The hostname to connect to. + credentials (Optional[google.auth.credentials.Credentials]): The + authorization credentials to attach to requests. These + credentials identify the application to the service; if none + are specified, the client will attempt to ascertain the + credentials from the environment. + This argument is ignored if ``channel`` is provided. + credentials_file (Optional[str]): A file with credentials that can + be loaded with :func:`google.auth.load_credentials_from_file`. + This argument is ignored if ``channel`` is provided. + scopes (Optional[Sequence[str]]): A optional list of scopes needed for this + service. These are only used when credentials are not specified and + are passed to :func:`google.auth.default`. + channel (Optional[aio.Channel]): A ``Channel`` instance through + which to make calls. + api_mtls_endpoint (Optional[str]): Deprecated. The mutual TLS endpoint. 
+ If provided, it overrides the ``host`` argument and tries to create + a mutual TLS channel with client SSL credentials from + ``client_cert_source`` or applicatin default SSL credentials. + client_cert_source (Optional[Callable[[], Tuple[bytes, bytes]]]): + Deprecated. A callback to provide client SSL certificate bytes and + private key bytes, both in PEM format. It is ignored if + ``api_mtls_endpoint`` is None. + ssl_channel_credentials (grpc.ChannelCredentials): SSL credentials + for grpc channel. It is ignored if ``channel`` is provided. + client_cert_source_for_mtls (Optional[Callable[[], Tuple[bytes, bytes]]]): + A callback to provide client certificate bytes and private key bytes, + both in PEM format. It is used to configure mutual TLS channel. It is + ignored if ``channel`` or ``ssl_channel_credentials`` is provided. + quota_project_id (Optional[str]): An optional project to use for billing + and quota. + client_info (google.api_core.gapic_v1.client_info.ClientInfo): + The client info used to send a user-agent string along with + API requests. If ``None``, then default info will be used. + Generally, you only need to set this if you're developing + your own client library. + always_use_jwt_access (Optional[bool]): Whether self signed JWT should + be used for service account credentials. + + Raises: + google.auth.exceptions.MutualTlsChannelError: If mutual TLS transport + creation failed for any reason. + google.api_core.exceptions.DuplicateCredentialArgs: If both ``credentials`` + and ``credentials_file`` are passed. + """ + self._grpc_channel = None + self._ssl_channel_credentials = ssl_channel_credentials + self._stubs: Dict[str, Callable] = {} + + if api_mtls_endpoint: + warnings.warn("api_mtls_endpoint is deprecated", DeprecationWarning) + if client_cert_source: + warnings.warn("client_cert_source is deprecated", DeprecationWarning) + + if channel: + # Ignore credentials if a channel was passed. 
+ credentials = False + # If a channel was explicitly provided, set it. + self._grpc_channel = channel + self._ssl_channel_credentials = None + else: + if api_mtls_endpoint: + host = api_mtls_endpoint + + # Create SSL credentials with client_cert_source or application + # default SSL credentials. + if client_cert_source: + cert, key = client_cert_source() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + else: + self._ssl_channel_credentials = SslCredentials().ssl_credentials + + else: + if client_cert_source_for_mtls and not ssl_channel_credentials: + cert, key = client_cert_source_for_mtls() + self._ssl_channel_credentials = grpc.ssl_channel_credentials( + certificate_chain=cert, private_key=key + ) + + # The base transport sets the host, credentials and scopes + super().__init__( + host=host, + credentials=credentials, + credentials_file=credentials_file, + scopes=scopes, + quota_project_id=quota_project_id, + client_info=client_info, + always_use_jwt_access=always_use_jwt_access, + ) + + if not self._grpc_channel: + self._grpc_channel = type(self).create_channel( + self._host, + credentials=self._credentials, + credentials_file=credentials_file, + scopes=self._scopes, + ssl_credentials=self._ssl_channel_credentials, + quota_project_id=quota_project_id, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + # Wrap messages. This must be done after self._grpc_channel exists + self._prep_wrapped_messages(client_info) + + @property + def grpc_channel(self) -> aio.Channel: + """Create the channel designed to connect to this service. + + This property caches on the instance; repeated calls return + the same channel. + """ + # Return the channel from cache. 
+ return self._grpc_channel + + @property + def validate_attestation_occurrence( + self, + ) -> Callable[ + [service.ValidateAttestationOccurrenceRequest], + Awaitable[service.ValidateAttestationOccurrenceResponse], + ]: + r"""Return a callable for the validate attestation + occurrence method over gRPC. + + Returns whether the given Attestation for the given + image URI was signed by the given Attestor + + Returns: + Callable[[~.ValidateAttestationOccurrenceRequest], + Awaitable[~.ValidateAttestationOccurrenceResponse]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "validate_attestation_occurrence" not in self._stubs: + self._stubs[ + "validate_attestation_occurrence" + ] = self.grpc_channel.unary_unary( + "/google.cloud.binaryauthorization.v1.ValidationHelperV1/ValidateAttestationOccurrence", + request_serializer=service.ValidateAttestationOccurrenceRequest.serialize, + response_deserializer=service.ValidateAttestationOccurrenceResponse.deserialize, + ) + return self._stubs["validate_attestation_occurrence"] + + +__all__ = ("ValidationHelperV1GrpcAsyncIOTransport",) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/types/__init__.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/types/__init__.py new file mode 100644 index 000000000000..c682ebcaec99 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/types/__init__.py 
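Review bot: The class body declares `_stubs: Dict[str, Callable] = {}`, a mutable dict shared by every instance, whereas `grpc.py` only annotates the attribute; `__init__` rebinds `self._stubs`, so nothing is shared today, but reducing it to `_stubs: Dict[str, Callable]` removes the risk that a subclass skipping `__init__` reuses stubs bound to another channel. The `Raises:` section names `google.auth.exceptions.MutualTlsChannelError`, while the client and `grpc.py` in this commit spell it `MutualTLSChannelError`. The `create_channel` docstring says `credentials_file` is ignored if `channel` is provided, but that method takes no `channel` parameter. `packaging.version`, `Union` and `ValidationHelperV1GrpcTransport` are imported and not used anywhere in this hunk.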
@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+from .resources import (
+ AdmissionRule,
+ AdmissionWhitelistPattern,
+ Attestor,
+ AttestorPublicKey,
+ PkixPublicKey,
+ Policy,
+ UserOwnedGrafeasNote,
+)
+from .service import (
+ CreateAttestorRequest,
+ DeleteAttestorRequest,
+ GetAttestorRequest,
+ GetPolicyRequest,
+ GetSystemPolicyRequest,
+ ListAttestorsRequest,
+ ListAttestorsResponse,
+ UpdateAttestorRequest,
+ UpdatePolicyRequest,
+ ValidateAttestationOccurrenceRequest,
+ ValidateAttestationOccurrenceResponse,
+)
+
+__all__ = (
+ "AdmissionRule",
+ "AdmissionWhitelistPattern",
+ "Attestor",
+ "AttestorPublicKey",
+ "PkixPublicKey",
+ "Policy",
+ "UserOwnedGrafeasNote",
+ "CreateAttestorRequest",
+ "DeleteAttestorRequest",
+ "GetAttestorRequest",
+ "GetPolicyRequest",
+ "GetSystemPolicyRequest",
+ "ListAttestorsRequest",
+ "ListAttestorsResponse",
+ "UpdateAttestorRequest",
+ "UpdatePolicyRequest",
+ "ValidateAttestationOccurrenceRequest",
+ "ValidateAttestationOccurrenceResponse",
+)
diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/types/resources.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/types/resources.py
new file mode 100644
index 000000000000..ff2f3287e7ff
--- /dev/null
+++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/types/resources.py
@@ -0,0 +1,367 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import proto # type: ignore + +from google.protobuf import timestamp_pb2 # type: ignore + + +__protobuf__ = proto.module( + package="google.cloud.binaryauthorization.v1", + manifest={ + "Policy", + "AdmissionWhitelistPattern", + "AdmissionRule", + "Attestor", + "UserOwnedGrafeasNote", + "PkixPublicKey", + "AttestorPublicKey", + }, +) + + +class Policy(proto.Message): + r"""A [policy][google.cloud.binaryauthorization.v1.Policy] for container + image binary authorization. + + Attributes: + name (str): + Output only. The resource name, in the format + ``projects/*/policy``. There is at most one policy per + project. + description (str): + Optional. A descriptive comment. + global_policy_evaluation_mode (google.cloud.binaryauthorization_v1.types.Policy.GlobalPolicyEvaluationMode): + Optional. Controls the evaluation of a + Google-maintained global admission policy for + common system-level images. Images not covered + by the global policy will be subject to the + project admission policy. This setting has no + effect when specified inside a global admission + policy. + admission_whitelist_patterns (Sequence[google.cloud.binaryauthorization_v1.types.AdmissionWhitelistPattern]): + Optional. Admission policy allowlisting. A + matching admission request will always be + permitted. 
This feature is typically used to + exclude Google or third-party infrastructure + images from Binary Authorization policies. + cluster_admission_rules (Sequence[google.cloud.binaryauthorization_v1.types.Policy.ClusterAdmissionRulesEntry]): + Optional. Per-cluster admission rules. Cluster spec format: + ``location.clusterId``. There can be at most one admission + rule per cluster spec. A ``location`` is either a compute + zone (e.g. us-central1-a) or a region (e.g. us-central1). + For ``clusterId`` syntax restrictions see + https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters. + kubernetes_namespace_admission_rules (Sequence[google.cloud.binaryauthorization_v1.types.Policy.KubernetesNamespaceAdmissionRulesEntry]): + Optional. Per-kubernetes-namespace admission rules. K8s + namespace spec format: [a-z.-]+, e.g. 'some-namespace' + kubernetes_service_account_admission_rules (Sequence[google.cloud.binaryauthorization_v1.types.Policy.KubernetesServiceAccountAdmissionRulesEntry]): + Optional. Per-kubernetes-service-account admission rules. + Service account spec format: ``namespace:serviceaccount``. + e.g. 'test-ns:default' + istio_service_identity_admission_rules (Sequence[google.cloud.binaryauthorization_v1.types.Policy.IstioServiceIdentityAdmissionRulesEntry]): + Optional. Per-istio-service-identity + admission rules. Istio service identity spec + format: + spiffe:///ns//sa/ + or /ns//sa/ + e.g. spiffe://example.com/ns/test-ns/sa/default + default_admission_rule (google.cloud.binaryauthorization_v1.types.AdmissionRule): + Required. Default admission rule for a + cluster without a per-cluster, per- kubernetes- + service-account, or per-istio-service-identity + admission rule. + update_time (google.protobuf.timestamp_pb2.Timestamp): + Output only. Time when the policy was last + updated. 
+ """ + + class GlobalPolicyEvaluationMode(proto.Enum): + r"""""" + GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED = 0 + ENABLE = 1 + DISABLE = 2 + + name = proto.Field(proto.STRING, number=1,) + description = proto.Field(proto.STRING, number=6,) + global_policy_evaluation_mode = proto.Field( + proto.ENUM, number=7, enum=GlobalPolicyEvaluationMode, + ) + admission_whitelist_patterns = proto.RepeatedField( + proto.MESSAGE, number=2, message="AdmissionWhitelistPattern", + ) + cluster_admission_rules = proto.MapField( + proto.STRING, proto.MESSAGE, number=3, message="AdmissionRule", + ) + kubernetes_namespace_admission_rules = proto.MapField( + proto.STRING, proto.MESSAGE, number=10, message="AdmissionRule", + ) + kubernetes_service_account_admission_rules = proto.MapField( + proto.STRING, proto.MESSAGE, number=8, message="AdmissionRule", + ) + istio_service_identity_admission_rules = proto.MapField( + proto.STRING, proto.MESSAGE, number=9, message="AdmissionRule", + ) + default_admission_rule = proto.Field( + proto.MESSAGE, number=4, message="AdmissionRule", + ) + update_time = proto.Field(proto.MESSAGE, number=5, message=timestamp_pb2.Timestamp,) + + +class AdmissionWhitelistPattern(proto.Message): + r"""An [admission allowlist + pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern] + exempts images from checks by [admission + rules][google.cloud.binaryauthorization.v1.AdmissionRule]. + + Attributes: + name_pattern (str): + An image name pattern to allowlist, in the form + ``registry/path/to/image``. This supports a trailing ``*`` + wildcard, but this is allowed only in text after the + ``registry/`` part. This also supports a trailing ``**`` + wildcard which matches subdirectories of a given entry. 
+ """ + + name_pattern = proto.Field(proto.STRING, number=1,) + + +class AdmissionRule(proto.Message): + r"""An [admission + rule][google.cloud.binaryauthorization.v1.AdmissionRule] specifies + either that all container images used in a pod creation request must + be attested to by one or more + [attestors][google.cloud.binaryauthorization.v1.Attestor], that all + pod creations will be allowed, or that all pod creations will be + denied. + + Images matching an [admission allowlist + pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern] + are exempted from admission rules and will never block a pod + creation. + + Attributes: + evaluation_mode (google.cloud.binaryauthorization_v1.types.AdmissionRule.EvaluationMode): + Required. How this admission rule will be + evaluated. + require_attestations_by (Sequence[str]): + Optional. The resource names of the attestors that must + attest to a container image, in the format + ``projects/*/attestors/*``. Each attestor must exist before + a policy can reference it. To add an attestor to a policy + the principal issuing the policy change request must be able + to read the attestor resource. + + Note: this field must be non-empty when the evaluation_mode + field specifies REQUIRE_ATTESTATION, otherwise it must be + empty. + enforcement_mode (google.cloud.binaryauthorization_v1.types.AdmissionRule.EnforcementMode): + Required. The action when a pod creation is + denied by the admission rule. + """ + + class EvaluationMode(proto.Enum): + r"""""" + EVALUATION_MODE_UNSPECIFIED = 0 + ALWAYS_ALLOW = 1 + REQUIRE_ATTESTATION = 2 + ALWAYS_DENY = 3 + + class EnforcementMode(proto.Enum): + r"""Defines the possible actions when a pod creation is denied by + an admission rule. 
+ """ + ENFORCEMENT_MODE_UNSPECIFIED = 0 + ENFORCED_BLOCK_AND_AUDIT_LOG = 1 + DRYRUN_AUDIT_LOG_ONLY = 2 + + evaluation_mode = proto.Field(proto.ENUM, number=1, enum=EvaluationMode,) + require_attestations_by = proto.RepeatedField(proto.STRING, number=2,) + enforcement_mode = proto.Field(proto.ENUM, number=3, enum=EnforcementMode,) + + +class Attestor(proto.Message): + r"""An [attestor][google.cloud.binaryauthorization.v1.Attestor] that + attests to container image artifacts. An existing attestor cannot be + modified except where indicated. + + Attributes: + name (str): + Required. The resource name, in the format: + ``projects/*/attestors/*``. This field may not be updated. + description (str): + Optional. A descriptive comment. This field + may be updated. The field may be displayed in + chooser dialogs. + user_owned_grafeas_note (google.cloud.binaryauthorization_v1.types.UserOwnedGrafeasNote): + This specifies how an attestation will be + read, and how it will be used during policy + enforcement. + update_time (google.protobuf.timestamp_pb2.Timestamp): + Output only. Time when the attestor was last + updated. + """ + + name = proto.Field(proto.STRING, number=1,) + description = proto.Field(proto.STRING, number=6,) + user_owned_grafeas_note = proto.Field( + proto.MESSAGE, number=3, oneof="attestor_type", message="UserOwnedGrafeasNote", + ) + update_time = proto.Field(proto.MESSAGE, number=4, message=timestamp_pb2.Timestamp,) + + +class UserOwnedGrafeasNote(proto.Message): + r"""An [user owned Grafeas + note][google.cloud.binaryauthorization.v1.UserOwnedGrafeasNote] + references a Grafeas Attestation.Authority Note created by the user. + + Attributes: + note_reference (str): + Required. The Grafeas resource name of a + Attestation.Authority Note, created by the user, in the + format: ``projects/*/notes/*``. This field may not be + updated. 
+ + An attestation by this attestor is stored as a Grafeas + Attestation.Authority Occurrence that names a container + image and that links to this Note. Grafeas is an external + dependency. + public_keys (Sequence[google.cloud.binaryauthorization_v1.types.AttestorPublicKey]): + Optional. Public keys that verify + attestations signed by this attestor. This + field may be updated. + If this field is non-empty, one of the specified + public keys must verify that an attestation was + signed by this attestor for the image specified + in the admission request. + + If this field is empty, this attestor always + returns that no valid attestations exist. + delegation_service_account_email (str): + Output only. This field will contain the service account + email address that this Attestor will use as the principal + when querying Container Analysis. Attestor administrators + must grant this service account the IAM role needed to read + attestations from the [note_reference][Note] in Container + Analysis (``containeranalysis.notes.occurrences.viewer``). + + This email address is fixed for the lifetime of the + Attestor, but callers should not make any other assumptions + about the service account email; future versions may use an + email based on a different naming pattern. + """ + + note_reference = proto.Field(proto.STRING, number=1,) + public_keys = proto.RepeatedField( + proto.MESSAGE, number=2, message="AttestorPublicKey", + ) + delegation_service_account_email = proto.Field(proto.STRING, number=3,) + + +class PkixPublicKey(proto.Message): + r"""A public key in the PkixPublicKey format (see + https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for + details). Public keys of this type are typically textually + encoded using the PEM format. 
+ + Attributes: + public_key_pem (str): + A PEM-encoded public key, as described in + https://tools.ietf.org/html/rfc7468#section-13 + signature_algorithm (google.cloud.binaryauthorization_v1.types.PkixPublicKey.SignatureAlgorithm): + The signature algorithm used to verify a message against a + signature using this key. These signature algorithm must + match the structure and any object identifiers encoded in + ``public_key_pem`` (i.e. this algorithm must match that of + the public key). + """ + + class SignatureAlgorithm(proto.Enum): + r"""Represents a signature algorithm and other information + necessary to verify signatures with a given public key. This is + based primarily on the public key types supported by Tink's + PemKeyType, which is in turn based on KMS's supported signing + algorithms. See https://cloud.google.com/kms/docs/algorithms. In + the future, BinAuthz might support additional public key types + independently of Tink and/or KMS. + """ + _pb_options = {"allow_alias": True} + SIGNATURE_ALGORITHM_UNSPECIFIED = 0 + RSA_PSS_2048_SHA256 = 1 + RSA_PSS_3072_SHA256 = 2 + RSA_PSS_4096_SHA256 = 3 + RSA_PSS_4096_SHA512 = 4 + RSA_SIGN_PKCS1_2048_SHA256 = 5 + RSA_SIGN_PKCS1_3072_SHA256 = 6 + RSA_SIGN_PKCS1_4096_SHA256 = 7 + RSA_SIGN_PKCS1_4096_SHA512 = 8 + ECDSA_P256_SHA256 = 9 + EC_SIGN_P256_SHA256 = 9 + ECDSA_P384_SHA384 = 10 + EC_SIGN_P384_SHA384 = 10 + ECDSA_P521_SHA512 = 11 + EC_SIGN_P521_SHA512 = 11 + + public_key_pem = proto.Field(proto.STRING, number=1,) + signature_algorithm = proto.Field(proto.ENUM, number=2, enum=SignatureAlgorithm,) + + +class AttestorPublicKey(proto.Message): + r"""An [attestor public + key][google.cloud.binaryauthorization.v1.AttestorPublicKey] that + will be used to verify attestations signed by this attestor. + + Attributes: + comment (str): + Optional. A descriptive comment. This field + may be updated. + id (str): + The ID of this public key. 
Signatures verified by BinAuthz + must include the ID of the public key that can be used to + verify them, and that ID must match the contents of this + field exactly. Additional restrictions on this field can be + imposed based on which public key type is encapsulated. See + the documentation on ``public_key`` cases below for details. + ascii_armored_pgp_public_key (str): + ASCII-armored representation of a PGP public key, as the + entire output by the command + ``gpg --export --armor foo@example.com`` (either LF or CRLF + line endings). When using this field, ``id`` should be left + blank. The BinAuthz API handlers will calculate the ID and + fill it in automatically. BinAuthz computes this ID as the + OpenPGP RFC4880 V4 fingerprint, represented as upper-case + hex. If ``id`` is provided by the caller, it will be + overwritten by the API-calculated ID. + pkix_public_key (google.cloud.binaryauthorization_v1.types.PkixPublicKey): + A raw PKIX SubjectPublicKeyInfo format public key. + + NOTE: ``id`` may be explicitly provided by the caller when + using this type of public key, but it MUST be a valid + RFC3986 URI. If ``id`` is left blank, a default one will be + computed based on the digest of the DER encoding of the + public key. + """ + + comment = proto.Field(proto.STRING, number=1,) + id = proto.Field(proto.STRING, number=2,) + ascii_armored_pgp_public_key = proto.Field( + proto.STRING, number=3, oneof="public_key", + ) + pkix_public_key = proto.Field( + proto.MESSAGE, number=5, oneof="public_key", message="PkixPublicKey", + ) + + +__all__ = tuple(sorted(__protobuf__.manifest)) diff --git a/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/types/service.py b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/types/service.py new file mode 100644 index 000000000000..862610bbf637 --- /dev/null +++ b/packages/google-cloud-binary-authorization/google/cloud/binaryauthorization_v1/types/service.py 
@@ -0,0 +1,247 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import proto # type: ignore + +from google.cloud.binaryauthorization_v1.types import resources +from grafeas.grafeas_v1.types import attestation # type: ignore + + +__protobuf__ = proto.module( + package="google.cloud.binaryauthorization.v1", + manifest={ + "GetPolicyRequest", + "UpdatePolicyRequest", + "CreateAttestorRequest", + "GetAttestorRequest", + "UpdateAttestorRequest", + "ListAttestorsRequest", + "ListAttestorsResponse", + "DeleteAttestorRequest", + "GetSystemPolicyRequest", + "ValidateAttestationOccurrenceRequest", + "ValidateAttestationOccurrenceResponse", + }, +) + + +class GetPolicyRequest(proto.Message): + r"""Request message for [BinauthzManagementService.GetPolicy][]. + Attributes: + name (str): + Required. The resource name of the + [policy][google.cloud.binaryauthorization.v1.Policy] to + retrieve, in the format ``projects/*/policy``. + """ + + name = proto.Field(proto.STRING, number=1,) + + +class UpdatePolicyRequest(proto.Message): + r"""Request message for [BinauthzManagementService.UpdatePolicy][]. + Attributes: + policy (google.cloud.binaryauthorization_v1.types.Policy): + Required. A new or updated + [policy][google.cloud.binaryauthorization.v1.Policy] value. 
+ The service will overwrite the [policy + name][google.cloud.binaryauthorization.v1.Policy.name] field + with the resource name in the request URL, in the format + ``projects/*/policy``. + """ + + policy = proto.Field(proto.MESSAGE, number=1, message=resources.Policy,) + + +class CreateAttestorRequest(proto.Message): + r"""Request message for [BinauthzManagementService.CreateAttestor][]. + Attributes: + parent (str): + Required. The parent of this + [attestor][google.cloud.binaryauthorization.v1.Attestor]. + attestor_id (str): + Required. The + [attestors][google.cloud.binaryauthorization.v1.Attestor] + ID. + attestor (google.cloud.binaryauthorization_v1.types.Attestor): + Required. The initial + [attestor][google.cloud.binaryauthorization.v1.Attestor] + value. The service will overwrite the [attestor + name][google.cloud.binaryauthorization.v1.Attestor.name] + field with the resource name, in the format + ``projects/*/attestors/*``. + """ + + parent = proto.Field(proto.STRING, number=1,) + attestor_id = proto.Field(proto.STRING, number=2,) + attestor = proto.Field(proto.MESSAGE, number=3, message=resources.Attestor,) + + +class GetAttestorRequest(proto.Message): + r"""Request message for [BinauthzManagementService.GetAttestor][]. + Attributes: + name (str): + Required. The name of the + [attestor][google.cloud.binaryauthorization.v1.Attestor] to + retrieve, in the format ``projects/*/attestors/*``. + """ + + name = proto.Field(proto.STRING, number=1,) + + +class UpdateAttestorRequest(proto.Message): + r"""Request message for [BinauthzManagementService.UpdateAttestor][]. + Attributes: + attestor (google.cloud.binaryauthorization_v1.types.Attestor): + Required. The updated + [attestor][google.cloud.binaryauthorization.v1.Attestor] + value. The service will overwrite the [attestor + name][google.cloud.binaryauthorization.v1.Attestor.name] + field with the resource name in the request URL, in the + format ``projects/*/attestors/*``. 
+ """ + + attestor = proto.Field(proto.MESSAGE, number=1, message=resources.Attestor,) + + +class ListAttestorsRequest(proto.Message): + r"""Request message for [BinauthzManagementService.ListAttestors][]. + Attributes: + parent (str): + Required. The resource name of the project associated with + the + [attestors][google.cloud.binaryauthorization.v1.Attestor], + in the format ``projects/*``. + page_size (int): + Requested page size. The server may return + fewer results than requested. If unspecified, + the server will pick an appropriate default. + page_token (str): + A token identifying a page of results the server should + return. Typically, this is the value of + [ListAttestorsResponse.next_page_token][google.cloud.binaryauthorization.v1.ListAttestorsResponse.next_page_token] + returned from the previous call to the ``ListAttestors`` + method. + """ + + parent = proto.Field(proto.STRING, number=1,) + page_size = proto.Field(proto.INT32, number=2,) + page_token = proto.Field(proto.STRING, number=3,) + + +class ListAttestorsResponse(proto.Message): + r"""Response message for [BinauthzManagementService.ListAttestors][]. + Attributes: + attestors (Sequence[google.cloud.binaryauthorization_v1.types.Attestor]): + The list of + [attestors][google.cloud.binaryauthorization.v1.Attestor]. + next_page_token (str): + A token to retrieve the next page of results. Pass this + value in the + [ListAttestorsRequest.page_token][google.cloud.binaryauthorization.v1.ListAttestorsRequest.page_token] + field in the subsequent call to the ``ListAttestors`` method + to retrieve the next page of results. + """ + + @property + def raw_page(self): + return self + + attestors = proto.RepeatedField( + proto.MESSAGE, number=1, message=resources.Attestor, + ) + next_page_token = proto.Field(proto.STRING, number=2,) + + +class DeleteAttestorRequest(proto.Message): + r"""Request message for [BinauthzManagementService.DeleteAttestor][]. + Attributes: + name (str): + Required. 
The name of the + [attestors][google.cloud.binaryauthorization.v1.Attestor] to + delete, in the format ``projects/*/attestors/*``. + """ + + name = proto.Field(proto.STRING, number=1,) + + +class GetSystemPolicyRequest(proto.Message): + r"""Request to read the current system policy. + Attributes: + name (str): + Required. The resource name, in the format + ``locations/*/policy``. Note that the system policy is not + associated with a project. + """ + + name = proto.Field(proto.STRING, number=1,) + + +class ValidateAttestationOccurrenceRequest(proto.Message): + r"""Request message for + [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence]. + + Attributes: + attestor (str): + Required. The resource name of the + [Attestor][google.cloud.binaryauthorization.v1.Attestor] of + the [occurrence][grafeas.v1.Occurrence], in the format + ``projects/*/attestors/*``. + attestation (grafeas.grafeas_v1.types.attestation.AttestationOccurrence): + Required. An + [AttestationOccurrence][grafeas.v1.AttestationOccurrence] to + be checked that it can be verified by the Attestor. It does + not have to be an existing entity in Container Analysis. It + must otherwise be a valid AttestationOccurrence. + occurrence_note (str): + Required. The resource name of the [Note][grafeas.v1.Note] + to which the containing [Occurrence][grafeas.v1.Occurrence] + is associated. + occurrence_resource_uri (str): + Required. The URI of the artifact (e.g. container image) + that is the subject of the containing + [Occurrence][grafeas.v1.Occurrence]. 
+ """ + + attestor = proto.Field(proto.STRING, number=1,) + attestation = proto.Field( + proto.MESSAGE, number=2, message=attestation.AttestationOccurrence, + ) + occurrence_note = proto.Field(proto.STRING, number=3,) + occurrence_resource_uri = proto.Field(proto.STRING, number=4,) + + +class ValidateAttestationOccurrenceResponse(proto.Message): + r"""Response message for + [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence]. + + Attributes: + result (google.cloud.binaryauthorization_v1.types.ValidateAttestationOccurrenceResponse.Result): + The result of the Attestation validation. + denial_reason (str): + The reason for denial if the Attestation + couldn't be validated. + """ + + class Result(proto.Enum): + r"""The enum returned in the "result" field.""" + RESULT_UNSPECIFIED = 0 + VERIFIED = 1 + ATTESTATION_NOT_VERIFIABLE = 2 + + result = proto.Field(proto.ENUM, number=1, enum=Result,) + denial_reason = proto.Field(proto.STRING, number=2,) + + +__all__ = tuple(sorted(__protobuf__.manifest)) diff --git a/packages/google-cloud-binary-authorization/owlbot.py b/packages/google-cloud-binary-authorization/owlbot.py index 659cd168fbe4..d5031f7de431 100644 --- a/packages/google-cloud-binary-authorization/owlbot.py +++ b/packages/google-cloud-binary-authorization/owlbot.py @@ -14,15 +14,13 @@ """This script is used to synthesize generated parts of this library.""" -import os - import synthtool as s import synthtool.gcp as gcp from synthtool.languages import python common = gcp.CommonTemplates() -default_version = "v1beta1" +default_version = "v1" for library in s.get_staging_dirs(default_version): # Rename package to 'google-cloud-binary-authorization' 
@@ -31,6 +29,39 @@ "google-cloud-binaryauthorization", "google-cloud-binary-authorization", ) + + if library.name == "v1": + # Fix import of grafeas + s.replace( + [library / "google/**/*.py", library / "tests/**/*.py"], + "from grafeas.v1", + "from grafeas.grafeas_v1", + ) + + s.replace( + [library / "google/**/*.py", library / "tests/**/*.py"], + "from grafeas.grafeas_v1 import attestation_pb2", + "from grafeas.grafeas_v1.types import attestation", + ) + + s.replace( + [library / "google/**/*.py", library / "tests/**/*.py"], + "from grafeas.grafeas_v1 import common_pb2", + "from grafeas.grafeas_v1.types import common", + ) + + s.replace( + [library / "google/**/*.py", library / "tests/**/*.py"], + "message=attestation_pb2", + "message=attestation", + ) + + s.replace( + [library / "google/**/*.py", library / "tests/**/*.py"], + "grafeas.v1.attestation_pb2.AttestationOccurrence", + "grafeas.grafeas_v1.types.attestation.AttestationOccurrence", + ) + s.move(library, excludes=["setup.py", "README.rst", "docs/index.rst"]) s.remove_staging_dirs() 
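Review bot: The patterns passed to `s.replace` in the `library.name == "v1"` branch leave their dots unescaped, as in `"from grafeas.v1"` and `"grafeas.v1.attestation_pb2.AttestationOccurrence"`. They appear to be treated as regular expressions, since a call removed elsewhere in this diff escapes its parentheses as `\(`, so each `.` would match any character. Escaping them, for example `r"from grafeas\.v1"`, keeps the rewrite of the generated sources confined to the intended module path. The calls are also order-dependent, because the second and third patterns only match text produced by the first. A one-line comment such as `# order matters: the patterns below match the output of the first replace` would keep someone from reordering them later.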
@@ -46,58 +77,4 @@ excludes=[".coveragerc"], # the microgenerator has a good coveragerc file ) -# Remove the replacements below once https://github.com/googleapis/synthtool/pull/1188 is merged - -# Update googleapis/repo-automation-bots repo to main in .kokoro/*.sh files -s.replace(".kokoro/*.sh", "repo-automation-bots/tree/master", "repo-automation-bots/tree/main") - -# Customize CONTRIBUTING.rst to replace master with main -s.replace( - "CONTRIBUTING.rst", - "fetch and merge changes from upstream into master", - "fetch and merge changes from upstream into main", -) - -s.replace( - "CONTRIBUTING.rst", - "git merge upstream/master", - "git merge upstream/main", -) - -s.replace( - "CONTRIBUTING.rst", - """export GOOGLE_CLOUD_TESTING_BRANCH=\"master\"""", - """export GOOGLE_CLOUD_TESTING_BRANCH=\"main\"""", -) - -s.replace( - "CONTRIBUTING.rst", - "remote \(``master``\)", - "remote (``main``)", -) - -s.replace( - "CONTRIBUTING.rst", - "blob/master/CONTRIBUTING.rst", - "blob/main/CONTRIBUTING.rst", -) - -s.replace( - "CONTRIBUTING.rst", - "blob/master/noxfile.py", - "blob/main/noxfile.py", -) - -s.replace( - "docs/conf.py", - "master_doc", - "root_doc", -) - -s.replace( - "docs/conf.py", - "# The master toctree document.", - "# The root toctree document.", -) - s.shell.run(["nox", "-s", "blacken"], hide_output=False) diff --git a/packages/google-cloud-binary-authorization/scripts/fixup_binaryauthorization_v1_keywords.py b/packages/google-cloud-binary-authorization/scripts/fixup_binaryauthorization_v1_keywords.py new file mode 100644 index 000000000000..c11889d24d45 --- /dev/null +++ b/packages/google-cloud-binary-authorization/scripts/fixup_binaryauthorization_v1_keywords.py 
@@ -0,0 +1,184 @@ +#! /usr/bin/env python3 +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import argparse +import os +import libcst as cst +import pathlib +import sys +from typing import (Any, Callable, Dict, List, Sequence, Tuple) + + +def partition( + predicate: Callable[[Any], bool], + iterator: Sequence[Any] +) -> Tuple[List[Any], List[Any]]: + """A stable, out-of-place partition.""" + results = ([], []) + + for i in iterator: + results[int(predicate(i))].append(i) + + # Returns trueList, falseList + return results[1], results[0] + + +class binaryauthorizationCallTransformer(cst.CSTTransformer): + CTRL_PARAMS: Tuple[str] = ('retry', 'timeout', 'metadata') + METHOD_TO_PARAMS: Dict[str, Tuple[str]] = { + 'create_attestor': ('parent', 'attestor_id', 'attestor', ), + 'delete_attestor': ('name', ), + 'get_attestor': ('name', ), + 'get_policy': ('name', ), + 'get_system_policy': ('name', ), + 'list_attestors': ('parent', 'page_size', 'page_token', ), + 'update_attestor': ('attestor', ), + 'update_policy': ('policy', ), + 'validate_attestation_occurrence': ('attestor', 'attestation', 'occurrence_note', 'occurrence_resource_uri', ), + } + + def leave_Call(self, original: cst.Call, updated: cst.Call) -> cst.CSTNode: + try: + key = original.func.attr.value + kword_params = self.METHOD_TO_PARAMS[key] + except (AttributeError, KeyError): + # Either not a method from the API or too convoluted to be sure. 
+ return updated + + # If the existing code is valid, keyword args come after positional args. + # Therefore, all positional args must map to the first parameters. + args, kwargs = partition(lambda a: not bool(a.keyword), updated.args) + if any(k.keyword.value == "request" for k in kwargs): + # We've already fixed this file, don't fix it again. + return updated + + kwargs, ctrl_kwargs = partition( + lambda a: not a.keyword.value in self.CTRL_PARAMS, + kwargs + ) + + args, ctrl_args = args[:len(kword_params)], args[len(kword_params):] + ctrl_kwargs.extend(cst.Arg(value=a.value, keyword=cst.Name(value=ctrl)) + for a, ctrl in zip(ctrl_args, self.CTRL_PARAMS)) + + request_arg = cst.Arg( + value=cst.Dict([ + cst.DictElement( + cst.SimpleString("'{}'".format(name)), +cst.Element(value=arg.value) + ) + # Note: the args + kwargs looks silly, but keep in mind that + # the control parameters had to be stripped out, and that + # those could have been passed positionally or by keyword. + for name, arg in zip(kword_params, args + kwargs)]), + keyword=cst.Name("request") + ) + + return updated.with_changes( + args=[request_arg] + ctrl_kwargs + ) + + +def fix_files( + in_dir: pathlib.Path, + out_dir: pathlib.Path, + *, + transformer=binaryauthorizationCallTransformer(), +): + """Duplicate the input dir to the output dir, fixing file method calls. + + Preconditions: + * in_dir is a real directory + * out_dir is a real, empty directory + """ + pyfile_gen = ( + pathlib.Path(os.path.join(root, f)) + for root, _, files in os.walk(in_dir) + for f in files if os.path.splitext(f)[1] == ".py" + ) + + for fpath in pyfile_gen: + with open(fpath, 'r') as f: + src = f.read() + + # Parse the code and insert method call fixes. + tree = cst.parse_module(src) + updated = tree.visit(transformer) + + # Create the path and directory structure for the new file. 
+ updated_path = out_dir.joinpath(fpath.relative_to(in_dir)) + updated_path.parent.mkdir(parents=True, exist_ok=True) + + # Generate the updated source file at the corresponding path. + with open(updated_path, 'w') as f: + f.write(updated.code) + + +if __name__ == '__main__': + parser = argparse.ArgumentParser( + description="""Fix up source that uses the binaryauthorization client library. + +The existing sources are NOT overwritten but are copied to output_dir with changes made. + +Note: This tool operates at a best-effort level at converting positional + parameters in client method calls to keyword based parameters. + Cases where it WILL FAIL include + A) * or ** expansion in a method call. + B) Calls via function or method alias (includes free function calls) + C) Indirect or dispatched calls (e.g. the method is looked up dynamically) + + These all constitute false negatives. The tool will also detect false + positives when an API method shares a name with another method. +""") + parser.add_argument( + '-d', + '--input-directory', + required=True, + dest='input_dir', + help='the input directory to walk for python files to fix up', + ) + parser.add_argument( + '-o', + '--output-directory', + required=True, + dest='output_dir', + help='the directory to output files fixed via un-flattening', + ) + args = parser.parse_args() + input_dir = pathlib.Path(args.input_dir) + output_dir = pathlib.Path(args.output_dir) + if not input_dir.is_dir(): + print( + f"input directory '{input_dir}' does not exist or is not a directory", + file=sys.stderr, + ) + sys.exit(-1) + + if not output_dir.is_dir(): + print( + f"output directory '{output_dir}' does not exist or is not a directory", + file=sys.stderr, + ) + sys.exit(-1) + + if os.listdir(output_dir): + print( + f"output directory '{output_dir}' is not empty", + file=sys.stderr, + ) + sys.exit(-1) + + fix_files(input_dir, output_dir) 
diff --git a/packages/google-cloud-binary-authorization/setup.py b/packages/google-cloud-binary-authorization/setup.py index 9edeb77e8e4c..e00139ecd165 100644 --- a/packages/google-cloud-binary-authorization/setup.py +++ b/packages/google-cloud-binary-authorization/setup.py @@ -36,7 +36,7 @@ author="Google LLC", author_email="googleapis-packages@google.com", license="Apache 2.0", - url="https://github.com/googleapis/python-documentai", + url="https://github.com/googleapis/python-binary-authorization", packages=[ package for package in setuptools.PEP420PackageFinder.find() @@ -50,8 +50,9 @@ # Until this issue is closed # https://github.com/googleapis/google-cloud-python/issues/10566 "google-api-core[grpc] >= 1.26.0, <3.0.0dev", - "proto-plus >= 1.4.0", + "proto-plus >= 1.15.0", "packaging >= 14.3", + "grafeas >= 1.1.2", ), python_requires=">=3.6", classifiers=[ diff --git a/packages/google-cloud-binary-authorization/testing/constraints-3.6.txt b/packages/google-cloud-binary-authorization/testing/constraints-3.6.txt index e94a6538b969..db1749a6bd29 100644 --- a/packages/google-cloud-binary-authorization/testing/constraints-3.6.txt +++ b/packages/google-cloud-binary-authorization/testing/constraints-3.6.txt @@ -5,6 +5,7 @@ # e.g., if setup.py has "google-cloud-foo >= 1.14.0, < 2.0.0dev", # Then this file should have google-cloud-foo==1.14.0 google-api-core==1.26.0 -proto-plus==1.4.0 +proto-plus==1.15.0 +grafeas==1.1.2 packaging==14.3 google-auth==1.24.0 # TODO: remove when google-auth>=1.25.0 si transitively required through google-api-core diff --git a/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/__init__.py b/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/__init__.py new file mode 100644 index 000000000000..4de65971c238 --- /dev/null +++ b/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/__init__.py 
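Review bot: The new runtime dependency `"grafeas >= 1.1.2"` in `install_requires` has no upper bound, while `google-api-core` on the line above is capped at `<3.0.0dev`. The generated v1 types import `grafeas.grafeas_v1.types.attestation`, so a future major release of grafeas that moves that module would be installed automatically and break the import. Capping it the same way, `"grafeas >= 1.1.2, <2.0dev"`, limits what a fresh install can pull in. The `==1.1.2` pin in `testing/constraints-3.6.txt` only covers the lower bound.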
@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
diff --git a/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/test_binauthz_management_service_v1.py b/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/test_binauthz_management_service_v1.py
new file mode 100644
index 000000000000..bc3bf1c4ea4b
--- /dev/null
+++ b/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/test_binauthz_management_service_v1.py
@@ -0,0 +1,2821 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import os +import mock +import packaging.version + +import grpc +from grpc.experimental import aio +import math +import pytest +from proto.marshal.rules.dates import DurationRule, TimestampRule + + +from google.api_core import client_options +from google.api_core import exceptions as core_exceptions +from google.api_core import gapic_v1 +from google.api_core import grpc_helpers +from google.api_core import grpc_helpers_async +from google.auth import credentials as ga_credentials +from google.auth.exceptions import MutualTLSChannelError +from google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1 import ( + BinauthzManagementServiceV1AsyncClient, +) +from google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1 import ( + BinauthzManagementServiceV1Client, +) +from google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1 import ( + pagers, +) +from google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1 import ( + transports, +) +from google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.transports.base import ( + _GOOGLE_AUTH_VERSION, +) +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from google.oauth2 import service_account +from google.protobuf import timestamp_pb2 
# type: ignore +import google.auth + + +# TODO(busunkim): Once google-auth >= 1.25.0 is required transitively +# through google-api-core: +# - Delete the auth "less than" test cases +# - Delete these pytest markers (Make the "greater than or equal to" tests the default). +requires_google_auth_lt_1_25_0 = pytest.mark.skipif( + packaging.version.parse(_GOOGLE_AUTH_VERSION) >= packaging.version.parse("1.25.0"), + reason="This test requires google-auth < 1.25.0", +) +requires_google_auth_gte_1_25_0 = pytest.mark.skipif( + packaging.version.parse(_GOOGLE_AUTH_VERSION) < packaging.version.parse("1.25.0"), + reason="This test requires google-auth >= 1.25.0", +) + + +def client_cert_source_callback(): + return b"cert bytes", b"key bytes" + + +# If default endpoint is localhost, then default mtls endpoint will be the same. +# This method modifies the default endpoint so the client can produce a different +# mtls endpoint for endpoint testing purposes. +def modify_default_endpoint(client): + return ( + "foo.googleapis.com" + if ("localhost" in client.DEFAULT_ENDPOINT) + else client.DEFAULT_ENDPOINT + ) + + +def test__get_default_mtls_endpoint(): + api_endpoint = "example.googleapis.com" + api_mtls_endpoint = "example.mtls.googleapis.com" + sandbox_endpoint = "example.sandbox.googleapis.com" + sandbox_mtls_endpoint = "example.mtls.sandbox.googleapis.com" + non_googleapi = "api.example.com" + + assert BinauthzManagementServiceV1Client._get_default_mtls_endpoint(None) is None + assert ( + BinauthzManagementServiceV1Client._get_default_mtls_endpoint(api_endpoint) + == api_mtls_endpoint + ) + assert ( + BinauthzManagementServiceV1Client._get_default_mtls_endpoint(api_mtls_endpoint) + == api_mtls_endpoint + ) + assert ( + BinauthzManagementServiceV1Client._get_default_mtls_endpoint(sandbox_endpoint) + == sandbox_mtls_endpoint + ) + assert ( + BinauthzManagementServiceV1Client._get_default_mtls_endpoint( + sandbox_mtls_endpoint + ) + == sandbox_mtls_endpoint + ) + assert ( + 
BinauthzManagementServiceV1Client._get_default_mtls_endpoint(non_googleapi) + == non_googleapi + ) + + +@pytest.mark.parametrize( + "client_class", + [BinauthzManagementServiceV1Client, BinauthzManagementServiceV1AsyncClient,], +) +def test_binauthz_management_service_v1_client_from_service_account_info(client_class): + creds = ga_credentials.AnonymousCredentials() + with mock.patch.object( + service_account.Credentials, "from_service_account_info" + ) as factory: + factory.return_value = creds + info = {"valid": True} + client = client_class.from_service_account_info(info) + assert client.transport._credentials == creds + assert isinstance(client, client_class) + + assert client.transport._host == "binaryauthorization.googleapis.com:443" + + +@pytest.mark.parametrize( + "transport_class,transport_name", + [ + (transports.BinauthzManagementServiceV1GrpcTransport, "grpc"), + (transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, "grpc_asyncio"), + ], +) +def test_binauthz_management_service_v1_client_service_account_always_use_jwt( + transport_class, transport_name +): + with mock.patch.object( + service_account.Credentials, "with_always_use_jwt_access", create=True + ) as use_jwt: + creds = service_account.Credentials(None, None, None) + transport = transport_class(credentials=creds, always_use_jwt_access=True) + use_jwt.assert_called_once_with(True) + + with mock.patch.object( + service_account.Credentials, "with_always_use_jwt_access", create=True + ) as use_jwt: + creds = service_account.Credentials(None, None, None) + transport = transport_class(credentials=creds, always_use_jwt_access=False) + use_jwt.assert_not_called() + + +@pytest.mark.parametrize( + "client_class", + [BinauthzManagementServiceV1Client, BinauthzManagementServiceV1AsyncClient,], +) +def test_binauthz_management_service_v1_client_from_service_account_file(client_class): + creds = ga_credentials.AnonymousCredentials() + with mock.patch.object( + service_account.Credentials, 
"from_service_account_file" + ) as factory: + factory.return_value = creds + client = client_class.from_service_account_file("dummy/file/path.json") + assert client.transport._credentials == creds + assert isinstance(client, client_class) + + client = client_class.from_service_account_json("dummy/file/path.json") + assert client.transport._credentials == creds + assert isinstance(client, client_class) + + assert client.transport._host == "binaryauthorization.googleapis.com:443" + + +def test_binauthz_management_service_v1_client_get_transport_class(): + transport = BinauthzManagementServiceV1Client.get_transport_class() + available_transports = [ + transports.BinauthzManagementServiceV1GrpcTransport, + ] + assert transport in available_transports + + transport = BinauthzManagementServiceV1Client.get_transport_class("grpc") + assert transport == transports.BinauthzManagementServiceV1GrpcTransport + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name", + [ + ( + BinauthzManagementServiceV1Client, + transports.BinauthzManagementServiceV1GrpcTransport, + "grpc", + ), + ( + BinauthzManagementServiceV1AsyncClient, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + "grpc_asyncio", + ), + ], +) +@mock.patch.object( + BinauthzManagementServiceV1Client, + "DEFAULT_ENDPOINT", + modify_default_endpoint(BinauthzManagementServiceV1Client), +) +@mock.patch.object( + BinauthzManagementServiceV1AsyncClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(BinauthzManagementServiceV1AsyncClient), +) +def test_binauthz_management_service_v1_client_client_options( + client_class, transport_class, transport_name +): + # Check that if channel is provided we won't create a new one. 
+ with mock.patch.object( + BinauthzManagementServiceV1Client, "get_transport_class" + ) as gtc: + transport = transport_class(credentials=ga_credentials.AnonymousCredentials()) + client = client_class(transport=transport) + gtc.assert_not_called() + + # Check that if channel is provided via str we will create a new one. + with mock.patch.object( + BinauthzManagementServiceV1Client, "get_transport_class" + ) as gtc: + client = client_class(transport=transport_name) + gtc.assert_called() + + # Check the case api_endpoint is provided. + options = client_options.ClientOptions(api_endpoint="squid.clam.whelk") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host="squid.clam.whelk", + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is + # "never". + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "never"}): + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is + # "always". 
+ with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "always"}): + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_MTLS_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT has + # unsupported value. + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "Unsupported"}): + with pytest.raises(MutualTLSChannelError): + client = client_class() + + # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value. + with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"} + ): + with pytest.raises(ValueError): + client = client_class() + + # Check the case quota_project_id is provided + options = client_options.ClientOptions(quota_project_id="octopus") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id="octopus", + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name,use_client_cert_env", + [ + ( + BinauthzManagementServiceV1Client, + transports.BinauthzManagementServiceV1GrpcTransport, + "grpc", + "true", + ), + ( + BinauthzManagementServiceV1AsyncClient, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + "grpc_asyncio", + "true", + ), + ( + BinauthzManagementServiceV1Client, + transports.BinauthzManagementServiceV1GrpcTransport, + "grpc", + 
"false", + ), + ( + BinauthzManagementServiceV1AsyncClient, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + "grpc_asyncio", + "false", + ), + ], +) +@mock.patch.object( + BinauthzManagementServiceV1Client, + "DEFAULT_ENDPOINT", + modify_default_endpoint(BinauthzManagementServiceV1Client), +) +@mock.patch.object( + BinauthzManagementServiceV1AsyncClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(BinauthzManagementServiceV1AsyncClient), +) +@mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "auto"}) +def test_binauthz_management_service_v1_client_mtls_env_auto( + client_class, transport_class, transport_name, use_client_cert_env +): + # This tests the endpoint autoswitch behavior. Endpoint is autoswitched to the default + # mtls endpoint, if GOOGLE_API_USE_CLIENT_CERTIFICATE is "true" and client cert exists. + + # Check the case client_cert_source is provided. Whether client cert is used depends on + # GOOGLE_API_USE_CLIENT_CERTIFICATE value. + with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + options = client_options.ClientOptions( + client_cert_source=client_cert_source_callback + ) + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + + if use_client_cert_env == "false": + expected_client_cert_source = None + expected_host = client.DEFAULT_ENDPOINT + else: + expected_client_cert_source = client_cert_source_callback + expected_host = client.DEFAULT_MTLS_ENDPOINT + + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=expected_host, + scopes=None, + client_cert_source_for_mtls=expected_client_cert_source, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case ADC client cert is provided. Whether client cert is used depends on + # GOOGLE_API_USE_CLIENT_CERTIFICATE value. 
+ with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + with mock.patch.object(transport_class, "__init__") as patched: + with mock.patch( + "google.auth.transport.mtls.has_default_client_cert_source", + return_value=True, + ): + with mock.patch( + "google.auth.transport.mtls.default_client_cert_source", + return_value=client_cert_source_callback, + ): + if use_client_cert_env == "false": + expected_host = client.DEFAULT_ENDPOINT + expected_client_cert_source = None + else: + expected_host = client.DEFAULT_MTLS_ENDPOINT + expected_client_cert_source = client_cert_source_callback + + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=expected_host, + scopes=None, + client_cert_source_for_mtls=expected_client_cert_source, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case client_cert_source and ADC client cert are not provided. 
+ with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + with mock.patch.object(transport_class, "__init__") as patched: + with mock.patch( + "google.auth.transport.mtls.has_default_client_cert_source", + return_value=False, + ): + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name", + [ + ( + BinauthzManagementServiceV1Client, + transports.BinauthzManagementServiceV1GrpcTransport, + "grpc", + ), + ( + BinauthzManagementServiceV1AsyncClient, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + "grpc_asyncio", + ), + ], +) +def test_binauthz_management_service_v1_client_client_options_scopes( + client_class, transport_class, transport_name +): + # Check the case scopes are provided. 
+ options = client_options.ClientOptions(scopes=["1", "2"],) + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=["1", "2"], + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name", + [ + ( + BinauthzManagementServiceV1Client, + transports.BinauthzManagementServiceV1GrpcTransport, + "grpc", + ), + ( + BinauthzManagementServiceV1AsyncClient, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + "grpc_asyncio", + ), + ], +) +def test_binauthz_management_service_v1_client_client_options_credentials_file( + client_class, transport_class, transport_name +): + # Check the case credentials file is provided. + options = client_options.ClientOptions(credentials_file="credentials.json") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file="credentials.json", + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +def test_binauthz_management_service_v1_client_client_options_from_dict(): + with mock.patch( + "google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.transports.BinauthzManagementServiceV1GrpcTransport.__init__" + ) as grpc_transport: + grpc_transport.return_value = None + client = BinauthzManagementServiceV1Client( + client_options={"api_endpoint": "squid.clam.whelk"} + ) + grpc_transport.assert_called_once_with( + credentials=None, + credentials_file=None, 
+ host="squid.clam.whelk", + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +def test_get_policy(transport: str = "grpc", request_type=service.GetPolicyRequest): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_policy), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Policy( + name="name_value", + description="description_value", + global_policy_evaluation_mode=resources.Policy.GlobalPolicyEvaluationMode.ENABLE, + ) + response = client.get_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.GetPolicyRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Policy) + assert response.name == "name_value" + assert response.description == "description_value" + assert ( + response.global_policy_evaluation_mode + == resources.Policy.GlobalPolicyEvaluationMode.ENABLE + ) + + +def test_get_policy_from_dict(): + test_get_policy(request_type=dict) + + +def test_get_policy_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object(type(client.transport.get_policy), "__call__") as call: + client.get_policy() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.GetPolicyRequest() + + +@pytest.mark.asyncio +async def test_get_policy_async( + transport: str = "grpc_asyncio", request_type=service.GetPolicyRequest +): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_policy), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.Policy( + name="name_value", + description="description_value", + global_policy_evaluation_mode=resources.Policy.GlobalPolicyEvaluationMode.ENABLE, + ) + ) + response = await client.get_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.GetPolicyRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Policy) + assert response.name == "name_value" + assert response.description == "description_value" + assert ( + response.global_policy_evaluation_mode + == resources.Policy.GlobalPolicyEvaluationMode.ENABLE + ) + + +@pytest.mark.asyncio +async def test_get_policy_async_from_dict(): + await test_get_policy_async(request_type=dict) + + +def test_get_policy_field_headers(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. 
Set these to a non-empty value. + request = service.GetPolicyRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_policy), "__call__") as call: + call.return_value = resources.Policy() + client.get_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_get_policy_field_headers_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.GetPolicyRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_policy), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Policy()) + await client.get_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +def test_get_policy_flattened(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_policy), "__call__") as call: + # Designate an appropriate return value for the call. 
+ call.return_value = resources.Policy() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.get_policy(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +def test_get_policy_flattened_error(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.get_policy( + service.GetPolicyRequest(), name="name_value", + ) + + +@pytest.mark.asyncio +async def test_get_policy_flattened_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_policy), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Policy() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Policy()) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.get_policy(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +@pytest.mark.asyncio +async def test_get_policy_flattened_error_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. 
+ with pytest.raises(ValueError): + await client.get_policy( + service.GetPolicyRequest(), name="name_value", + ) + + +def test_update_policy( + transport: str = "grpc", request_type=service.UpdatePolicyRequest +): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.update_policy), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Policy( + name="name_value", + description="description_value", + global_policy_evaluation_mode=resources.Policy.GlobalPolicyEvaluationMode.ENABLE, + ) + response = client.update_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.UpdatePolicyRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Policy) + assert response.name == "name_value" + assert response.description == "description_value" + assert ( + response.global_policy_evaluation_mode + == resources.Policy.GlobalPolicyEvaluationMode.ENABLE + ) + + +def test_update_policy_from_dict(): + test_update_policy(request_type=dict) + + +def test_update_policy_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object(type(client.transport.update_policy), "__call__") as call: + client.update_policy() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.UpdatePolicyRequest() + + +@pytest.mark.asyncio +async def test_update_policy_async( + transport: str = "grpc_asyncio", request_type=service.UpdatePolicyRequest +): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.update_policy), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.Policy( + name="name_value", + description="description_value", + global_policy_evaluation_mode=resources.Policy.GlobalPolicyEvaluationMode.ENABLE, + ) + ) + response = await client.update_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.UpdatePolicyRequest() + + # Establish that the response is the type that we expect. 
+ assert isinstance(response, resources.Policy) + assert response.name == "name_value" + assert response.description == "description_value" + assert ( + response.global_policy_evaluation_mode + == resources.Policy.GlobalPolicyEvaluationMode.ENABLE + ) + + +@pytest.mark.asyncio +async def test_update_policy_async_from_dict(): + await test_update_policy_async(request_type=dict) + + +def test_update_policy_field_headers(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.UpdatePolicyRequest() + + request.policy.name = "policy.name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.update_policy), "__call__") as call: + call.return_value = resources.Policy() + client.update_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "policy.name=policy.name/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_update_policy_field_headers_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.UpdatePolicyRequest() + + request.policy.name = "policy.name/value" + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object(type(client.transport.update_policy), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Policy()) + await client.update_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "policy.name=policy.name/value",) in kw["metadata"] + + +def test_update_policy_flattened(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.update_policy), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Policy() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.update_policy(policy=resources.Policy(name="name_value"),) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].policy == resources.Policy(name="name_value") + + +def test_update_policy_flattened_error(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.update_policy( + service.UpdatePolicyRequest(), policy=resources.Policy(name="name_value"), + ) + + +@pytest.mark.asyncio +async def test_update_policy_flattened_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object(type(client.transport.update_policy), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Policy() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Policy()) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.update_policy( + policy=resources.Policy(name="name_value"), + ) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].policy == resources.Policy(name="name_value") + + +@pytest.mark.asyncio +async def test_update_policy_flattened_error_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + await client.update_policy( + service.UpdatePolicyRequest(), policy=resources.Policy(name="name_value"), + ) + + +def test_create_attestor( + transport: str = "grpc", request_type=service.CreateAttestorRequest +): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.create_attestor), "__call__") as call: + # Designate an appropriate return value for the call. 
+ call.return_value = resources.Attestor( + name="name_value", + description="description_value", + user_owned_grafeas_note=resources.UserOwnedGrafeasNote( + note_reference="note_reference_value" + ), + ) + response = client.create_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.CreateAttestorRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Attestor) + assert response.name == "name_value" + assert response.description == "description_value" + + +def test_create_attestor_from_dict(): + test_create_attestor(request_type=dict) + + +def test_create_attestor_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.create_attestor), "__call__") as call: + client.create_attestor() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.CreateAttestorRequest() + + +@pytest.mark.asyncio +async def test_create_attestor_async( + transport: str = "grpc_asyncio", request_type=service.CreateAttestorRequest +): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.create_attestor), "__call__") as call: + # Designate an appropriate return value for the call. 
+ call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.Attestor(name="name_value", description="description_value",) + ) + response = await client.create_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.CreateAttestorRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Attestor) + assert response.name == "name_value" + assert response.description == "description_value" + + +@pytest.mark.asyncio +async def test_create_attestor_async_from_dict(): + await test_create_attestor_async(request_type=dict) + + +def test_create_attestor_field_headers(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.CreateAttestorRequest() + + request.parent = "parent/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.create_attestor), "__call__") as call: + call.return_value = resources.Attestor() + client.create_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_create_attestor_field_headers_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. 
+ request = service.CreateAttestorRequest() + + request.parent = "parent/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.create_attestor), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Attestor()) + await client.create_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"] + + +def test_create_attestor_flattened(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.create_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Attestor() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.create_attestor( + parent="parent_value", + attestor_id="attestor_id_value", + attestor=resources.Attestor(name="name_value"), + ) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].parent == "parent_value" + assert args[0].attestor_id == "attestor_id_value" + assert args[0].attestor == resources.Attestor(name="name_value") + + +def test_create_attestor_flattened_error(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. 
+ with pytest.raises(ValueError): + client.create_attestor( + service.CreateAttestorRequest(), + parent="parent_value", + attestor_id="attestor_id_value", + attestor=resources.Attestor(name="name_value"), + ) + + +@pytest.mark.asyncio +async def test_create_attestor_flattened_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.create_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Attestor() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Attestor()) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.create_attestor( + parent="parent_value", + attestor_id="attestor_id_value", + attestor=resources.Attestor(name="name_value"), + ) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].parent == "parent_value" + assert args[0].attestor_id == "attestor_id_value" + assert args[0].attestor == resources.Attestor(name="name_value") + + +@pytest.mark.asyncio +async def test_create_attestor_flattened_error_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. 
+ with pytest.raises(ValueError): + await client.create_attestor( + service.CreateAttestorRequest(), + parent="parent_value", + attestor_id="attestor_id_value", + attestor=resources.Attestor(name="name_value"), + ) + + +def test_get_attestor(transport: str = "grpc", request_type=service.GetAttestorRequest): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Attestor( + name="name_value", + description="description_value", + user_owned_grafeas_note=resources.UserOwnedGrafeasNote( + note_reference="note_reference_value" + ), + ) + response = client.get_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.GetAttestorRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Attestor) + assert response.name == "name_value" + assert response.description == "description_value" + + +def test_get_attestor_from_dict(): + test_get_attestor(request_type=dict) + + +def test_get_attestor_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object(type(client.transport.get_attestor), "__call__") as call: + client.get_attestor() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.GetAttestorRequest() + + +@pytest.mark.asyncio +async def test_get_attestor_async( + transport: str = "grpc_asyncio", request_type=service.GetAttestorRequest +): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.Attestor(name="name_value", description="description_value",) + ) + response = await client.get_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.GetAttestorRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Attestor) + assert response.name == "name_value" + assert response.description == "description_value" + + +@pytest.mark.asyncio +async def test_get_attestor_async_from_dict(): + await test_get_attestor_async(request_type=dict) + + +def test_get_attestor_field_headers(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.GetAttestorRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object(type(client.transport.get_attestor), "__call__") as call: + call.return_value = resources.Attestor() + client.get_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_get_attestor_field_headers_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.GetAttestorRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_attestor), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Attestor()) + await client.get_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +def test_get_attestor_flattened(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Attestor() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. 
+ client.get_attestor(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +def test_get_attestor_flattened_error(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.get_attestor( + service.GetAttestorRequest(), name="name_value", + ) + + +@pytest.mark.asyncio +async def test_get_attestor_flattened_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.get_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Attestor() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Attestor()) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.get_attestor(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +@pytest.mark.asyncio +async def test_get_attestor_flattened_error_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. 
+ with pytest.raises(ValueError): + await client.get_attestor( + service.GetAttestorRequest(), name="name_value", + ) + + +def test_update_attestor( + transport: str = "grpc", request_type=service.UpdateAttestorRequest +): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.update_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Attestor( + name="name_value", + description="description_value", + user_owned_grafeas_note=resources.UserOwnedGrafeasNote( + note_reference="note_reference_value" + ), + ) + response = client.update_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.UpdateAttestorRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Attestor) + assert response.name == "name_value" + assert response.description == "description_value" + + +def test_update_attestor_from_dict(): + test_update_attestor(request_type=dict) + + +def test_update_attestor_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object(type(client.transport.update_attestor), "__call__") as call: + client.update_attestor() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.UpdateAttestorRequest() + + +@pytest.mark.asyncio +async def test_update_attestor_async( + transport: str = "grpc_asyncio", request_type=service.UpdateAttestorRequest +): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.update_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.Attestor(name="name_value", description="description_value",) + ) + response = await client.update_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.UpdateAttestorRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Attestor) + assert response.name == "name_value" + assert response.description == "description_value" + + +@pytest.mark.asyncio +async def test_update_attestor_async_from_dict(): + await test_update_attestor_async(request_type=dict) + + +def test_update_attestor_field_headers(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. 
+ request = service.UpdateAttestorRequest() + + request.attestor.name = "attestor.name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.update_attestor), "__call__") as call: + call.return_value = resources.Attestor() + client.update_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "attestor.name=attestor.name/value",) in kw[ + "metadata" + ] + + +@pytest.mark.asyncio +async def test_update_attestor_field_headers_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.UpdateAttestorRequest() + + request.attestor.name = "attestor.name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.update_attestor), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Attestor()) + await client.update_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "attestor.name=attestor.name/value",) in kw[ + "metadata" + ] + + +def test_update_attestor_flattened(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object(type(client.transport.update_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Attestor() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.update_attestor(attestor=resources.Attestor(name="name_value"),) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].attestor == resources.Attestor(name="name_value") + + +def test_update_attestor_flattened_error(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.update_attestor( + service.UpdateAttestorRequest(), + attestor=resources.Attestor(name="name_value"), + ) + + +@pytest.mark.asyncio +async def test_update_attestor_flattened_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.update_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Attestor() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Attestor()) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.update_attestor( + attestor=resources.Attestor(name="name_value"), + ) + + # Establish that the underlying call was made with the expected + # request object values. 
+ assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].attestor == resources.Attestor(name="name_value") + + +@pytest.mark.asyncio +async def test_update_attestor_flattened_error_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + await client.update_attestor( + service.UpdateAttestorRequest(), + attestor=resources.Attestor(name="name_value"), + ) + + +def test_list_attestors( + transport: str = "grpc", request_type=service.ListAttestorsRequest +): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.list_attestors), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = service.ListAttestorsResponse( + next_page_token="next_page_token_value", + ) + response = client.list_attestors(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.ListAttestorsRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, pagers.ListAttestorsPager) + assert response.next_page_token == "next_page_token_value" + + +def test_list_attestors_from_dict(): + test_list_attestors(request_type=dict) + + +def test_list_attestors_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. 
+ client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.list_attestors), "__call__") as call: + client.list_attestors() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.ListAttestorsRequest() + + +@pytest.mark.asyncio +async def test_list_attestors_async( + transport: str = "grpc_asyncio", request_type=service.ListAttestorsRequest +): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.list_attestors), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.ListAttestorsResponse(next_page_token="next_page_token_value",) + ) + response = await client.list_attestors(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.ListAttestorsRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, pagers.ListAttestorsAsyncPager) + assert response.next_page_token == "next_page_token_value" + + +@pytest.mark.asyncio +async def test_list_attestors_async_from_dict(): + await test_list_attestors_async(request_type=dict) + + +def test_list_attestors_field_headers(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. 
Set these to a non-empty value. + request = service.ListAttestorsRequest() + + request.parent = "parent/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.list_attestors), "__call__") as call: + call.return_value = service.ListAttestorsResponse() + client.list_attestors(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_list_attestors_field_headers_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.ListAttestorsRequest() + + request.parent = "parent/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.list_attestors), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.ListAttestorsResponse() + ) + await client.list_attestors(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "parent=parent/value",) in kw["metadata"] + + +def test_list_attestors_flattened(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object(type(client.transport.list_attestors), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = service.ListAttestorsResponse() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.list_attestors(parent="parent_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].parent == "parent_value" + + +def test_list_attestors_flattened_error(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.list_attestors( + service.ListAttestorsRequest(), parent="parent_value", + ) + + +@pytest.mark.asyncio +async def test_list_attestors_flattened_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.list_attestors), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = service.ListAttestorsResponse() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.ListAttestorsResponse() + ) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.list_attestors(parent="parent_value",) + + # Establish that the underlying call was made with the expected + # request object values. 
+ assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].parent == "parent_value" + + +@pytest.mark.asyncio +async def test_list_attestors_flattened_error_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + await client.list_attestors( + service.ListAttestorsRequest(), parent="parent_value", + ) + + +def test_list_attestors_pager(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials, + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.list_attestors), "__call__") as call: + # Set the response to a series of pages. + call.side_effect = ( + service.ListAttestorsResponse( + attestors=[ + resources.Attestor(), + resources.Attestor(), + resources.Attestor(), + ], + next_page_token="abc", + ), + service.ListAttestorsResponse(attestors=[], next_page_token="def",), + service.ListAttestorsResponse( + attestors=[resources.Attestor(),], next_page_token="ghi", + ), + service.ListAttestorsResponse( + attestors=[resources.Attestor(), resources.Attestor(),], + ), + RuntimeError, + ) + + metadata = () + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("parent", ""),)), + ) + pager = client.list_attestors(request={}) + + assert pager._metadata == metadata + + results = [i for i in pager] + assert len(results) == 6 + assert all(isinstance(i, resources.Attestor) for i in results) + + +def test_list_attestors_pages(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials, + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.list_attestors), "__call__") as call: + # Set the response to a series of pages. 
+ call.side_effect = ( + service.ListAttestorsResponse( + attestors=[ + resources.Attestor(), + resources.Attestor(), + resources.Attestor(), + ], + next_page_token="abc", + ), + service.ListAttestorsResponse(attestors=[], next_page_token="def",), + service.ListAttestorsResponse( + attestors=[resources.Attestor(),], next_page_token="ghi", + ), + service.ListAttestorsResponse( + attestors=[resources.Attestor(), resources.Attestor(),], + ), + RuntimeError, + ) + pages = list(client.list_attestors(request={}).pages) + for page_, token in zip(pages, ["abc", "def", "ghi", ""]): + assert page_.raw_page.next_page_token == token + + +@pytest.mark.asyncio +async def test_list_attestors_async_pager(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials, + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.list_attestors), "__call__", new_callable=mock.AsyncMock + ) as call: + # Set the response to a series of pages. 
+ call.side_effect = ( + service.ListAttestorsResponse( + attestors=[ + resources.Attestor(), + resources.Attestor(), + resources.Attestor(), + ], + next_page_token="abc", + ), + service.ListAttestorsResponse(attestors=[], next_page_token="def",), + service.ListAttestorsResponse( + attestors=[resources.Attestor(),], next_page_token="ghi", + ), + service.ListAttestorsResponse( + attestors=[resources.Attestor(), resources.Attestor(),], + ), + RuntimeError, + ) + async_pager = await client.list_attestors(request={},) + assert async_pager.next_page_token == "abc" + responses = [] + async for response in async_pager: + responses.append(response) + + assert len(responses) == 6 + assert all(isinstance(i, resources.Attestor) for i in responses) + + +@pytest.mark.asyncio +async def test_list_attestors_async_pages(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials, + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.list_attestors), "__call__", new_callable=mock.AsyncMock + ) as call: + # Set the response to a series of pages. 
+ call.side_effect = ( + service.ListAttestorsResponse( + attestors=[ + resources.Attestor(), + resources.Attestor(), + resources.Attestor(), + ], + next_page_token="abc", + ), + service.ListAttestorsResponse(attestors=[], next_page_token="def",), + service.ListAttestorsResponse( + attestors=[resources.Attestor(),], next_page_token="ghi", + ), + service.ListAttestorsResponse( + attestors=[resources.Attestor(), resources.Attestor(),], + ), + RuntimeError, + ) + pages = [] + async for page_ in (await client.list_attestors(request={})).pages: + pages.append(page_) + for page_, token in zip(pages, ["abc", "def", "ghi", ""]): + assert page_.raw_page.next_page_token == token + + +def test_delete_attestor( + transport: str = "grpc", request_type=service.DeleteAttestorRequest +): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.delete_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = None + response = client.delete_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.DeleteAttestorRequest() + + # Establish that the response is the type that we expect. + assert response is None + + +def test_delete_attestor_from_dict(): + test_delete_attestor(request_type=dict) + + +def test_delete_attestor_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. 
+ client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.delete_attestor), "__call__") as call: + client.delete_attestor() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.DeleteAttestorRequest() + + +@pytest.mark.asyncio +async def test_delete_attestor_async( + transport: str = "grpc_asyncio", request_type=service.DeleteAttestorRequest +): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.delete_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(None) + response = await client.delete_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.DeleteAttestorRequest() + + # Establish that the response is the type that we expect. + assert response is None + + +@pytest.mark.asyncio +async def test_delete_attestor_async_from_dict(): + await test_delete_attestor_async(request_type=dict) + + +def test_delete_attestor_field_headers(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. 
+ request = service.DeleteAttestorRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.delete_attestor), "__call__") as call: + call.return_value = None + client.delete_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_delete_attestor_field_headers_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.DeleteAttestorRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.delete_attestor), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(None) + await client.delete_attestor(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +def test_delete_attestor_flattened(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.delete_attestor), "__call__") as call: + # Designate an appropriate return value for the call. 
+ call.return_value = None + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.delete_attestor(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +def test_delete_attestor_flattened_error(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.delete_attestor( + service.DeleteAttestorRequest(), name="name_value", + ) + + +@pytest.mark.asyncio +async def test_delete_attestor_flattened_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.delete_attestor), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = None + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(None) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.delete_attestor(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +@pytest.mark.asyncio +async def test_delete_attestor_flattened_error_async(): + client = BinauthzManagementServiceV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. 
+ with pytest.raises(ValueError): + await client.delete_attestor( + service.DeleteAttestorRequest(), name="name_value", + ) + + +def test_credentials_transport_error(): + # It is an error to provide credentials and a transport instance. + transport = transports.BinauthzManagementServiceV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + with pytest.raises(ValueError): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # It is an error to provide a credentials file and a transport instance. + transport = transports.BinauthzManagementServiceV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + with pytest.raises(ValueError): + client = BinauthzManagementServiceV1Client( + client_options={"credentials_file": "credentials.json"}, + transport=transport, + ) + + # It is an error to provide scopes and a transport instance. + transport = transports.BinauthzManagementServiceV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + with pytest.raises(ValueError): + client = BinauthzManagementServiceV1Client( + client_options={"scopes": ["1", "2"]}, transport=transport, + ) + + +def test_transport_instance(): + # A client may be instantiated with a custom transport instance. + transport = transports.BinauthzManagementServiceV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + client = BinauthzManagementServiceV1Client(transport=transport) + assert client.transport is transport + + +def test_transport_get_channel(): + # A client may be instantiated with a custom transport instance. 
+ transport = transports.BinauthzManagementServiceV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + channel = transport.grpc_channel + assert channel + + transport = transports.BinauthzManagementServiceV1GrpcAsyncIOTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + channel = transport.grpc_channel + assert channel + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.BinauthzManagementServiceV1GrpcTransport, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + ], +) +def test_transport_adc(transport_class): + # Test default credentials are used if not provided. + with mock.patch.object(google.auth, "default") as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport_class() + adc.assert_called_once() + + +def test_transport_grpc_default(): + # A client should use the gRPC transport by default. + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + assert isinstance( + client.transport, transports.BinauthzManagementServiceV1GrpcTransport, + ) + + +def test_binauthz_management_service_v1_base_transport_error(): + # Passing both a credentials object and credentials_file should raise an error + with pytest.raises(core_exceptions.DuplicateCredentialArgs): + transport = transports.BinauthzManagementServiceV1Transport( + credentials=ga_credentials.AnonymousCredentials(), + credentials_file="credentials.json", + ) + + +def test_binauthz_management_service_v1_base_transport(): + # Instantiate the base transport. + with mock.patch( + "google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.transports.BinauthzManagementServiceV1Transport.__init__" + ) as Transport: + Transport.return_value = None + transport = transports.BinauthzManagementServiceV1Transport( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Every method on the transport should just blindly + # raise NotImplementedError. 
+ methods = ( + "get_policy", + "update_policy", + "create_attestor", + "get_attestor", + "update_attestor", + "list_attestors", + "delete_attestor", + ) + for method in methods: + with pytest.raises(NotImplementedError): + getattr(transport, method)(request=object()) + + +@requires_google_auth_gte_1_25_0 +def test_binauthz_management_service_v1_base_transport_with_credentials_file(): + # Instantiate the base transport with a credentials file + with mock.patch.object( + google.auth, "load_credentials_from_file", autospec=True + ) as load_creds, mock.patch( + "google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.transports.BinauthzManagementServiceV1Transport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + load_creds.return_value = (ga_credentials.AnonymousCredentials(), None) + transport = transports.BinauthzManagementServiceV1Transport( + credentials_file="credentials.json", quota_project_id="octopus", + ) + load_creds.assert_called_once_with( + "credentials.json", + scopes=None, + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +@requires_google_auth_lt_1_25_0 +def test_binauthz_management_service_v1_base_transport_with_credentials_file_old_google_auth(): + # Instantiate the base transport with a credentials file + with mock.patch.object( + google.auth, "load_credentials_from_file", autospec=True + ) as load_creds, mock.patch( + "google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.transports.BinauthzManagementServiceV1Transport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + load_creds.return_value = (ga_credentials.AnonymousCredentials(), None) + transport = transports.BinauthzManagementServiceV1Transport( + credentials_file="credentials.json", quota_project_id="octopus", + ) + load_creds.assert_called_once_with( + "credentials.json", + scopes=("https://www.googleapis.com/auth/cloud-platform",), + 
quota_project_id="octopus", + ) + + +def test_binauthz_management_service_v1_base_transport_with_adc(): + # Test the default credentials are used if credentials and credentials_file are None. + with mock.patch.object(google.auth, "default", autospec=True) as adc, mock.patch( + "google.cloud.binaryauthorization_v1.services.binauthz_management_service_v1.transports.BinauthzManagementServiceV1Transport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport = transports.BinauthzManagementServiceV1Transport() + adc.assert_called_once() + + +@requires_google_auth_gte_1_25_0 +def test_binauthz_management_service_v1_auth_adc(): + # If no credentials are provided, we should use ADC credentials. + with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + BinauthzManagementServiceV1Client() + adc.assert_called_once_with( + scopes=None, + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id=None, + ) + + +@requires_google_auth_lt_1_25_0 +def test_binauthz_management_service_v1_auth_adc_old_google_auth(): + # If no credentials are provided, we should use ADC credentials. + with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + BinauthzManagementServiceV1Client() + adc.assert_called_once_with( + scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id=None, + ) + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.BinauthzManagementServiceV1GrpcTransport, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + ], +) +@requires_google_auth_gte_1_25_0 +def test_binauthz_management_service_v1_transport_auth_adc(transport_class): + # If credentials and host are not provided, the transport class should use + # ADC credentials. 
+ with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport_class(quota_project_id="octopus", scopes=["1", "2"]) + adc.assert_called_once_with( + scopes=["1", "2"], + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.BinauthzManagementServiceV1GrpcTransport, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + ], +) +@requires_google_auth_lt_1_25_0 +def test_binauthz_management_service_v1_transport_auth_adc_old_google_auth( + transport_class, +): + # If credentials and host are not provided, the transport class should use + # ADC credentials. + with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport_class(quota_project_id="octopus") + adc.assert_called_once_with( + scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +@pytest.mark.parametrize( + "transport_class,grpc_helpers", + [ + (transports.BinauthzManagementServiceV1GrpcTransport, grpc_helpers), + ( + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + grpc_helpers_async, + ), + ], +) +def test_binauthz_management_service_v1_transport_create_channel( + transport_class, grpc_helpers +): + # If credentials and host are not provided, the transport class should use + # ADC credentials. 
+ with mock.patch.object( + google.auth, "default", autospec=True + ) as adc, mock.patch.object( + grpc_helpers, "create_channel", autospec=True + ) as create_channel: + creds = ga_credentials.AnonymousCredentials() + adc.return_value = (creds, None) + transport_class(quota_project_id="octopus", scopes=["1", "2"]) + + create_channel.assert_called_with( + "binaryauthorization.googleapis.com:443", + credentials=creds, + credentials_file=None, + quota_project_id="octopus", + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + scopes=["1", "2"], + default_host="binaryauthorization.googleapis.com", + ssl_credentials=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.BinauthzManagementServiceV1GrpcTransport, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + ], +) +def test_binauthz_management_service_v1_grpc_transport_client_cert_source_for_mtls( + transport_class, +): + cred = ga_credentials.AnonymousCredentials() + + # Check ssl_channel_credentials is used if provided. + with mock.patch.object(transport_class, "create_channel") as mock_create_channel: + mock_ssl_channel_creds = mock.Mock() + transport_class( + host="squid.clam.whelk", + credentials=cred, + ssl_channel_credentials=mock_ssl_channel_creds, + ) + mock_create_channel.assert_called_once_with( + "squid.clam.whelk:443", + credentials=cred, + credentials_file=None, + scopes=None, + ssl_credentials=mock_ssl_channel_creds, + quota_project_id=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + # Check if ssl_channel_credentials is not provided, then client_cert_source_for_mtls + # is used. 
+ with mock.patch.object(transport_class, "create_channel", return_value=mock.Mock()): + with mock.patch("grpc.ssl_channel_credentials") as mock_ssl_cred: + transport_class( + credentials=cred, + client_cert_source_for_mtls=client_cert_source_callback, + ) + expected_cert, expected_key = client_cert_source_callback() + mock_ssl_cred.assert_called_once_with( + certificate_chain=expected_cert, private_key=expected_key + ) + + +def test_binauthz_management_service_v1_host_no_port(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + client_options=client_options.ClientOptions( + api_endpoint="binaryauthorization.googleapis.com" + ), + ) + assert client.transport._host == "binaryauthorization.googleapis.com:443" + + +def test_binauthz_management_service_v1_host_with_port(): + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), + client_options=client_options.ClientOptions( + api_endpoint="binaryauthorization.googleapis.com:8000" + ), + ) + assert client.transport._host == "binaryauthorization.googleapis.com:8000" + + +def test_binauthz_management_service_v1_grpc_transport_channel(): + channel = grpc.secure_channel("http://localhost/", grpc.local_channel_credentials()) + + # Check that channel is used if provided. + transport = transports.BinauthzManagementServiceV1GrpcTransport( + host="squid.clam.whelk", channel=channel, + ) + assert transport.grpc_channel == channel + assert transport._host == "squid.clam.whelk:443" + assert transport._ssl_channel_credentials == None + + +def test_binauthz_management_service_v1_grpc_asyncio_transport_channel(): + channel = aio.secure_channel("http://localhost/", grpc.local_channel_credentials()) + + # Check that channel is used if provided. 
+ transport = transports.BinauthzManagementServiceV1GrpcAsyncIOTransport( + host="squid.clam.whelk", channel=channel, + ) + assert transport.grpc_channel == channel + assert transport._host == "squid.clam.whelk:443" + assert transport._ssl_channel_credentials == None + + +# Remove this test when deprecated arguments (api_mtls_endpoint, client_cert_source) are +# removed from grpc/grpc_asyncio transport constructor. +@pytest.mark.parametrize( + "transport_class", + [ + transports.BinauthzManagementServiceV1GrpcTransport, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + ], +) +def test_binauthz_management_service_v1_transport_channel_mtls_with_client_cert_source( + transport_class, +): + with mock.patch( + "grpc.ssl_channel_credentials", autospec=True + ) as grpc_ssl_channel_cred: + with mock.patch.object( + transport_class, "create_channel" + ) as grpc_create_channel: + mock_ssl_cred = mock.Mock() + grpc_ssl_channel_cred.return_value = mock_ssl_cred + + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + + cred = ga_credentials.AnonymousCredentials() + with pytest.warns(DeprecationWarning): + with mock.patch.object(google.auth, "default") as adc: + adc.return_value = (cred, None) + transport = transport_class( + host="squid.clam.whelk", + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=client_cert_source_callback, + ) + adc.assert_called_once() + + grpc_ssl_channel_cred.assert_called_once_with( + certificate_chain=b"cert bytes", private_key=b"key bytes" + ) + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=cred, + credentials_file=None, + scopes=None, + ssl_credentials=mock_ssl_cred, + quota_project_id=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + assert transport.grpc_channel == mock_grpc_channel + assert transport._ssl_channel_credentials == mock_ssl_cred + + +# Remove this test when 
deprecated arguments (api_mtls_endpoint, client_cert_source) are +# removed from grpc/grpc_asyncio transport constructor. +@pytest.mark.parametrize( + "transport_class", + [ + transports.BinauthzManagementServiceV1GrpcTransport, + transports.BinauthzManagementServiceV1GrpcAsyncIOTransport, + ], +) +def test_binauthz_management_service_v1_transport_channel_mtls_with_adc( + transport_class, +): + mock_ssl_cred = mock.Mock() + with mock.patch.multiple( + "google.auth.transport.grpc.SslCredentials", + __init__=mock.Mock(return_value=None), + ssl_credentials=mock.PropertyMock(return_value=mock_ssl_cred), + ): + with mock.patch.object( + transport_class, "create_channel" + ) as grpc_create_channel: + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + mock_cred = mock.Mock() + + with pytest.warns(DeprecationWarning): + transport = transport_class( + host="squid.clam.whelk", + credentials=mock_cred, + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=None, + ) + + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=mock_cred, + credentials_file=None, + scopes=None, + ssl_credentials=mock_ssl_cred, + quota_project_id=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + assert transport.grpc_channel == mock_grpc_channel + + +def test_attestor_path(): + project = "squid" + attestor = "clam" + expected = "projects/{project}/attestors/{attestor}".format( + project=project, attestor=attestor, + ) + actual = BinauthzManagementServiceV1Client.attestor_path(project, attestor) + assert expected == actual + + +def test_parse_attestor_path(): + expected = { + "project": "whelk", + "attestor": "octopus", + } + path = BinauthzManagementServiceV1Client.attestor_path(**expected) + + # Check that the path construction is reversible. 
+ actual = BinauthzManagementServiceV1Client.parse_attestor_path(path) + assert expected == actual + + +def test_policy_path(): + project = "oyster" + expected = "projects/{project}/policy".format(project=project,) + actual = BinauthzManagementServiceV1Client.policy_path(project) + assert expected == actual + + +def test_parse_policy_path(): + expected = { + "project": "nudibranch", + } + path = BinauthzManagementServiceV1Client.policy_path(**expected) + + # Check that the path construction is reversible. + actual = BinauthzManagementServiceV1Client.parse_policy_path(path) + assert expected == actual + + +def test_common_billing_account_path(): + billing_account = "cuttlefish" + expected = "billingAccounts/{billing_account}".format( + billing_account=billing_account, + ) + actual = BinauthzManagementServiceV1Client.common_billing_account_path( + billing_account + ) + assert expected == actual + + +def test_parse_common_billing_account_path(): + expected = { + "billing_account": "mussel", + } + path = BinauthzManagementServiceV1Client.common_billing_account_path(**expected) + + # Check that the path construction is reversible. + actual = BinauthzManagementServiceV1Client.parse_common_billing_account_path(path) + assert expected == actual + + +def test_common_folder_path(): + folder = "winkle" + expected = "folders/{folder}".format(folder=folder,) + actual = BinauthzManagementServiceV1Client.common_folder_path(folder) + assert expected == actual + + +def test_parse_common_folder_path(): + expected = { + "folder": "nautilus", + } + path = BinauthzManagementServiceV1Client.common_folder_path(**expected) + + # Check that the path construction is reversible. 
+ actual = BinauthzManagementServiceV1Client.parse_common_folder_path(path) + assert expected == actual + + +def test_common_organization_path(): + organization = "scallop" + expected = "organizations/{organization}".format(organization=organization,) + actual = BinauthzManagementServiceV1Client.common_organization_path(organization) + assert expected == actual + + +def test_parse_common_organization_path(): + expected = { + "organization": "abalone", + } + path = BinauthzManagementServiceV1Client.common_organization_path(**expected) + + # Check that the path construction is reversible. + actual = BinauthzManagementServiceV1Client.parse_common_organization_path(path) + assert expected == actual + + +def test_common_project_path(): + project = "squid" + expected = "projects/{project}".format(project=project,) + actual = BinauthzManagementServiceV1Client.common_project_path(project) + assert expected == actual + + +def test_parse_common_project_path(): + expected = { + "project": "clam", + } + path = BinauthzManagementServiceV1Client.common_project_path(**expected) + + # Check that the path construction is reversible. + actual = BinauthzManagementServiceV1Client.parse_common_project_path(path) + assert expected == actual + + +def test_common_location_path(): + project = "whelk" + location = "octopus" + expected = "projects/{project}/locations/{location}".format( + project=project, location=location, + ) + actual = BinauthzManagementServiceV1Client.common_location_path(project, location) + assert expected == actual + + +def test_parse_common_location_path(): + expected = { + "project": "oyster", + "location": "nudibranch", + } + path = BinauthzManagementServiceV1Client.common_location_path(**expected) + + # Check that the path construction is reversible. 
+ actual = BinauthzManagementServiceV1Client.parse_common_location_path(path) + assert expected == actual + + +def test_client_withDEFAULT_CLIENT_INFO(): + client_info = gapic_v1.client_info.ClientInfo() + + with mock.patch.object( + transports.BinauthzManagementServiceV1Transport, "_prep_wrapped_messages" + ) as prep: + client = BinauthzManagementServiceV1Client( + credentials=ga_credentials.AnonymousCredentials(), client_info=client_info, + ) + prep.assert_called_once_with(client_info) + + with mock.patch.object( + transports.BinauthzManagementServiceV1Transport, "_prep_wrapped_messages" + ) as prep: + transport_class = BinauthzManagementServiceV1Client.get_transport_class() + transport = transport_class( + credentials=ga_credentials.AnonymousCredentials(), client_info=client_info, + ) + prep.assert_called_once_with(client_info) diff --git a/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/test_system_policy_v1.py b/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/test_system_policy_v1.py new file mode 100644 index 000000000000..546b2a736cea --- /dev/null +++ b/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/test_system_policy_v1.py 
@@ -0,0 +1,1308 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import os +import mock +import packaging.version + +import grpc +from grpc.experimental import aio +import math +import pytest +from proto.marshal.rules.dates import DurationRule, TimestampRule + + +from google.api_core import client_options +from google.api_core import exceptions as core_exceptions +from google.api_core import gapic_v1 +from google.api_core import grpc_helpers +from google.api_core import grpc_helpers_async +from google.auth import credentials as ga_credentials +from google.auth.exceptions import MutualTLSChannelError +from google.cloud.binaryauthorization_v1.services.system_policy_v1 import ( + SystemPolicyV1AsyncClient, +) +from google.cloud.binaryauthorization_v1.services.system_policy_v1 import ( + SystemPolicyV1Client, +) +from google.cloud.binaryauthorization_v1.services.system_policy_v1 import transports +from google.cloud.binaryauthorization_v1.services.system_policy_v1.transports.base import ( + _GOOGLE_AUTH_VERSION, +) +from google.cloud.binaryauthorization_v1.types import resources +from google.cloud.binaryauthorization_v1.types import service +from google.oauth2 import service_account +from google.protobuf import timestamp_pb2 # type: ignore +import google.auth + + +# TODO(busunkim): Once google-auth >= 1.25.0 is required transitively +# through google-api-core: +# - Delete the auth "less than" test cases +# - Delete 
these pytest markers (Make the "greater than or equal to" tests the default). +requires_google_auth_lt_1_25_0 = pytest.mark.skipif( + packaging.version.parse(_GOOGLE_AUTH_VERSION) >= packaging.version.parse("1.25.0"), + reason="This test requires google-auth < 1.25.0", +) +requires_google_auth_gte_1_25_0 = pytest.mark.skipif( + packaging.version.parse(_GOOGLE_AUTH_VERSION) < packaging.version.parse("1.25.0"), + reason="This test requires google-auth >= 1.25.0", +) + + +def client_cert_source_callback(): + return b"cert bytes", b"key bytes" + + +# If default endpoint is localhost, then default mtls endpoint will be the same. +# This method modifies the default endpoint so the client can produce a different +# mtls endpoint for endpoint testing purposes. +def modify_default_endpoint(client): + return ( + "foo.googleapis.com" + if ("localhost" in client.DEFAULT_ENDPOINT) + else client.DEFAULT_ENDPOINT + ) + + +def test__get_default_mtls_endpoint(): + api_endpoint = "example.googleapis.com" + api_mtls_endpoint = "example.mtls.googleapis.com" + sandbox_endpoint = "example.sandbox.googleapis.com" + sandbox_mtls_endpoint = "example.mtls.sandbox.googleapis.com" + non_googleapi = "api.example.com" + + assert SystemPolicyV1Client._get_default_mtls_endpoint(None) is None + assert ( + SystemPolicyV1Client._get_default_mtls_endpoint(api_endpoint) + == api_mtls_endpoint + ) + assert ( + SystemPolicyV1Client._get_default_mtls_endpoint(api_mtls_endpoint) + == api_mtls_endpoint + ) + assert ( + SystemPolicyV1Client._get_default_mtls_endpoint(sandbox_endpoint) + == sandbox_mtls_endpoint + ) + assert ( + SystemPolicyV1Client._get_default_mtls_endpoint(sandbox_mtls_endpoint) + == sandbox_mtls_endpoint + ) + assert ( + SystemPolicyV1Client._get_default_mtls_endpoint(non_googleapi) == non_googleapi + ) + + +@pytest.mark.parametrize( + "client_class", [SystemPolicyV1Client, SystemPolicyV1AsyncClient,] +) +def test_system_policy_v1_client_from_service_account_info(client_class): + creds = 
ga_credentials.AnonymousCredentials() + with mock.patch.object( + service_account.Credentials, "from_service_account_info" + ) as factory: + factory.return_value = creds + info = {"valid": True} + client = client_class.from_service_account_info(info) + assert client.transport._credentials == creds + assert isinstance(client, client_class) + + assert client.transport._host == "binaryauthorization.googleapis.com:443" + + +@pytest.mark.parametrize( + "transport_class,transport_name", + [ + (transports.SystemPolicyV1GrpcTransport, "grpc"), + (transports.SystemPolicyV1GrpcAsyncIOTransport, "grpc_asyncio"), + ], +) +def test_system_policy_v1_client_service_account_always_use_jwt( + transport_class, transport_name +): + with mock.patch.object( + service_account.Credentials, "with_always_use_jwt_access", create=True + ) as use_jwt: + creds = service_account.Credentials(None, None, None) + transport = transport_class(credentials=creds, always_use_jwt_access=True) + use_jwt.assert_called_once_with(True) + + with mock.patch.object( + service_account.Credentials, "with_always_use_jwt_access", create=True + ) as use_jwt: + creds = service_account.Credentials(None, None, None) + transport = transport_class(credentials=creds, always_use_jwt_access=False) + use_jwt.assert_not_called() + + +@pytest.mark.parametrize( + "client_class", [SystemPolicyV1Client, SystemPolicyV1AsyncClient,] +) +def test_system_policy_v1_client_from_service_account_file(client_class): + creds = ga_credentials.AnonymousCredentials() + with mock.patch.object( + service_account.Credentials, "from_service_account_file" + ) as factory: + factory.return_value = creds + client = client_class.from_service_account_file("dummy/file/path.json") + assert client.transport._credentials == creds + assert isinstance(client, client_class) + + client = client_class.from_service_account_json("dummy/file/path.json") + assert client.transport._credentials == creds + assert isinstance(client, client_class) + + assert 
client.transport._host == "binaryauthorization.googleapis.com:443" + + +def test_system_policy_v1_client_get_transport_class(): + transport = SystemPolicyV1Client.get_transport_class() + available_transports = [ + transports.SystemPolicyV1GrpcTransport, + ] + assert transport in available_transports + + transport = SystemPolicyV1Client.get_transport_class("grpc") + assert transport == transports.SystemPolicyV1GrpcTransport + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name", + [ + (SystemPolicyV1Client, transports.SystemPolicyV1GrpcTransport, "grpc"), + ( + SystemPolicyV1AsyncClient, + transports.SystemPolicyV1GrpcAsyncIOTransport, + "grpc_asyncio", + ), + ], +) +@mock.patch.object( + SystemPolicyV1Client, + "DEFAULT_ENDPOINT", + modify_default_endpoint(SystemPolicyV1Client), +) +@mock.patch.object( + SystemPolicyV1AsyncClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(SystemPolicyV1AsyncClient), +) +def test_system_policy_v1_client_client_options( + client_class, transport_class, transport_name +): + # Check that if channel is provided we won't create a new one. + with mock.patch.object(SystemPolicyV1Client, "get_transport_class") as gtc: + transport = transport_class(credentials=ga_credentials.AnonymousCredentials()) + client = client_class(transport=transport) + gtc.assert_not_called() + + # Check that if channel is provided via str we will create a new one. + with mock.patch.object(SystemPolicyV1Client, "get_transport_class") as gtc: + client = client_class(transport=transport_name) + gtc.assert_called() + + # Check the case api_endpoint is provided. 
+ options = client_options.ClientOptions(api_endpoint="squid.clam.whelk") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host="squid.clam.whelk", + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is + # "never". + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "never"}): + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is + # "always". + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "always"}): + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_MTLS_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT has + # unsupported value. + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "Unsupported"}): + with pytest.raises(MutualTLSChannelError): + client = client_class() + + # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value. 
+ with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"} + ): + with pytest.raises(ValueError): + client = client_class() + + # Check the case quota_project_id is provided + options = client_options.ClientOptions(quota_project_id="octopus") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id="octopus", + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name,use_client_cert_env", + [ + (SystemPolicyV1Client, transports.SystemPolicyV1GrpcTransport, "grpc", "true"), + ( + SystemPolicyV1AsyncClient, + transports.SystemPolicyV1GrpcAsyncIOTransport, + "grpc_asyncio", + "true", + ), + (SystemPolicyV1Client, transports.SystemPolicyV1GrpcTransport, "grpc", "false"), + ( + SystemPolicyV1AsyncClient, + transports.SystemPolicyV1GrpcAsyncIOTransport, + "grpc_asyncio", + "false", + ), + ], +) +@mock.patch.object( + SystemPolicyV1Client, + "DEFAULT_ENDPOINT", + modify_default_endpoint(SystemPolicyV1Client), +) +@mock.patch.object( + SystemPolicyV1AsyncClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(SystemPolicyV1AsyncClient), +) +@mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "auto"}) +def test_system_policy_v1_client_mtls_env_auto( + client_class, transport_class, transport_name, use_client_cert_env +): + # This tests the endpoint autoswitch behavior. Endpoint is autoswitched to the default + # mtls endpoint, if GOOGLE_API_USE_CLIENT_CERTIFICATE is "true" and client cert exists. + + # Check the case client_cert_source is provided. Whether client cert is used depends on + # GOOGLE_API_USE_CLIENT_CERTIFICATE value. 
+ with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + options = client_options.ClientOptions( + client_cert_source=client_cert_source_callback + ) + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + + if use_client_cert_env == "false": + expected_client_cert_source = None + expected_host = client.DEFAULT_ENDPOINT + else: + expected_client_cert_source = client_cert_source_callback + expected_host = client.DEFAULT_MTLS_ENDPOINT + + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=expected_host, + scopes=None, + client_cert_source_for_mtls=expected_client_cert_source, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case ADC client cert is provided. Whether client cert is used depends on + # GOOGLE_API_USE_CLIENT_CERTIFICATE value. + with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + with mock.patch.object(transport_class, "__init__") as patched: + with mock.patch( + "google.auth.transport.mtls.has_default_client_cert_source", + return_value=True, + ): + with mock.patch( + "google.auth.transport.mtls.default_client_cert_source", + return_value=client_cert_source_callback, + ): + if use_client_cert_env == "false": + expected_host = client.DEFAULT_ENDPOINT + expected_client_cert_source = None + else: + expected_host = client.DEFAULT_MTLS_ENDPOINT + expected_client_cert_source = client_cert_source_callback + + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=expected_host, + scopes=None, + client_cert_source_for_mtls=expected_client_cert_source, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case 
client_cert_source and ADC client cert are not provided. + with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + with mock.patch.object(transport_class, "__init__") as patched: + with mock.patch( + "google.auth.transport.mtls.has_default_client_cert_source", + return_value=False, + ): + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name", + [ + (SystemPolicyV1Client, transports.SystemPolicyV1GrpcTransport, "grpc"), + ( + SystemPolicyV1AsyncClient, + transports.SystemPolicyV1GrpcAsyncIOTransport, + "grpc_asyncio", + ), + ], +) +def test_system_policy_v1_client_client_options_scopes( + client_class, transport_class, transport_name +): + # Check the case scopes are provided. 
+ options = client_options.ClientOptions(scopes=["1", "2"],) + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=["1", "2"], + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name", + [ + (SystemPolicyV1Client, transports.SystemPolicyV1GrpcTransport, "grpc"), + ( + SystemPolicyV1AsyncClient, + transports.SystemPolicyV1GrpcAsyncIOTransport, + "grpc_asyncio", + ), + ], +) +def test_system_policy_v1_client_client_options_credentials_file( + client_class, transport_class, transport_name +): + # Check the case credentials file is provided. + options = client_options.ClientOptions(credentials_file="credentials.json") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file="credentials.json", + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +def test_system_policy_v1_client_client_options_from_dict(): + with mock.patch( + "google.cloud.binaryauthorization_v1.services.system_policy_v1.transports.SystemPolicyV1GrpcTransport.__init__" + ) as grpc_transport: + grpc_transport.return_value = None + client = SystemPolicyV1Client( + client_options={"api_endpoint": "squid.clam.whelk"} + ) + grpc_transport.assert_called_once_with( + credentials=None, + credentials_file=None, + host="squid.clam.whelk", + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + 
client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +def test_get_system_policy( + transport: str = "grpc", request_type=service.GetSystemPolicyRequest +): + client = SystemPolicyV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.get_system_policy), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Policy( + name="name_value", + description="description_value", + global_policy_evaluation_mode=resources.Policy.GlobalPolicyEvaluationMode.ENABLE, + ) + response = client.get_system_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.GetSystemPolicyRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.Policy) + assert response.name == "name_value" + assert response.description == "description_value" + assert ( + response.global_policy_evaluation_mode + == resources.Policy.GlobalPolicyEvaluationMode.ENABLE + ) + + +def test_get_system_policy_from_dict(): + test_get_system_policy(request_type=dict) + + +def test_get_system_policy_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = SystemPolicyV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. 
+ with mock.patch.object( + type(client.transport.get_system_policy), "__call__" + ) as call: + client.get_system_policy() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.GetSystemPolicyRequest() + + +@pytest.mark.asyncio +async def test_get_system_policy_async( + transport: str = "grpc_asyncio", request_type=service.GetSystemPolicyRequest +): + client = SystemPolicyV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.get_system_policy), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.Policy( + name="name_value", + description="description_value", + global_policy_evaluation_mode=resources.Policy.GlobalPolicyEvaluationMode.ENABLE, + ) + ) + response = await client.get_system_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.GetSystemPolicyRequest() + + # Establish that the response is the type that we expect. 
+ assert isinstance(response, resources.Policy) + assert response.name == "name_value" + assert response.description == "description_value" + assert ( + response.global_policy_evaluation_mode + == resources.Policy.GlobalPolicyEvaluationMode.ENABLE + ) + + +@pytest.mark.asyncio +async def test_get_system_policy_async_from_dict(): + await test_get_system_policy_async(request_type=dict) + + +def test_get_system_policy_field_headers(): + client = SystemPolicyV1Client(credentials=ga_credentials.AnonymousCredentials(),) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.GetSystemPolicyRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.get_system_policy), "__call__" + ) as call: + call.return_value = resources.Policy() + client.get_system_policy(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_get_system_policy_field_headers_async(): + client = SystemPolicyV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.GetSystemPolicyRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.get_system_policy), "__call__" + ) as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Policy()) + await client.get_system_policy(request) + + # Establish that the underlying gRPC stub method was called. 
+ assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +def test_get_system_policy_flattened(): + client = SystemPolicyV1Client(credentials=ga_credentials.AnonymousCredentials(),) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.get_system_policy), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Policy() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.get_system_policy(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +def test_get_system_policy_flattened_error(): + client = SystemPolicyV1Client(credentials=ga_credentials.AnonymousCredentials(),) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.get_system_policy( + service.GetSystemPolicyRequest(), name="name_value", + ) + + +@pytest.mark.asyncio +async def test_get_system_policy_flattened_async(): + client = SystemPolicyV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.get_system_policy), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = resources.Policy() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.Policy()) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. 
+ response = await client.get_system_policy(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +@pytest.mark.asyncio +async def test_get_system_policy_flattened_error_async(): + client = SystemPolicyV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + await client.get_system_policy( + service.GetSystemPolicyRequest(), name="name_value", + ) + + +def test_credentials_transport_error(): + # It is an error to provide credentials and a transport instance. + transport = transports.SystemPolicyV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + with pytest.raises(ValueError): + client = SystemPolicyV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # It is an error to provide a credentials file and a transport instance. + transport = transports.SystemPolicyV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + with pytest.raises(ValueError): + client = SystemPolicyV1Client( + client_options={"credentials_file": "credentials.json"}, + transport=transport, + ) + + # It is an error to provide scopes and a transport instance. + transport = transports.SystemPolicyV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + with pytest.raises(ValueError): + client = SystemPolicyV1Client( + client_options={"scopes": ["1", "2"]}, transport=transport, + ) + + +def test_transport_instance(): + # A client may be instantiated with a custom transport instance. 
+ transport = transports.SystemPolicyV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + client = SystemPolicyV1Client(transport=transport) + assert client.transport is transport + + +def test_transport_get_channel(): + # A client may be instantiated with a custom transport instance. + transport = transports.SystemPolicyV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + channel = transport.grpc_channel + assert channel + + transport = transports.SystemPolicyV1GrpcAsyncIOTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + channel = transport.grpc_channel + assert channel + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.SystemPolicyV1GrpcTransport, + transports.SystemPolicyV1GrpcAsyncIOTransport, + ], +) +def test_transport_adc(transport_class): + # Test default credentials are used if not provided. + with mock.patch.object(google.auth, "default") as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport_class() + adc.assert_called_once() + + +def test_transport_grpc_default(): + # A client should use the gRPC transport by default. + client = SystemPolicyV1Client(credentials=ga_credentials.AnonymousCredentials(),) + assert isinstance(client.transport, transports.SystemPolicyV1GrpcTransport,) + + +def test_system_policy_v1_base_transport_error(): + # Passing both a credentials object and credentials_file should raise an error + with pytest.raises(core_exceptions.DuplicateCredentialArgs): + transport = transports.SystemPolicyV1Transport( + credentials=ga_credentials.AnonymousCredentials(), + credentials_file="credentials.json", + ) + + +def test_system_policy_v1_base_transport(): + # Instantiate the base transport. 
+ with mock.patch( + "google.cloud.binaryauthorization_v1.services.system_policy_v1.transports.SystemPolicyV1Transport.__init__" + ) as Transport: + Transport.return_value = None + transport = transports.SystemPolicyV1Transport( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Every method on the transport should just blindly + # raise NotImplementedError. + methods = ("get_system_policy",) + for method in methods: + with pytest.raises(NotImplementedError): + getattr(transport, method)(request=object()) + + +@requires_google_auth_gte_1_25_0 +def test_system_policy_v1_base_transport_with_credentials_file(): + # Instantiate the base transport with a credentials file + with mock.patch.object( + google.auth, "load_credentials_from_file", autospec=True + ) as load_creds, mock.patch( + "google.cloud.binaryauthorization_v1.services.system_policy_v1.transports.SystemPolicyV1Transport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + load_creds.return_value = (ga_credentials.AnonymousCredentials(), None) + transport = transports.SystemPolicyV1Transport( + credentials_file="credentials.json", quota_project_id="octopus", + ) + load_creds.assert_called_once_with( + "credentials.json", + scopes=None, + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +@requires_google_auth_lt_1_25_0 +def test_system_policy_v1_base_transport_with_credentials_file_old_google_auth(): + # Instantiate the base transport with a credentials file + with mock.patch.object( + google.auth, "load_credentials_from_file", autospec=True + ) as load_creds, mock.patch( + "google.cloud.binaryauthorization_v1.services.system_policy_v1.transports.SystemPolicyV1Transport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + load_creds.return_value = (ga_credentials.AnonymousCredentials(), None) + transport = transports.SystemPolicyV1Transport( + credentials_file="credentials.json", 
quota_project_id="octopus", + ) + load_creds.assert_called_once_with( + "credentials.json", + scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +def test_system_policy_v1_base_transport_with_adc(): + # Test the default credentials are used if credentials and credentials_file are None. + with mock.patch.object(google.auth, "default", autospec=True) as adc, mock.patch( + "google.cloud.binaryauthorization_v1.services.system_policy_v1.transports.SystemPolicyV1Transport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport = transports.SystemPolicyV1Transport() + adc.assert_called_once() + + +@requires_google_auth_gte_1_25_0 +def test_system_policy_v1_auth_adc(): + # If no credentials are provided, we should use ADC credentials. + with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + SystemPolicyV1Client() + adc.assert_called_once_with( + scopes=None, + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id=None, + ) + + +@requires_google_auth_lt_1_25_0 +def test_system_policy_v1_auth_adc_old_google_auth(): + # If no credentials are provided, we should use ADC credentials. + with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + SystemPolicyV1Client() + adc.assert_called_once_with( + scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id=None, + ) + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.SystemPolicyV1GrpcTransport, + transports.SystemPolicyV1GrpcAsyncIOTransport, + ], +) +@requires_google_auth_gte_1_25_0 +def test_system_policy_v1_transport_auth_adc(transport_class): + # If credentials and host are not provided, the transport class should use + # ADC credentials. 
+ with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport_class(quota_project_id="octopus", scopes=["1", "2"]) + adc.assert_called_once_with( + scopes=["1", "2"], + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.SystemPolicyV1GrpcTransport, + transports.SystemPolicyV1GrpcAsyncIOTransport, + ], +) +@requires_google_auth_lt_1_25_0 +def test_system_policy_v1_transport_auth_adc_old_google_auth(transport_class): + # If credentials and host are not provided, the transport class should use + # ADC credentials. + with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport_class(quota_project_id="octopus") + adc.assert_called_once_with( + scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +@pytest.mark.parametrize( + "transport_class,grpc_helpers", + [ + (transports.SystemPolicyV1GrpcTransport, grpc_helpers), + (transports.SystemPolicyV1GrpcAsyncIOTransport, grpc_helpers_async), + ], +) +def test_system_policy_v1_transport_create_channel(transport_class, grpc_helpers): + # If credentials and host are not provided, the transport class should use + # ADC credentials. 
+ with mock.patch.object( + google.auth, "default", autospec=True + ) as adc, mock.patch.object( + grpc_helpers, "create_channel", autospec=True + ) as create_channel: + creds = ga_credentials.AnonymousCredentials() + adc.return_value = (creds, None) + transport_class(quota_project_id="octopus", scopes=["1", "2"]) + + create_channel.assert_called_with( + "binaryauthorization.googleapis.com:443", + credentials=creds, + credentials_file=None, + quota_project_id="octopus", + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + scopes=["1", "2"], + default_host="binaryauthorization.googleapis.com", + ssl_credentials=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.SystemPolicyV1GrpcTransport, + transports.SystemPolicyV1GrpcAsyncIOTransport, + ], +) +def test_system_policy_v1_grpc_transport_client_cert_source_for_mtls(transport_class): + cred = ga_credentials.AnonymousCredentials() + + # Check ssl_channel_credentials is used if provided. + with mock.patch.object(transport_class, "create_channel") as mock_create_channel: + mock_ssl_channel_creds = mock.Mock() + transport_class( + host="squid.clam.whelk", + credentials=cred, + ssl_channel_credentials=mock_ssl_channel_creds, + ) + mock_create_channel.assert_called_once_with( + "squid.clam.whelk:443", + credentials=cred, + credentials_file=None, + scopes=None, + ssl_credentials=mock_ssl_channel_creds, + quota_project_id=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + # Check if ssl_channel_credentials is not provided, then client_cert_source_for_mtls + # is used. 
+ with mock.patch.object(transport_class, "create_channel", return_value=mock.Mock()): + with mock.patch("grpc.ssl_channel_credentials") as mock_ssl_cred: + transport_class( + credentials=cred, + client_cert_source_for_mtls=client_cert_source_callback, + ) + expected_cert, expected_key = client_cert_source_callback() + mock_ssl_cred.assert_called_once_with( + certificate_chain=expected_cert, private_key=expected_key + ) + + +def test_system_policy_v1_host_no_port(): + client = SystemPolicyV1Client( + credentials=ga_credentials.AnonymousCredentials(), + client_options=client_options.ClientOptions( + api_endpoint="binaryauthorization.googleapis.com" + ), + ) + assert client.transport._host == "binaryauthorization.googleapis.com:443" + + +def test_system_policy_v1_host_with_port(): + client = SystemPolicyV1Client( + credentials=ga_credentials.AnonymousCredentials(), + client_options=client_options.ClientOptions( + api_endpoint="binaryauthorization.googleapis.com:8000" + ), + ) + assert client.transport._host == "binaryauthorization.googleapis.com:8000" + + +def test_system_policy_v1_grpc_transport_channel(): + channel = grpc.secure_channel("http://localhost/", grpc.local_channel_credentials()) + + # Check that channel is used if provided. + transport = transports.SystemPolicyV1GrpcTransport( + host="squid.clam.whelk", channel=channel, + ) + assert transport.grpc_channel == channel + assert transport._host == "squid.clam.whelk:443" + assert transport._ssl_channel_credentials == None + + +def test_system_policy_v1_grpc_asyncio_transport_channel(): + channel = aio.secure_channel("http://localhost/", grpc.local_channel_credentials()) + + # Check that channel is used if provided. 
+ transport = transports.SystemPolicyV1GrpcAsyncIOTransport( + host="squid.clam.whelk", channel=channel, + ) + assert transport.grpc_channel == channel + assert transport._host == "squid.clam.whelk:443" + assert transport._ssl_channel_credentials == None + + +# Remove this test when deprecated arguments (api_mtls_endpoint, client_cert_source) are +# removed from grpc/grpc_asyncio transport constructor. +@pytest.mark.parametrize( + "transport_class", + [ + transports.SystemPolicyV1GrpcTransport, + transports.SystemPolicyV1GrpcAsyncIOTransport, + ], +) +def test_system_policy_v1_transport_channel_mtls_with_client_cert_source( + transport_class, +): + with mock.patch( + "grpc.ssl_channel_credentials", autospec=True + ) as grpc_ssl_channel_cred: + with mock.patch.object( + transport_class, "create_channel" + ) as grpc_create_channel: + mock_ssl_cred = mock.Mock() + grpc_ssl_channel_cred.return_value = mock_ssl_cred + + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + + cred = ga_credentials.AnonymousCredentials() + with pytest.warns(DeprecationWarning): + with mock.patch.object(google.auth, "default") as adc: + adc.return_value = (cred, None) + transport = transport_class( + host="squid.clam.whelk", + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=client_cert_source_callback, + ) + adc.assert_called_once() + + grpc_ssl_channel_cred.assert_called_once_with( + certificate_chain=b"cert bytes", private_key=b"key bytes" + ) + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=cred, + credentials_file=None, + scopes=None, + ssl_credentials=mock_ssl_cred, + quota_project_id=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + assert transport.grpc_channel == mock_grpc_channel + assert transport._ssl_channel_credentials == mock_ssl_cred + + +# Remove this test when deprecated arguments (api_mtls_endpoint, client_cert_source) 
are +# removed from grpc/grpc_asyncio transport constructor. +@pytest.mark.parametrize( + "transport_class", + [ + transports.SystemPolicyV1GrpcTransport, + transports.SystemPolicyV1GrpcAsyncIOTransport, + ], +) +def test_system_policy_v1_transport_channel_mtls_with_adc(transport_class): + mock_ssl_cred = mock.Mock() + with mock.patch.multiple( + "google.auth.transport.grpc.SslCredentials", + __init__=mock.Mock(return_value=None), + ssl_credentials=mock.PropertyMock(return_value=mock_ssl_cred), + ): + with mock.patch.object( + transport_class, "create_channel" + ) as grpc_create_channel: + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + mock_cred = mock.Mock() + + with pytest.warns(DeprecationWarning): + transport = transport_class( + host="squid.clam.whelk", + credentials=mock_cred, + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=None, + ) + + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=mock_cred, + credentials_file=None, + scopes=None, + ssl_credentials=mock_ssl_cred, + quota_project_id=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + assert transport.grpc_channel == mock_grpc_channel + + +def test_policy_path(): + project = "squid" + expected = "projects/{project}/policy".format(project=project,) + actual = SystemPolicyV1Client.policy_path(project) + assert expected == actual + + +def test_parse_policy_path(): + expected = { + "project": "clam", + } + path = SystemPolicyV1Client.policy_path(**expected) + + # Check that the path construction is reversible. 
+ actual = SystemPolicyV1Client.parse_policy_path(path) + assert expected == actual + + +def test_common_billing_account_path(): + billing_account = "whelk" + expected = "billingAccounts/{billing_account}".format( + billing_account=billing_account, + ) + actual = SystemPolicyV1Client.common_billing_account_path(billing_account) + assert expected == actual + + +def test_parse_common_billing_account_path(): + expected = { + "billing_account": "octopus", + } + path = SystemPolicyV1Client.common_billing_account_path(**expected) + + # Check that the path construction is reversible. + actual = SystemPolicyV1Client.parse_common_billing_account_path(path) + assert expected == actual + + +def test_common_folder_path(): + folder = "oyster" + expected = "folders/{folder}".format(folder=folder,) + actual = SystemPolicyV1Client.common_folder_path(folder) + assert expected == actual + + +def test_parse_common_folder_path(): + expected = { + "folder": "nudibranch", + } + path = SystemPolicyV1Client.common_folder_path(**expected) + + # Check that the path construction is reversible. + actual = SystemPolicyV1Client.parse_common_folder_path(path) + assert expected == actual + + +def test_common_organization_path(): + organization = "cuttlefish" + expected = "organizations/{organization}".format(organization=organization,) + actual = SystemPolicyV1Client.common_organization_path(organization) + assert expected == actual + + +def test_parse_common_organization_path(): + expected = { + "organization": "mussel", + } + path = SystemPolicyV1Client.common_organization_path(**expected) + + # Check that the path construction is reversible. 
+ actual = SystemPolicyV1Client.parse_common_organization_path(path) + assert expected == actual + + +def test_common_project_path(): + project = "winkle" + expected = "projects/{project}".format(project=project,) + actual = SystemPolicyV1Client.common_project_path(project) + assert expected == actual + + +def test_parse_common_project_path(): + expected = { + "project": "nautilus", + } + path = SystemPolicyV1Client.common_project_path(**expected) + + # Check that the path construction is reversible. + actual = SystemPolicyV1Client.parse_common_project_path(path) + assert expected == actual + + +def test_common_location_path(): + project = "scallop" + location = "abalone" + expected = "projects/{project}/locations/{location}".format( + project=project, location=location, + ) + actual = SystemPolicyV1Client.common_location_path(project, location) + assert expected == actual + + +def test_parse_common_location_path(): + expected = { + "project": "squid", + "location": "clam", + } + path = SystemPolicyV1Client.common_location_path(**expected) + + # Check that the path construction is reversible. + actual = SystemPolicyV1Client.parse_common_location_path(path) + assert expected == actual + + +def test_client_withDEFAULT_CLIENT_INFO(): + client_info = gapic_v1.client_info.ClientInfo() + + with mock.patch.object( + transports.SystemPolicyV1Transport, "_prep_wrapped_messages" + ) as prep: + client = SystemPolicyV1Client( + credentials=ga_credentials.AnonymousCredentials(), client_info=client_info, + ) + prep.assert_called_once_with(client_info) + + with mock.patch.object( + transports.SystemPolicyV1Transport, "_prep_wrapped_messages" + ) as prep: + transport_class = SystemPolicyV1Client.get_transport_class() + transport = transport_class( + credentials=ga_credentials.AnonymousCredentials(), client_info=client_info, + ) + prep.assert_called_once_with(client_info) 
diff --git a/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/test_validation_helper_v1.py b/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/test_validation_helper_v1.py
new file mode 100644
index 000000000000..04296e14afe0
--- /dev/null
+++ b/packages/google-cloud-binary-authorization/tests/unit/gapic/binaryauthorization_v1/test_validation_helper_v1.py
@@ -0,0 +1,1234 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import os +import mock +import packaging.version + +import grpc +from grpc.experimental import aio +import math +import pytest +from proto.marshal.rules.dates import DurationRule, TimestampRule + + +from google.api_core import client_options +from google.api_core import exceptions as core_exceptions +from google.api_core import gapic_v1 +from google.api_core import grpc_helpers +from google.api_core import grpc_helpers_async +from google.auth import credentials as ga_credentials +from google.auth.exceptions import MutualTLSChannelError +from google.cloud.binaryauthorization_v1.services.validation_helper_v1 import ( + ValidationHelperV1AsyncClient, +) +from google.cloud.binaryauthorization_v1.services.validation_helper_v1 import ( + ValidationHelperV1Client, +) +from google.cloud.binaryauthorization_v1.services.validation_helper_v1 import transports +from google.cloud.binaryauthorization_v1.services.validation_helper_v1.transports.base import ( + _GOOGLE_AUTH_VERSION, +) +from google.cloud.binaryauthorization_v1.types import service +from google.oauth2 import service_account +from grafeas.grafeas_v1.types import attestation # type: ignore +from grafeas.grafeas_v1.types import common # type: ignore +import google.auth + + +# TODO(busunkim): Once google-auth >= 1.25.0 is required transitively +# through google-api-core: +# - Delete the auth "less 
than" test cases +# - Delete these pytest markers (Make the "greater than or equal to" tests the default). +requires_google_auth_lt_1_25_0 = pytest.mark.skipif( + packaging.version.parse(_GOOGLE_AUTH_VERSION) >= packaging.version.parse("1.25.0"), + reason="This test requires google-auth < 1.25.0", +) +requires_google_auth_gte_1_25_0 = pytest.mark.skipif( + packaging.version.parse(_GOOGLE_AUTH_VERSION) < packaging.version.parse("1.25.0"), + reason="This test requires google-auth >= 1.25.0", +) + + +def client_cert_source_callback(): + return b"cert bytes", b"key bytes" + + +# If default endpoint is localhost, then default mtls endpoint will be the same. +# This method modifies the default endpoint so the client can produce a different +# mtls endpoint for endpoint testing purposes. +def modify_default_endpoint(client): + return ( + "foo.googleapis.com" + if ("localhost" in client.DEFAULT_ENDPOINT) + else client.DEFAULT_ENDPOINT + ) + + +def test__get_default_mtls_endpoint(): + api_endpoint = "example.googleapis.com" + api_mtls_endpoint = "example.mtls.googleapis.com" + sandbox_endpoint = "example.sandbox.googleapis.com" + sandbox_mtls_endpoint = "example.mtls.sandbox.googleapis.com" + non_googleapi = "api.example.com" + + assert ValidationHelperV1Client._get_default_mtls_endpoint(None) is None + assert ( + ValidationHelperV1Client._get_default_mtls_endpoint(api_endpoint) + == api_mtls_endpoint + ) + assert ( + ValidationHelperV1Client._get_default_mtls_endpoint(api_mtls_endpoint) + == api_mtls_endpoint + ) + assert ( + ValidationHelperV1Client._get_default_mtls_endpoint(sandbox_endpoint) + == sandbox_mtls_endpoint + ) + assert ( + ValidationHelperV1Client._get_default_mtls_endpoint(sandbox_mtls_endpoint) + == sandbox_mtls_endpoint + ) + assert ( + ValidationHelperV1Client._get_default_mtls_endpoint(non_googleapi) + == non_googleapi + ) + + +@pytest.mark.parametrize( + "client_class", [ValidationHelperV1Client, ValidationHelperV1AsyncClient,] +) +def 
test_validation_helper_v1_client_from_service_account_info(client_class): + creds = ga_credentials.AnonymousCredentials() + with mock.patch.object( + service_account.Credentials, "from_service_account_info" + ) as factory: + factory.return_value = creds + info = {"valid": True} + client = client_class.from_service_account_info(info) + assert client.transport._credentials == creds + assert isinstance(client, client_class) + + assert client.transport._host == "binaryauthorization.googleapis.com:443" + + +@pytest.mark.parametrize( + "transport_class,transport_name", + [ + (transports.ValidationHelperV1GrpcTransport, "grpc"), + (transports.ValidationHelperV1GrpcAsyncIOTransport, "grpc_asyncio"), + ], +) +def test_validation_helper_v1_client_service_account_always_use_jwt( + transport_class, transport_name +): + with mock.patch.object( + service_account.Credentials, "with_always_use_jwt_access", create=True + ) as use_jwt: + creds = service_account.Credentials(None, None, None) + transport = transport_class(credentials=creds, always_use_jwt_access=True) + use_jwt.assert_called_once_with(True) + + with mock.patch.object( + service_account.Credentials, "with_always_use_jwt_access", create=True + ) as use_jwt: + creds = service_account.Credentials(None, None, None) + transport = transport_class(credentials=creds, always_use_jwt_access=False) + use_jwt.assert_not_called() + + +@pytest.mark.parametrize( + "client_class", [ValidationHelperV1Client, ValidationHelperV1AsyncClient,] +) +def test_validation_helper_v1_client_from_service_account_file(client_class): + creds = ga_credentials.AnonymousCredentials() + with mock.patch.object( + service_account.Credentials, "from_service_account_file" + ) as factory: + factory.return_value = creds + client = client_class.from_service_account_file("dummy/file/path.json") + assert client.transport._credentials == creds + assert isinstance(client, client_class) + + client = client_class.from_service_account_json("dummy/file/path.json") + 
assert client.transport._credentials == creds + assert isinstance(client, client_class) + + assert client.transport._host == "binaryauthorization.googleapis.com:443" + + +def test_validation_helper_v1_client_get_transport_class(): + transport = ValidationHelperV1Client.get_transport_class() + available_transports = [ + transports.ValidationHelperV1GrpcTransport, + ] + assert transport in available_transports + + transport = ValidationHelperV1Client.get_transport_class("grpc") + assert transport == transports.ValidationHelperV1GrpcTransport + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name", + [ + (ValidationHelperV1Client, transports.ValidationHelperV1GrpcTransport, "grpc"), + ( + ValidationHelperV1AsyncClient, + transports.ValidationHelperV1GrpcAsyncIOTransport, + "grpc_asyncio", + ), + ], +) +@mock.patch.object( + ValidationHelperV1Client, + "DEFAULT_ENDPOINT", + modify_default_endpoint(ValidationHelperV1Client), +) +@mock.patch.object( + ValidationHelperV1AsyncClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(ValidationHelperV1AsyncClient), +) +def test_validation_helper_v1_client_client_options( + client_class, transport_class, transport_name +): + # Check that if channel is provided we won't create a new one. + with mock.patch.object(ValidationHelperV1Client, "get_transport_class") as gtc: + transport = transport_class(credentials=ga_credentials.AnonymousCredentials()) + client = client_class(transport=transport) + gtc.assert_not_called() + + # Check that if channel is provided via str we will create a new one. + with mock.patch.object(ValidationHelperV1Client, "get_transport_class") as gtc: + client = client_class(transport=transport_name) + gtc.assert_called() + + # Check the case api_endpoint is provided. 
+ options = client_options.ClientOptions(api_endpoint="squid.clam.whelk") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host="squid.clam.whelk", + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is + # "never". + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "never"}): + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT is + # "always". + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "always"}): + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_MTLS_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case api_endpoint is not provided and GOOGLE_API_USE_MTLS_ENDPOINT has + # unsupported value. + with mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "Unsupported"}): + with pytest.raises(MutualTLSChannelError): + client = client_class() + + # Check the case GOOGLE_API_USE_CLIENT_CERTIFICATE has unsupported value. 
+ with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": "Unsupported"} + ): + with pytest.raises(ValueError): + client = client_class() + + # Check the case quota_project_id is provided + options = client_options.ClientOptions(quota_project_id="octopus") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id="octopus", + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name,use_client_cert_env", + [ + ( + ValidationHelperV1Client, + transports.ValidationHelperV1GrpcTransport, + "grpc", + "true", + ), + ( + ValidationHelperV1AsyncClient, + transports.ValidationHelperV1GrpcAsyncIOTransport, + "grpc_asyncio", + "true", + ), + ( + ValidationHelperV1Client, + transports.ValidationHelperV1GrpcTransport, + "grpc", + "false", + ), + ( + ValidationHelperV1AsyncClient, + transports.ValidationHelperV1GrpcAsyncIOTransport, + "grpc_asyncio", + "false", + ), + ], +) +@mock.patch.object( + ValidationHelperV1Client, + "DEFAULT_ENDPOINT", + modify_default_endpoint(ValidationHelperV1Client), +) +@mock.patch.object( + ValidationHelperV1AsyncClient, + "DEFAULT_ENDPOINT", + modify_default_endpoint(ValidationHelperV1AsyncClient), +) +@mock.patch.dict(os.environ, {"GOOGLE_API_USE_MTLS_ENDPOINT": "auto"}) +def test_validation_helper_v1_client_mtls_env_auto( + client_class, transport_class, transport_name, use_client_cert_env +): + # This tests the endpoint autoswitch behavior. Endpoint is autoswitched to the default + # mtls endpoint, if GOOGLE_API_USE_CLIENT_CERTIFICATE is "true" and client cert exists. + + # Check the case client_cert_source is provided. 
Whether client cert is used depends on + # GOOGLE_API_USE_CLIENT_CERTIFICATE value. + with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + options = client_options.ClientOptions( + client_cert_source=client_cert_source_callback + ) + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + + if use_client_cert_env == "false": + expected_client_cert_source = None + expected_host = client.DEFAULT_ENDPOINT + else: + expected_client_cert_source = client_cert_source_callback + expected_host = client.DEFAULT_MTLS_ENDPOINT + + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=expected_host, + scopes=None, + client_cert_source_for_mtls=expected_client_cert_source, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case ADC client cert is provided. Whether client cert is used depends on + # GOOGLE_API_USE_CLIENT_CERTIFICATE value. 
+ with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + with mock.patch.object(transport_class, "__init__") as patched: + with mock.patch( + "google.auth.transport.mtls.has_default_client_cert_source", + return_value=True, + ): + with mock.patch( + "google.auth.transport.mtls.default_client_cert_source", + return_value=client_cert_source_callback, + ): + if use_client_cert_env == "false": + expected_host = client.DEFAULT_ENDPOINT + expected_client_cert_source = None + else: + expected_host = client.DEFAULT_MTLS_ENDPOINT + expected_client_cert_source = client_cert_source_callback + + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=expected_host, + scopes=None, + client_cert_source_for_mtls=expected_client_cert_source, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + # Check the case client_cert_source and ADC client cert are not provided. 
+ with mock.patch.dict( + os.environ, {"GOOGLE_API_USE_CLIENT_CERTIFICATE": use_client_cert_env} + ): + with mock.patch.object(transport_class, "__init__") as patched: + with mock.patch( + "google.auth.transport.mtls.has_default_client_cert_source", + return_value=False, + ): + patched.return_value = None + client = client_class() + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name", + [ + (ValidationHelperV1Client, transports.ValidationHelperV1GrpcTransport, "grpc"), + ( + ValidationHelperV1AsyncClient, + transports.ValidationHelperV1GrpcAsyncIOTransport, + "grpc_asyncio", + ), + ], +) +def test_validation_helper_v1_client_client_options_scopes( + client_class, transport_class, transport_name +): + # Check the case scopes are provided. + options = client_options.ClientOptions(scopes=["1", "2"],) + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file=None, + host=client.DEFAULT_ENDPOINT, + scopes=["1", "2"], + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +@pytest.mark.parametrize( + "client_class,transport_class,transport_name", + [ + (ValidationHelperV1Client, transports.ValidationHelperV1GrpcTransport, "grpc"), + ( + ValidationHelperV1AsyncClient, + transports.ValidationHelperV1GrpcAsyncIOTransport, + "grpc_asyncio", + ), + ], +) +def test_validation_helper_v1_client_client_options_credentials_file( + client_class, transport_class, transport_name +): + # Check the case credentials file is provided. 
+ options = client_options.ClientOptions(credentials_file="credentials.json") + with mock.patch.object(transport_class, "__init__") as patched: + patched.return_value = None + client = client_class(client_options=options) + patched.assert_called_once_with( + credentials=None, + credentials_file="credentials.json", + host=client.DEFAULT_ENDPOINT, + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +def test_validation_helper_v1_client_client_options_from_dict(): + with mock.patch( + "google.cloud.binaryauthorization_v1.services.validation_helper_v1.transports.ValidationHelperV1GrpcTransport.__init__" + ) as grpc_transport: + grpc_transport.return_value = None + client = ValidationHelperV1Client( + client_options={"api_endpoint": "squid.clam.whelk"} + ) + grpc_transport.assert_called_once_with( + credentials=None, + credentials_file=None, + host="squid.clam.whelk", + scopes=None, + client_cert_source_for_mtls=None, + quota_project_id=None, + client_info=transports.base.DEFAULT_CLIENT_INFO, + always_use_jwt_access=True, + ) + + +def test_validate_attestation_occurrence( + transport: str = "grpc", request_type=service.ValidateAttestationOccurrenceRequest +): + client = ValidationHelperV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.validate_attestation_occurrence), "__call__" + ) as call: + # Designate an appropriate return value for the call. 
+ call.return_value = service.ValidateAttestationOccurrenceResponse( + result=service.ValidateAttestationOccurrenceResponse.Result.VERIFIED, + denial_reason="denial_reason_value", + ) + response = client.validate_attestation_occurrence(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.ValidateAttestationOccurrenceRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, service.ValidateAttestationOccurrenceResponse) + assert ( + response.result == service.ValidateAttestationOccurrenceResponse.Result.VERIFIED + ) + assert response.denial_reason == "denial_reason_value" + + +def test_validate_attestation_occurrence_from_dict(): + test_validate_attestation_occurrence(request_type=dict) + + +def test_validate_attestation_occurrence_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = ValidationHelperV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.validate_attestation_occurrence), "__call__" + ) as call: + client.validate_attestation_occurrence() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.ValidateAttestationOccurrenceRequest() + + +@pytest.mark.asyncio +async def test_validate_attestation_occurrence_async( + transport: str = "grpc_asyncio", + request_type=service.ValidateAttestationOccurrenceRequest, +): + client = ValidationHelperV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. 
+ request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.validate_attestation_occurrence), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.ValidateAttestationOccurrenceResponse( + result=service.ValidateAttestationOccurrenceResponse.Result.VERIFIED, + denial_reason="denial_reason_value", + ) + ) + response = await client.validate_attestation_occurrence(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.ValidateAttestationOccurrenceRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, service.ValidateAttestationOccurrenceResponse) + assert ( + response.result == service.ValidateAttestationOccurrenceResponse.Result.VERIFIED + ) + assert response.denial_reason == "denial_reason_value" + + +@pytest.mark.asyncio +async def test_validate_attestation_occurrence_async_from_dict(): + await test_validate_attestation_occurrence_async(request_type=dict) + + +def test_validate_attestation_occurrence_field_headers(): + client = ValidationHelperV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.ValidateAttestationOccurrenceRequest() + + request.attestor = "attestor/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.validate_attestation_occurrence), "__call__" + ) as call: + call.return_value = service.ValidateAttestationOccurrenceResponse() + client.validate_attestation_occurrence(request) + + # Establish that the underlying gRPC stub method was called. 
+ assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "attestor=attestor/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_validate_attestation_occurrence_field_headers_async(): + client = ValidationHelperV1AsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.ValidateAttestationOccurrenceRequest() + + request.attestor = "attestor/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.validate_attestation_occurrence), "__call__" + ) as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.ValidateAttestationOccurrenceResponse() + ) + await client.validate_attestation_occurrence(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "attestor=attestor/value",) in kw["metadata"] + + +def test_credentials_transport_error(): + # It is an error to provide credentials and a transport instance. + transport = transports.ValidationHelperV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + with pytest.raises(ValueError): + client = ValidationHelperV1Client( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # It is an error to provide a credentials file and a transport instance. 
+ transport = transports.ValidationHelperV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + with pytest.raises(ValueError): + client = ValidationHelperV1Client( + client_options={"credentials_file": "credentials.json"}, + transport=transport, + ) + + # It is an error to provide scopes and a transport instance. + transport = transports.ValidationHelperV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + with pytest.raises(ValueError): + client = ValidationHelperV1Client( + client_options={"scopes": ["1", "2"]}, transport=transport, + ) + + +def test_transport_instance(): + # A client may be instantiated with a custom transport instance. + transport = transports.ValidationHelperV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + client = ValidationHelperV1Client(transport=transport) + assert client.transport is transport + + +def test_transport_get_channel(): + # A client may be instantiated with a custom transport instance. + transport = transports.ValidationHelperV1GrpcTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + channel = transport.grpc_channel + assert channel + + transport = transports.ValidationHelperV1GrpcAsyncIOTransport( + credentials=ga_credentials.AnonymousCredentials(), + ) + channel = transport.grpc_channel + assert channel + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.ValidationHelperV1GrpcTransport, + transports.ValidationHelperV1GrpcAsyncIOTransport, + ], +) +def test_transport_adc(transport_class): + # Test default credentials are used if not provided. + with mock.patch.object(google.auth, "default") as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport_class() + adc.assert_called_once() + + +def test_transport_grpc_default(): + # A client should use the gRPC transport by default. 
+ client = ValidationHelperV1Client( + credentials=ga_credentials.AnonymousCredentials(), + ) + assert isinstance(client.transport, transports.ValidationHelperV1GrpcTransport,) + + +def test_validation_helper_v1_base_transport_error(): + # Passing both a credentials object and credentials_file should raise an error + with pytest.raises(core_exceptions.DuplicateCredentialArgs): + transport = transports.ValidationHelperV1Transport( + credentials=ga_credentials.AnonymousCredentials(), + credentials_file="credentials.json", + ) + + +def test_validation_helper_v1_base_transport(): + # Instantiate the base transport. + with mock.patch( + "google.cloud.binaryauthorization_v1.services.validation_helper_v1.transports.ValidationHelperV1Transport.__init__" + ) as Transport: + Transport.return_value = None + transport = transports.ValidationHelperV1Transport( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Every method on the transport should just blindly + # raise NotImplementedError. 
+ methods = ("validate_attestation_occurrence",) + for method in methods: + with pytest.raises(NotImplementedError): + getattr(transport, method)(request=object()) + + +@requires_google_auth_gte_1_25_0 +def test_validation_helper_v1_base_transport_with_credentials_file(): + # Instantiate the base transport with a credentials file + with mock.patch.object( + google.auth, "load_credentials_from_file", autospec=True + ) as load_creds, mock.patch( + "google.cloud.binaryauthorization_v1.services.validation_helper_v1.transports.ValidationHelperV1Transport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + load_creds.return_value = (ga_credentials.AnonymousCredentials(), None) + transport = transports.ValidationHelperV1Transport( + credentials_file="credentials.json", quota_project_id="octopus", + ) + load_creds.assert_called_once_with( + "credentials.json", + scopes=None, + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +@requires_google_auth_lt_1_25_0 +def test_validation_helper_v1_base_transport_with_credentials_file_old_google_auth(): + # Instantiate the base transport with a credentials file + with mock.patch.object( + google.auth, "load_credentials_from_file", autospec=True + ) as load_creds, mock.patch( + "google.cloud.binaryauthorization_v1.services.validation_helper_v1.transports.ValidationHelperV1Transport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + load_creds.return_value = (ga_credentials.AnonymousCredentials(), None) + transport = transports.ValidationHelperV1Transport( + credentials_file="credentials.json", quota_project_id="octopus", + ) + load_creds.assert_called_once_with( + "credentials.json", + scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +def test_validation_helper_v1_base_transport_with_adc(): + # Test the default credentials are used if credentials and credentials_file are None. 
+ with mock.patch.object(google.auth, "default", autospec=True) as adc, mock.patch( + "google.cloud.binaryauthorization_v1.services.validation_helper_v1.transports.ValidationHelperV1Transport._prep_wrapped_messages" + ) as Transport: + Transport.return_value = None + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport = transports.ValidationHelperV1Transport() + adc.assert_called_once() + + +@requires_google_auth_gte_1_25_0 +def test_validation_helper_v1_auth_adc(): + # If no credentials are provided, we should use ADC credentials. + with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + ValidationHelperV1Client() + adc.assert_called_once_with( + scopes=None, + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id=None, + ) + + +@requires_google_auth_lt_1_25_0 +def test_validation_helper_v1_auth_adc_old_google_auth(): + # If no credentials are provided, we should use ADC credentials. + with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + ValidationHelperV1Client() + adc.assert_called_once_with( + scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id=None, + ) + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.ValidationHelperV1GrpcTransport, + transports.ValidationHelperV1GrpcAsyncIOTransport, + ], +) +@requires_google_auth_gte_1_25_0 +def test_validation_helper_v1_transport_auth_adc(transport_class): + # If credentials and host are not provided, the transport class should use + # ADC credentials. 
+ with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport_class(quota_project_id="octopus", scopes=["1", "2"]) + adc.assert_called_once_with( + scopes=["1", "2"], + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.ValidationHelperV1GrpcTransport, + transports.ValidationHelperV1GrpcAsyncIOTransport, + ], +) +@requires_google_auth_lt_1_25_0 +def test_validation_helper_v1_transport_auth_adc_old_google_auth(transport_class): + # If credentials and host are not provided, the transport class should use + # ADC credentials. + with mock.patch.object(google.auth, "default", autospec=True) as adc: + adc.return_value = (ga_credentials.AnonymousCredentials(), None) + transport_class(quota_project_id="octopus") + adc.assert_called_once_with( + scopes=("https://www.googleapis.com/auth/cloud-platform",), + quota_project_id="octopus", + ) + + +@pytest.mark.parametrize( + "transport_class,grpc_helpers", + [ + (transports.ValidationHelperV1GrpcTransport, grpc_helpers), + (transports.ValidationHelperV1GrpcAsyncIOTransport, grpc_helpers_async), + ], +) +def test_validation_helper_v1_transport_create_channel(transport_class, grpc_helpers): + # If credentials and host are not provided, the transport class should use + # ADC credentials. 
+ with mock.patch.object( + google.auth, "default", autospec=True + ) as adc, mock.patch.object( + grpc_helpers, "create_channel", autospec=True + ) as create_channel: + creds = ga_credentials.AnonymousCredentials() + adc.return_value = (creds, None) + transport_class(quota_project_id="octopus", scopes=["1", "2"]) + + create_channel.assert_called_with( + "binaryauthorization.googleapis.com:443", + credentials=creds, + credentials_file=None, + quota_project_id="octopus", + default_scopes=("https://www.googleapis.com/auth/cloud-platform",), + scopes=["1", "2"], + default_host="binaryauthorization.googleapis.com", + ssl_credentials=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + +@pytest.mark.parametrize( + "transport_class", + [ + transports.ValidationHelperV1GrpcTransport, + transports.ValidationHelperV1GrpcAsyncIOTransport, + ], +) +def test_validation_helper_v1_grpc_transport_client_cert_source_for_mtls( + transport_class, +): + cred = ga_credentials.AnonymousCredentials() + + # Check ssl_channel_credentials is used if provided. + with mock.patch.object(transport_class, "create_channel") as mock_create_channel: + mock_ssl_channel_creds = mock.Mock() + transport_class( + host="squid.clam.whelk", + credentials=cred, + ssl_channel_credentials=mock_ssl_channel_creds, + ) + mock_create_channel.assert_called_once_with( + "squid.clam.whelk:443", + credentials=cred, + credentials_file=None, + scopes=None, + ssl_credentials=mock_ssl_channel_creds, + quota_project_id=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + + # Check if ssl_channel_credentials is not provided, then client_cert_source_for_mtls + # is used. 
+ with mock.patch.object(transport_class, "create_channel", return_value=mock.Mock()): + with mock.patch("grpc.ssl_channel_credentials") as mock_ssl_cred: + transport_class( + credentials=cred, + client_cert_source_for_mtls=client_cert_source_callback, + ) + expected_cert, expected_key = client_cert_source_callback() + mock_ssl_cred.assert_called_once_with( + certificate_chain=expected_cert, private_key=expected_key + ) + + +def test_validation_helper_v1_host_no_port(): + client = ValidationHelperV1Client( + credentials=ga_credentials.AnonymousCredentials(), + client_options=client_options.ClientOptions( + api_endpoint="binaryauthorization.googleapis.com" + ), + ) + assert client.transport._host == "binaryauthorization.googleapis.com:443" + + +def test_validation_helper_v1_host_with_port(): + client = ValidationHelperV1Client( + credentials=ga_credentials.AnonymousCredentials(), + client_options=client_options.ClientOptions( + api_endpoint="binaryauthorization.googleapis.com:8000" + ), + ) + assert client.transport._host == "binaryauthorization.googleapis.com:8000" + + +def test_validation_helper_v1_grpc_transport_channel(): + channel = grpc.secure_channel("http://localhost/", grpc.local_channel_credentials()) + + # Check that channel is used if provided. + transport = transports.ValidationHelperV1GrpcTransport( + host="squid.clam.whelk", channel=channel, + ) + assert transport.grpc_channel == channel + assert transport._host == "squid.clam.whelk:443" + assert transport._ssl_channel_credentials == None + + +def test_validation_helper_v1_grpc_asyncio_transport_channel(): + channel = aio.secure_channel("http://localhost/", grpc.local_channel_credentials()) + + # Check that channel is used if provided. 
+ transport = transports.ValidationHelperV1GrpcAsyncIOTransport( + host="squid.clam.whelk", channel=channel, + ) + assert transport.grpc_channel == channel + assert transport._host == "squid.clam.whelk:443" + assert transport._ssl_channel_credentials == None + + +# Remove this test when deprecated arguments (api_mtls_endpoint, client_cert_source) are +# removed from grpc/grpc_asyncio transport constructor. +@pytest.mark.parametrize( + "transport_class", + [ + transports.ValidationHelperV1GrpcTransport, + transports.ValidationHelperV1GrpcAsyncIOTransport, + ], +) +def test_validation_helper_v1_transport_channel_mtls_with_client_cert_source( + transport_class, +): + with mock.patch( + "grpc.ssl_channel_credentials", autospec=True + ) as grpc_ssl_channel_cred: + with mock.patch.object( + transport_class, "create_channel" + ) as grpc_create_channel: + mock_ssl_cred = mock.Mock() + grpc_ssl_channel_cred.return_value = mock_ssl_cred + + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + + cred = ga_credentials.AnonymousCredentials() + with pytest.warns(DeprecationWarning): + with mock.patch.object(google.auth, "default") as adc: + adc.return_value = (cred, None) + transport = transport_class( + host="squid.clam.whelk", + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=client_cert_source_callback, + ) + adc.assert_called_once() + + grpc_ssl_channel_cred.assert_called_once_with( + certificate_chain=b"cert bytes", private_key=b"key bytes" + ) + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=cred, + credentials_file=None, + scopes=None, + ssl_credentials=mock_ssl_cred, + quota_project_id=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + assert transport.grpc_channel == mock_grpc_channel + assert transport._ssl_channel_credentials == mock_ssl_cred + + +# Remove this test when deprecated arguments (api_mtls_endpoint, 
client_cert_source) are +# removed from grpc/grpc_asyncio transport constructor. +@pytest.mark.parametrize( + "transport_class", + [ + transports.ValidationHelperV1GrpcTransport, + transports.ValidationHelperV1GrpcAsyncIOTransport, + ], +) +def test_validation_helper_v1_transport_channel_mtls_with_adc(transport_class): + mock_ssl_cred = mock.Mock() + with mock.patch.multiple( + "google.auth.transport.grpc.SslCredentials", + __init__=mock.Mock(return_value=None), + ssl_credentials=mock.PropertyMock(return_value=mock_ssl_cred), + ): + with mock.patch.object( + transport_class, "create_channel" + ) as grpc_create_channel: + mock_grpc_channel = mock.Mock() + grpc_create_channel.return_value = mock_grpc_channel + mock_cred = mock.Mock() + + with pytest.warns(DeprecationWarning): + transport = transport_class( + host="squid.clam.whelk", + credentials=mock_cred, + api_mtls_endpoint="mtls.squid.clam.whelk", + client_cert_source=None, + ) + + grpc_create_channel.assert_called_once_with( + "mtls.squid.clam.whelk:443", + credentials=mock_cred, + credentials_file=None, + scopes=None, + ssl_credentials=mock_ssl_cred, + quota_project_id=None, + options=[ + ("grpc.max_send_message_length", -1), + ("grpc.max_receive_message_length", -1), + ], + ) + assert transport.grpc_channel == mock_grpc_channel + + +def test_common_billing_account_path(): + billing_account = "squid" + expected = "billingAccounts/{billing_account}".format( + billing_account=billing_account, + ) + actual = ValidationHelperV1Client.common_billing_account_path(billing_account) + assert expected == actual + + +def test_parse_common_billing_account_path(): + expected = { + "billing_account": "clam", + } + path = ValidationHelperV1Client.common_billing_account_path(**expected) + + # Check that the path construction is reversible. 
+ actual = ValidationHelperV1Client.parse_common_billing_account_path(path) + assert expected == actual + + +def test_common_folder_path(): + folder = "whelk" + expected = "folders/{folder}".format(folder=folder,) + actual = ValidationHelperV1Client.common_folder_path(folder) + assert expected == actual + + +def test_parse_common_folder_path(): + expected = { + "folder": "octopus", + } + path = ValidationHelperV1Client.common_folder_path(**expected) + + # Check that the path construction is reversible. + actual = ValidationHelperV1Client.parse_common_folder_path(path) + assert expected == actual + + +def test_common_organization_path(): + organization = "oyster" + expected = "organizations/{organization}".format(organization=organization,) + actual = ValidationHelperV1Client.common_organization_path(organization) + assert expected == actual + + +def test_parse_common_organization_path(): + expected = { + "organization": "nudibranch", + } + path = ValidationHelperV1Client.common_organization_path(**expected) + + # Check that the path construction is reversible. + actual = ValidationHelperV1Client.parse_common_organization_path(path) + assert expected == actual + + +def test_common_project_path(): + project = "cuttlefish" + expected = "projects/{project}".format(project=project,) + actual = ValidationHelperV1Client.common_project_path(project) + assert expected == actual + + +def test_parse_common_project_path(): + expected = { + "project": "mussel", + } + path = ValidationHelperV1Client.common_project_path(**expected) + + # Check that the path construction is reversible. 
+ actual = ValidationHelperV1Client.parse_common_project_path(path) + assert expected == actual + + +def test_common_location_path(): + project = "winkle" + location = "nautilus" + expected = "projects/{project}/locations/{location}".format( + project=project, location=location, + ) + actual = ValidationHelperV1Client.common_location_path(project, location) + assert expected == actual + + +def test_parse_common_location_path(): + expected = { + "project": "scallop", + "location": "abalone", + } + path = ValidationHelperV1Client.common_location_path(**expected) + + # Check that the path construction is reversible. + actual = ValidationHelperV1Client.parse_common_location_path(path) + assert expected == actual + + +def test_client_withDEFAULT_CLIENT_INFO(): + client_info = gapic_v1.client_info.ClientInfo() + + with mock.patch.object( + transports.ValidationHelperV1Transport, "_prep_wrapped_messages" + ) as prep: + client = ValidationHelperV1Client( + credentials=ga_credentials.AnonymousCredentials(), client_info=client_info, + ) + prep.assert_called_once_with(client_info) + + with mock.patch.object( + transports.ValidationHelperV1Transport, "_prep_wrapped_messages" + ) as prep: + transport_class = ValidationHelperV1Client.get_transport_class() + transport = transport_class( + credentials=ga_credentials.AnonymousCredentials(), client_info=client_info, + ) + prep.assert_called_once_with(client_info)