feat: Add support for Password Check through the private_password_lea…

…k_verification field in the reCAPTCHA Assessment (googleapis#376) * feat: Add support for Password Check through the private_password_leak_verification field in the reCAPTCHA Assessment PiperOrigin-RevId: 449202953 Source-Link: googleapis/googleapis@e2ed48f Source-Link: https://github.com/googleapis/googleapis-gen/commit/82f55ea1435da6d69c8ceb0a33f863d1fd6a484e Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiODJmNTVlYTE0MzVkYTZkNjljOGNlYjBhMzNmODYzZDFmZDZhNDg0ZSJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
renovate-bot · May 18, 2022 · 7c1583c · 7c1583c
1 parent 4042ae2
commit 7c1583c
Show file tree

Hide file tree

Showing 11 changed files with 662 additions and 154 deletions.
diff --git a/protos/google/cloud/recaptchaenterprise/v1/recaptchaenterprise.proto b/protos/google/cloud/recaptchaenterprise/v1/recaptchaenterprise.proto
@@ -36,7 +36,8 @@ option ruby_package = "Google::Cloud::RecaptchaEnterprise::V1";
 // Service to determine the likelihood an event is legitimate.
 service RecaptchaEnterpriseService {
   option (google.api.default_host) = "recaptchaenterprise.googleapis.com";
-  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+  option (google.api.oauth_scopes) =
+      "https://www.googleapis.com/auth/cloud-platform";
 
   // Creates an Assessment of the likelihood an event is legitimate.
   rpc CreateAssessment(CreateAssessmentRequest) returns (Assessment) {
@@ -49,7 +50,8 @@ service RecaptchaEnterpriseService {
 
   // Annotates a previously created Assessment to provide additional information
   // on whether the event turned out to be authentic or fraudulent.
-  rpc AnnotateAssessment(AnnotateAssessmentRequest) returns (AnnotateAssessmentResponse) {
+  rpc AnnotateAssessment(AnnotateAssessmentRequest)
+      returns (AnnotateAssessmentResponse) {
     option (google.api.http) = {
       post: "/v1/{name=projects/*/assessments/*}:annotate"
       body: "*"
@@ -117,23 +119,28 @@ service RecaptchaEnterpriseService {
   }
 
   // List groups of related accounts.
-  rpc ListRelatedAccountGroups(ListRelatedAccountGroupsRequest) returns (ListRelatedAccountGroupsResponse) {
+  rpc ListRelatedAccountGroups(ListRelatedAccountGroupsRequest)
+      returns (ListRelatedAccountGroupsResponse) {
     option (google.api.http) = {
       get: "/v1/{parent=projects/*}/relatedaccountgroups"
     };
     option (google.api.method_signature) = "parent";
   }
 
   // Get the memberships in a group of related accounts.
-  rpc ListRelatedAccountGroupMemberships(ListRelatedAccountGroupMembershipsRequest) returns (ListRelatedAccountGroupMembershipsResponse) {
+  rpc ListRelatedAccountGroupMemberships(
+      ListRelatedAccountGroupMembershipsRequest)
+      returns (ListRelatedAccountGroupMembershipsResponse) {
     option (google.api.http) = {
       get: "/v1/{parent=projects/*/relatedaccountgroups/*}/memberships"
     };
     option (google.api.method_signature) = "parent";
   }
 
   // Search group memberships related to a given account.
-  rpc SearchRelatedAccountGroupMemberships(SearchRelatedAccountGroupMembershipsRequest) returns (SearchRelatedAccountGroupMembershipsResponse) {
+  rpc SearchRelatedAccountGroupMemberships(
+      SearchRelatedAccountGroupMembershipsRequest)
+      returns (SearchRelatedAccountGroupMembershipsResponse) {
     option (google.api.http) = {
       post: "/v1/{project=projects/*}/relatedaccountgroupmemberships:search"
       body: "*"
@@ -234,26 +241,25 @@ message AnnotateAssessmentRequest {
     }
   ];
 
-  // Optional. The annotation that will be assigned to the Event. This field can be left
-  // empty to provide reasons that apply to an event without concluding whether
-  // the event is legitimate or fraudulent.
+  // Optional. The annotation that will be assigned to the Event. This field can
+  // be left empty to provide reasons that apply to an event without concluding
+  // whether the event is legitimate or fraudulent.
   Annotation annotation = 2 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Optional reasons for the annotation that will be assigned to the Event.
+  // Optional. Optional reasons for the annotation that will be assigned to the
+  // Event.
   repeated Reason reasons = 3 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Optional unique stable hashed user identifier to apply to the assessment.
-  // This is an alternative to setting the hashed_account_id in
+  // Optional. Optional unique stable hashed user identifier to apply to the
+  // assessment. This is an alternative to setting the hashed_account_id in
   // CreateAssessment, for example when the account identifier is not yet known
   // in the initial request. It is recommended that the identifier is hashed
   // using hmac-sha256 with stable secret.
   bytes hashed_account_id = 4 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Empty response for AnnotateAssessment.
-message AnnotateAssessmentResponse {
-
-}
+message AnnotateAssessmentResponse {}
 
 // A recaptcha assessment resource.
 message Assessment {
@@ -273,36 +279,41 @@ message Assessment {
   RiskAnalysis risk_analysis = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // Output only. Properties of the provided event token.
-  TokenProperties token_properties = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
+  TokenProperties token_properties = 4
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // Assessment returned by Account Defender when a hashed_account_id is
   // provided.
   AccountDefenderAssessment account_defender_assessment = 6;
+
+  // Password leak verification info.
+  PrivatePasswordLeakVerification private_password_leak_verification = 7;
 }
 
 message Event {
-  // Optional. The user response token provided by the reCAPTCHA client-side integration
-  // on your site.
+  // Optional. The user response token provided by the reCAPTCHA client-side
+  // integration on your site.
   string token = 1 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. The site key that was used to invoke reCAPTCHA on your site and generate
-  // the token.
+  // Optional. The site key that was used to invoke reCAPTCHA on your site and
+  // generate the token.
   string site_key = 2 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. The user agent present in the request from the user's device related to
-  // this event.
+  // Optional. The user agent present in the request from the user's device
+  // related to this event.
   string user_agent = 3 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. The IP address in the request from the user's device related to this event.
+  // Optional. The IP address in the request from the user's device related to
+  // this event.
   string user_ip_address = 4 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. The expected action for this type of event. This should be the same action
-  // provided at token generation time on client-side platforms already
-  // integrated with recaptcha enterprise.
+  // Optional. The expected action for this type of event. This should be the
+  // same action provided at token generation time on client-side platforms
+  // already integrated with recaptcha enterprise.
   string expected_action = 5 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Optional unique stable hashed user identifier for the request. The
-  // identifier should ideally be hashed using sha256 with stable secret.
+  // Optional. Optional unique stable hashed user identifier for the request.
+  // The identifier should ideally be hashed using sha256 with stable secret.
   bytes hashed_account_id = 6 [(google.api.field_behavior) = OPTIONAL];
 }
 
@@ -414,6 +425,31 @@ message AccountDefenderAssessment {
   repeated AccountDefenderLabel labels = 1;
 }
 
+// Private password leak verification info.
+message PrivatePasswordLeakVerification {
+  // Exactly 26-bit prefix of the SHA-256 hash of the canonicalized username. It
+  // is used to look up password leaks associated with that hash prefix.
+  bytes lookup_hash_prefix = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Encrypted Scrypt hash of the canonicalized username+password. It is
+  // re-encrypted by the server and returned through
+  // `reencrypted_user_credentials_hash`.
+  bytes encrypted_user_credentials_hash = 2
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // List of prefixes of the encrypted potential password leaks that matched the
+  // given parameters. They should be compared with the client-side decryption
+  // prefix of `reencrypted_user_credentials_hash`
+  repeated bytes encrypted_leak_match_prefixes = 3
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Corresponds to the re-encryption of the `encrypted_user_credentials_hash`
+  // field. Used to match potential password leaks within
+  // `encrypted_leak_match_prefixes`.
+  bytes reencrypted_user_credentials_hash = 4
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+}
+
 // The create key request message.
 message CreateKeyRequest {
   // Required. The name of the project in which the key will be created, in the
@@ -476,9 +512,10 @@ message UpdateKeyRequest {
   // Required. The key to update.
   Key key = 1 [(google.api.field_behavior) = REQUIRED];
 
-  // Optional. The mask to control which fields of the key get updated. If the mask is not
-  // present, all fields will be updated.
-  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = OPTIONAL];
+  // Optional. The mask to control which fields of the key get updated. If the
+  // mask is not present, all fields will be updated.
+  google.protobuf.FieldMask update_mask = 2
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // The delete key request message.
@@ -740,14 +777,14 @@ message ListRelatedAccountGroupMembershipsRequest {
     }
   ];
 
-  // Optional. The maximum number of accounts to return. The service may return fewer than
-  // this value.
-  // If unspecified, at most 50 accounts will be returned.
-  // The maximum value is 1000; values above 1000 will be coerced to 1000.
+  // Optional. The maximum number of accounts to return. The service may return
+  // fewer than this value. If unspecified, at most 50 accounts will be
+  // returned. The maximum value is 1000; values above 1000 will be coerced to
+  // 1000.
   int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. A page token, received from a previous `ListRelatedAccountGroupMemberships`
-  // call.
+  // Optional. A page token, received from a previous
+  // `ListRelatedAccountGroupMemberships` call.
   //
   // When paginating, all other parameters provided to
   // `ListRelatedAccountGroupMemberships` must match the call that provided the
@@ -767,23 +804,22 @@ message ListRelatedAccountGroupMembershipsResponse {
 
 // The request message to list related account groups.
 message ListRelatedAccountGroupsRequest {
-  // Required. The name of the project to list related account groups from, in the format
-  // "projects/{project}".
+  // Required. The name of the project to list related account groups from, in
+  // the format "projects/{project}".
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
       child_type: "recaptchaenterprise.googleapis.com/RelatedAccountGroup"
     }
   ];
 
-  // Optional. The maximum number of groups to return. The service may return fewer than
-  // this value.
-  // If unspecified, at most 50 groups will be returned.
+  // Optional. The maximum number of groups to return. The service may return
+  // fewer than this value. If unspecified, at most 50 groups will be returned.
   // The maximum value is 1000; values above 1000 will be coerced to 1000.
   int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. A page token, received from a previous `ListRelatedAccountGroups` call.
-  // Provide this to retrieve the subsequent page.
+  // Optional. A page token, received from a previous `ListRelatedAccountGroups`
+  // call. Provide this to retrieve the subsequent page.
   //
   // When paginating, all other parameters provided to
   // `ListRelatedAccountGroups` must match the call that provided the page
@@ -803,23 +839,22 @@ message ListRelatedAccountGroupsResponse {
 
 // The request message to search related account group memberships.
 message SearchRelatedAccountGroupMembershipsRequest {
-  // Required. The name of the project to search related account group memberships from,
-  // in the format "projects/{project}".
+  // Required. The name of the project to search related account group
+  // memberships from, in the format "projects/{project}".
   string project = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
       child_type: "recaptchaenterprise.googleapis.com/RelatedAccountGroupMembership"
     }
   ];
 
-  // Optional. The unique stable hashed user identifier we should search connections to.
-  // The identifier should correspond to a `hashed_account_id` provided in a
-  // previous CreateAssessment or AnnotateAssessment call.
+  // Optional. The unique stable hashed user identifier we should search
+  // connections to. The identifier should correspond to a `hashed_account_id`
+  // provided in a previous CreateAssessment or AnnotateAssessment call.
   bytes hashed_account_id = 2 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. The maximum number of groups to return. The service may return fewer than
-  // this value.
-  // If unspecified, at most 50 groups will be returned.
+  // Optional. The maximum number of groups to return. The service may return
+  // fewer than this value. If unspecified, at most 50 groups will be returned.
   // The maximum value is 1000; values above 1000 will be coerced to 1000.
   int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL];