def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor to which the public key should be added.'),
),
)
parser.add_argument(
'--comment', help='The comment describing the public key.')
key_group = parser.add_group(mutex=True, required=True)
pgp_group = key_group.add_group()
pgp_group.add_argument(
'--pgp-public-key-file',
type=arg_parsers.BufferedFileInput(),
help='The path to the file containing the '
'ASCII-armored PGP public key to add.')
kms_group = key_group.add_group()
flags.AddConcepts(
kms_group,
flags.GetCryptoKeyVersionPresentationSpec(
base_name='keyversion',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Cloud KMS (Key Management Service) CryptoKeyVersion whose
public key will be added to the attestor.""")),
)
pkix_group = key_group.add_group()
pkix_group.add_argument(
'--pkix-public-key-file',
required=True,
type=arg_parsers.BufferedFileInput(),
help='The path to the file containing the PKIX public key to add.')
pkix_group.add_argument(
'--pkix-public-key-algorithm',
choices=pkix.GetAlgorithmMapper().choices,
required=True,
help=textwrap.dedent("""\
The signing algorithm of the associated key. This will be used to
verify the signatures associated with this key."""))
parser.add_argument(
'--public-key-id-override',
type=str,
help=textwrap.dedent("""\
If provided, the ID to replace the default API-generated one. All IDs
must be valid URIs as defined by RFC 3986
(https://tools.ietf.org/html/rfc3986).
When creating Attestations to be verified by this key, one must always
provide this custom ID as the public key ID."""))
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor on which the public key should be updated.'),
),
)
parser.add_argument('public_key_id',
help='The ID of the public key to update.')
file_group = parser.add_mutually_exclusive_group()
file_group.add_argument(
'--public-key-file',
action=actions.DeprecationAction(
'public-key-file',
warn=
'This flag is deprecated. Use --pgp-public-key-file instead.'),
type=arg_parsers.FileContents(),
help='The path to a file containing the '
'updated ASCII-armored PGP public key.')
file_group.add_argument('--pgp-public-key-file',
type=arg_parsers.FileContents(),
help='The path to a file containing the '
'updated ASCII-armored PGP public key.')
parser.add_argument('--comment',
help='The comment describing the public key.')
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser)
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
flags.GetCryptoKeyVersionPresentationSpec(
base_name='keyversion',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Cloud KMS (Key Management Service) CryptoKeyVersion to use to
sign the attestation payload.""")),
)
parser.add_argument('--public-key-id-override',
type=str,
help=textwrap.dedent("""\
If provided, the ID of the public key that will be used to verify the
Attestation instead of the default generated one. This ID should match
the one found on the Attestor resource(s) which will use this
Attestation.
This parameter is only necessary if the `--public-key-id-override`
flag was provided when this KMS key was added to the Attestor."""))
def Args(parser):
# TODO(b/74193183): Add a comment option.
flags.AddConcepts(
parser,
flags.GetAuthorityPresentationSpec(
positional=True, group_help='The authority to update.'),
)
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True,
group_help='The attestor to be created.',
),
flags.GetAuthorityNotePresentationSpec(
base_name='attestation-authority-note',
required=True,
positional=False,
group_help=textwrap.dedent("""\
The Container Analysis ATTESTATION_AUTHORITY Note to which the
created attestor will be bound.
For the attestor to be able to access and use the Note,
the Note must exist and the active gcloud account (core/account)
must have the `containeranalysis.occurrences.viewer` permission
for the Note. This can be achieved by granting the
`containeranalysis.notes.viewer` role to the active account for
the Note resource in question.
"""),
),
)
parser.add_argument('--description',
required=False,
help='A description for the attestor')
def Args(parser):
flags.AddArtifactUrlFlag(parser, required=False)
mutex_group = parser.add_mutually_exclusive_group(required=True)
flags.AddConcepts(
mutex_group,
flags.GetAuthorityPresentationSpec(
base_name='attestation-authority',
required=False, # one-of requirement is set in mutex_group.
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestation Authority whose Container Analysis Note will be
queried for attestations. Note that the caller must have the
`containeranalysis.notes.listOccurrences` permission on the note
being queried.""")
),
flags.GetAuthorityNotePresentationSpec(
base_name='attestation-authority-note',
required=False, # one-of requirement is set in mutex_group.
positional=False,
group_help=textwrap.dedent("""\
The Container Analysis ATTESTATION_AUTHORITY Note that will be
queried for attestations. When this option is passed, only
occurrences with kind ATTESTATION_AUTHORITY will be returned. The
occurrences might be from any project, not just the project where
the note lives. Note that the caller must have the
`containeranalysis.notes.listOccurrences` permission on the note
being queried.""")
),
)
def Args(parser):
flags.AddArtifactUrlFlag(parser)
parser.add_argument('--signature-file',
required=True,
type=str,
help=textwrap.dedent("""\
Path to file containing the signature to store, or `-` to read
signature from stdin."""))
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
)
parser.add_argument('--pgp-key-fingerprint',
type=str,
required=True,
help=textwrap.dedent("""\
The cryptographic ID of the key used to generate the signature. For
Binary Authorization, this must be the version 4, full 160-bit
fingerprint, expressed as a 40 character hexidecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor to which the public key should be added.'),
),
)
# TODO(b/133451183): Remove deprecated flag.
if cls.ReleaseTrack() == base.ReleaseTrack.GA:
parser.add_argument('--pgp-public-key-file',
type=arg_parsers.FileContents(),
required=True,
help='The path to the file containing the '
'ASCII-armored PGP public key to add.')
else:
pgp_group = parser.add_mutually_exclusive_group(required=True)
pgp_group.add_argument('--public-key-file',
action=actions.DeprecationAction(
'public-key-file',
warn='This flag is deprecated. '
'Use --pgp-public-key-file instead.'),
type=arg_parsers.FileContents(),
help='The path to the file containing the '
'ASCII-armored PGP public key to add.')
pgp_group.add_argument('--pgp-public-key-file',
type=arg_parsers.FileContents(),
help='The path to the file containing the '
'ASCII-armored PGP public key to add.')
parser.add_argument('--comment',
help='The comment describing the public key.')
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser)
parser.add_argument('--signature-file',
required=True,
type=str,
help=textwrap.dedent("""\
Path to file containing the signature to store, or `-` to read
signature from stdin."""))
parser.add_argument('--payload-file',
required=False,
type=str,
help=textwrap.dedent("""\
Path to file containing the payload over which the signature was
calculated.
This defaults to the output of the standard payload command:
$ {grandparent_command} create-signature-payload
NOTE: If you sign a payload with e.g. different whitespace or
formatting, you must explicitly provide the payload content via this
flag.
"""))
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
)
parser.add_argument('--public-key-id',
required=True,
type=str,
help=textwrap.dedent("""\
The ID of the public key that will be used to verify the signature
of the created Attestation. This ID must match the one found on the
Attestor resource(s) which will verify this Attestation.
For PGP keys, this must be the version 4, full 160-bit fingerprint,
expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
parser.add_argument('--validate',
action='store_true',
default=False,
help=textwrap.dedent("""\
Whether to validate that the Attestation can be verified by the
provided Attestor.
"""))
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True,
group_help='The attestor whose IAM policy will be fetched.',
),
)
def Args(parser):
flags.AddConcepts(
parser,
flags.GetAuthorityPresentationSpec(
positional=True,
group_help='The authority to be deleted.'
),
)
def Args(parser):
flags.AddConcepts(
parser,
flags.GetAuthorityPresentationSpec(
positional=True,
group_help='The authority whose IAM policy will be fetched.',
),
)
def Args(parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True, group_help='The attestor to update.'),
)
parser.add_argument('--description',
required=False,
help='The new description for the attestor')
def Args(parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True,
group_help='The attestor whose IAM policy will be modified.',
),
)
iam_util.AddArgsForAddIamPolicyBinding(parser)
def Args(parser):
flags.AddConcepts(
parser,
flags.GetAuthorityPresentationSpec(
positional=True,
group_help='The authority whose IAM policy will be modified.',
),
)
iam_util.AddArgsForRemoveIamPolicyBinding(parser)
def Args(parser):
flags.AddConcepts(
parser,
flags.GetAuthorityPresentationSpec(
required=True,
positional=False,
group_help=(
'The authority from which the public key should be removed.'),
),
)
parser.add_argument('public_key_fingerprint',
help='The fingerprint of the public key to remove.')
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor from which the public key should be removed.'
),
),
)
parser.add_argument('public_key_id',
help='The ID of the public key to remove.')
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser, required=False)
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be queried
for attestations. Note that the caller must have the
`containeranalysis.notes.listOccurrences` permission on the note
being queried.""")),
)
def Args(parser):
flags.AddConcepts(
parser,
flags.GetAuthorityPresentationSpec(
required=True,
positional=False,
group_help=(
'The authority to which the public key should be added.'),
),
)
parser.add_argument('--public-key-file',
type=arg_parsers.BufferedFileInput(),
help='The path to the file containing the '
'ASCII-armored PGP public key to add.',
required=True)
parser.add_argument('--comment',
help='The comment describing the public key.')
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor to which the public key should be added.'),
),
)
parser.add_argument('--pgp-public-key-file',
type=arg_parsers.FileContents(),
required=True,
help='The path to the file containing the '
'ASCII-armored PGP public key to add.')
parser.add_argument('--comment',
help='The comment describing the public key.')
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
required=True,
positional=False,
group_help=(
'The attestor on which the public key should be updated.'),
),
)
parser.add_argument('public_key_id',
help='The ID of the public key to update.')
parser.add_argument('--pgp-public-key-file',
type=arg_parsers.BufferedFileInput(),
help='The path to the file containing the '
'new ASCII-armored PGP public key.')
parser.add_argument('--comment',
help='The comment describing the public key.')
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser)
parser.add_argument('--signature-file',
required=True,
type=str,
help=textwrap.dedent("""\
Path to file containing the signature to store, or `-` to read
signature from stdin."""))
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
)
parser.add_argument('--public-key-id',
required=True,
type=str,
help=textwrap.dedent("""\
The ID of the public key that will be used to verify the signature
of the created Attestation. This ID should match the one found on the
Attestor resource(s) which will use this Attestation.
For PKIX keys, this will be the URI-formatted `id` field of the
associated Attestor public key.
For PGP keys, this must be the version 4, full 160-bit fingerprint,
expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
def Args(cls, parser):
parser.display_info.AddFormat("""
table(
attestation.attestation.pgpSignedAttestation.pgpKeyId,
resource.uri:label=ARTIFACT_URL:sort=1
)
""")
flags.AddArtifactUrlFlag(parser, required=False)
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be queried
for attestations. Note that the caller must have the
`containeranalysis.notes.listOccurrences` permission on the note
being queried.""")),
)
def Args(parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True, group_help='The attestor to be deleted.'),
)
def Args(cls, parser):
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
positional=True, group_help='The attestor to describe.'),
)
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser)
parser.add_argument(
'--signature-file',
required=True,
type=str,
help=textwrap.dedent("""\
Path to file containing the signature to store, or `-` to read
signature from stdin."""))
parser.add_argument(
'--payload-file',
required=False,
type=str,
help=textwrap.dedent("""\
Path to file containing the payload over which the signature was
calculated.
This defaults to the output of the standard payload command:
$ {grandparent_command} create-signature-payload
NOTE: If you sign a payload with e.g. different whitespace or
formatting, you must explicitly provide the payload content via this
flag.
"""))
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
)
# TODO(b/133451183): Remove deprecated flag.
if cls.ReleaseTrack() == base.ReleaseTrack.GA:
parser.add_argument(
'--public-key-id',
type=str,
required=True,
help=textwrap.dedent("""\
The ID of the public key that will be used to verify the signature
of the created Attestation. This ID must match the one found on the
Attestor resource(s) which will verify this Attestation.
For PGP keys, this must be the version 4, full 160-bit fingerprint,
expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
else:
mutex_group = parser.add_mutually_exclusive_group(required=True)
mutex_group.add_argument(
'--pgp-key-fingerprint',
action=actions.DeprecationAction(
'pgp-key-fingerprint',
warn='This flag is deprecated. Use --public-key-id instead.'),
type=str,
help=textwrap.dedent("""\
The cryptographic ID of the key used to generate the signature. For
Binary Authorization, this must be the version 4, full 160-bit
fingerprint, expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
mutex_group.add_argument(
'--public-key-id',
type=str,
help=textwrap.dedent("""\
The ID of the public key that will be used to verify the signature
of the created Attestation. This ID must match the one found on the
Attestor resource(s) which will verify this Attestation.
For PGP keys, this must be the version 4, full 160-bit fingerprint,
expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))