Пример #1
  def Args(parser):
    """Register this command's flags on `parser`.

    The artifact URL flag is added as optional, followed by a required
    mutually exclusive group holding two ways to name the note to query: an
    attestation authority, or an attestation authority note.
    """
    flags.AddArtifactUrlFlag(parser, required=False)

    # required=True on the group is what forces the caller to supply one of
    # the two concepts, which is why each spec below is itself optional.
    note_source_group = parser.add_mutually_exclusive_group(required=True)

    # Both help texts name the IAM permission the caller needs on the note.
    # Nothing in this method checks that permission; the text is advisory.
    authority_help = textwrap.dedent("""\
              The Attestation Authority whose Container Analysis Note will be
              queried for attestations. Note that the caller must have the
              `containeranalysis.notes.listOccurrences` permission on the note
              being queried.""")
    authority_spec = flags.GetAuthorityPresentationSpec(
        base_name='attestation-authority',
        required=False,
        positional=False,
        use_global_project_flag=False,
        group_help=authority_help,
    )

    # The help text states that occurrences returned through this path may
    # come from any project, not only the one that owns the note.
    note_help = textwrap.dedent("""\
              The Container Analysis ATTESTATION_AUTHORITY Note that will be
              queried for attestations.  When this option is passed, only
              occurrences with kind ATTESTATION_AUTHORITY will be returned.  The
              occurrences might be from any project, not just the project where
              the note lives.  Note that the caller must have the
              `containeranalysis.notes.listOccurrences` permission on the note
              being queried.""")
    note_spec = flags.GetAuthorityNotePresentationSpec(
        base_name='attestation-authority-note',
        required=False,
        positional=False,
        group_help=note_help,
    )

    flags.AddConcepts(note_source_group, authority_spec, note_spec)
Пример #2
    def Args(cls, parser):
        """Register the flags for creating an attestor on `parser`.

        Adds the positional attestor concept, the required
        `attestation-authority-note` concept, and an optional `--description`
        flag.
        """
        attestor_spec = flags.GetAttestorPresentationSpec(
            positional=True,
            group_help='The attestor to be created.',
        )

        # NOTE(review): the help text below calls
        # `containeranalysis.occurrences.viewer` a permission and then names
        # `containeranalysis.notes.viewer` as the role to grant. Confirm both
        # identifiers against the IAM documentation before using this text as
        # the basis for a least-privilege grant.
        note_help = textwrap.dedent("""\
                The Container Analysis ATTESTATION_AUTHORITY Note to which the
                created attestor will be bound.

                For the attestor to be able to access and use the Note,
                the Note must exist and the active gcloud account (core/account)
                must have the `containeranalysis.occurrences.viewer` permission
                for the Note. This can be achieved by granting the
                `containeranalysis.notes.viewer` role to the active account for
                the Note resource in question.

                """)
        note_spec = flags.GetAuthorityNotePresentationSpec(
            base_name='attestation-authority-note',
            required=True,
            positional=False,
            group_help=note_help,
        )

        flags.AddConcepts(parser, attestor_spec, note_spec)

        parser.add_argument(
            '--description',
            required=False,
            help='A description for the attestor',
        )
Пример #3
    def Args(parser):
        """Register the flags for creating an attestation on `parser`.

        Adds, in order: the artifact URL flag, the required `--signature-file`
        flag, a required mutually exclusive group naming the note that will
        host the attestation, and the required `--pgp-key-fingerprint` flag.
        """
        flags.AddArtifactUrlFlag(parser)

        signature_help = textwrap.dedent("""\
          Path to file containing the signature to store, or `-` to read signature
          from stdin.""")
        parser.add_argument(
            '--signature-file',
            required=True,
            type=str,
            help=signature_help,
        )

        # required=True on the group is what forces the caller to supply one
        # of the two concepts, so each spec below is itself optional.
        note_target_group = parser.add_mutually_exclusive_group(required=True)

        # Both help texts name the IAM permission needed to attach an
        # occurrence to the note. Nothing in this method checks it.
        authority_help = textwrap.dedent("""\
              The Attestation Authority whose Container Analysis Note will be
              used to host the created attestation. In order to successfully
              attach the attestation, the active gcloud account (core/account)
              must have the `containeranalysis.notes.attachOccurrence`
              permission for the Authority's underlying Note resource (usually
              via the `containeranalysis.notes.attacher` role).""")
        authority_spec = flags.GetAuthorityPresentationSpec(
            base_name='attestation-authority',
            required=False,
            positional=False,
            use_global_project_flag=False,
            group_help=authority_help,
        )

        note_help = textwrap.dedent("""\
              The Container Analysis ATTESTATION_AUTHORITY Note that the created
              attestation will be bound to.  This note must exist and the active
              gcloud account (core/account) must have the
              `containeranalysis.notes.attachOccurrence` permission for the note
              resource (usually via the `containeranalysis.notes.attacher`
              role).""")
        note_spec = flags.GetAuthorityNotePresentationSpec(
            base_name='attestation-authority-note',
            required=False,
            positional=False,
            group_help=note_help,
        )

        flags.AddConcepts(note_target_group, authority_spec, note_spec)

        # NOTE(review): the flag is parsed as a plain string, so the
        # 40-character hex format described in the help is not enforced in
        # this method. "hexidecimal" is a misspelling of "hexadecimal"; the
        # literal is kept verbatim here.
        fingerprint_help = textwrap.dedent("""\
          The cryptographic ID of the key used to generate the signature.  For
          Binary Authorization, this must be the version 4, full 160-bit
          fingerprint, expressed as a 40 character hexidecimal string.  See
          https://tools.ietf.org/html/rfc4880#section-12.2 for details.""")
        parser.add_argument(
            '--pgp-key-fingerprint',
            type=str,
            required=True,
            help=fingerprint_help,
        )