From b47fda99821d1bd8b7a6aa50c868470e23852f0c Mon Sep 17 00:00:00 2001
From: Xiaozhen Liu <xiaozhenliu@google.com>
Date: Thu, 19 Sep 2019 12:35:07 -0700
Subject: [PATCH] feat: add proto list template (#24)

* add proto list template

* feedback

* resolve conflict

* gts fix

* add test for multiple protos list generation
---
 .gitignore                                    |   1 +
 .../src/$version/$service_proto_list.json.njk |   1 +
 typescript/src/schema/api.ts                  |  10 +
 typescript/test/multi_proto.ts                |  89 +++
 .../test/protos/google/kms/v1/resources.proto | 533 +++++++++++++
 .../test/protos/google/kms/v1/service.proto   | 718 ++++++++++++++++++
 .../keymanagementservice_proto_list.json      |   4 +
 7 files changed, 1356 insertions(+)
 create mode 100644 templates/typescript_gapic/src/$version/$service_proto_list.json.njk
 create mode 100644 typescript/test/multi_proto.ts
 create mode 100644 typescript/test/protos/google/kms/v1/resources.proto
 create mode 100644 typescript/test/protos/google/kms/v1/service.proto
 create mode 100644 typescript/test/testdata/keymanagementservice_proto_list.json

diff --git a/.gitignore b/.gitignore
index 60db85b73..9c9ab5b68 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@ pbjs-genfiles/
 .DS_Store
 .idea
 .baseline-test-out
+.multi-proto-test-out
diff --git a/templates/typescript_gapic/src/$version/$service_proto_list.json.njk b/templates/typescript_gapic/src/$version/$service_proto_list.json.njk
new file mode 100644
index 000000000..a8e6df2b9
--- /dev/null
+++ b/templates/typescript_gapic/src/$version/$service_proto_list.json.njk
@@ -0,0 +1 @@
+{{ api.protoFilesToGenerateJSON | safe}}
diff --git a/typescript/src/schema/api.ts b/typescript/src/schema/api.ts
index c61324302..0c3e2066a 100644
--- a/typescript/src/schema/api.ts
+++ b/typescript/src/schema/api.ts
@@ -52,4 +52,14 @@ export class API {
       proto => this.protos[proto].fileToGenerate
     );
   }
+
+  get protoFilesToGenerateJSON() {
+    return JSON.stringify(
+      this.filesToGenerate.map(file => {
+        return `../../protos/${file}`;
+      }),
+      null,
+      '  '
+    );
+  }
 }
diff --git a/typescript/test/multi_proto.ts b/typescript/test/multi_proto.ts
new file mode 100644
index 000000000..b37496bfe
--- /dev/null
+++ b/typescript/test/multi_proto.ts
@@ -0,0 +1,89 @@
+// Copyright 2019 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as assert from 'assert';
+import { execSync } from 'child_process';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as rimraf from 'rimraf';
+
+const cwd = process.cwd();
+
+const OUTPUT_DIR = path.join(cwd, '.multi-proto-test-out');
+const GENERATED_PROTO_FILE = path.join(
+  OUTPUT_DIR,
+  'src',
+  'v1',
+  'keymanagementservice_proto_list.json'
+);
+const GOOGLE_GAX_PROTOS_DIR = path.join(
+  cwd,
+  'node_modules',
+  'google-gax',
+  'protos'
+);
+const PROTOS_DIR = path.join(cwd, 'build', 'test', 'protos');
+const KMS_PROTO_FILE = path.join(
+  PROTOS_DIR,
+  'google',
+  'kms',
+  'v1',
+  'service.proto'
+);
+
+const PROTOLIST_LIBRARY_BASELINE = path.join(
+  cwd,
+  'typescript',
+  'test',
+  'testdata',
+  'keymanagementservice_proto_list.json'
+);
+const SRCDIR = path.join(cwd, 'build', 'src');
+const CLI = path.join(SRCDIR, 'cli.js');
+const PLUGIN = path.join(SRCDIR, 'protoc-gen-typescript_gapic');
+
+describe('Proto List Generate Test', () => {
+  describe('Generate Client library', () => {
+    it('Generated proto list should have same output with baseline.', function() {
+      this.timeout(10000);
+      if (fs.existsSync(OUTPUT_DIR)) {
+        rimraf.sync(OUTPUT_DIR);
+      }
+      fs.mkdirSync(OUTPUT_DIR);
+
+      if (fs.existsSync(PLUGIN)) {
+        rimraf.sync(PLUGIN);
+      }
+      fs.copyFileSync(CLI, PLUGIN);
+      process.env['PATH'] = SRCDIR + path.delimiter + process.env['PATH'];
+
+      try {
+        execSync(`chmod +x ${PLUGIN}`);
+      } catch (err) {
+        console.warn(`Failed to chmod +x ${PLUGIN}: ${err}. Ignoring...`);
+      }
+
+      execSync(
+        `protoc --typescript_gapic_out=${OUTPUT_DIR} ` +
+          `-I${GOOGLE_GAX_PROTOS_DIR} ` +
+          `-I${PROTOS_DIR} ` +
+          KMS_PROTO_FILE
+      );
+      assert.strictEqual(
+        fs.readFileSync(GENERATED_PROTO_FILE).toString(),
+        fs.readFileSync(PROTOLIST_LIBRARY_BASELINE).toString()
+      );
+    });
+  });
+});
diff --git a/typescript/test/protos/google/kms/v1/resources.proto b/typescript/test/protos/google/kms/v1/resources.proto
new file mode 100644
index 000000000..09baaf1be
--- /dev/null
+++ b/typescript/test/protos/google/kms/v1/resources.proto
@@ -0,0 +1,533 @@
+// Copyright 2019 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package google.cloud.kms.v1;
+
+import "google/api/annotations.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.Kms.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
+option java_multiple_files = true;
+option java_outer_classname = "KmsResourcesProto";
+option java_package = "com.google.cloud.kms.v1";
+option php_namespace = "Google\\Cloud\\Kms\\V1";
+
+// A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+message KeyRing {
+  // Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format
+  // `projects/*/locations/*/keyRings/*`.
+  string name = 1;
+
+  // Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created.
+  google.protobuf.Timestamp create_time = 2;
+}
+
+// A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
+// operations.
+//
+// A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of one or more [versions][google.cloud.kms.v1.CryptoKeyVersion], which
+// represent the actual key material used in cryptographic operations.
+message CryptoKey {
+  // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] describes the cryptographic capabilities of a
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used for the operations allowed by
+  // its purpose. For more information, see
+  // [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
+  enum CryptoKeyPurpose {
+    // Not specified.
+    CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0;
+
+    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
+    // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
+    // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+    ENCRYPT_DECRYPT = 1;
+
+    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
+    // [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign] and
+    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+    ASYMMETRIC_SIGN = 5;
+
+    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
+    // [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt] and
+    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+    ASYMMETRIC_DECRYPT = 6;
+  }
+
+  // Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
+  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+  string name = 1;
+
+  // Output only. A copy of the "primary" [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
+  // by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given
+  // in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
+  //
+  // The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be updated via
+  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+  //
+  // All keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] have a
+  // primary. For other keys, this field will be omitted.
+  CryptoKeyVersion primary = 2;
+
+  // The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+  CryptoKeyPurpose purpose = 3;
+
+  // Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
+  google.protobuf.Timestamp create_time = 5;
+
+  // At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically:
+  //
+  // 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+  // 2. Mark the new version as primary.
+  //
+  // Key rotations performed manually via
+  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and
+  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
+  // do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
+  //
+  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support
+  // automatic rotation. For other keys, this field must be omitted.
+  google.protobuf.Timestamp next_rotation_time = 7;
+
+  // Controls the rate of automatic rotation.
+  oneof rotation_schedule {
+    // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service
+    // automatically rotates a key. Must be at least one day.
+    //
+    // If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set.
+    //
+    // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
+    // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support
+    // automatic rotation. For other keys, this field must be omitted.
+    google.protobuf.Duration rotation_period = 8;
+  }
+
+  // A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances.
+  // The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either
+  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
+  // auto-rotation are controlled by this template.
+  CryptoKeyVersionTemplate version_template = 11;
+
+  // Labels with user-defined metadata. For more information, see
+  // [Labeling Keys](/kms/docs/labeling-keys).
+  map<string, string> labels = 10;
+}
+
+// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating
+// a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with
+// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
+// automatically as a result of auto-rotation.
+message CryptoKeyVersionTemplate {
+  // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on
+  // this template. Immutable. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
+  ProtectionLevel protection_level = 1;
+
+  // Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] to use
+  // when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template.
+  //
+  // For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+  // this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
+  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3;
+}
+
+// Contains an HSM-generated attestation about a key operation. For more
+// information, see [Verifying attestations]
+// (https://cloud.google.com/kms/docs/attest-key).
+message KeyOperationAttestation {
+  // Attestation formats provided by the HSM.
+  enum AttestationFormat {
+    // Not specified.
+    ATTESTATION_FORMAT_UNSPECIFIED = 0;
+
+    // Cavium HSM attestation compressed with gzip. Note that this format is
+    // defined by Cavium and subject to change at any time.
+    CAVIUM_V1_COMPRESSED = 3;
+
+    // Cavium HSM attestation V2 compressed with gzip. This is a new format
+    // introduced in Cavium's version 3.2-08.
+    CAVIUM_V2_COMPRESSED = 4;
+  }
+
+  // Output only. The format of the attestation data.
+  AttestationFormat format = 4;
+
+  // Output only. The attestation data provided by the HSM when the key
+  // operation was performed.
+  bytes content = 5;
+}
+
+// A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
+// associated key material.
+//
+// An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be
+// used for cryptographic operations.
+//
+// For security reasons, the raw cryptographic key material represented by a
+// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to
+// encrypt, decrypt, or sign data when an authorized user or application invokes
+// Cloud KMS.
+message CryptoKeyVersion {
+  // The algorithm of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what
+  // parameters must be used for each cryptographic operation.
+  //
+  // The
+  // [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION]
+  // algorithm is usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+  //
+  // Algorithms beginning with "RSA_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
+  //
+  // The fields in the name after "RSA_SIGN_" correspond to the following
+  // parameters: padding algorithm, modulus bit length, and digest algorithm.
+  //
+  // For PSS, the salt length used is equal to the length of digest
+  // algorithm. For example,
+  // [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256]
+  // will use PSS with a salt length of 256 bits or 32 bytes.
+  //
+  // Algorithms beginning with "RSA_DECRYPT_" are usable with
+  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+  //
+  // The fields in the name after "RSA_DECRYPT_" correspond to the following
+  // parameters: padding algorithm, modulus bit length, and digest algorithm.
+  //
+  // Algorithms beginning with "EC_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
+  //
+  // The fields in the name after "EC_SIGN_" correspond to the following
+  // parameters: elliptic curve, digest algorithm.
+  //
+  // For more information, see [Key purposes and algorithms]
+  // (https://cloud.google.com/kms/docs/algorithms).
+  enum CryptoKeyVersionAlgorithm {
+    // Not specified.
+    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0;
+
+    // Creates symmetric encryption keys.
+    GOOGLE_SYMMETRIC_ENCRYPTION = 1;
+
+    // RSASSA-PSS 2048 bit key with a SHA256 digest.
+    RSA_SIGN_PSS_2048_SHA256 = 2;
+
+    // RSASSA-PSS 3072 bit key with a SHA256 digest.
+    RSA_SIGN_PSS_3072_SHA256 = 3;
+
+    // RSASSA-PSS 4096 bit key with a SHA256 digest.
+    RSA_SIGN_PSS_4096_SHA256 = 4;
+
+    // RSASSA-PSS 4096 bit key with a SHA512 digest.
+    RSA_SIGN_PSS_4096_SHA512 = 15;
+
+    // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
+    RSA_SIGN_PKCS1_2048_SHA256 = 5;
+
+    // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
+    RSA_SIGN_PKCS1_3072_SHA256 = 6;
+
+    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
+    RSA_SIGN_PKCS1_4096_SHA256 = 7;
+
+    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
+    RSA_SIGN_PKCS1_4096_SHA512 = 16;
+
+    // RSAES-OAEP 2048 bit key with a SHA256 digest.
+    RSA_DECRYPT_OAEP_2048_SHA256 = 8;
+
+    // RSAES-OAEP 3072 bit key with a SHA256 digest.
+    RSA_DECRYPT_OAEP_3072_SHA256 = 9;
+
+    // RSAES-OAEP 4096 bit key with a SHA256 digest.
+    RSA_DECRYPT_OAEP_4096_SHA256 = 10;
+
+    // RSAES-OAEP 4096 bit key with a SHA512 digest.
+    RSA_DECRYPT_OAEP_4096_SHA512 = 17;
+
+    // ECDSA on the NIST P-256 curve with a SHA256 digest.
+    EC_SIGN_P256_SHA256 = 12;
+
+    // ECDSA on the NIST P-384 curve with a SHA384 digest.
+    EC_SIGN_P384_SHA384 = 13;
+  }
+
+  // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used.
+  enum CryptoKeyVersionState {
+    // Not specified.
+    CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0;
+
+    // This version is still being generated. It may not be used, enabled,
+    // disabled, or destroyed yet. Cloud KMS will automatically mark this
+    // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
+    PENDING_GENERATION = 5;
+
+    // This version may be used for cryptographic operations.
+    ENABLED = 1;
+
+    // This version may not be used, but the key material is still available,
+    // and the version can be placed back into the [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] state.
+    DISABLED = 2;
+
+    // This version is destroyed, and the key material is no longer stored.
+    // A version may not leave this state once entered.
+    DESTROYED = 3;
+
+    // This version is scheduled for destruction, and will be destroyed soon.
+    // Call
+    // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
+    // to put it back into the [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] state.
+    DESTROY_SCHEDULED = 4;
+
+    // This version is still being imported. It may not be used, enabled,
+    // disabled, or destroyed yet. Cloud KMS will automatically mark this
+    // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
+    PENDING_IMPORT = 6;
+
+    // This version was not imported successfully. It may not be used, enabled,
+    // disabled, or destroyed. The submitted key material has been discarded.
+    // Additional details can be found in
+    // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
+    IMPORT_FAILED = 7;
+  }
+
+  // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls the level of detail returned
+  // for [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in
+  // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] and
+  // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+  enum CryptoKeyVersionView {
+    // Default view for each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not include
+    // the [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field.
+    CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0;
+
+    // Provides all fields in each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the
+    // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
+    FULL = 1;
+  }
+
+  // Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
+  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+  string name = 1;
+
+  // The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+  CryptoKeyVersionState state = 3;
+
+  // Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are
+  // performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+  ProtectionLevel protection_level = 7;
+
+  // Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this
+  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports.
+  CryptoKeyVersionAlgorithm algorithm = 10;
+
+  // Output only. Statement that was generated and signed by the HSM at key
+  // creation time. Use this statement to verify attributes of the key as stored
+  // on the HSM, independently of Google. Only provided for key versions with
+  // [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+  KeyOperationAttestation attestation = 8;
+
+  // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
+  google.protobuf.Timestamp create_time = 4;
+
+  // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
+  // generated.
+  google.protobuf.Timestamp generate_time = 11;
+
+  // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is scheduled
+  // for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
+  google.protobuf.Timestamp destroy_time = 5;
+
+  // Output only. The time this CryptoKeyVersion's key material was
+  // destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
+  google.protobuf.Timestamp destroy_event_time = 6;
+
+  // Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] used to import this
+  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if the underlying key material was
+  // imported.
+  string import_job = 14;
+
+  // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material
+  // was imported.
+  google.protobuf.Timestamp import_time = 15;
+
+  // Output only. The root cause of an import failure. Only present if
+  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+  // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
+  string import_failure_reason = 16;
+}
+
+// The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
+// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+message PublicKey {
+  // The public key, encoded in PEM format. For more information, see the
+  // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
+  // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+  // [Textual Encoding of Subject Public Key Info]
+  // (https://tools.ietf.org/html/rfc7468#section-13).
+  string pem = 1;
+
+  // The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] associated
+  // with this key.
+  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;
+}
+
+// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how cryptographic operations are performed.
+// For more information, see [Protection levels]
+// (https://cloud.google.com/kms/docs/algorithms#protection_levels).
+enum ProtectionLevel {
+  // Not specified.
+  PROTECTION_LEVEL_UNSPECIFIED = 0;
+
+  // Crypto operations are performed in software.
+  SOFTWARE = 1;
+
+  // Crypto operations are performed in a Hardware Security Module.
+  HSM = 2;
+}
+
+// An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material,
+// generated outside of Cloud KMS.
+//
+// When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a "wrapping key",
+// which is a public/private key pair. You use the wrapping key to encrypt (also
+// known as wrap) the pre-existing key material to protect it during the import
+// process. The nature of the wrapping key depends on the choice of
+// [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation
+// is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to
+// [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key]
+// can be fetched. The fetched public key can then be used to wrap your
+// pre-existing key material.
+//
+// Once the key material is wrapped, it can be imported into a new
+// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
+// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+// Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single
+// [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to
+// unwrap the key material. Only Cloud KMS has access to the private key.
+//
+// An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS
+// will no longer be able to import or unwrap any key material that was wrapped
+// with the [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
+//
+// For more information, see
+// [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
+message ImportJob {
+  // The public key component of the wrapping key. For details of the type of
+  // key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
+  message WrappingPublicKey {
+    // The public key, encoded in PEM format. For more information, see the [RFC
+    // 7468](https://tools.ietf.org/html/rfc7468) sections for [General
+    // Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+    // [Textual Encoding of Subject Public Key Info]
+    // (https://tools.ietf.org/html/rfc7468#section-13).
+    string pem = 1;
+  }
+
+  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the key wrapping method chosen for this
+  // [ImportJob][google.cloud.kms.v1.ImportJob].
+  enum ImportMethod {
+    // Not specified.
+    IMPORT_METHOD_UNSPECIFIED = 0;
+
+    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+    // scheme defined in the PKCS #11 standard. In summary, this involves
+    // wrapping the raw key with an ephemeral AES key, and wrapping the
+    // ephemeral AES key with a 3072 bit RSA key. For more details, see
+    // [RSA AES key wrap
+    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+    RSA_OAEP_3072_SHA1_AES_256 = 1;
+
+    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+    // scheme defined in the PKCS #11 standard. In summary, this involves
+    // wrapping the raw key with an ephemeral AES key, and wrapping the
+    // ephemeral AES key with a 4096 bit RSA key. For more details, see
+    // [RSA AES key wrap
+    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+    RSA_OAEP_4096_SHA1_AES_256 = 2;
+  }
+
+  // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
+  enum ImportJobState {
+    // Not specified.
+    IMPORT_JOB_STATE_UNSPECIFIED = 0;
+
+    // The wrapping key for this job is still being generated. It may not be
+    // used. Cloud KMS will automatically mark this job as
+    // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as the wrapping key is generated.
+    PENDING_GENERATION = 1;
+
+    // This job may be used in
+    // [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey] and
+    // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
+    // requests.
+    ACTIVE = 2;
+
+    // This job can no longer be used and may not leave this state once entered.
+    EXPIRED = 3;
+  }
+
+  // Output only. The resource name for this [ImportJob][google.cloud.kms.v1.ImportJob] in the format
+  // `projects/*/locations/*/keyRings/*/importJobs/*`.
+  string name = 1;
+
+  // Required and immutable. The wrapping method to be used for incoming
+  // key material.
+  ImportMethod import_method = 2;
+
+  // Required and immutable. The protection level of the [ImportJob][google.cloud.kms.v1.ImportJob]. This
+  // must match the
+  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] of the
+  // [version_template][google.cloud.kms.v1.CryptoKey.version_template] on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you
+  // attempt to import into.
+  ProtectionLevel protection_level = 9;
+
+  // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] was created.
+  google.protobuf.Timestamp create_time = 3;
+
+  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key material was generated.
+  google.protobuf.Timestamp generate_time = 4;
+
+  // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for
+  // expiration and can no longer be used to import key material.
+  google.protobuf.Timestamp expire_time = 5;
+
+  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only present if
+  // [state][google.cloud.kms.v1.ImportJob.state] is [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
+  google.protobuf.Timestamp expire_event_time = 10;
+
+  // Output only. The current state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can
+  // be used.
+  ImportJobState state = 6;
+
+  // Output only. The public key with which to wrap key material prior to
+  // import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
+  // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
+  WrappingPublicKey public_key = 7;
+
+  // Output only. Statement that was generated and signed by the key creator
+  // (for example, an HSM) at key creation time. Use this statement to verify
+  // attributes of the key as stored on the HSM, independently of Google.
+  // Only present if the chosen [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a protection
+  // level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
+  KeyOperationAttestation attestation = 8;
+}
diff --git a/typescript/test/protos/google/kms/v1/service.proto b/typescript/test/protos/google/kms/v1/service.proto
new file mode 100644
index 000000000..6210923ea
--- /dev/null
+++ b/typescript/test/protos/google/kms/v1/service.proto
@@ -0,0 +1,718 @@
+// Copyright 2019 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package google.cloud.kms.v1;
+
+import "google/api/annotations.proto";
+import "google/kms/v1/resources.proto";
+import "google/protobuf/field_mask.proto";
+import "google/api/client.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.Kms.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
+option java_multiple_files = true;
+option java_outer_classname = "KmsProto";
+option java_package = "com.google.cloud.kms.v1";
+option php_namespace = "Google\\Cloud\\Kms\\V1";
+
+// Google Cloud Key Management Service
+//
+// Manages cryptographic keys and operations using those keys. Implements a REST
+// model with the following objects:
+//
+// * [KeyRing][google.cloud.kms.v1.KeyRing]
+// * [CryptoKey][google.cloud.kms.v1.CryptoKey]
+// * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+//
+// If you are using manual gRPC libraries, see
+// [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
+service KeyManagementService {
+  option (google.api.default_host) = "cloudkms.googleapis.com";
+  option (google.api.oauth_scopes) =
+      "https://www.googleapis.com/auth/cloud-platform,"
+      "https://www.googleapis.com/auth/cloudkms";
+
+  // Lists [KeyRings][google.cloud.kms.v1.KeyRing].
+  rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/locations/*}/keyRings"
+    };
+  }
+
+  // Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+  rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
+    };
+  }
+
+  // Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+  rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest) returns (ListCryptoKeyVersionsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
+    };
+  }
+
+  // Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
+  rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
+    };
+  }
+
+  // Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
+  rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/keyRings/*}"
+    };
+  }
+
+  // Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its
+  // [primary][google.cloud.kms.v1.CryptoKey.primary] [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+  rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
+    };
+  }
+
+  // Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+  rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
+    };
+  }
+
+  // Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
+  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or
+  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+  rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey"
+    };
+  }
+
+  // Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
+  rpc GetImportJob(GetImportJobRequest) returns (ImportJob) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}"
+    };
+  }
+
+  // Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.
+  rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/locations/*}/keyRings"
+      body: "key_ring"
+    };
+  }
+
+  // Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing].
+  //
+  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
+  // [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
+  // are required.
+  rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
+      body: "crypto_key"
+    };
+  }
+
+  // Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+  //
+  // The server will assign the next sequential id. If unset,
+  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
+  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
+  rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
+      body: "crypto_key_version"
+    };
+  }
+
+  // Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the
+  // wrapped key material provided in the request.
+  //
+  // The version ID will be assigned the next sequential id within the
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
+  rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import"
+      body: "*"
+    };
+  }
+
+  // Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a [KeyRing][google.cloud.kms.v1.KeyRing].
+  //
+  // [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is required.
+  rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
+      body: "import_job"
+    };
+  }
+
+  // Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+  rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) {
+    option (google.api.http) = {
+      patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
+      body: "crypto_key"
+    };
+  }
+
+  // Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s metadata.
+  //
+  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between
+  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and
+  // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] using this
+  // method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to
+  // move between other states.
+  rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
+    option (google.api.http) = {
+      patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
+      body: "crypto_key_version"
+    };
+  }
+
+  // Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+  // The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+  rpc Encrypt(EncryptRequest) returns (EncryptResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt"
+      body: "*"
+    };
+  }
+
+  // Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+  // must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
+  rpc Decrypt(DecryptRequest) returns (DecryptResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt"
+      body: "*"
+    };
+  }
+
+  // Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+  // ASYMMETRIC_SIGN, producing a signature that can be verified with the public
+  // key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+  rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign"
+      body: "*"
+    };
+  }
+
+  // Decrypts data that was encrypted with a public key retrieved from
+  // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
+  rpc AsymmetricDecrypt(AsymmetricDecryptRequest) returns (AsymmetricDecryptResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt"
+      body: "*"
+    };
+  }
+
+  // Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+  //
+  // Returns an error if called on an asymmetric key.
+  rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest) returns (CryptoKey) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion"
+      body: "*"
+    };
+  }
+
+  // Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction.
+  //
+  // Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
+  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+  // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24
+  // hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state]
+  // will be changed to
+  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key
+  // material will be irrevocably destroyed.
+  //
+  // Before the [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is reached,
+  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.
+  rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy"
+      body: "*"
+    };
+  }
+
+  // Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
+  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
+  // state.
+  //
+  // Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state]
+  // will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
+  // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.
+  rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore"
+      body: "*"
+    };
+  }
+}
+
+// Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+message ListKeyRingsRequest {
+  // Required. The resource name of the location associated with the
+  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format `projects/*/locations/*`.
+  string parent = 1;
+
+  // Optional limit on the number of [KeyRings][google.cloud.kms.v1.KeyRing] to include in the
+  // response.  Further [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
+  // including the [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token] in a subsequent
+  // request.  If unspecified, the server will pick an appropriate default.
+  int32 page_size = 2;
+
+  // Optional pagination token, returned earlier via
+  // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
+  string page_token = 3;
+
+  // Optional. Only include resources that match the filter in the response.
+  string filter = 4;
+
+  // Optional. Specify how the results should be sorted. If not specified, the
+  // results will be sorted in the default order.
+  string order_by = 5;
+}
+
+// Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+message ListCryptoKeysRequest {
+  // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
+  // `projects/*/locations/*/keyRings/*`.
+  string parent = 1;
+
+  // Optional limit on the number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the
+  // response.  Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be obtained by
+  // including the [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token] in a subsequent
+  // request.  If unspecified, the server will pick an appropriate default.
+  int32 page_size = 2;
+
+  // Optional pagination token, returned earlier via
+  // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
+  string page_token = 3;
+
+  // The fields of the primary version to include in the response.
+  CryptoKeyVersion.CryptoKeyVersionView version_view = 4;
+
+  // Optional. Only include resources that match the filter in the response.
+  string filter = 5;
+
+  // Optional. Specify how the results should be sorted. If not specified, the
+  // results will be sorted in the default order.
+  string order_by = 6;
+}
+
+// Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+message ListCryptoKeyVersionsRequest {
+  // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
+  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+  string parent = 1;
+
+  // Optional limit on the number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to
+  // include in the response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can
+  // subsequently be obtained by including the
+  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token] in a subsequent request.
+  // If unspecified, the server will pick an appropriate default.
+  int32 page_size = 2;
+
+  // Optional pagination token, returned earlier via
+  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
+  string page_token = 3;
+
+  // The fields to include in the response.
+  CryptoKeyVersion.CryptoKeyVersionView view = 4;
+
+  // Optional. Only include resources that match the filter in the response.
+  string filter = 5;
+
+  // Optional. Specify how the results should be sorted. If not specified, the
+  // results will be sorted in the default order.
+  string order_by = 6;
+}
+
+// Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+message ListImportJobsRequest {
+  // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
+  // `projects/*/locations/*/keyRings/*`.
+  string parent = 1;
+
+  // Optional limit on the number of [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the
+  // response. Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be obtained by
+  // including the [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token] in a subsequent
+  // request. If unspecified, the server will pick an appropriate default.
+  int32 page_size = 2;
+
+  // Optional pagination token, returned earlier via
+  // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
+  string page_token = 3;
+
+  // Optional. Only include resources that match the filter in the response.
+  string filter = 4;
+
+  // Optional. Specify how the results should be sorted. If not specified, the
+  // results will be sorted in the default order.
+  string order_by = 5;
+}
+
+// Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
+message ListKeyRingsResponse {
+  // The list of [KeyRings][google.cloud.kms.v1.KeyRing].
+  repeated KeyRing key_rings = 1;
+
+  // A token to retrieve next page of results. Pass this value in
+  // [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token] to retrieve the next page of results.
+  string next_page_token = 2;
+
+  // The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched the query.
+  int32 total_size = 3;
+}
+
+// Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
+message ListCryptoKeysResponse {
+  // The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+  repeated CryptoKey crypto_keys = 1;
+
+  // A token to retrieve next page of results. Pass this value in
+  // [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token] to retrieve the next page of results.
+  string next_page_token = 2;
+
+  // The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched the query.
+  int32 total_size = 3;
+}
+
+// Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
+message ListCryptoKeyVersionsResponse {
+  // The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+  repeated CryptoKeyVersion crypto_key_versions = 1;
+
+  // A token to retrieve next page of results. Pass this value in
+  // [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token] to retrieve the next page of
+  // results.
+  string next_page_token = 2;
+
+  // The total number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
+  // query.
+  int32 total_size = 3;
+}
+
+// Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
+message ListImportJobsResponse {
+  // The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
+  repeated ImportJob import_jobs = 1;
+
+  // A token to retrieve next page of results. Pass this value in
+  // [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token] to retrieve the next page of results.
+  string next_page_token = 2;
+
+  // The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that matched the query.
+  int32 total_size = 3;
+}
+
+// Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
+message GetKeyRingRequest {
+  // The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
+  string name = 1;
+}
+
+// Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
+message GetCryptoKeyRequest {
+  // The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
+  string name = 1;
+}
+
+// Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
+message GetCryptoKeyVersionRequest {
+  // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
+  string name = 1;
+}
+
+// Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+message GetPublicKeyRequest {
+  // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to
+  // get.
+  string name = 1;
+}
+
+// Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
+message GetImportJobRequest {
+  // The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] to get.
+  string name = 1;
+}
+
+// Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
+message CreateKeyRingRequest {
+  // Required. The resource name of the location associated with the
+  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format `projects/*/locations/*`.
+  string parent = 1;
+
+  // Required. It must be unique within a location and match the regular
+  // expression `[a-zA-Z0-9_-]{1,63}`
+  string key_ring_id = 2;
+
+  // A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.
+  KeyRing key_ring = 3;
+}
+
+// Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
+message CreateCryptoKeyRequest {
+  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the
+  // [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+  string parent = 1;
+
+  // Required. It must be unique within a KeyRing and match the regular
+  // expression `[a-zA-Z0-9_-]{1,63}`
+  string crypto_key_id = 2;
+
+  // A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.
+  CryptoKey crypto_key = 3;
+
+  // If set to true, the request will create a [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
+  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must manually call
+  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
+  // [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
+  // before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
+  bool skip_initial_version_creation = 5;
+}
+
+// Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
+message CreateCryptoKeyVersionRequest {
+  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with
+  // the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
+  string parent = 1;
+
+  // A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.
+  CryptoKeyVersion crypto_key_version = 2;
+}
+
+// Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
+message ImportCryptoKeyVersionRequest {
+  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to
+  // be imported into.
+  string parent = 1;
+
+  // Required. The [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] of
+  // the key being imported. This does not need to match the
+  // [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] this
+  // version imports into.
+  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;
+
+  // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] that was used to
+  // wrap this key material.
+  string import_job = 4;
+
+  // Required. The incoming wrapped key material that is to be imported.
+  oneof wrapped_key_material {
+    // Wrapped key material produced with
+    // [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
+    // or
+    // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256].
+    //
+    // This field contains the concatenation of two wrapped keys:
+    // <ol>
+    //   <li>An ephemeral AES-256 wrapping key wrapped with the
+    //       [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP with SHA-1,
+    //       MGF1 with SHA-1, and an empty label.
+    //   </li>
+    //   <li>The key to be imported, wrapped with the ephemeral AES-256 key
+    //       using AES-KWP (RFC 5649).
+    //   </li>
+    // </ol>
+    //
+    // This format is the same as the format produced by PKCS#11 mechanism
+    // CKM_RSA_AES_KEY_WRAP.
+    bytes rsa_aes_wrapped_key = 5;
+  }
+}
+
+// Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
+message CreateImportJobRequest {
+  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
+  // [ImportJobs][google.cloud.kms.v1.ImportJob].
+  string parent = 1;
+
+  // Required. It must be unique within a KeyRing and match the regular
+  // expression `[a-zA-Z0-9_-]{1,63}`
+  string import_job_id = 2;
+
+  // Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values.
+  ImportJob import_job = 3;
+}
+
+// Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
+message UpdateCryptoKeyRequest {
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
+  CryptoKey crypto_key = 1;
+
+  // Required list of fields to be updated in this request.
+  google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
+message UpdateCryptoKeyVersionRequest {
+  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.
+  CryptoKeyVersion crypto_key_version = 1;
+
+  // Required list of fields to be updated in this request.
+  google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+message EncryptRequest {
+  // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+  // to use for encryption.
+  //
+  // If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its
+  // [primary version][google.cloud.kms.v1.CryptoKey.primary].
+  string name = 1;
+
+  // Required. The data to encrypt. Must be no larger than 64KiB.
+  //
+  // The maximum size depends on the key version's
+  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For
+  // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger
+  // than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the
+  // plaintext and additional_authenticated_data fields must be no larger than
+  // 8KiB.
+  bytes plaintext = 2;
+
+  // Optional data that, if specified, must also be provided during decryption
+  // through [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
+  //
+  // The maximum size depends on the key version's
+  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For
+  // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD must be no larger than
+  // 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the
+  // plaintext and additional_authenticated_data fields must be no larger than
+  // 8KiB.
+  bytes additional_authenticated_data = 3;
+}
+
+// Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+message DecryptRequest {
+  // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption.
+  // The server will choose the appropriate version.
+  string name = 1;
+
+  // Required. The encrypted data originally returned in
+  // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
+  bytes ciphertext = 2;
+
+  // Optional data that must match the data originally supplied in
+  // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
+  bytes additional_authenticated_data = 3;
+}
+
+// Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+message AsymmetricSignRequest {
+  // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
+  string name = 1;
+
+  // Required. The digest of the data to sign. The digest must be produced with
+  // the same digest algorithm as specified by the key version's
+  // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
+  Digest digest = 3;
+}
+
+// Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+message AsymmetricDecryptRequest {
+  // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+  // decryption.
+  string name = 1;
+
+  // Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public
+  // key using OAEP.
+  bytes ciphertext = 3;
+}
+
+// Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+message DecryptResponse {
+  // The decrypted data originally supplied in [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
+  bytes plaintext = 1;
+}
+
+// Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+message EncryptResponse {
+  // The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in encryption.
+  string name = 1;
+
+  // The encrypted data.
+  bytes ciphertext = 2;
+}
+
+// Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
+message AsymmetricSignResponse {
+  // The created signature.
+  bytes signature = 1;
+}
+
+// Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
+message AsymmetricDecryptResponse {
+  // The decrypted data originally encrypted with the matching public key.
+  bytes plaintext = 1;
+}
+
+// Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
+message UpdateCryptoKeyPrimaryVersionRequest {
+  // The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
+  string name = 1;
+
+  // The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
+  string crypto_key_version_id = 2;
+}
+
+// Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
+message DestroyCryptoKeyVersionRequest {
+  // The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
+  string name = 1;
+}
+
+// Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
+message RestoreCryptoKeyVersionRequest {
+  // The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
+  string name = 1;
+}
+
+// A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
+message Digest {
+  // Required. The message digest.
+  oneof digest {
+    // A message digest produced with the SHA-256 algorithm.
+    bytes sha256 = 1;
+
+    // A message digest produced with the SHA-384 algorithm.
+    bytes sha384 = 2;
+
+    // A message digest produced with the SHA-512 algorithm.
+    bytes sha512 = 3;
+  }
+}
+
+// Cloud KMS metadata for the given [google.cloud.location.Location][google.cloud.location.Location].
+message LocationMetadata {
+  // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
+  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
+  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this location.
+  bool hsm_available = 1;
+}
diff --git a/typescript/test/testdata/keymanagementservice_proto_list.json b/typescript/test/testdata/keymanagementservice_proto_list.json
new file mode 100644
index 000000000..32ef7312b
--- /dev/null
+++ b/typescript/test/testdata/keymanagementservice_proto_list.json
@@ -0,0 +1,4 @@
+[
+  "../../protos/google/kms/v1/resources.proto",
+  "../../protos/google/kms/v1/service.proto"
+]