feat: Checksums in Secret Manager (#335)

Users can now use checksums for data integrity assurance when adding and accessing SecretVersions. PiperOrigin-RevId: 425369494 Source-Link: googleapis/googleapis@70d389c Source-Link: googleapis/googleapis-gen@cf92905 Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiY2Y5MjkwNTY4Mjg0ZDJmMDk5YjlhMDBjYzgyYTJhMTMzYmU2ZGZkYSJ9 See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
googleapis · Feb 1, 2022 · 2d7e291 · 2d7e291
1 parent ed4243c
commit 2d7e291
Show file tree

Hide file tree

Showing 4 changed files with 1,361 additions and 1,234 deletions.
diff --git a/packages/google-cloud-secretmanager/protos/google/cloud/secretmanager/v1/resources.proto b/packages/google-cloud-secretmanager/protos/google/cloud/secretmanager/v1/resources.proto
@@ -16,11 +16,11 @@ syntax = "proto3";
 
 package google.cloud.secretmanager.v1;
 
+import "google/api/annotations.proto";
 import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/timestamp.proto";
-import "google/api/annotations.proto";
 
 option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.SecretManager.V1";
@@ -147,6 +147,11 @@ message SecretVersion {
 
   // Output only. Etag of the currently stored [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
   string etag = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. True if payload checksum specified in [SecretPayload][google.cloud.secretmanager.v1.SecretPayload] object has been
+  // received by [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService] on
+  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion].
+  bool client_specified_payload_checksum = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // A policy that defines the replication and encryption configuration of data.
@@ -313,4 +318,16 @@ message Rotation {
 message SecretPayload {
   // The secret data. Must be no larger than 64KiB.
   bytes data = 1;
+
+  // Optional. If specified, [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService] will verify the integrity of the
+  // received [data][google.cloud.secretmanager.v1.SecretPayload.data] on [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion] calls using
+  // the crc32c checksum and store it to include in future
+  // [SecretManagerService.AccessSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion] responses. If a checksum is
+  // not provided in the [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion] request, the
+  // [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService] will generate and store one for you.
+  //
+  // The CRC32C value is encoded as a Int64 for compatibility, and can be
+  // safely downconverted to uint32 in languages that support this type.
+  // https://cloud.google.com/apis/design/design_patterns#integer_types
+  optional int64 data_crc32c = 2 [(google.api.field_behavior) = OPTIONAL];
 }