BINARYAUTHORIZATION

binaryauthorization.projects.attestors.create

# Accepted values for pkixPublicKey.signatureAlgorithm on an attestor public key.
# The list is permissive: it includes SIGNATURE_ALGORITHM_UNSPECIFIED and both the
# PSS and the PKCS1 (v1.5-style) RSA variants alongside ECDSA. A guardrail that wants
# to pin attestors to a narrower set of algorithms needs its own, shorter list;
# membership below accepts every value.
enum_PkixPublicKeySignatureAlgorithm := [ "SIGNATURE_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_SIGN_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_PSS_4096_SHA512", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "ECDSA_P256_SHA256", "EC_SIGN_P256_SHA256", "ECDSA_P384_SHA384", "EC_SIGN_P384_SHA384", "ECDSA_P521_SHA512", "EC_SIGN_P521_SHA512" ]

# Request shape for binaryauthorization.projects.attestors.create.
# STRING / INTEGER / BOOLEAN appear to be type placeholders for the expected JSON
# type of each field; `enum_*[_]` means "one of the listed values". The rule is a
# shape check only: it does not parse publicKeyPem or the armored PGP block, and it
# does not confirm that a PEM key actually matches its declared signatureAlgorithm
# (presumably validated server-side — confirm).
valid {
    input.Body.description == STRING
    # etag is an opaque concurrency token; the rule only checks it is a string.
    input.Body.etag == STRING
    input.Body.name == STRING
    # The attestor is backed by a Grafeas/Container Analysis note referenced here.
    input.Body.userOwnedGrafeasNote.noteReference == STRING
    # Each public key may carry a PGP block and/or a PKIX (PEM) key; this rule does
    # not require one of the two to be present.
    input.Body.userOwnedGrafeasNote.publicKeys[_].asciiArmoredPgpPublicKey == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].comment == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].id == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.keyId == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.publicKeyPem == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.signatureAlgorithm == enum_PkixPublicKeySignatureAlgorithm[_]
    # Path parameter (the parent project) and query parameter (the new attestor id).
    input.ReqMap.parent == STRING
    input.Qs.attestorId == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.attestors.delete

# Request shape for binaryauthorization.projects.attestors.delete.
# Only the attestor resource name (path parameter) and the region are checked.
# Unlike platforms.policies.delete below, there is no etag precondition field here,
# so the rule cannot express "delete only the version you last read".
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.attestors.get

# Request shape for binaryauthorization.projects.attestors.get.
# Read-only lookup by attestor resource name (path parameter).
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.attestors.getIamPolicy

# Request shape for binaryauthorization.projects.attestors.getIamPolicy.
# requestedPolicyVersion is type-checked only; no range is enforced here. The
# matching setIamPolicy accepts conditional bindings, which presumably require the
# newer IAM policy version — confirm against the IAM documentation.
valid {
    input.ReqMap.resource == STRING
    input.Qs.options.requestedPolicyVersion == INTEGER
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.attestors.list

# Request shape for binaryauthorization.projects.attestors.list.
# Paginated listing under a parent project; pageSize is type-checked only (no
# upper bound expressed here) and pageToken is an opaque continuation string.
valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.attestors.setIamPolicy

# Request shape for binaryauthorization.projects.attestors.setIamPolicy.
# This replaces the IAM policy on an attestor. The rule validates shape only:
# members[_] and role are any string, so nothing here prevents broad principals
# or overly powerful roles from being bound — a guardrail for that must be a
# separate check on members[_] / role.
valid {
    # Optional IAM condition on a binding; expression is presumably a CEL
    # expression, but the rule does not parse it.
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    # etag is the read-modify-write concurrency token; version is type-checked only.
    input.Body.policy.etag == STRING
    input.Body.policy.version == INTEGER
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.attestors.testIamPermissions

# Request shape for binaryauthorization.projects.attestors.testIamPermissions.
# permissions[_] is a list of permission names to probe on the attestor resource;
# the rule does not constrain which permission strings may be asked about.
valid {
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.attestors.update

# Accepted values for pkixPublicKey.signatureAlgorithm (same list as for
# attestors.create; repeated here — assumes each section is its own Rego package).
# Includes SIGNATURE_ALGORITHM_UNSPECIFIED and the PKCS1 RSA variants, so this
# membership check alone does not restrict attestors to PSS/ECDSA.
enum_PkixPublicKeySignatureAlgorithm := [ "SIGNATURE_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_SIGN_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_PSS_4096_SHA512", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "ECDSA_P256_SHA256", "EC_SIGN_P256_SHA256", "ECDSA_P384_SHA384", "EC_SIGN_P384_SHA384", "ECDSA_P521_SHA512", "EC_SIGN_P521_SHA512" ]

# Request shape for binaryauthorization.projects.attestors.update.
# Same body as attestors.create, but the target is identified by the resource
# name in the path (ReqMap.name) and there is no attestorId query parameter.
# Updating publicKeys changes which signatures the attestor will trust; the rule
# only checks shape, not key validity.
valid {
    input.Body.description == STRING
    # etag lets the caller update only the version it last read.
    input.Body.etag == STRING
    input.Body.name == STRING
    input.Body.userOwnedGrafeasNote.noteReference == STRING
    # Each public key may be a PGP block and/or a PKIX (PEM) key with an algorithm.
    input.Body.userOwnedGrafeasNote.publicKeys[_].asciiArmoredPgpPublicKey == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].comment == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].id == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.keyId == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.publicKeyPem == STRING
    input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.signatureAlgorithm == enum_PkixPublicKeySignatureAlgorithm[_]
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.attestors.validateAttestationOccurrence

# Request shape for binaryauthorization.projects.attestors.validateAttestationOccurrence.
# The body carries an attestation (a serialized payload plus either raw signatures
# keyed by publicKeyId, or compact JWTs) and the note/resource URI it refers to.
# This rule checks field types only; the cryptographic verification of the
# signatures against the attestor's keys is not expressed here (presumably done by
# the service — confirm).
valid {
    input.Body.attestation.jwts[_].compactJwt == STRING
    input.Body.attestation.serializedPayload == STRING
    # publicKeyId should correspond to one of the attestor's public key ids; the
    # rule does not cross-check it.
    input.Body.attestation.signatures[_].publicKeyId == STRING
    input.Body.attestation.signatures[_].signature == STRING
    input.Body.occurrenceNote == STRING
    input.Body.occurrenceResourceUri == STRING
    # Path parameter: the attestor whose keys are used for validation.
    input.ReqMap.attestor == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.getPolicy

# Request shape for binaryauthorization.projects.getPolicy.
# Read-only fetch of the project-level admission policy by resource name.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.platforms.gke.policies.evaluate

# Request shape for binaryauthorization.projects.platforms.gke.policies.evaluate.
# `resource.STRING == ANY` appears to mean "a map with arbitrary string keys and
# values of any type" — presumably the Kubernetes object to be evaluated against the
# named platform policy (confirm). Nothing about the object's structure is checked.
valid {
    input.Body.resource.STRING == ANY
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.platforms.policies.create

# Enumerations used by a GKE platform policy.
# Signature algorithms accepted for simpleSigningAttestationCheck PKIX keys;
# includes SIGNATURE_ALGORITHM_UNSPECIFIED and PKCS1 RSA variants.
enum_PkixPublicKeySignatureAlgorithm := [ "SIGNATURE_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_SIGN_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_PSS_4096_SHA512", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "ECDSA_P256_SHA256", "EC_SIGN_P256_SHA256", "ECDSA_P384_SHA384", "EC_SIGN_P384_SHA384", "ECDSA_P521_SHA512", "EC_SIGN_P521_SHA512" ]
# Builders an SLSA rule may trust; only Cloud Build is named besides UNSPECIFIED.
enum_VerificationRuleTrustedBuilder := [ "BUILDER_UNSPECIFIED", "GOOGLE_CLOUD_BUILD" ]
# Severity thresholds for the vulnerability check. Both lists are identical and
# span from BLOCK_ALL to ALLOW_ALL; membership alone does not prevent a policy from
# choosing ALLOW_ALL, which effectively disables that part of the check.
enum_VulnerabilityCheckMaximumFixableSeverity := [ "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED", "BLOCK_ALL", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "ALLOW_ALL" ]
enum_VulnerabilityCheckMaximumUnfixableSeverity := [ "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED", "BLOCK_ALL", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "ALLOW_ALL" ]

# Request shape for binaryauthorization.projects.platforms.policies.create.
# A GKE platform policy is a list of checkSets, each scoped to a namespace and/or
# service account and containing checks (signature, attestation, SLSA, vulnerability,
# freshness, trusted directory, or unconditional deny). This rule validates types and
# enum membership only; it does not reason about whether the resulting policy is
# restrictive enough.
valid {
    input.Body.description == STRING
    input.Body.etag == STRING
    # A check that fails unconditionally when reached.
    input.Body.gkePolicy.checkSets[_].checks[_].alwaysDeny == BOOLEAN
    input.Body.gkePolicy.checkSets[_].checks[_].displayName == STRING
    # allowPattern exempts matching images. It exists at three levels (check, checkSet,
    # whole policy — see the two later allowPattern lines); patterns are unvalidated strings.
    input.Body.gkePolicy.checkSets[_].checks[_].imageAllowlist.allowPattern[_] == STRING
    # Type-checked only; no lower bound on the allowed image age is expressed here.
    input.Body.gkePolicy.checkSets[_].checks[_].imageFreshnessCheck.maxUploadAgeDays == INTEGER
    input.Body.gkePolicy.checkSets[_].checks[_].sigstoreSignatureCheck.sigstoreAuthorities[_].displayName == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].sigstoreSignatureCheck.sigstoreAuthorities[_].publicKeySet.publicKeys[_].publicKeyPem == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].displayName == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].keyId == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].publicKeyPem == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].signatureAlgorithm == enum_PkixPublicKeySignatureAlgorithm[_]
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.containerAnalysisAttestationProjects[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].attestationSource.containerAnalysisAttestationProjects[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].configBasedBuildRequired == BOOLEAN
    input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].trustedBuilder == enum_VerificationRuleTrustedBuilder[_]
    input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].trustedSourceRepoPatterns[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].trustedDirectoryCheck.trustedDirPatterns[_] == STRING
    # CVE allow/block lists are free-form strings; the identifier format is not checked.
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.allowedCves[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.blockedCves[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.containerAnalysisVulnerabilityProjects[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.maximumFixableSeverity == enum_VulnerabilityCheckMaximumFixableSeverity[_]
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.maximumUnfixableSeverity == enum_VulnerabilityCheckMaximumUnfixableSeverity[_]
    input.Body.gkePolicy.checkSets[_].displayName == STRING
    input.Body.gkePolicy.checkSets[_].imageAllowlist.allowPattern[_] == STRING
    # checkSet scope: which namespace / service account the set applies to.
    input.Body.gkePolicy.checkSets[_].scope.kubernetesNamespace == STRING
    input.Body.gkePolicy.checkSets[_].scope.kubernetesServiceAccount == STRING
    input.Body.gkePolicy.imageAllowlist.allowPattern[_] == STRING
    # Path parameter (parent project) and query parameter (new policy id).
    input.ReqMap.parent == STRING
    input.Qs.policyId == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.platforms.policies.delete

# Request shape for binaryauthorization.projects.platforms.policies.delete.
# Besides the resource name, an etag query parameter is accepted so the caller can
# delete only the policy version it last read (type-checked only, not required by
# this rule).
valid {
    input.ReqMap.name == STRING
    input.Qs.etag == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.platforms.policies.get

# Request shape for binaryauthorization.projects.platforms.policies.get.
# Read-only fetch of a platform policy by resource name.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.platforms.policies.list

# Request shape for binaryauthorization.projects.platforms.policies.list.
# Paginated listing under a parent; pageSize is type-checked only, pageToken is an
# opaque continuation string.
valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.platforms.policies.replacePlatformPolicy

# Enumerations for a replaced GKE platform policy (identical to those used by
# platforms.policies.create; repeated here — assumes each section is its own package).
enum_PkixPublicKeySignatureAlgorithm := [ "SIGNATURE_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_SIGN_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_PSS_4096_SHA512", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "ECDSA_P256_SHA256", "EC_SIGN_P256_SHA256", "ECDSA_P384_SHA384", "EC_SIGN_P384_SHA384", "ECDSA_P521_SHA512", "EC_SIGN_P521_SHA512" ]
enum_VerificationRuleTrustedBuilder := [ "BUILDER_UNSPECIFIED", "GOOGLE_CLOUD_BUILD" ]
# Both severity lists run from BLOCK_ALL to ALLOW_ALL; ALLOW_ALL is accepted here
# and effectively turns off that half of the vulnerability check.
enum_VulnerabilityCheckMaximumFixableSeverity := [ "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED", "BLOCK_ALL", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "ALLOW_ALL" ]
enum_VulnerabilityCheckMaximumUnfixableSeverity := [ "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED", "BLOCK_ALL", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "ALLOW_ALL" ]

# Request shape for binaryauthorization.projects.platforms.policies.replacePlatformPolicy.
# Same body as platforms.policies.create, but the target is the resource name in the
# path and there is no policyId query parameter. A replace swaps the whole policy, so
# a weaker replacement (more allowPatterns, ALLOW_ALL severities, alwaysDeny removed)
# passes this shape check just as a stricter one does; etag is the only concurrency
# guard visible here.
valid {
    input.Body.description == STRING
    input.Body.etag == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].alwaysDeny == BOOLEAN
    input.Body.gkePolicy.checkSets[_].checks[_].displayName == STRING
    # allowPattern exempts matching images; it appears at check, checkSet and policy level.
    input.Body.gkePolicy.checkSets[_].checks[_].imageAllowlist.allowPattern[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].imageFreshnessCheck.maxUploadAgeDays == INTEGER
    input.Body.gkePolicy.checkSets[_].checks[_].sigstoreSignatureCheck.sigstoreAuthorities[_].displayName == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].sigstoreSignatureCheck.sigstoreAuthorities[_].publicKeySet.publicKeys[_].publicKeyPem == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].displayName == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].keyId == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].publicKeyPem == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].signatureAlgorithm == enum_PkixPublicKeySignatureAlgorithm[_]
    input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.containerAnalysisAttestationProjects[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].attestationSource.containerAnalysisAttestationProjects[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].configBasedBuildRequired == BOOLEAN
    input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].trustedBuilder == enum_VerificationRuleTrustedBuilder[_]
    input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].trustedSourceRepoPatterns[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].trustedDirectoryCheck.trustedDirPatterns[_] == STRING
    # CVE allow/block lists are unvalidated strings.
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.allowedCves[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.blockedCves[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.containerAnalysisVulnerabilityProjects[_] == STRING
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.maximumFixableSeverity == enum_VulnerabilityCheckMaximumFixableSeverity[_]
    input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.maximumUnfixableSeverity == enum_VulnerabilityCheckMaximumUnfixableSeverity[_]
    input.Body.gkePolicy.checkSets[_].displayName == STRING
    input.Body.gkePolicy.checkSets[_].imageAllowlist.allowPattern[_] == STRING
    input.Body.gkePolicy.checkSets[_].scope.kubernetesNamespace == STRING
    input.Body.gkePolicy.checkSets[_].scope.kubernetesServiceAccount == STRING
    input.Body.gkePolicy.imageAllowlist.allowPattern[_] == STRING
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.policy.getIamPolicy

# Request shape for binaryauthorization.projects.policy.getIamPolicy.
# Same fields as attestors.getIamPolicy, applied to the project admission policy
# resource; requestedPolicyVersion is type-checked only.
valid {
    input.ReqMap.resource == STRING
    input.Qs.options.requestedPolicyVersion == INTEGER
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.policy.setIamPolicy

# Request shape for binaryauthorization.projects.policy.setIamPolicy.
# Replaces the IAM policy on the project admission policy — i.e. who may read or
# change the admission rules themselves. Same shape as attestors.setIamPolicy;
# members[_] and role are unconstrained strings, so restricting principals or roles
# needs a separate check.
valid {
    # Optional IAM condition per binding; expression is not parsed here.
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    input.Body.policy.etag == STRING
    input.Body.policy.version == INTEGER
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.policy.testIamPermissions

# Request shape for binaryauthorization.projects.policy.testIamPermissions.
# Probes a list of permission names against the project admission policy resource.
valid {
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.projects.updatePolicy

# Enumerations for the project-level admission policy.
# enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG actually blocks; DRYRUN_AUDIT_LOG_ONLY
# only logs. Both are accepted by the rule below.
enum_AdmissionRuleEnforcementMode := [ "ENFORCEMENT_MODE_UNSPECIFIED", "ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY" ]
# evaluationMode: ALWAYS_ALLOW disables attestation for the rule's scope;
# REQUIRE_ATTESTATION is the one that consults requireAttestationsBy.
enum_AdmissionRuleEvaluationMode := [ "EVALUATION_MODE_UNSPECIFIED", "ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY" ]
# globalPolicyEvaluationMode: DISABLE is accepted here as well as ENABLE.
enum_PolicyGlobalPolicyEvaluationMode := [ "GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED", "ENABLE", "DISABLE" ]

# Request shape for binaryauthorization.projects.updatePolicy.
# The body is the full admission policy: a default rule plus rule maps keyed by
# cluster, Istio service identity, Kubernetes namespace and Kubernetes service account
# (`.STRING.` in a path appears to stand for an arbitrary map key). The rule validates
# types and enum membership only. It does not reject permissive combinations such as
# ALWAYS_ALLOW, DRYRUN_AUDIT_LOG_ONLY or globalPolicyEvaluationMode DISABLE, nor
# broad admissionWhitelistPatterns — a guardrail for those needs dedicated checks.
valid {
    # Images matching a whitelist pattern bypass admission rules; patterns are
    # unvalidated strings here.
    input.Body.admissionWhitelistPatterns[_].namePattern == STRING
    # Per-cluster rules, keyed by cluster identifier (key format not checked).
    input.Body.clusterAdmissionRules.STRING.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
    input.Body.clusterAdmissionRules.STRING.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
    # requireAttestationsBy[_] is presumably a list of attestor resource names — confirm.
    input.Body.clusterAdmissionRules.STRING.requireAttestationsBy[_] == STRING
    # Default rule applied when no scoped rule matches.
    input.Body.defaultAdmissionRule.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
    input.Body.defaultAdmissionRule.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
    input.Body.defaultAdmissionRule.requireAttestationsBy[_] == STRING
    input.Body.description == STRING
    # etag is the read-modify-write concurrency token for the policy.
    input.Body.etag == STRING
    input.Body.globalPolicyEvaluationMode == enum_PolicyGlobalPolicyEvaluationMode[_]
    # Rules keyed by Istio service identity.
    input.Body.istioServiceIdentityAdmissionRules.STRING.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
    input.Body.istioServiceIdentityAdmissionRules.STRING.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
    input.Body.istioServiceIdentityAdmissionRules.STRING.requireAttestationsBy[_] == STRING
    # Rules keyed by Kubernetes namespace.
    input.Body.kubernetesNamespaceAdmissionRules.STRING.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
    input.Body.kubernetesNamespaceAdmissionRules.STRING.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
    input.Body.kubernetesNamespaceAdmissionRules.STRING.requireAttestationsBy[_] == STRING
    # Rules keyed by Kubernetes service account.
    input.Body.kubernetesServiceAccountAdmissionRules.STRING.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
    input.Body.kubernetesServiceAccountAdmissionRules.STRING.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
    input.Body.kubernetesServiceAccountAdmissionRules.STRING.requireAttestationsBy[_] == STRING
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

binaryauthorization.systempolicy.getPolicy

# Request shape for binaryauthorization.systempolicy.getPolicy.
# Read-only fetch of the system (Google-managed) policy by resource name; no
# corresponding write method appears in this listing.
valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}