// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.ads.datamanager.v1;

import "google/api/field_behavior.proto";

option csharp_namespace = "Google.Ads.DataManager.V1";
option go_package = "google.golang.org/genproto/googleapis/ads/datamanager/v1;datamanager";
option java_multiple_files = true;
option java_outer_classname = "EncryptionInfoProto";
option java_package = "com.google.ads.datamanager.v1";
option php_namespace = "Google\\Ads\\DataManager\\V1";
option ruby_package = "Google::Ads::DataManager::V1";

// Encryption information for the data being ingested.
message EncryptionInfo {
  // The [wrapped key](//cloud.google.com/kms/docs/key-wrapping) used to encrypt
  // the data.
  oneof wrapped_key {
    // Google Cloud Platform wrapped key information.
    GcpWrappedKeyInfo gcp_wrapped_key_info = 1;
  }
}

// Information about the Google Cloud Platform wrapped
// key.
message GcpWrappedKeyInfo {
  // The type of algorithm used to encrypt the data.
  enum KeyType {
    // Unspecified key type. Should never be used.
    KEY_TYPE_UNSPECIFIED = 0;

    // Algorithm XChaCha20-Poly1305
    XCHACHA20_POLY1305 = 1;
  }

  // Required. The type of algorithm used to encrypt the data.
  KeyType key_type = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The [Workload
  // Identity](//cloud.google.com/iam/docs/workload-identity-federation) pool
  // provider required to use KEK.
  string wip_provider = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. Google Cloud Platform [Cloud Key Management Service resource
  // ID](//cloud.google.com/kms/docs/getting-resource-ids).
  string kek_uri = 3 [(google.api.field_behavior) = REQUIRED];

  // Required. The base64 encoded encrypted data encryption key.
  string encrypted_dek = 4 [(google.api.field_behavior) = REQUIRED];
}