google-apis-policysimulator_v1beta 0.2.0 → 0.4.0

@@ -63,7 +63,7 @@ module Google
63
63
  attr_accessor :action_type
64
64
 
65
65
  # Org policy condition/expression. For example: `resource.instanceName.matches("[
66
- # production|test]_.*_(\d)+")'` or, `resource.management.auto_upgrade == true`
66
+ # production|test]_.*_(\d)+")` or, `resource.management.auto_upgrade == true`
67
67
  # The max length of the condition is 1000 characters.
68
68
  # Corresponds to the JSON property `condition`
69
69
  # @return [String]
@@ -144,11 +144,11 @@ module Google
144
144
  attr_accessor :dry_run_spec
145
145
 
146
146
  # Immutable. The resource name of the policy. Must be one of the following forms,
147
- # where constraint_name is the name of the constraint which this policy
147
+ # where `constraint_name` is the name of the constraint which this policy
148
148
  # configures: * `projects/`project_number`/policies/`constraint_name`` * `
149
149
  # folders/`folder_id`/policies/`constraint_name`` * `organizations/`
150
- # organization_id`/policies/`constraint_name`` For example, "projects/123/
151
- # policies/compute.disableSerialPortAccess". Note: `projects/`project_id`/
150
+ # organization_id`/policies/`constraint_name`` For example, `projects/123/
151
+ # policies/compute.disableSerialPortAccess`. Note: `projects/`project_id`/
152
152
  # policies/`constraint_name`` is also an acceptable name for API requests, but
153
153
  # responses will return the name using the equivalent project number.
154
154
  # Corresponds to the JSON property `name`
@@ -288,10 +288,11 @@ module Google
288
288
  # prefix is used to denote resource subtree values. The `is:` prefix is used to
289
289
  # denote specific values, and is required only if the value contains a ":".
290
290
  # Values prefixed with "is:" are treated the same as values with no prefix.
291
- # Ancestry subtrees must be in one of the following formats: - "projects/", e.g.
292
- # "projects/tokyo-rain-123" - "folders/", e.g. "folders/1234" - "organizations/",
293
- # e.g. "organizations/1234" The `supports_under` field of the associated `
294
- # Constraint` defines whether ancestry prefixes can be used.
291
+ # Ancestry subtrees must be in one of the following formats: - `projects/` (for
292
+ # example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`)
293
+ # - `organizations/` (for example, `organizations/1234`) The `supports_under`
294
+ # field of the associated `Constraint` defines whether ancestry prefixes can be
295
+ # used.
295
296
  # Corresponds to the JSON property `values`
296
297
  # @return [Google::Apis::PolicysimulatorV1beta::GoogleCloudOrgpolicyV2PolicySpecPolicyRuleStringValues]
297
298
  attr_accessor :values
@@ -317,10 +318,11 @@ module Google
317
318
  # prefix is used to denote resource subtree values. The `is:` prefix is used to
318
319
  # denote specific values, and is required only if the value contains a ":".
319
320
  # Values prefixed with "is:" are treated the same as values with no prefix.
320
- # Ancestry subtrees must be in one of the following formats: - "projects/", e.g.
321
- # "projects/tokyo-rain-123" - "folders/", e.g. "folders/1234" - "organizations/",
322
- # e.g. "organizations/1234" The `supports_under` field of the associated `
323
- # Constraint` defines whether ancestry prefixes can be used.
321
+ # Ancestry subtrees must be in one of the following formats: - `projects/` (for
322
+ # example, `projects/tokyo-rain-123`) - `folders/` (for example, `folders/1234`)
323
+ # - `organizations/` (for example, `organizations/1234`) The `supports_under`
324
+ # field of the associated `Constraint` defines whether ancestry prefixes can be
325
+ # used.
324
326
  class GoogleCloudOrgpolicyV2PolicySpecPolicyRuleStringValues
325
327
  include Google::Apis::Core::Hashable
326
328
 
@@ -742,6 +744,320 @@ module Google
742
744
  end
743
745
  end
744
746
 
747
+ # A summary and comparison of the principal's access under the current (baseline)
748
+ # policies and the proposed (simulated) policies for a single access tuple.
749
+ class GoogleCloudPolicysimulatorV1betaAccessStateDiff
750
+ include Google::Apis::Core::Hashable
751
+
752
+ # How the principal's access, specified in the AccessState field, changed
753
+ # between the current (baseline) policies and proposed (simulated) policies.
754
+ # Corresponds to the JSON property `accessChange`
755
+ # @return [String]
756
+ attr_accessor :access_change
757
+
758
+ # Details about how a set of policies, listed in ExplainedPolicy, resulted in a
759
+ # certain AccessState when replaying an access tuple.
760
+ # Corresponds to the JSON property `baseline`
761
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaExplainedAccess]
762
+ attr_accessor :baseline
763
+
764
+ # Details about how a set of policies, listed in ExplainedPolicy, resulted in a
765
+ # certain AccessState when replaying an access tuple.
766
+ # Corresponds to the JSON property `simulated`
767
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaExplainedAccess]
768
+ attr_accessor :simulated
769
+
770
+ def initialize(**args)
771
+ update!(**args)
772
+ end
773
+
774
+ # Update properties of this object
775
+ def update!(**args)
776
+ @access_change = args[:access_change] if args.key?(:access_change)
777
+ @baseline = args[:baseline] if args.key?(:baseline)
778
+ @simulated = args[:simulated] if args.key?(:simulated)
779
+ end
780
+ end
781
+
782
+ # Information about the principal, resource, and permission to check.
783
+ class GoogleCloudPolicysimulatorV1betaAccessTuple
784
+ include Google::Apis::Core::Hashable
785
+
786
+ # Required. The full resource name that identifies the resource. For example, `//
787
+ # compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-
788
+ # instance`. For examples of full resource names for Google Cloud services, see
789
+ # https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
790
+ # Corresponds to the JSON property `fullResourceName`
791
+ # @return [String]
792
+ attr_accessor :full_resource_name
793
+
794
+ # Required. The IAM permission to check for the specified principal and resource.
795
+ # For a complete list of IAM permissions, see https://cloud.google.com/iam/help/
796
+ # permissions/reference. For a complete list of predefined IAM roles and the
797
+ # permissions in each role, see https://cloud.google.com/iam/help/roles/
798
+ # reference.
799
+ # Corresponds to the JSON property `permission`
800
+ # @return [String]
801
+ attr_accessor :permission
802
+
803
+ # Required. The principal whose access you want to check, in the form of the
804
+ # email address that represents that principal. For example, `alice@example.com`
805
+ # or `my-service-account@my-project.iam.gserviceaccount.com`. The principal must
806
+ # be a Google Account or a service account. Other types of principals are not
807
+ # supported.
808
+ # Corresponds to the JSON property `principal`
809
+ # @return [String]
810
+ attr_accessor :principal
811
+
812
+ def initialize(**args)
813
+ update!(**args)
814
+ end
815
+
816
+ # Update properties of this object
817
+ def update!(**args)
818
+ @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
819
+ @permission = args[:permission] if args.key?(:permission)
820
+ @principal = args[:principal] if args.key?(:principal)
821
+ end
822
+ end
823
+
824
+ # Details about how a binding in a policy affects a principal's ability to use a
825
+ # permission.
826
+ class GoogleCloudPolicysimulatorV1betaBindingExplanation
827
+ include Google::Apis::Core::Hashable
828
+
829
+ # Required. Indicates whether _this binding_ provides the specified permission
830
+ # to the specified principal for the specified resource. This field does _not_
831
+ # indicate whether the principal actually has the permission for the resource.
832
+ # There might be another binding that overrides this binding. To determine
833
+ # whether the principal actually has the permission, use the `access` field in
834
+ # the TroubleshootIamPolicyResponse.
835
+ # Corresponds to the JSON property `access`
836
+ # @return [String]
837
+ attr_accessor :access
838
+
839
+ # Represents a textual expression in the Common Expression Language (CEL) syntax.
840
+ # CEL is a C-like expression language. The syntax and semantics of CEL are
841
+ # documented at https://github.com/google/cel-spec. Example (Comparison): title:
842
+ # "Summary size limit" description: "Determines if a summary is less than 100
843
+ # chars" expression: "document.summary.size() < 100" Example (Equality): title: "
844
+ # Requestor is owner" description: "Determines if requestor is the document
845
+ # owner" expression: "document.owner == request.auth.claims.email" Example (
846
+ # Logic): title: "Public documents" description: "Determine whether the document
847
+ # should be publicly visible" expression: "document.type != 'private' &&
848
+ # document.type != 'internal'" Example (Data Manipulation): title: "Notification
849
+ # string" description: "Create a notification string with a timestamp."
850
+ # expression: "'New message received at ' + string(document.create_time)" The
851
+ # exact variables and functions that may be referenced within an expression are
852
+ # determined by the service that evaluates it. See the service documentation for
853
+ # additional information.
854
+ # Corresponds to the JSON property `condition`
855
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleTypeExpr]
856
+ attr_accessor :condition
857
+
858
+ # Indicates whether each principal in the binding includes the principal
859
+ # specified in the request, either directly or indirectly. Each key identifies a
860
+ # principal in the binding, and each value indicates whether the principal in
861
+ # the binding includes the principal in the request. For example, suppose that a
862
+ # binding includes the following principals: * `user:alice@example.com` * `group:
863
+ # product-eng@example.com` The principal in the replayed access tuple is `user:
864
+ # bob@example.com`. This user is a principal of the group `group:product-eng@
865
+ # example.com`. For the first principal in the binding, the key is `user:alice@
866
+ # example.com`, and the `membership` field in the value is set to `
867
+ # MEMBERSHIP_NOT_INCLUDED`. For the second principal in the binding, the key is `
868
+ # group:product-eng@example.com`, and the `membership` field in the value is set
869
+ # to `MEMBERSHIP_INCLUDED`.
870
+ # Corresponds to the JSON property `memberships`
871
+ # @return [Hash<String,Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaBindingExplanationAnnotatedMembership>]
872
+ attr_accessor :memberships
873
+
874
+ # The relevance of this binding to the overall determination for the entire
875
+ # policy.
876
+ # Corresponds to the JSON property `relevance`
877
+ # @return [String]
878
+ attr_accessor :relevance
879
+
880
+ # The role that this binding grants. For example, `roles/compute.serviceAgent`.
881
+ # For a complete list of predefined IAM roles, as well as the permissions in
882
+ # each role, see https://cloud.google.com/iam/help/roles/reference.
883
+ # Corresponds to the JSON property `role`
884
+ # @return [String]
885
+ attr_accessor :role
886
+
887
+ # Indicates whether the role granted by this binding contains the specified
888
+ # permission.
889
+ # Corresponds to the JSON property `rolePermission`
890
+ # @return [String]
891
+ attr_accessor :role_permission
892
+
893
+ # The relevance of the permission's existence, or nonexistence, in the role to
894
+ # the overall determination for the entire policy.
895
+ # Corresponds to the JSON property `rolePermissionRelevance`
896
+ # @return [String]
897
+ attr_accessor :role_permission_relevance
898
+
899
+ def initialize(**args)
900
+ update!(**args)
901
+ end
902
+
903
+ # Update properties of this object
904
+ def update!(**args)
905
+ @access = args[:access] if args.key?(:access)
906
+ @condition = args[:condition] if args.key?(:condition)
907
+ @memberships = args[:memberships] if args.key?(:memberships)
908
+ @relevance = args[:relevance] if args.key?(:relevance)
909
+ @role = args[:role] if args.key?(:role)
910
+ @role_permission = args[:role_permission] if args.key?(:role_permission)
911
+ @role_permission_relevance = args[:role_permission_relevance] if args.key?(:role_permission_relevance)
912
+ end
913
+ end
914
+
915
+ # Details about whether the binding includes the principal.
916
+ class GoogleCloudPolicysimulatorV1betaBindingExplanationAnnotatedMembership
917
+ include Google::Apis::Core::Hashable
918
+
919
+ # Indicates whether the binding includes the principal.
920
+ # Corresponds to the JSON property `membership`
921
+ # @return [String]
922
+ attr_accessor :membership
923
+
924
+ # The relevance of the principal's status to the overall determination for the
925
+ # binding.
926
+ # Corresponds to the JSON property `relevance`
927
+ # @return [String]
928
+ attr_accessor :relevance
929
+
930
+ def initialize(**args)
931
+ update!(**args)
932
+ end
933
+
934
+ # Update properties of this object
935
+ def update!(**args)
936
+ @membership = args[:membership] if args.key?(:membership)
937
+ @relevance = args[:relevance] if args.key?(:relevance)
938
+ end
939
+ end
940
+
941
+ # Details about how a set of policies, listed in ExplainedPolicy, resulted in a
942
+ # certain AccessState when replaying an access tuple.
943
+ class GoogleCloudPolicysimulatorV1betaExplainedAccess
944
+ include Google::Apis::Core::Hashable
945
+
946
+ # Whether the principal in the access tuple has permission to access the
947
+ # resource in the access tuple under the given policies.
948
+ # Corresponds to the JSON property `accessState`
949
+ # @return [String]
950
+ attr_accessor :access_state
951
+
952
+ # If the AccessState is `UNKNOWN`, this field contains a list of errors
953
+ # explaining why the result is `UNKNOWN`. If the `AccessState` is `GRANTED` or `
954
+ # NOT_GRANTED`, this field is omitted.
955
+ # Corresponds to the JSON property `errors`
956
+ # @return [Array<Google::Apis::PolicysimulatorV1beta::GoogleRpcStatus>]
957
+ attr_accessor :errors
958
+
959
+ # If the AccessState is `UNKNOWN`, this field contains the policies that led to
960
+ # that result. If the `AccessState` is `GRANTED` or `NOT_GRANTED`, this field is
961
+ # omitted.
962
+ # Corresponds to the JSON property `policies`
963
+ # @return [Array<Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaExplainedPolicy>]
964
+ attr_accessor :policies
965
+
966
+ def initialize(**args)
967
+ update!(**args)
968
+ end
969
+
970
+ # Update properties of this object
971
+ def update!(**args)
972
+ @access_state = args[:access_state] if args.key?(:access_state)
973
+ @errors = args[:errors] if args.key?(:errors)
974
+ @policies = args[:policies] if args.key?(:policies)
975
+ end
976
+ end
977
+
978
+ # Details about how a specific IAM Policy contributed to the access check.
979
+ class GoogleCloudPolicysimulatorV1betaExplainedPolicy
980
+ include Google::Apis::Core::Hashable
981
+
982
+ # Indicates whether _this policy_ provides the specified permission to the
983
+ # specified principal for the specified resource. This field does _not_ indicate
984
+ # whether the principal actually has the permission for the resource. There
985
+ # might be another policy that overrides this policy. To determine whether the
986
+ # principal actually has the permission, use the `access` field in the
987
+ # TroubleshootIamPolicyResponse.
988
+ # Corresponds to the JSON property `access`
989
+ # @return [String]
990
+ attr_accessor :access
991
+
992
+ # Details about how each binding in the policy affects the principal's ability,
993
+ # or inability, to use the permission for the resource. If the user who created
994
+ # the Replay does not have access to the policy, this field is omitted.
995
+ # Corresponds to the JSON property `bindingExplanations`
996
+ # @return [Array<Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaBindingExplanation>]
997
+ attr_accessor :binding_explanations
998
+
999
+ # The full resource name that identifies the resource. For example, `//compute.
1000
+ # googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
1001
+ # If the user who created the Replay does not have access to the policy, this
1002
+ # field is omitted. For examples of full resource names for Google Cloud
1003
+ # services, see https://cloud.google.com/iam/help/troubleshooter/full-resource-
1004
+ # names.
1005
+ # Corresponds to the JSON property `fullResourceName`
1006
+ # @return [String]
1007
+ attr_accessor :full_resource_name
1008
+
1009
+ # An Identity and Access Management (IAM) policy, which specifies access
1010
+ # controls for Google Cloud resources. A `Policy` is a collection of `bindings`.
1011
+ # A `binding` binds one or more `members`, or principals, to a single `role`.
1012
+ # Principals can be user accounts, service accounts, Google groups, and domains (
1013
+ # such as G Suite). A `role` is a named list of permissions; each `role` can be
1014
+ # an IAM predefined role or a user-created custom role. For some types of Google
1015
+ # Cloud resources, a `binding` can also specify a `condition`, which is a
1016
+ # logical expression that allows access to a resource only if the expression
1017
+ # evaluates to `true`. A condition can add constraints based on attributes of
1018
+ # the request, the resource, or both. To learn which resources support
1019
+ # conditions in their IAM policies, see the [IAM documentation](https://cloud.
1020
+ # google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
1021
+ # bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
1022
+ # "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
1023
+ # serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
1024
+ # roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
1025
+ # ], "condition": ` "title": "expirable access", "description": "Does not grant
1026
+ # access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
1027
+ # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
1028
+ # example:** ``` bindings: - members: - user:mike@example.com - group:admins@
1029
+ # example.com - domain:google.com - serviceAccount:my-project-id@appspot.
1030
+ # gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
1031
+ # user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
1032
+ # title: expirable access description: Does not grant access after Sep 2020
1033
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
1034
+ # BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
1035
+ # [IAM documentation](https://cloud.google.com/iam/docs/).
1036
+ # Corresponds to the JSON property `policy`
1037
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleIamV1Policy]
1038
+ attr_accessor :policy
1039
+
1040
+ # The relevance of this policy to the overall determination in the
1041
+ # TroubleshootIamPolicyResponse. If the user who created the Replay does not
1042
+ # have access to the policy, this field is omitted.
1043
+ # Corresponds to the JSON property `relevance`
1044
+ # @return [String]
1045
+ attr_accessor :relevance
1046
+
1047
+ def initialize(**args)
1048
+ update!(**args)
1049
+ end
1050
+
1051
+ # Update properties of this object
1052
+ def update!(**args)
1053
+ @access = args[:access] if args.key?(:access)
1054
+ @binding_explanations = args[:binding_explanations] if args.key?(:binding_explanations)
1055
+ @full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
1056
+ @policy = args[:policy] if args.key?(:policy)
1057
+ @relevance = args[:relevance] if args.key?(:relevance)
1058
+ end
1059
+ end
1060
+
745
1061
  # GenerateOrgPolicyViolationsPreviewOperationMetadata is metadata about an
746
1062
  # OrgPolicyViolationsPreview generations operation.
747
1063
  class GoogleCloudPolicysimulatorV1betaGenerateOrgPolicyViolationsPreviewOperationMetadata
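Review bot: The `access` comments on `GoogleCloudPolicysimulatorV1betaBindingExplanation` and `GoogleCloudPolicysimulatorV1betaExplainedPolicy` send the reader to "the `access` field in the TroubleshootIamPolicyResponse", a type that none of the added classes define; the wording looks carried over from another API's description. Within this hunk the overall result for a replayed tuple is `access_state` on `GoogleCloudPolicysimulatorV1betaExplainedAccess`, so the sentence should point there, e.g. `# To determine whether the principal actually has the permission, use access_state on the enclosing ExplainedAccess.` The `relevance` comment on `ExplainedPolicy` has the same dangling reference. This matters because a per-binding or per-policy `access` value is easy to misread as the effective decision when reviewing a proposed IAM change. The file appears to be generated, so the wording fix probably belongs in the upstream API description rather than in this gem.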
@@ -848,6 +1164,58 @@ module Google
848
1164
  end
849
1165
  end
850
1166
 
1167
+ # Response message for Simulator.ListReplayResults.
1168
+ class GoogleCloudPolicysimulatorV1betaListReplayResultsResponse
1169
+ include Google::Apis::Core::Hashable
1170
+
1171
+ # A token that you can use to retrieve the next page of ReplayResult objects. If
1172
+ # this field is omitted, there are no subsequent pages.
1173
+ # Corresponds to the JSON property `nextPageToken`
1174
+ # @return [String]
1175
+ attr_accessor :next_page_token
1176
+
1177
+ # The results of running a Replay.
1178
+ # Corresponds to the JSON property `replayResults`
1179
+ # @return [Array<Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaReplayResult>]
1180
+ attr_accessor :replay_results
1181
+
1182
+ def initialize(**args)
1183
+ update!(**args)
1184
+ end
1185
+
1186
+ # Update properties of this object
1187
+ def update!(**args)
1188
+ @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
1189
+ @replay_results = args[:replay_results] if args.key?(:replay_results)
1190
+ end
1191
+ end
1192
+
1193
+ # Response message for Simulator.ListReplays.
1194
+ class GoogleCloudPolicysimulatorV1betaListReplaysResponse
1195
+ include Google::Apis::Core::Hashable
1196
+
1197
+ # A token that you can use to retrieve the next page of results. If this field
1198
+ # is omitted, there are no subsequent pages.
1199
+ # Corresponds to the JSON property `nextPageToken`
1200
+ # @return [String]
1201
+ attr_accessor :next_page_token
1202
+
1203
+ # The list of Replay objects.
1204
+ # Corresponds to the JSON property `replays`
1205
+ # @return [Array<Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaReplay>]
1206
+ attr_accessor :replays
1207
+
1208
+ def initialize(**args)
1209
+ update!(**args)
1210
+ end
1211
+
1212
+ # Update properties of this object
1213
+ def update!(**args)
1214
+ @next_page_token = args[:next_page_token] if args.key?(:next_page_token)
1215
+ @replays = args[:replays] if args.key?(:replays)
1216
+ end
1217
+ end
1218
+
851
1219
  # The proposed changes to OrgPolicy.
852
1220
  class GoogleCloudPolicysimulatorV1betaOrgPolicyOverlay
853
1221
  include Google::Apis::Core::Hashable
@@ -1084,6 +1452,237 @@ module Google
1084
1452
  end
1085
1453
  end
1086
1454
 
1455
+ # A resource describing a `Replay`, or simulation.
1456
+ class GoogleCloudPolicysimulatorV1betaReplay
1457
+ include Google::Apis::Core::Hashable
1458
+
1459
+ # The configuration used for a Replay.
1460
+ # Corresponds to the JSON property `config`
1461
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaReplayConfig]
1462
+ attr_accessor :config
1463
+
1464
+ # Output only. The resource name of the `Replay`, which has the following format:
1465
+ # ``projects|folders|organizations`/`resource-id`/locations/global/replays/`
1466
+ # replay-id``, where ``resource-id`` is the ID of the project, folder, or
1467
+ # organization that owns the Replay. Example: `projects/my-example-project/
1468
+ # locations/global/replays/506a5f7f-38ce-4d7d-8e03-479ce1833c36`
1469
+ # Corresponds to the JSON property `name`
1470
+ # @return [String]
1471
+ attr_accessor :name
1472
+
1473
+ # Summary statistics about the replayed log entries.
1474
+ # Corresponds to the JSON property `resultsSummary`
1475
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaReplayResultsSummary]
1476
+ attr_accessor :results_summary
1477
+
1478
+ # Output only. The current state of the `Replay`.
1479
+ # Corresponds to the JSON property `state`
1480
+ # @return [String]
1481
+ attr_accessor :state
1482
+
1483
+ def initialize(**args)
1484
+ update!(**args)
1485
+ end
1486
+
1487
+ # Update properties of this object
1488
+ def update!(**args)
1489
+ @config = args[:config] if args.key?(:config)
1490
+ @name = args[:name] if args.key?(:name)
1491
+ @results_summary = args[:results_summary] if args.key?(:results_summary)
1492
+ @state = args[:state] if args.key?(:state)
1493
+ end
1494
+ end
1495
+
1496
+ # The configuration used for a Replay.
1497
+ class GoogleCloudPolicysimulatorV1betaReplayConfig
1498
+ include Google::Apis::Core::Hashable
1499
+
1500
+ # The logs to use as input for the Replay.
1501
+ # Corresponds to the JSON property `logSource`
1502
+ # @return [String]
1503
+ attr_accessor :log_source
1504
+
1505
+ # A mapping of the resources that you want to simulate policies for and the
1506
+ # policies that you want to simulate. Keys are the full resource names for the
1507
+ # resources. For example, `//cloudresourcemanager.googleapis.com/projects/my-
1508
+ # project`. For examples of full resource names for Google Cloud services, see
1509
+ # https://cloud.google.com/iam/help/troubleshooter/full-resource-names. Values
1510
+ # are Policy objects representing the policies that you want to simulate.
1511
+ # Replays automatically take into account any IAM policies inherited through the
1512
+ # resource hierarchy, and any policies set on descendant resources. You do not
1513
+ # need to include these policies in the policy overlay.
1514
+ # Corresponds to the JSON property `policyOverlay`
1515
+ # @return [Hash<String,Google::Apis::PolicysimulatorV1beta::GoogleIamV1Policy>]
1516
+ attr_accessor :policy_overlay
1517
+
1518
+ def initialize(**args)
1519
+ update!(**args)
1520
+ end
1521
+
1522
+ # Update properties of this object
1523
+ def update!(**args)
1524
+ @log_source = args[:log_source] if args.key?(:log_source)
1525
+ @policy_overlay = args[:policy_overlay] if args.key?(:policy_overlay)
1526
+ end
1527
+ end
1528
+
1529
+ # The difference between the results of evaluating an access tuple under the
1530
+ # current (baseline) policies and under the proposed (simulated) policies. This
1531
+ # difference explains how a principal's access could change if the proposed
1532
+ # policies were applied.
1533
+ class GoogleCloudPolicysimulatorV1betaReplayDiff
1534
+ include Google::Apis::Core::Hashable
1535
+
1536
+ # A summary and comparison of the principal's access under the current (baseline)
1537
+ # policies and the proposed (simulated) policies for a single access tuple.
1538
+ # Corresponds to the JSON property `accessDiff`
1539
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaAccessStateDiff]
1540
+ attr_accessor :access_diff
1541
+
1542
+ def initialize(**args)
1543
+ update!(**args)
1544
+ end
1545
+
1546
+ # Update properties of this object
1547
+ def update!(**args)
1548
+ @access_diff = args[:access_diff] if args.key?(:access_diff)
1549
+ end
1550
+ end
1551
+
1552
+ # The result of replaying a single access tuple against a simulated state.
1553
+ class GoogleCloudPolicysimulatorV1betaReplayResult
1554
+ include Google::Apis::Core::Hashable
1555
+
1556
+ # Information about the principal, resource, and permission to check.
1557
+ # Corresponds to the JSON property `accessTuple`
1558
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaAccessTuple]
1559
+ attr_accessor :access_tuple
1560
+
1561
+ # The difference between the results of evaluating an access tuple under the
1562
+ # current (baseline) policies and under the proposed (simulated) policies. This
1563
+ # difference explains how a principal's access could change if the proposed
1564
+ # policies were applied.
1565
+ # Corresponds to the JSON property `diff`
1566
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleCloudPolicysimulatorV1betaReplayDiff]
1567
+ attr_accessor :diff
1568
+
1569
+ # The `Status` type defines a logical error model that is suitable for different
1570
+ # programming environments, including REST APIs and RPC APIs. It is used by [
1571
+ # gRPC](https://github.com/grpc). Each `Status` message contains three pieces of
1572
+ # data: error code, error message, and error details. You can find out more
1573
+ # about this error model and how to work with it in the [API Design Guide](https:
1574
+ # //cloud.google.com/apis/design/errors).
1575
+ # Corresponds to the JSON property `error`
1576
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleRpcStatus]
1577
+ attr_accessor :error
1578
+
1579
+ # Represents a whole or partial calendar date, such as a birthday. The time of
1580
+ # day and time zone are either specified elsewhere or are insignificant. The
1581
+ # date is relative to the Gregorian Calendar. This can represent one of the
1582
+ # following: * A full date, with non-zero year, month, and day values. * A month
1583
+ # and day, with a zero year (for example, an anniversary). * A year on its own,
1584
+ # with a zero month and a zero day. * A year and month, with a zero day (for
1585
+ # example, a credit card expiration date). Related types: * google.type.
1586
+ # TimeOfDay * google.type.DateTime * google.protobuf.Timestamp
1587
+ # Corresponds to the JSON property `lastSeenDate`
1588
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleTypeDate]
1589
+ attr_accessor :last_seen_date
1590
+
1591
+ # The resource name of the `ReplayResult`, in the following format: ``projects|
1592
+ # folders|organizations`/`resource-id`/locations/global/replays/`replay-id`/
1593
+ # results/`replay-result-id``, where ``resource-id`` is the ID of the project,
1594
+ # folder, or organization that owns the Replay. Example: `projects/my-example-
1595
+ # project/locations/global/replays/506a5f7f-38ce-4d7d-8e03-479ce1833c36/results/
1596
+ # 1234`
1597
+ # Corresponds to the JSON property `name`
1598
+ # @return [String]
1599
+ attr_accessor :name
1600
+
1601
+ # The Replay that the access tuple was included in.
1602
+ # Corresponds to the JSON property `parent`
1603
+ # @return [String]
1604
+ attr_accessor :parent
1605
+
1606
+ def initialize(**args)
1607
+ update!(**args)
1608
+ end
1609
+
1610
+ # Update properties of this object
1611
+ def update!(**args)
1612
+ @access_tuple = args[:access_tuple] if args.key?(:access_tuple)
1613
+ @diff = args[:diff] if args.key?(:diff)
1614
+ @error = args[:error] if args.key?(:error)
1615
+ @last_seen_date = args[:last_seen_date] if args.key?(:last_seen_date)
1616
+ @name = args[:name] if args.key?(:name)
1617
+ @parent = args[:parent] if args.key?(:parent)
1618
+ end
1619
+ end
1620
+
1621
+ # Summary statistics about the replayed log entries.
1622
+ class GoogleCloudPolicysimulatorV1betaReplayResultsSummary
1623
+ include Google::Apis::Core::Hashable
1624
+
1625
+ # The number of replayed log entries with a difference between baseline and
1626
+ # simulated policies.
1627
+ # Corresponds to the JSON property `differenceCount`
1628
+ # @return [Fixnum]
1629
+ attr_accessor :difference_count
1630
+
1631
+ # The number of log entries that could not be replayed.
1632
+ # Corresponds to the JSON property `errorCount`
1633
+ # @return [Fixnum]
1634
+ attr_accessor :error_count
1635
+
1636
+ # The total number of log entries replayed.
1637
+ # Corresponds to the JSON property `logCount`
1638
+ # @return [Fixnum]
1639
+ attr_accessor :log_count
1640
+
1641
+ # Represents a whole or partial calendar date, such as a birthday. The time of
1642
+ # day and time zone are either specified elsewhere or are insignificant. The
1643
+ # date is relative to the Gregorian Calendar. This can represent one of the
1644
+ # following: * A full date, with non-zero year, month, and day values. * A month
1645
+ # and day, with a zero year (for example, an anniversary). * A year on its own,
1646
+ # with a zero month and a zero day. * A year and month, with a zero day (for
1647
+ # example, a credit card expiration date). Related types: * google.type.
1648
+ # TimeOfDay * google.type.DateTime * google.protobuf.Timestamp
1649
+ # Corresponds to the JSON property `newestDate`
1650
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleTypeDate]
1651
+ attr_accessor :newest_date
1652
+
1653
+ # Represents a whole or partial calendar date, such as a birthday. The time of
1654
+ # day and time zone are either specified elsewhere or are insignificant. The
1655
+ # date is relative to the Gregorian Calendar. This can represent one of the
1656
+ # following: * A full date, with non-zero year, month, and day values. * A month
1657
+ # and day, with a zero year (for example, an anniversary). * A year on its own,
1658
+ # with a zero month and a zero day. * A year and month, with a zero day (for
1659
+ # example, a credit card expiration date). Related types: * google.type.
1660
+ # TimeOfDay * google.type.DateTime * google.protobuf.Timestamp
1661
+ # Corresponds to the JSON property `oldestDate`
1662
+ # @return [Google::Apis::PolicysimulatorV1beta::GoogleTypeDate]
1663
+ attr_accessor :oldest_date
1664
+
1665
+ # The number of replayed log entries with no difference between baseline and
1666
+ # simulated policies.
1667
+ # Corresponds to the JSON property `unchangedCount`
1668
+ # @return [Fixnum]
1669
+ attr_accessor :unchanged_count
1670
+
1671
+ def initialize(**args)
1672
+ update!(**args)
1673
+ end
1674
+
1675
+ # Update properties of this object
1676
+ def update!(**args)
1677
+ @difference_count = args[:difference_count] if args.key?(:difference_count)
1678
+ @error_count = args[:error_count] if args.key?(:error_count)
1679
+ @log_count = args[:log_count] if args.key?(:log_count)
1680
+ @newest_date = args[:newest_date] if args.key?(:newest_date)
1681
+ @oldest_date = args[:oldest_date] if args.key?(:oldest_date)
1682
+ @unchanged_count = args[:unchanged_count] if args.key?(:unchanged_count)
1683
+ end
1684
+ end
1685
+
1087
1686
  # ResourceContext provides the context we know about a resource. It is similar
1088
1687
  # in concept to google.cloud.asset.v1.Resource, but focuses on the information
1089
1688
  # specifically used by Simulator.
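Review bot: The comments on `difference_count` and `unchanged_count` in `GoogleCloudPolicysimulatorV1betaReplayResultsSummary` do not say how entries counted in `error_count` relate to them, so a caller could read `difference_count == 0` as "the proposed policy changes no access" while some log entries were never replayed. I would add a line to the `difference_count` comment such as `# Entries that could not be replayed are reported in error_count; check it before treating a zero here as "no access change".` That wording is inferred from the field descriptions in this hunk and should be confirmed against the service documentation. Separately, the three count fields are documented as `@return [Fixnum]`, a class that no longer exists in current Ruby; `@return [Integer]` would be accurate.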
@@ -1285,22 +1884,22 @@ module Google
1285
1884
  # evaluates to `true`. A condition can add constraints based on attributes of
1286
1885
  # the request, the resource, or both. To learn which resources support
1287
1886
  # conditions in their IAM policies, see the [IAM documentation](https://cloud.
1288
- # google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
1887
+ # google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
1289
1888
  # bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
1290
1889
  # "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
1291
1890
  # serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
1292
1891
  # roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
1293
1892
  # ], "condition": ` "title": "expirable access", "description": "Does not grant
1294
1893
  # access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
1295
- # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML example:**
1296
- # bindings: - members: - user:mike@example.com - group:admins@example.com -
1297
- # domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com
1298
- # role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.
1299
- # com role: roles/resourcemanager.organizationViewer condition: title: expirable
1300
- # access description: Does not grant access after Sep 2020 expression: request.
1301
- # time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For
1302
- # a description of IAM and its features, see the [IAM documentation](https://
1303
- # cloud.google.com/iam/docs/).
1894
+ # 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
1895
+ # example:** ``` bindings: - members: - user:mike@example.com - group:admins@
1896
+ # example.com - domain:google.com - serviceAccount:my-project-id@appspot.
1897
+ # gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
1898
+ # user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
1899
+ # title: expirable access description: Does not grant access after Sep 2020
1900
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
1901
+ # BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
1902
+ # [IAM documentation](https://cloud.google.com/iam/docs/).
1304
1903
  class GoogleIamV1Policy
1305
1904
  include Google::Apis::Core::Hashable
1306
1905
 
@@ -1431,13 +2030,13 @@ module Google
1431
2030
  # @return [String]
1432
2031
  attr_accessor :name
1433
2032
 
1434
- # The normal response of the operation in case of success. If the original
1435
- # method returns no data on success, such as `Delete`, the response is `google.
1436
- # protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`,
1437
- # the response should be the resource. For other methods, the response should
1438
- # have the type `XxxResponse`, where `Xxx` is the original method name. For
1439
- # example, if the original method name is `TakeSnapshot()`, the inferred
1440
- # response type is `TakeSnapshotResponse`.
2033
+ # The normal, successful response of the operation. If the original method
2034
+ # returns no data on success, such as `Delete`, the response is `google.protobuf.
2035
+ # Empty`. If the original method is standard `Get`/`Create`/`Update`, the
2036
+ # response should be the resource. For other methods, the response should have
2037
+ # the type `XxxResponse`, where `Xxx` is the original method name. For example,
2038
+ # if the original method name is `TakeSnapshot()`, the inferred response type is
2039
+ # `TakeSnapshotResponse`.
1441
2040
  # Corresponds to the JSON property `response`
1442
2041
  # @return [Hash<String,Object>]
1443
2042
  attr_accessor :response