google-cloud-policy_troubleshooter-iam-v3 0.a → 0.1.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (34) hide show
  1. checksums.yaml +4 -4
  2. data/.yardopts +12 -0
  3. data/AUTHENTICATION.md +149 -0
  4. data/README.md +144 -8
  5. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/client.rb +391 -0
  6. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/credentials.rb +49 -0
  7. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/rest/client.rb +356 -0
  8. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/rest/service_stub.rb +108 -0
  9. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/rest.rb +55 -0
  10. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter.rb +58 -0
  11. data/lib/google/cloud/policy_troubleshooter/iam/v3/rest.rb +39 -0
  12. data/lib/google/cloud/policy_troubleshooter/iam/v3/version.rb +7 -2
  13. data/lib/google/cloud/policy_troubleshooter/iam/v3.rb +47 -0
  14. data/lib/google/cloud/policytroubleshooter/iam/v3/troubleshooter_pb.rb +86 -0
  15. data/lib/google/cloud/policytroubleshooter/iam/v3/troubleshooter_services_pb.rb +51 -0
  16. data/lib/google-cloud-policy_troubleshooter-iam-v3.rb +21 -0
  17. data/proto_docs/README.md +4 -0
  18. data/proto_docs/google/api/client.rb +381 -0
  19. data/proto_docs/google/api/field_behavior.rb +85 -0
  20. data/proto_docs/google/api/launch_stage.rb +71 -0
  21. data/proto_docs/google/api/resource.rb +222 -0
  22. data/proto_docs/google/cloud/policytroubleshooter/iam/v3/troubleshooter.rb +826 -0
  23. data/proto_docs/google/iam/v1/policy.rb +426 -0
  24. data/proto_docs/google/iam/v2/deny.rb +110 -0
  25. data/proto_docs/google/iam/v2/policy.rb +241 -0
  26. data/proto_docs/google/longrunning/operations.rb +164 -0
  27. data/proto_docs/google/protobuf/any.rb +144 -0
  28. data/proto_docs/google/protobuf/duration.rb +98 -0
  29. data/proto_docs/google/protobuf/empty.rb +34 -0
  30. data/proto_docs/google/protobuf/struct.rb +96 -0
  31. data/proto_docs/google/protobuf/timestamp.rb +127 -0
  32. data/proto_docs/google/rpc/status.rb +48 -0
  33. data/proto_docs/google/type/expr.rb +75 -0
  34. metadata +229 -13
@@ -0,0 +1,826 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2023 Google LLC
4
+ #
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
8
+ #
9
+ # https://www.apache.org/licenses/LICENSE-2.0
10
+ #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+
17
+ # Auto-generated by gapic-generator-ruby. DO NOT EDIT!
18
+
19
+
20
+ module Google
21
+ module Cloud
22
+ module PolicyTroubleshooter
23
+ module Iam
24
+ module V3
25
+ # Request for
26
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::PolicyTroubleshooter::Client#troubleshoot_iam_policy TroubleshootIamPolicy}.
27
+ # @!attribute [rw] access_tuple
28
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::AccessTuple]
29
+ # The information to use for checking whether a principal has a permission
30
+ # for a resource.
31
+ class TroubleshootIamPolicyRequest
32
+ include ::Google::Protobuf::MessageExts
33
+ extend ::Google::Protobuf::MessageExts::ClassMethods
34
+ end
35
+
36
+ # Response for
37
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::PolicyTroubleshooter::Client#troubleshoot_iam_policy TroubleshootIamPolicy}.
38
+ # @!attribute [rw] overall_access_state
39
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::TroubleshootIamPolicyResponse::OverallAccessState]
40
+ # Indicates whether the principal has the specified permission for the
41
+ # specified resource, based on evaluating all types of the applicable IAM
42
+ # policies.
43
+ # @!attribute [rw] access_tuple
44
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::AccessTuple]
45
+ # The access tuple from the request, including any provided context used to
46
+ # evaluate the condition.
47
+ # @!attribute [rw] allow_policy_explanation
48
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::AllowPolicyExplanation]
49
+ # An explanation of how the applicable IAM allow policies affect the final
50
+ # access state.
51
+ # @!attribute [rw] deny_policy_explanation
52
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyPolicyExplanation]
53
+ # An explanation of how the applicable IAM deny policies affect the final
54
+ # access state.
55
+ class TroubleshootIamPolicyResponse
56
+ include ::Google::Protobuf::MessageExts
57
+ extend ::Google::Protobuf::MessageExts::ClassMethods
58
+
59
+ # Whether the principal has the permission on the resource.
60
+ module OverallAccessState
61
+ # Not specified.
62
+ OVERALL_ACCESS_STATE_UNSPECIFIED = 0
63
+
64
+ # The principal has the permission.
65
+ CAN_ACCESS = 1
66
+
67
+ # The principal doesn't have the permission.
68
+ CANNOT_ACCESS = 2
69
+
70
+ # The principal might have the permission, but the sender can't access all
71
+ # of the information needed to fully evaluate the principal's access.
72
+ UNKNOWN_INFO = 3
73
+
74
+ # The principal might have the permission, but Policy Troubleshooter can't
75
+ # fully evaluate the principal's access because the sender didn't provide
76
+ # the required context to evaluate the condition.
77
+ UNKNOWN_CONDITIONAL = 4
78
+ end
79
+ end
80
+
81
+ # Information about the principal, resource, and permission to check.
82
+ # @!attribute [rw] principal
83
+ # @return [::String]
84
+ # Required. The email address of the principal whose access you want to
85
+ # check. For example, `alice@example.com` or
86
+ # `my-service-account@my-project.iam.gserviceaccount.com`.
87
+ #
88
+ # The principal must be a Google Account or a service account. Other types of
89
+ # principals are not supported.
90
+ # @!attribute [rw] full_resource_name
91
+ # @return [::String]
92
+ # Required. The full resource name that identifies the resource. For example,
93
+ # `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
94
+ #
95
+ # For examples of full resource names for Google Cloud services, see
96
+ # https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
97
+ # @!attribute [rw] permission
98
+ # @return [::String]
99
+ # Required. The IAM permission to check for, either in the `v1` permission
100
+ # format or the `v2` permission format.
101
+ #
102
+ # For a complete list of IAM permissions in the `v1` format, see
103
+ # https://cloud.google.com/iam/help/permissions/reference.
104
+ #
105
+ # For a list of IAM permissions in the `v2` format, see
106
+ # https://cloud.google.com/iam/help/deny/supported-permissions.
107
+ #
108
+ # For a complete list of predefined IAM roles and the permissions in each
109
+ # role, see https://cloud.google.com/iam/help/roles/reference.
110
+ # @!attribute [r] permission_fqdn
111
+ # @return [::String]
112
+ # Output only. The permission that Policy Troubleshooter checked for, in
113
+ # the `v2` format.
114
+ # @!attribute [rw] condition_context
115
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::ConditionContext]
116
+ # Optional. Additional context for the request, such as the request time or
117
+ # IP address. This context allows Policy Troubleshooter to troubleshoot
118
+ # conditional role bindings and deny rules.
119
+ class AccessTuple
120
+ include ::Google::Protobuf::MessageExts
121
+ extend ::Google::Protobuf::MessageExts::ClassMethods
122
+ end
123
+
124
+ # Additional context for troubleshooting conditional role bindings and deny
125
+ # rules.
126
+ # @!attribute [rw] resource
127
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::ConditionContext::Resource]
128
+ # Represents a target resource that is involved with a network activity.
129
+ # If multiple resources are involved with an activity, this must be the
130
+ # primary one.
131
+ # @!attribute [rw] destination
132
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::ConditionContext::Peer]
133
+ # The destination of a network activity, such as accepting a TCP connection.
134
+ # In a multi-hop network activity, the destination represents the receiver of
135
+ # the last hop.
136
+ # @!attribute [rw] request
137
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::ConditionContext::Request]
138
+ # Represents a network request, such as an HTTP request.
139
+ # @!attribute [r] effective_tags
140
+ # @return [::Array<::Google::Cloud::PolicyTroubleshooter::Iam::V3::ConditionContext::EffectiveTag>]
141
+ # Output only. The effective tags on the resource. The effective tags are
142
+ # fetched during troubleshooting.
143
+ class ConditionContext
144
+ include ::Google::Protobuf::MessageExts
145
+ extend ::Google::Protobuf::MessageExts::ClassMethods
146
+
147
+ # Core attributes for a resource. A resource is an
148
+ # addressable (named) entity provided by the destination service. For
149
+ # example, a Compute Engine instance.
150
+ # @!attribute [rw] service
151
+ # @return [::String]
152
+ # The name of the service that this resource belongs to, such as
153
+ # `compute.googleapis.com`. The service name might not match the DNS
154
+ # hostname that actually serves the request.
155
+ #
156
+ # For a full list of resource service values, see
157
+ # https://cloud.google.com/iam/help/conditions/resource-services
158
+ # @!attribute [rw] name
159
+ # @return [::String]
160
+ # The stable identifier (name) of a resource on the `service`. A resource
161
+ # can be logically identified as `//{resource.service}/{resource.name}`.
162
+ # Unlike the resource URI, the resource name doesn't contain any protocol
163
+ # and version information.
164
+ #
165
+ # For a list of full resource name formats, see
166
+ # https://cloud.google.com/iam/help/troubleshooter/full-resource-names
167
+ # @!attribute [rw] type
168
+ # @return [::String]
169
+ # The type of the resource, in the format `{service}/{kind}`.
170
+ #
171
+ # For a full list of resource type values, see
172
+ # https://cloud.google.com/iam/help/conditions/resource-types
173
+ class Resource
174
+ include ::Google::Protobuf::MessageExts
175
+ extend ::Google::Protobuf::MessageExts::ClassMethods
176
+ end
177
+
178
+ # This message defines attributes for a node that handles a network request.
179
+ # The node can be either a service or an application that sends, forwards,
180
+ # or receives the request. Service peers should fill in
181
+ # `principal` and `labels` as appropriate.
182
+ # @!attribute [rw] ip
183
+ # @return [::String]
184
+ # The IPv4 or IPv6 address of the peer.
185
+ # @!attribute [rw] port
186
+ # @return [::Integer]
187
+ # The network port of the peer.
188
+ class Peer
189
+ include ::Google::Protobuf::MessageExts
190
+ extend ::Google::Protobuf::MessageExts::ClassMethods
191
+ end
192
+
193
+ # This message defines attributes for an HTTP request. If the actual
194
+ # request is not an HTTP request, the runtime system should try to map
195
+ # the actual request to an equivalent HTTP request.
196
+ # @!attribute [rw] receive_time
197
+ # @return [::Google::Protobuf::Timestamp]
198
+ # Optional. The timestamp when the destination service receives the first
199
+ # byte of the request.
200
+ class Request
201
+ include ::Google::Protobuf::MessageExts
202
+ extend ::Google::Protobuf::MessageExts::ClassMethods
203
+ end
204
+
205
+ # A tag that applies to a resource during policy evaluation. Tags can be
206
+ # either directly bound to a resource or inherited from its ancestor.
207
+ # `EffectiveTag` contains the `name` and `namespaced_name` of the tag value
208
+ # and tag key, with additional fields of `inherited` to indicate the
209
+ # inheritance status of the effective tag.
210
+ # @!attribute [r] tag_value
211
+ # @return [::String]
212
+ # Output only. Resource name for TagValue in the format `tagValues/456`.
213
+ # @!attribute [r] namespaced_tag_value
214
+ # @return [::String]
215
+ # Output only. The namespaced name of the TagValue. Can be in the form
216
+ # `{organization_id}/{tag_key_short_name}/{tag_value_short_name}` or
217
+ # `{project_id}/{tag_key_short_name}/{tag_value_short_name}` or
218
+ # `{project_number}/{tag_key_short_name}/{tag_value_short_name}`.
219
+ # @!attribute [r] tag_key
220
+ # @return [::String]
221
+ # Output only. The name of the TagKey, in the format `tagKeys/{id}`, such
222
+ # as `tagKeys/123`.
223
+ # @!attribute [r] namespaced_tag_key
224
+ # @return [::String]
225
+ # Output only. The namespaced name of the TagKey. Can be in the form
226
+ # `{organization_id}/{tag_key_short_name}` or
227
+ # `{project_id}/{tag_key_short_name}` or
228
+ # `{project_number}/{tag_key_short_name}`.
229
+ # @!attribute [rw] tag_key_parent_name
230
+ # @return [::String]
231
+ # The parent name of the tag key.
232
+ # Must be in the format `organizations/{organization_id}` or
233
+ # `projects/{project_number}`
234
+ # @!attribute [r] inherited
235
+ # @return [::Boolean]
236
+ # Output only. Indicates the inheritance status of a tag value
237
+ # attached to the given resource. If the tag value is inherited from one of
238
+ # the resource's ancestors, inherited will be true. If false, then the tag
239
+ # value is directly attached to the resource, inherited will be false.
240
+ class EffectiveTag
241
+ include ::Google::Protobuf::MessageExts
242
+ extend ::Google::Protobuf::MessageExts::ClassMethods
243
+ end
244
+ end
245
+
246
+ # Details about how the relevant IAM allow policies affect the final access
247
+ # state.
248
+ # @!attribute [rw] allow_access_state
249
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::AllowAccessState]
250
+ # Indicates whether the principal has the specified permission for the
251
+ # specified resource, based on evaluating all applicable IAM allow policies.
252
+ # @!attribute [rw] explained_policies
253
+ # @return [::Array<::Google::Cloud::PolicyTroubleshooter::Iam::V3::ExplainedAllowPolicy>]
254
+ # List of IAM allow policies that were evaluated to check the principal's
255
+ # permissions, with annotations to indicate how each policy contributed to
256
+ # the final result.
257
+ #
258
+ # The list of policies includes the policy for the resource itself, as well
259
+ # as allow policies that are inherited from higher levels of the resource
260
+ # hierarchy, including the organization, the folder, and the project.
261
+ #
262
+ # To learn more about the resource hierarchy, see
263
+ # https://cloud.google.com/iam/help/resource-hierarchy.
264
+ # @!attribute [rw] relevance
265
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
266
+ # The relevance of the allow policy type to the overall access state.
267
+ class AllowPolicyExplanation
268
+ include ::Google::Protobuf::MessageExts
269
+ extend ::Google::Protobuf::MessageExts::ClassMethods
270
+ end
271
+
272
+ # Details about how a specific IAM allow policy contributed to the final access
273
+ # state.
274
+ # @!attribute [rw] allow_access_state
275
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::AllowAccessState]
276
+ # Required. Indicates whether _this policy_ provides the specified permission
277
+ # to the specified principal for the specified resource.
278
+ #
279
+ # This field does _not_ indicate whether the principal actually has the
280
+ # permission for the resource. There might be another policy that overrides
281
+ # this policy. To determine whether the principal actually has the
282
+ # permission, use the `overall_access_state` field in the
283
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::TroubleshootIamPolicyResponse TroubleshootIamPolicyResponse}.
284
+ # @!attribute [rw] full_resource_name
285
+ # @return [::String]
286
+ # The full resource name that identifies the resource. For example,
287
+ # `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
288
+ #
289
+ # If the sender of the request does not have access to the policy, this field
290
+ # is omitted.
291
+ #
292
+ # For examples of full resource names for Google Cloud services, see
293
+ # https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
294
+ # @!attribute [rw] binding_explanations
295
+ # @return [::Array<::Google::Cloud::PolicyTroubleshooter::Iam::V3::AllowBindingExplanation>]
296
+ # Details about how each role binding in the policy affects the principal's
297
+ # ability, or inability, to use the permission for the resource. The order of
298
+ # the role bindings matches the role binding order in the policy.
299
+ #
300
+ # If the sender of the request does not have access to the policy, this field
301
+ # is omitted.
302
+ # @!attribute [rw] relevance
303
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
304
+ # The relevance of this policy to the overall access state in the
305
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::TroubleshootIamPolicyResponse TroubleshootIamPolicyResponse}.
306
+ #
307
+ # If the sender of the request does not have access to the policy, this field
308
+ # is omitted.
309
+ # @!attribute [rw] policy
310
+ # @return [::Google::Iam::V1::Policy]
311
+ # The IAM allow policy attached to the resource.
312
+ #
313
+ # If the sender of the request does not have access to the policy, this field
314
+ # is empty.
315
+ class ExplainedAllowPolicy
316
+ include ::Google::Protobuf::MessageExts
317
+ extend ::Google::Protobuf::MessageExts::ClassMethods
318
+ end
319
+
320
+ # Details about how a role binding in an allow policy affects a principal's
321
+ # ability to use a permission.
322
+ # @!attribute [rw] allow_access_state
323
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::AllowAccessState]
324
+ # Required. Indicates whether _this role binding_ gives the specified
325
+ # permission to the specified principal on the specified resource.
326
+ #
327
+ # This field does _not_ indicate whether the principal actually has the
328
+ # permission on the resource. There might be another role binding that
329
+ # overrides this role binding. To determine whether the principal actually
330
+ # has the permission, use the `overall_access_state` field in the
331
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::TroubleshootIamPolicyResponse TroubleshootIamPolicyResponse}.
332
+ # @!attribute [rw] role
333
+ # @return [::String]
334
+ # The role that this role binding grants. For example,
335
+ # `roles/compute.admin`.
336
+ #
337
+ # For a complete list of predefined IAM roles, as well as the permissions in
338
+ # each role, see https://cloud.google.com/iam/help/roles/reference.
339
+ # @!attribute [rw] role_permission
340
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::RolePermissionInclusionState]
341
+ # Indicates whether the role granted by this role binding contains the
342
+ # specified permission.
343
+ # @!attribute [rw] role_permission_relevance
344
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
345
+ # The relevance of the permission's existence, or nonexistence, in the role
346
+ # to the overall determination for the entire policy.
347
+ # @!attribute [rw] combined_membership
348
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::AllowBindingExplanation::AnnotatedAllowMembership]
349
+ # The combined result of all memberships. Indicates if the principal is
350
+ # included in any role binding, either directly or indirectly.
351
+ # @!attribute [rw] memberships
352
+ # @return [::Google::Protobuf::Map{::String => ::Google::Cloud::PolicyTroubleshooter::Iam::V3::AllowBindingExplanation::AnnotatedAllowMembership}]
353
+ # Indicates whether each role binding includes the principal specified in the
354
+ # request, either directly or indirectly. Each key identifies a principal in
355
+ # the role binding, and each value indicates whether the principal in the
356
+ # role binding includes the principal in the request.
357
+ #
358
+ # For example, suppose that a role binding includes the following principals:
359
+ #
360
+ # * `user:alice@example.com`
361
+ # * `group:product-eng@example.com`
362
+ #
363
+ # You want to troubleshoot access for `user:bob@example.com`. This user is a
364
+ # member of the group `group:product-eng@example.com`.
365
+ #
366
+ # For the first principal in the role binding, the key is
367
+ # `user:alice@example.com`, and the `membership` field in the value is set to
368
+ # `NOT_INCLUDED`.
369
+ #
370
+ # For the second principal in the role binding, the key is
371
+ # `group:product-eng@example.com`, and the `membership` field in the value is
372
+ # set to `INCLUDED`.
373
+ # @!attribute [rw] relevance
374
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
375
+ # The relevance of this role binding to the overall determination for the
376
+ # entire policy.
377
+ # @!attribute [rw] condition
378
+ # @return [::Google::Type::Expr]
379
+ # A condition expression that specifies when the role binding grants access.
380
+ #
381
+ # To learn about IAM Conditions, see
382
+ # https://cloud.google.com/iam/help/conditions/overview.
383
+ # @!attribute [rw] condition_explanation
384
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::ConditionExplanation]
385
+ # Condition evaluation state for this role binding.
386
+ class AllowBindingExplanation
387
+ include ::Google::Protobuf::MessageExts
388
+ extend ::Google::Protobuf::MessageExts::ClassMethods
389
+
390
+ # Details about whether the role binding includes the principal.
391
+ # @!attribute [rw] membership
392
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::MembershipMatchingState]
393
+ # Indicates whether the role binding includes the principal.
394
+ # @!attribute [rw] relevance
395
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
396
+ # The relevance of the principal's status to the overall determination for
397
+ # the role binding.
398
+ class AnnotatedAllowMembership
399
+ include ::Google::Protobuf::MessageExts
400
+ extend ::Google::Protobuf::MessageExts::ClassMethods
401
+ end
402
+
403
+ # @!attribute [rw] key
404
+ # @return [::String]
405
+ # @!attribute [rw] value
406
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::AllowBindingExplanation::AnnotatedAllowMembership]
407
+ class MembershipsEntry
408
+ include ::Google::Protobuf::MessageExts
409
+ extend ::Google::Protobuf::MessageExts::ClassMethods
410
+ end
411
+ end
412
+
413
+ # Details about how the relevant IAM deny policies affect the final access
414
+ # state.
415
+ # @!attribute [rw] deny_access_state
416
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyAccessState]
417
+ # Indicates whether the principal is denied the specified permission for
418
+ # the specified resource, based on evaluating all applicable IAM deny
419
+ # policies.
420
+ # @!attribute [rw] explained_resources
421
+ # @return [::Array<::Google::Cloud::PolicyTroubleshooter::Iam::V3::ExplainedDenyResource>]
422
+ # List of resources with IAM deny policies that were evaluated to check the
423
+ # principal's denied permissions, with annotations to indicate how each
424
+ # policy contributed to the final result.
425
+ #
426
+ # The list of resources includes the policy for the resource itself, as well
427
+ # as policies that are inherited from higher levels of the resource
428
+ # hierarchy, including the organization, the folder, and the project. The
429
+ # order of the resources starts from the resource and climbs up the resource
430
+ # hierarchy.
431
+ #
432
+ # To learn more about the resource hierarchy, see
433
+ # https://cloud.google.com/iam/help/resource-hierarchy.
434
+ # @!attribute [rw] relevance
435
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
436
+ # The relevance of the deny policy result to the overall access state.
437
+ # @!attribute [rw] permission_deniable
438
+ # @return [::Boolean]
439
+ # Indicates whether the permission to troubleshoot is supported in deny
440
+ # policies.
441
+ class DenyPolicyExplanation
442
+ include ::Google::Protobuf::MessageExts
443
+ extend ::Google::Protobuf::MessageExts::ClassMethods
444
+ end
445
+
446
+ # Details about how a specific resource contributed to the deny policy
447
+ # evaluation.
448
+ # @!attribute [rw] deny_access_state
449
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyAccessState]
450
+ # Required. Indicates whether any policies attached to _this resource_ deny
451
+ # the specific permission to the specified principal for the specified
452
+ # resource.
453
+ #
454
+ # This field does _not_ indicate whether the principal actually has the
455
+ # permission for the resource. There might be another policy that overrides
456
+ # this policy. To determine whether the principal actually has the
457
+ # permission, use the `overall_access_state` field in the
458
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::TroubleshootIamPolicyResponse TroubleshootIamPolicyResponse}.
459
+ # @!attribute [rw] full_resource_name
460
+ # @return [::String]
461
+ # The full resource name that identifies the resource. For example,
462
+ # `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
463
+ #
464
+ # If the sender of the request does not have access to the policy, this field
465
+ # is omitted.
466
+ #
467
+ # For examples of full resource names for Google Cloud services, see
468
+ # https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
469
+ # @!attribute [rw] explained_policies
470
+ # @return [::Array<::Google::Cloud::PolicyTroubleshooter::Iam::V3::ExplainedDenyPolicy>]
471
+ # List of IAM deny policies that were evaluated to check the principal's
472
+ # denied permissions, with annotations to indicate how each policy
473
+ # contributed to the final result.
474
+ # @!attribute [rw] relevance
475
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
476
+ # The relevance of this policy to the overall access state in the
477
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::TroubleshootIamPolicyResponse TroubleshootIamPolicyResponse}.
478
+ #
479
+ # If the sender of the request does not have access to the policy, this field
480
+ # is omitted.
481
+ class ExplainedDenyResource
482
+ include ::Google::Protobuf::MessageExts
483
+ extend ::Google::Protobuf::MessageExts::ClassMethods
484
+ end
485
+
486
+ # Details about how a specific IAM deny policy {::Google::Iam::V2::Policy Policy}
487
+ # contributed to the access check.
488
+ # @!attribute [rw] deny_access_state
489
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyAccessState]
490
+ # Required. Indicates whether _this policy_ denies the specified permission
491
+ # to the specified principal for the specified resource.
492
+ #
493
+ # This field does _not_ indicate whether the principal actually has the
494
+ # permission for the resource. There might be another policy that overrides
495
+ # this policy. To determine whether the principal actually has the
496
+ # permission, use the `overall_access_state` field in the
497
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::TroubleshootIamPolicyResponse TroubleshootIamPolicyResponse}.
498
+ # @!attribute [rw] policy
499
+ # @return [::Google::Iam::V2::Policy]
500
+ # The IAM deny policy attached to the resource.
501
+ #
502
+ # If the sender of the request does not have access to the policy, this field
503
+ # is omitted.
504
+ # @!attribute [rw] rule_explanations
505
+ # @return [::Array<::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation>]
506
+ # Details about how each rule in the policy affects the principal's inability
507
+ # to use the permission for the resource. The order of the deny rule matches
508
+ # the order of the rules in the deny policy.
509
+ #
510
+ # If the sender of the request does not have access to the policy, this field
511
+ # is omitted.
512
+ # @!attribute [rw] relevance
513
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
514
+ # The relevance of this policy to the overall access state in the
515
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::TroubleshootIamPolicyResponse TroubleshootIamPolicyResponse}.
516
+ #
517
+ # If the sender of the request does not have access to the policy, this field
518
+ # is omitted.
519
+ class ExplainedDenyPolicy
520
+ include ::Google::Protobuf::MessageExts
521
+ extend ::Google::Protobuf::MessageExts::ClassMethods
522
+ end
523
+
524
+ # Details about how a deny rule in a deny policy affects a principal's ability
525
+ # to use a permission.
526
+ # @!attribute [rw] deny_access_state
527
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyAccessState]
528
+ # Required. Indicates whether _this rule_ denies the specified permission to
529
+ # the specified principal for the specified resource.
530
+ #
531
+ # This field does _not_ indicate whether the principal is actually denied on
532
+ # the permission for the resource. There might be another rule that overrides
533
+ # this rule. To determine whether the principal actually has the permission,
534
+ # use the `overall_access_state` field in the
535
+ # {::Google::Cloud::PolicyTroubleshooter::Iam::V3::TroubleshootIamPolicyResponse TroubleshootIamPolicyResponse}.
536
+ # @!attribute [rw] combined_denied_permission
537
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedPermissionMatching]
538
+ # Indicates whether the permission in the request is listed as a denied
539
+ # permission in the deny rule.
540
+ # @!attribute [rw] denied_permissions
541
+ # @return [::Google::Protobuf::Map{::String => ::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedPermissionMatching}]
542
+ # Lists all denied permissions in the deny rule and indicates whether each
543
+ # permission matches the permission in the request.
544
+ #
545
+ # Each key identifies a denied permission in the rule, and each value
546
+ # indicates whether the denied permission matches the permission in the
547
+ # request.
548
+ # @!attribute [rw] combined_exception_permission
549
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedPermissionMatching]
550
+ # Indicates whether the permission in the request is listed as an exception
551
+ # permission in the deny rule.
552
+ # @!attribute [rw] exception_permissions
553
+ # @return [::Google::Protobuf::Map{::String => ::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedPermissionMatching}]
554
+ # Lists all exception permissions in the deny rule and indicates whether each
555
+ # permission matches the permission in the request.
556
+ #
557
+ # Each key identifies a exception permission in the rule, and each value
558
+ # indicates whether the exception permission matches the permission in the
559
+ # request.
560
+ # @!attribute [rw] combined_denied_principal
561
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedDenyPrincipalMatching]
562
+ # Indicates whether the principal is listed as a denied principal in the
563
+ # deny rule, either directly or through membership in a principal set.
564
+ # @!attribute [rw] denied_principals
565
+ # @return [::Google::Protobuf::Map{::String => ::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedDenyPrincipalMatching}]
566
+ # Lists all denied principals in the deny rule and indicates whether each
567
+ # principal matches the principal in the request, either directly or through
568
+ # membership in a principal set.
569
+ #
570
+ # Each key identifies a denied principal in the rule, and each value
571
+ # indicates whether the denied principal matches the principal in the
572
+ # request.
573
+ # @!attribute [rw] combined_exception_principal
574
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedDenyPrincipalMatching]
575
+ # Indicates whether the principal is listed as an exception principal in the
576
+ # deny rule, either directly or through membership in a principal set.
577
+ # @!attribute [rw] exception_principals
578
+ # @return [::Google::Protobuf::Map{::String => ::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedDenyPrincipalMatching}]
579
+ # Lists all exception principals in the deny rule and indicates whether each
580
+ # principal matches the principal in the request, either directly or through
581
+ # membership in a principal set.
582
+ #
583
+ # Each key identifies a exception principal in the rule, and each value
584
+ # indicates whether the exception principal matches the principal in the
585
+ # request.
586
+ # @!attribute [rw] relevance
587
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
588
+ # The relevance of this role binding to the overall determination for the
589
+ # entire policy.
590
+ # @!attribute [rw] condition
591
+ # @return [::Google::Type::Expr]
592
+ # A condition expression that specifies when the deny rule denies the
593
+ # principal access.
594
+ #
595
+ # To learn about IAM Conditions, see
596
+ # https://cloud.google.com/iam/help/conditions/overview.
597
+ # @!attribute [rw] condition_explanation
598
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::ConditionExplanation]
599
+ # Condition evaluation state for this role binding.
600
+ class DenyRuleExplanation
601
+ include ::Google::Protobuf::MessageExts
602
+ extend ::Google::Protobuf::MessageExts::ClassMethods
603
+
604
+ # Details about whether the permission in the request is denied by the
605
+ # deny rule.
606
+ # @!attribute [rw] permission_matching_state
607
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::PermissionPatternMatchingState]
608
+ # Indicates whether the permission in the request is denied by the deny
609
+ # rule.
610
+ # @!attribute [rw] relevance
611
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
612
+ # The relevance of the permission status to the overall determination for
613
+ # the rule.
614
+ class AnnotatedPermissionMatching
615
+ include ::Google::Protobuf::MessageExts
616
+ extend ::Google::Protobuf::MessageExts::ClassMethods
617
+ end
618
+
619
+ # Details about whether the principal in the request is listed as a denied
620
+ # principal in the deny rule, either directly or through membership in a
621
+ # principal set.
622
+ # @!attribute [rw] membership
623
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::MembershipMatchingState]
624
+ # Indicates whether the principal is listed as a denied principal in the
625
+ # deny rule, either directly or through membership in a principal set.
626
+ # @!attribute [rw] relevance
627
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::HeuristicRelevance]
628
+ # The relevance of the principal's status to the overall determination for
629
+ # the role binding.
630
+ class AnnotatedDenyPrincipalMatching
631
+ include ::Google::Protobuf::MessageExts
632
+ extend ::Google::Protobuf::MessageExts::ClassMethods
633
+ end
634
+
635
+ # @!attribute [rw] key
636
+ # @return [::String]
637
+ # @!attribute [rw] value
638
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedPermissionMatching]
639
+ class DeniedPermissionsEntry
640
+ include ::Google::Protobuf::MessageExts
641
+ extend ::Google::Protobuf::MessageExts::ClassMethods
642
+ end
643
+
644
+ # @!attribute [rw] key
645
+ # @return [::String]
646
+ # @!attribute [rw] value
647
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedPermissionMatching]
648
+ class ExceptionPermissionsEntry
649
+ include ::Google::Protobuf::MessageExts
650
+ extend ::Google::Protobuf::MessageExts::ClassMethods
651
+ end
652
+
653
+ # @!attribute [rw] key
654
+ # @return [::String]
655
+ # @!attribute [rw] value
656
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedDenyPrincipalMatching]
657
+ class DeniedPrincipalsEntry
658
+ include ::Google::Protobuf::MessageExts
659
+ extend ::Google::Protobuf::MessageExts::ClassMethods
660
+ end
661
+
662
+ # @!attribute [rw] key
663
+ # @return [::String]
664
+ # @!attribute [rw] value
665
+ # @return [::Google::Cloud::PolicyTroubleshooter::Iam::V3::DenyRuleExplanation::AnnotatedDenyPrincipalMatching]
666
+ class ExceptionPrincipalsEntry
667
+ include ::Google::Protobuf::MessageExts
668
+ extend ::Google::Protobuf::MessageExts::ClassMethods
669
+ end
670
+ end
671
+
672
+ # Explanation for how a condition affects a principal's access
673
+ # @!attribute [rw] value
674
+ # @return [::Google::Protobuf::Value]
675
+ # Value of the condition.
676
+ # @!attribute [rw] errors
677
+ # @return [::Array<::Google::Rpc::Status>]
678
+ # Any errors that prevented complete evaluation of the condition expression.
679
+ # @!attribute [rw] evaluation_states
680
+ # @return [::Array<::Google::Cloud::PolicyTroubleshooter::Iam::V3::ConditionExplanation::EvaluationState>]
681
+ # The value of each statement of the condition expression. The value can be
682
+ # `true`, `false`, or `null`. The value is `null` if the statement can't be
683
+ # evaluated.
684
+ class ConditionExplanation
685
+ include ::Google::Protobuf::MessageExts
686
+ extend ::Google::Protobuf::MessageExts::ClassMethods
687
+
688
+ # Evaluated state of a condition expression.
689
+ # @!attribute [rw] start
690
+ # @return [::Integer]
691
+ # Start position of an expression in the condition, by character.
692
+ # @!attribute [rw] end
693
+ # @return [::Integer]
694
+ # End position of an expression in the condition, by character,
695
+ # end included, for example: the end position of the first part of
696
+ # `a==b || c==d` would be 4.
697
+ # @!attribute [rw] value
698
+ # @return [::Google::Protobuf::Value]
699
+ # Value of this expression.
700
+ # @!attribute [rw] errors
701
+ # @return [::Array<::Google::Rpc::Status>]
702
+ # Any errors that prevented complete evaluation of the condition
703
+ # expression.
704
+ class EvaluationState
705
+ include ::Google::Protobuf::MessageExts
706
+ extend ::Google::Protobuf::MessageExts::ClassMethods
707
+ end
708
+ end
709
+
710
+ # Whether IAM allow policies gives the principal the permission.
711
+ module AllowAccessState
712
+ # Not specified.
713
+ ALLOW_ACCESS_STATE_UNSPECIFIED = 0
714
+
715
+ # The allow policy gives the principal the permission.
716
+ ALLOW_ACCESS_STATE_GRANTED = 1
717
+
718
+ # The allow policy doesn't give the principal the permission.
719
+ ALLOW_ACCESS_STATE_NOT_GRANTED = 2
720
+
721
+ # The allow policy gives the principal the permission if a condition
722
+ # expression evaluate to `true`. However, the sender of the request didn't
723
+ # provide enough context for Policy Troubleshooter to evaluate the condition
724
+ # expression.
725
+ ALLOW_ACCESS_STATE_UNKNOWN_CONDITIONAL = 3
726
+
727
+ # The sender of the request doesn't have access to all of the allow policies
728
+ # that Policy Troubleshooter needs to evaluate the principal's access.
729
+ ALLOW_ACCESS_STATE_UNKNOWN_INFO = 4
730
+ end
731
+
732
+ # Whether IAM deny policies deny the principal the permission.
733
+ module DenyAccessState
734
+ # Not specified.
735
+ DENY_ACCESS_STATE_UNSPECIFIED = 0
736
+
737
+ # The deny policy denies the principal the permission.
738
+ DENY_ACCESS_STATE_DENIED = 1
739
+
740
+ # The deny policy doesn't deny the principal the permission.
741
+ DENY_ACCESS_STATE_NOT_DENIED = 2
742
+
743
+ # The deny policy denies the principal the permission if a condition
744
+ # expression evaluates to `true`. However, the sender of the request didn't
745
+ # provide enough context for Policy Troubleshooter to evaluate the condition
746
+ # expression.
747
+ DENY_ACCESS_STATE_UNKNOWN_CONDITIONAL = 3
748
+
749
+ # The sender of the request does not have access to all of the deny policies
750
+ # that Policy Troubleshooter needs to evaluate the principal's access.
751
+ DENY_ACCESS_STATE_UNKNOWN_INFO = 4
752
+ end
753
+
754
+ # Whether a role includes a specific permission.
755
+ module RolePermissionInclusionState
756
+ # Not specified.
757
+ ROLE_PERMISSION_INCLUSION_STATE_UNSPECIFIED = 0
758
+
759
+ # The permission is included in the role.
760
+ ROLE_PERMISSION_INCLUDED = 1
761
+
762
+ # The permission is not included in the role.
763
+ ROLE_PERMISSION_NOT_INCLUDED = 2
764
+
765
+ # The sender of the request is not allowed to access the role definition.
766
+ ROLE_PERMISSION_UNKNOWN_INFO = 3
767
+ end
768
+
769
+ # Whether the permission in the request matches the permission in the policy.
770
+ module PermissionPatternMatchingState
771
+ # Not specified.
772
+ PERMISSION_PATTERN_MATCHING_STATE_UNSPECIFIED = 0
773
+
774
+ # The permission in the request matches the permission in the policy.
775
+ PERMISSION_PATTERN_MATCHED = 1
776
+
777
+ # The permission in the request matches the permission in the policy.
778
+ PERMISSION_PATTERN_NOT_MATCHED = 2
779
+ end
780
+
781
+ # Whether the principal in the request matches the principal in the policy.
782
+ module MembershipMatchingState
783
+ # Not specified.
784
+ MEMBERSHIP_MATCHING_STATE_UNSPECIFIED = 0
785
+
786
+ # The principal in the request matches the principal in the policy. The
787
+ # principal can be included directly or indirectly:
788
+ #
789
+ # * A principal is included directly if that principal is listed in the
790
+ # role binding.
791
+ # * A principal is included indirectly if that principal is in a Google
792
+ # group, Google Workspace account, or Cloud Identity domain that is listed
793
+ # in the policy.
794
+ MEMBERSHIP_MATCHED = 1
795
+
796
+ # The principal in the request doesn't match the principal in the policy.
797
+ MEMBERSHIP_NOT_MATCHED = 2
798
+
799
+ # The principal in the policy is a group or domain, and the sender of the
800
+ # request doesn't have permission to view whether the principal in the
801
+ # request is a member of the group or domain.
802
+ MEMBERSHIP_UNKNOWN_INFO = 3
803
+
804
+ # The principal is an unsupported type.
805
+ MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
806
+ end
807
+
808
+ # The extent to which a single data point contributes to an overall
809
+ # determination.
810
+ module HeuristicRelevance
811
+ # Not specified.
812
+ HEURISTIC_RELEVANCE_UNSPECIFIED = 0
813
+
814
+ # The data point has a limited effect on the result. Changing the data point
815
+ # is unlikely to affect the overall determination.
816
+ HEURISTIC_RELEVANCE_NORMAL = 1
817
+
818
+ # The data point has a strong effect on the result. Changing the data point
819
+ # is likely to affect the overall determination.
820
+ HEURISTIC_RELEVANCE_HIGH = 2
821
+ end
822
+ end
823
+ end
824
+ end
825
+ end
826
+ end