google-cloud-policy_troubleshooter-iam-v3 0.a → 0.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (34) hide show
  1. checksums.yaml +4 -4
  2. data/.yardopts +12 -0
  3. data/AUTHENTICATION.md +149 -0
  4. data/README.md +144 -8
  5. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/client.rb +400 -0
  6. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/credentials.rb +49 -0
  7. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/rest/client.rb +372 -0
  8. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/rest/service_stub.rb +108 -0
  9. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter/rest.rb +55 -0
  10. data/lib/google/cloud/policy_troubleshooter/iam/v3/policy_troubleshooter.rb +58 -0
  11. data/lib/google/cloud/policy_troubleshooter/iam/v3/rest.rb +39 -0
  12. data/lib/google/cloud/policy_troubleshooter/iam/v3/version.rb +7 -2
  13. data/lib/google/cloud/policy_troubleshooter/iam/v3.rb +47 -0
  14. data/lib/google/cloud/policytroubleshooter/iam/v3/troubleshooter_pb.rb +86 -0
  15. data/lib/google/cloud/policytroubleshooter/iam/v3/troubleshooter_services_pb.rb +51 -0
  16. data/lib/google-cloud-policy_troubleshooter-iam-v3.rb +21 -0
  17. data/proto_docs/README.md +4 -0
  18. data/proto_docs/google/api/client.rb +381 -0
  19. data/proto_docs/google/api/field_behavior.rb +85 -0
  20. data/proto_docs/google/api/launch_stage.rb +71 -0
  21. data/proto_docs/google/api/resource.rb +222 -0
  22. data/proto_docs/google/cloud/policytroubleshooter/iam/v3/troubleshooter.rb +826 -0
  23. data/proto_docs/google/iam/v1/policy.rb +426 -0
  24. data/proto_docs/google/iam/v2/deny.rb +110 -0
  25. data/proto_docs/google/iam/v2/policy.rb +241 -0
  26. data/proto_docs/google/longrunning/operations.rb +164 -0
  27. data/proto_docs/google/protobuf/any.rb +144 -0
  28. data/proto_docs/google/protobuf/duration.rb +98 -0
  29. data/proto_docs/google/protobuf/empty.rb +34 -0
  30. data/proto_docs/google/protobuf/struct.rb +96 -0
  31. data/proto_docs/google/protobuf/timestamp.rb +127 -0
  32. data/proto_docs/google/rpc/status.rb +48 -0
  33. data/proto_docs/google/type/expr.rb +75 -0
  34. metadata +229 -13
@@ -0,0 +1,426 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2023 Google LLC
4
+ #
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
8
+ #
9
+ # https://www.apache.org/licenses/LICENSE-2.0
10
+ #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+
17
+ # Auto-generated by gapic-generator-ruby. DO NOT EDIT!
18
+
19
+
20
+ module Google
21
+ module Iam
22
+ module V1
23
+ # An Identity and Access Management (IAM) policy, which specifies access
24
+ # controls for Google Cloud resources.
25
+ #
26
+ #
27
+ # A `Policy` is a collection of `bindings`. A `binding` binds one or more
28
+ # `members`, or principals, to a single `role`. Principals can be user
29
+ # accounts, service accounts, Google groups, and domains (such as G Suite). A
30
+ # `role` is a named list of permissions; each `role` can be an IAM predefined
31
+ # role or a user-created custom role.
32
+ #
33
+ # For some types of Google Cloud resources, a `binding` can also specify a
34
+ # `condition`, which is a logical expression that allows access to a resource
35
+ # only if the expression evaluates to `true`. A condition can add constraints
36
+ # based on attributes of the request, the resource, or both. To learn which
37
+ # resources support conditions in their IAM policies, see the
38
+ # [IAM
39
+ # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
40
+ #
41
+ # **JSON example:**
42
+ #
43
+ # ```
44
+ # {
45
+ # "bindings": [
46
+ # {
47
+ # "role": "roles/resourcemanager.organizationAdmin",
48
+ # "members": [
49
+ # "user:mike@example.com",
50
+ # "group:admins@example.com",
51
+ # "domain:google.com",
52
+ # "serviceAccount:my-project-id@appspot.gserviceaccount.com"
53
+ # ]
54
+ # },
55
+ # {
56
+ # "role": "roles/resourcemanager.organizationViewer",
57
+ # "members": [
58
+ # "user:eve@example.com"
59
+ # ],
60
+ # "condition": {
61
+ # "title": "expirable access",
62
+ # "description": "Does not grant access after Sep 2020",
63
+ # "expression": "request.time <
64
+ # timestamp('2020-10-01T00:00:00.000Z')",
65
+ # }
66
+ # }
67
+ # ],
68
+ # "etag": "BwWWja0YfJA=",
69
+ # "version": 3
70
+ # }
71
+ # ```
72
+ #
73
+ # **YAML example:**
74
+ #
75
+ # ```
76
+ # bindings:
77
+ # - members:
78
+ # - user:mike@example.com
79
+ # - group:admins@example.com
80
+ # - domain:google.com
81
+ # - serviceAccount:my-project-id@appspot.gserviceaccount.com
82
+ # role: roles/resourcemanager.organizationAdmin
83
+ # - members:
84
+ # - user:eve@example.com
85
+ # role: roles/resourcemanager.organizationViewer
86
+ # condition:
87
+ # title: expirable access
88
+ # description: Does not grant access after Sep 2020
89
+ # expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
90
+ # etag: BwWWja0YfJA=
91
+ # version: 3
92
+ # ```
93
+ #
94
+ # For a description of IAM and its features, see the
95
+ # [IAM documentation](https://cloud.google.com/iam/docs/).
96
+ # @!attribute [rw] version
97
+ # @return [::Integer]
98
+ # Specifies the format of the policy.
99
+ #
100
+ # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
101
+ # are rejected.
102
+ #
103
+ # Any operation that affects conditional role bindings must specify version
104
+ # `3`. This requirement applies to the following operations:
105
+ #
106
+ # * Getting a policy that includes a conditional role binding
107
+ # * Adding a conditional role binding to a policy
108
+ # * Changing a conditional role binding in a policy
109
+ # * Removing any role binding, with or without a condition, from a policy
110
+ # that includes conditions
111
+ #
112
+ # **Important:** If you use IAM Conditions, you must include the `etag` field
113
+ # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
114
+ # you to overwrite a version `3` policy with a version `1` policy, and all of
115
+ # the conditions in the version `3` policy are lost.
116
+ #
117
+ # If a policy does not include any conditions, operations on that policy may
118
+ # specify any valid version or leave the field unset.
119
+ #
120
+ # To learn which resources support conditions in their IAM policies, see the
121
+ # [IAM
122
+ # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
123
+ # @!attribute [rw] bindings
124
+ # @return [::Array<::Google::Iam::V1::Binding>]
125
+ # Associates a list of `members`, or principals, with a `role`. Optionally,
126
+ # may specify a `condition` that determines how and when the `bindings` are
127
+ # applied. Each of the `bindings` must contain at least one principal.
128
+ #
129
+ # The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
130
+ # of these principals can be Google groups. Each occurrence of a principal
131
+ # counts towards these limits. For example, if the `bindings` grant 50
132
+ # different roles to `user:alice@example.com`, and not to any other
133
+ # principal, then you can add another 1,450 principals to the `bindings` in
134
+ # the `Policy`.
135
+ # @!attribute [rw] audit_configs
136
+ # @return [::Array<::Google::Iam::V1::AuditConfig>]
137
+ # Specifies cloud audit logging configuration for this policy.
138
+ # @!attribute [rw] etag
139
+ # @return [::String]
140
+ # `etag` is used for optimistic concurrency control as a way to help
141
+ # prevent simultaneous updates of a policy from overwriting each other.
142
+ # It is strongly suggested that systems make use of the `etag` in the
143
+ # read-modify-write cycle to perform policy updates in order to avoid race
144
+ # conditions: An `etag` is returned in the response to `getIamPolicy`, and
145
+ # systems are expected to put that etag in the request to `setIamPolicy` to
146
+ # ensure that their change will be applied to the same version of the policy.
147
+ #
148
+ # **Important:** If you use IAM Conditions, you must include the `etag` field
149
+ # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
150
+ # you to overwrite a version `3` policy with a version `1` policy, and all of
151
+ # the conditions in the version `3` policy are lost.
152
+ class Policy
153
+ include ::Google::Protobuf::MessageExts
154
+ extend ::Google::Protobuf::MessageExts::ClassMethods
155
+ end
156
+
157
+ # Associates `members`, or principals, with a `role`.
158
+ # @!attribute [rw] role
159
+ # @return [::String]
160
+ # Role that is assigned to the list of `members`, or principals.
161
+ # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
162
+ # @!attribute [rw] members
163
+ # @return [::Array<::String>]
164
+ # Specifies the principals requesting access for a Google Cloud resource.
165
+ # `members` can have the following values:
166
+ #
167
+ # * `allUsers`: A special identifier that represents anyone who is
168
+ # on the internet; with or without a Google account.
169
+ #
170
+ # * `allAuthenticatedUsers`: A special identifier that represents anyone
171
+ # who is authenticated with a Google account or a service account.
172
+ #
173
+ # * `user:{emailid}`: An email address that represents a specific Google
174
+ # account. For example, `alice@example.com` .
175
+ #
176
+ #
177
+ # * `serviceAccount:{emailid}`: An email address that represents a service
178
+ # account. For example, `my-other-app@appspot.gserviceaccount.com`.
179
+ #
180
+ # * `group:{emailid}`: An email address that represents a Google group.
181
+ # For example, `admins@example.com`.
182
+ #
183
+ # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
184
+ # identifier) representing a user that has been recently deleted. For
185
+ # example, `alice@example.com?uid=123456789012345678901`. If the user is
186
+ # recovered, this value reverts to `user:{emailid}` and the recovered user
187
+ # retains the role in the binding.
188
+ #
189
+ # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
190
+ # unique identifier) representing a service account that has been recently
191
+ # deleted. For example,
192
+ # `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
193
+ # If the service account is undeleted, this value reverts to
194
+ # `serviceAccount:{emailid}` and the undeleted service account retains the
195
+ # role in the binding.
196
+ #
197
+ # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
198
+ # identifier) representing a Google group that has been recently
199
+ # deleted. For example, `admins@example.com?uid=123456789012345678901`. If
200
+ # the group is recovered, this value reverts to `group:{emailid}` and the
201
+ # recovered group retains the role in the binding.
202
+ #
203
+ #
204
+ # * `domain:{domain}`: The G Suite domain (primary) that represents all the
205
+ # users of that domain. For example, `google.com` or `example.com`.
206
+ # @!attribute [rw] condition
207
+ # @return [::Google::Type::Expr]
208
+ # The condition that is associated with this binding.
209
+ #
210
+ # If the condition evaluates to `true`, then this binding applies to the
211
+ # current request.
212
+ #
213
+ # If the condition evaluates to `false`, then this binding does not apply to
214
+ # the current request. However, a different role binding might grant the same
215
+ # role to one or more of the principals in this binding.
216
+ #
217
+ # To learn which resources support conditions in their IAM policies, see the
218
+ # [IAM
219
+ # documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
220
+ class Binding
221
+ include ::Google::Protobuf::MessageExts
222
+ extend ::Google::Protobuf::MessageExts::ClassMethods
223
+ end
224
+
225
+ # Specifies the audit configuration for a service.
226
+ # The configuration determines which permission types are logged, and what
227
+ # identities, if any, are exempted from logging.
228
+ # An AuditConfig must have one or more AuditLogConfigs.
229
+ #
230
+ # If there are AuditConfigs for both `allServices` and a specific service,
231
+ # the union of the two AuditConfigs is used for that service: the log_types
232
+ # specified in each AuditConfig are enabled, and the exempted_members in each
233
+ # AuditLogConfig are exempted.
234
+ #
235
+ # Example Policy with multiple AuditConfigs:
236
+ #
237
+ # {
238
+ # "audit_configs": [
239
+ # {
240
+ # "service": "allServices",
241
+ # "audit_log_configs": [
242
+ # {
243
+ # "log_type": "DATA_READ",
244
+ # "exempted_members": [
245
+ # "user:jose@example.com"
246
+ # ]
247
+ # },
248
+ # {
249
+ # "log_type": "DATA_WRITE"
250
+ # },
251
+ # {
252
+ # "log_type": "ADMIN_READ"
253
+ # }
254
+ # ]
255
+ # },
256
+ # {
257
+ # "service": "sampleservice.googleapis.com",
258
+ # "audit_log_configs": [
259
+ # {
260
+ # "log_type": "DATA_READ"
261
+ # },
262
+ # {
263
+ # "log_type": "DATA_WRITE",
264
+ # "exempted_members": [
265
+ # "user:aliya@example.com"
266
+ # ]
267
+ # }
268
+ # ]
269
+ # }
270
+ # ]
271
+ # }
272
+ #
273
+ # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
274
+ # logging. It also exempts `jose@example.com` from DATA_READ logging, and
275
+ # `aliya@example.com` from DATA_WRITE logging.
276
+ # @!attribute [rw] service
277
+ # @return [::String]
278
+ # Specifies a service that will be enabled for audit logging.
279
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
280
+ # `allServices` is a special value that covers all services.
281
+ # @!attribute [rw] audit_log_configs
282
+ # @return [::Array<::Google::Iam::V1::AuditLogConfig>]
283
+ # The configuration for logging of each type of permission.
284
+ class AuditConfig
285
+ include ::Google::Protobuf::MessageExts
286
+ extend ::Google::Protobuf::MessageExts::ClassMethods
287
+ end
288
+
289
+ # Provides the configuration for logging a type of permissions.
290
+ # Example:
291
+ #
292
+ # {
293
+ # "audit_log_configs": [
294
+ # {
295
+ # "log_type": "DATA_READ",
296
+ # "exempted_members": [
297
+ # "user:jose@example.com"
298
+ # ]
299
+ # },
300
+ # {
301
+ # "log_type": "DATA_WRITE"
302
+ # }
303
+ # ]
304
+ # }
305
+ #
306
+ # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
307
+ # jose@example.com from DATA_READ logging.
308
+ # @!attribute [rw] log_type
309
+ # @return [::Google::Iam::V1::AuditLogConfig::LogType]
310
+ # The log type that this config enables.
311
+ # @!attribute [rw] exempted_members
312
+ # @return [::Array<::String>]
313
+ # Specifies the identities that do not cause logging for this type of
314
+ # permission.
315
+ # Follows the same format of
316
+ # {::Google::Iam::V1::Binding#members Binding.members}.
317
+ class AuditLogConfig
318
+ include ::Google::Protobuf::MessageExts
319
+ extend ::Google::Protobuf::MessageExts::ClassMethods
320
+
321
+ # The list of valid permission types for which logging can be configured.
322
+ # Admin writes are always logged, and are not configurable.
323
+ module LogType
324
+ # Default case. Should never be this.
325
+ LOG_TYPE_UNSPECIFIED = 0
326
+
327
+ # Admin reads. Example: CloudIAM getIamPolicy
328
+ ADMIN_READ = 1
329
+
330
+ # Data writes. Example: CloudSQL Users create
331
+ DATA_WRITE = 2
332
+
333
+ # Data reads. Example: CloudSQL Users list
334
+ DATA_READ = 3
335
+ end
336
+ end
337
+
338
+ # The difference delta between two policies.
339
+ # @!attribute [rw] binding_deltas
340
+ # @return [::Array<::Google::Iam::V1::BindingDelta>]
341
+ # The delta for Bindings between two policies.
342
+ # @!attribute [rw] audit_config_deltas
343
+ # @return [::Array<::Google::Iam::V1::AuditConfigDelta>]
344
+ # The delta for AuditConfigs between two policies.
345
+ class PolicyDelta
346
+ include ::Google::Protobuf::MessageExts
347
+ extend ::Google::Protobuf::MessageExts::ClassMethods
348
+ end
349
+
350
+ # One delta entry for Binding. Each individual change (only one member in each
351
+ # entry) to a binding will be a separate entry.
352
+ # @!attribute [rw] action
353
+ # @return [::Google::Iam::V1::BindingDelta::Action]
354
+ # The action that was performed on a Binding.
355
+ # Required
356
+ # @!attribute [rw] role
357
+ # @return [::String]
358
+ # Role that is assigned to `members`.
359
+ # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
360
+ # Required
361
+ # @!attribute [rw] member
362
+ # @return [::String]
363
+ # A single identity requesting access for a Google Cloud resource.
364
+ # Follows the same format of Binding.members.
365
+ # Required
366
+ # @!attribute [rw] condition
367
+ # @return [::Google::Type::Expr]
368
+ # The condition that is associated with this binding.
369
+ class BindingDelta
370
+ include ::Google::Protobuf::MessageExts
371
+ extend ::Google::Protobuf::MessageExts::ClassMethods
372
+
373
+ # The type of action performed on a Binding in a policy.
374
+ module Action
375
+ # Unspecified.
376
+ ACTION_UNSPECIFIED = 0
377
+
378
+ # Addition of a Binding.
379
+ ADD = 1
380
+
381
+ # Removal of a Binding.
382
+ REMOVE = 2
383
+ end
384
+ end
385
+
386
+ # One delta entry for AuditConfig. Each individual change (only one
387
+ # exempted_member in each entry) to a AuditConfig will be a separate entry.
388
+ # @!attribute [rw] action
389
+ # @return [::Google::Iam::V1::AuditConfigDelta::Action]
390
+ # The action that was performed on an audit configuration in a policy.
391
+ # Required
392
+ # @!attribute [rw] service
393
+ # @return [::String]
394
+ # Specifies a service that was configured for Cloud Audit Logging.
395
+ # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
396
+ # `allServices` is a special value that covers all services.
397
+ # Required
398
+ # @!attribute [rw] exempted_member
399
+ # @return [::String]
400
+ # A single identity that is exempted from "data access" audit
401
+ # logging for the `service` specified above.
402
+ # Follows the same format of Binding.members.
403
+ # @!attribute [rw] log_type
404
+ # @return [::String]
405
+ # Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
406
+ # enabled, and cannot be configured.
407
+ # Required
408
+ class AuditConfigDelta
409
+ include ::Google::Protobuf::MessageExts
410
+ extend ::Google::Protobuf::MessageExts::ClassMethods
411
+
412
+ # The type of action performed on an audit configuration in a policy.
413
+ module Action
414
+ # Unspecified.
415
+ ACTION_UNSPECIFIED = 0
416
+
417
+ # Addition of an audit configuration.
418
+ ADD = 1
419
+
420
+ # Removal of an audit configuration.
421
+ REMOVE = 2
422
+ end
423
+ end
424
+ end
425
+ end
426
+ end
@@ -0,0 +1,110 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2023 Google LLC
4
+ #
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
8
+ #
9
+ # https://www.apache.org/licenses/LICENSE-2.0
10
+ #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+
17
+ # Auto-generated by gapic-generator-ruby. DO NOT EDIT!
18
+
19
+
20
+ module Google
21
+ module Iam
22
+ module V2
23
+ # A deny rule in an IAM deny policy.
24
+ # @!attribute [rw] denied_principals
25
+ # @return [::Array<::String>]
26
+ # The identities that are prevented from using one or more permissions on
27
+ # Google Cloud resources. This field can contain the following values:
28
+ #
29
+ # * `principalSet://goog/public:all`: A special identifier that represents
30
+ # any principal that is on the internet, even if they do not have a Google
31
+ # Account or are not logged in.
32
+ #
33
+ # * `principal://goog/subject/{email_id}`: A specific Google Account.
34
+ # Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
35
+ # example, `principal://goog/subject/alice@example.com`.
36
+ #
37
+ # * `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
38
+ # Google Account that was deleted recently. For example,
39
+ # `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
40
+ # the Google Account is recovered, this identifier reverts to the standard
41
+ # identifier for a Google Account.
42
+ #
43
+ # * `principalSet://goog/group/{group_id}`: A Google group. For example,
44
+ # `principalSet://goog/group/admins@example.com`.
45
+ #
46
+ # * `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
47
+ # that was deleted recently. For example,
48
+ # `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If
49
+ # the Google group is restored, this identifier reverts to the standard
50
+ # identifier for a Google group.
51
+ #
52
+ # * `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
53
+ # A Google Cloud service account. For example,
54
+ # `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
55
+ #
56
+ # * `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
57
+ # A Google Cloud service account that was deleted recently. For example,
58
+ # `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
59
+ # If the service account is undeleted, this identifier reverts to the
60
+ # standard identifier for a service account.
61
+ #
62
+ # * `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
63
+ # principals associated with the specified Google Workspace or Cloud
64
+ # Identity customer ID. For example,
65
+ # `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
66
+ # @!attribute [rw] exception_principals
67
+ # @return [::Array<::String>]
68
+ # The identities that are excluded from the deny rule, even if they are
69
+ # listed in the `denied_principals`. For example, you could add a Google
70
+ # group to the `denied_principals`, then exclude specific users who belong to
71
+ # that group.
72
+ #
73
+ # This field can contain the same values as the `denied_principals` field,
74
+ # excluding `principalSet://goog/public:all`, which represents all users on
75
+ # the internet.
76
+ # @!attribute [rw] denied_permissions
77
+ # @return [::Array<::String>]
78
+ # The permissions that are explicitly denied by this rule. Each permission
79
+ # uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}`
80
+ # is the fully qualified domain name for the service. For example,
81
+ # `iam.googleapis.com/roles.list`.
82
+ # @!attribute [rw] exception_permissions
83
+ # @return [::Array<::String>]
84
+ # Specifies the permissions that this rule excludes from the set of denied
85
+ # permissions given by `denied_permissions`. If a permission appears in
86
+ # `denied_permissions` _and_ in `exception_permissions` then it will _not_ be
87
+ # denied.
88
+ #
89
+ # The excluded permissions can be specified using the same syntax as
90
+ # `denied_permissions`.
91
+ # @!attribute [rw] denial_condition
92
+ # @return [::Google::Type::Expr]
93
+ # The condition that determines whether this deny rule applies to a request.
94
+ # If the condition expression evaluates to `true`, then the deny rule is
95
+ # applied; otherwise, the deny rule is not applied.
96
+ #
97
+ # Each deny rule is evaluated independently. If this deny rule does not apply
98
+ # to a request, other deny rules might still apply.
99
+ #
100
+ # The condition can use CEL functions that evaluate
101
+ # [resource
102
+ # tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other
103
+ # functions and operators are not supported.
104
+ class DenyRule
105
+ include ::Google::Protobuf::MessageExts
106
+ extend ::Google::Protobuf::MessageExts::ClassMethods
107
+ end
108
+ end
109
+ end
110
+ end