google-identity-access_context_manager-v1 0.1.0

Files changed (38) hide show
  1. checksums.yaml +7 -0
  2. data/.yardopts +12 -0
  3. data/AUTHENTICATION.md +167 -0
  4. data/LICENSE.md +201 -0
  5. data/README.md +139 -0
  6. data/lib/google/identity/access_context_manager/v1/access_context_manager/client.rb +2358 -0
  7. data/lib/google/identity/access_context_manager/v1/access_context_manager/credentials.rb +47 -0
  8. data/lib/google/identity/access_context_manager/v1/access_context_manager/operations.rb +664 -0
  9. data/lib/google/identity/access_context_manager/v1/access_context_manager/paths.rb +112 -0
  10. data/lib/google/identity/access_context_manager/v1/access_context_manager.rb +60 -0
  11. data/lib/google/identity/access_context_manager/v1/version.rb +28 -0
  12. data/lib/google/identity/access_context_manager/v1.rb +38 -0
  13. data/lib/google/identity/accesscontextmanager/type/device_resources_pb.rb +43 -0
  14. data/lib/google/identity/accesscontextmanager/v1/access_context_manager_pb.rb +182 -0
  15. data/lib/google/identity/accesscontextmanager/v1/access_context_manager_services_pb.rb +224 -0
  16. data/lib/google/identity/accesscontextmanager/v1/access_level_pb.rb +73 -0
  17. data/lib/google/identity/accesscontextmanager/v1/access_policy_pb.rb +30 -0
  18. data/lib/google/identity/accesscontextmanager/v1/gcp_user_access_binding_pb.rb +27 -0
  19. data/lib/google/identity/accesscontextmanager/v1/service_perimeter_pb.rb +109 -0
  20. data/lib/google-identity-access_context_manager-v1.rb +21 -0
  21. data/proto_docs/README.md +4 -0
  22. data/proto_docs/google/api/field_behavior.rb +71 -0
  23. data/proto_docs/google/api/resource.rb +283 -0
  24. data/proto_docs/google/identity/accesscontextmanager/type/device_resources.rb +84 -0
  25. data/proto_docs/google/identity/accesscontextmanager/v1/access_context_manager.rb +539 -0
  26. data/proto_docs/google/identity/accesscontextmanager/v1/access_level.rb +197 -0
  27. data/proto_docs/google/identity/accesscontextmanager/v1/access_policy.rb +60 -0
  28. data/proto_docs/google/identity/accesscontextmanager/v1/gcp_user_access_binding.rb +55 -0
  29. data/proto_docs/google/identity/accesscontextmanager/v1/service_perimeter.rb +484 -0
  30. data/proto_docs/google/longrunning/operations.rb +164 -0
  31. data/proto_docs/google/protobuf/any.rb +141 -0
  32. data/proto_docs/google/protobuf/duration.rb +98 -0
  33. data/proto_docs/google/protobuf/empty.rb +36 -0
  34. data/proto_docs/google/protobuf/field_mask.rb +229 -0
  35. data/proto_docs/google/protobuf/timestamp.rb +129 -0
  36. data/proto_docs/google/rpc/status.rb +46 -0
  37. data/proto_docs/google/type/expr.rb +75 -0
  38. metadata +228 -0
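--- a/data/proto_docs/google/identity/accesscontextmanager/v1/service_perimeter.rb
+++ b/data/proto_docs/google/identity/accesscontextmanager/v1/service_perimeter.rb
@@ -0,0 +1,484 @@
+ # frozen_string_literal: true
+
+ # Copyright 2021 Google LLC
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+ # Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+ module Google
+ module Identity
+ module AccessContextManager
+ module V1
+ # `ServicePerimeter` describes a set of Google Cloud resources which can freely
+ # import and export data amongst themselves, but not export outside of the
+ # `ServicePerimeter`. If a request with a source within this `ServicePerimeter`
+ # has a target outside of the `ServicePerimeter`, the request will be blocked.
+ # Otherwise the request is allowed. There are two types of Service Perimeter -
+ # Regular and Bridge. Regular Service Perimeters cannot overlap, a single
+ # Google Cloud project can only belong to a single regular Service Perimeter.
+ # Service Perimeter Bridges can contain only Google Cloud projects as members,
+ # a single Google Cloud project may belong to multiple Service Perimeter
+ # Bridges.
+ # @!attribute [rw] name
+ # @return [::String]
+ # Required. Resource name for the ServicePerimeter. The `short_name`
+ # component must begin with a letter and only include alphanumeric and '_'.
+ # Format:
+ # `accessPolicies/{access_policy}/servicePerimeters/{service_perimeter}`
+ # @!attribute [rw] title
+ # @return [::String]
+ # Human readable title. Must be unique within the Policy.
+ # @!attribute [rw] description
+ # @return [::String]
+ # Description of the `ServicePerimeter` and its use. Does not affect
+ # behavior.
+ # @!attribute [rw] create_time
+ # @return [::Google::Protobuf::Timestamp]
+ # Output only. Time the `ServicePerimeter` was created in UTC.
+ # @!attribute [rw] update_time
+ # @return [::Google::Protobuf::Timestamp]
+ # Output only. Time the `ServicePerimeter` was updated in UTC.
+ # @!attribute [rw] perimeter_type
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeter::PerimeterType]
+ # Perimeter type indicator. A single project is
+ # allowed to be a member of single regular perimeter, but multiple service
+ # perimeter bridges. A project cannot be a included in a perimeter bridge
+ # without being included in regular perimeter. For perimeter bridges,
+ # the restricted service list as well as access level lists must be
+ # empty.
+ # @!attribute [rw] status
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig]
+ # Current ServicePerimeter configuration. Specifies sets of resources,
+ # restricted services and access levels that determine perimeter
+ # content and boundaries.
+ # @!attribute [rw] spec
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig]
+ # Proposed (or dry run) ServicePerimeter configuration. This configuration
+ # allows to specify and test ServicePerimeter configuration without enforcing
+ # actual access restrictions. Only allowed to be set when the
+ # "use_explicit_dry_run_spec" flag is set.
+ # @!attribute [rw] use_explicit_dry_run_spec
+ # @return [::Boolean]
+ # Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly
+ # exists for all Service Perimeters, and that spec is identical to the
+ # status for those Service Perimeters. When this flag is set, it inhibits the
+ # generation of the implicit spec, thereby allowing the user to explicitly
+ # provide a configuration ("spec") to use in a dry-run version of the Service
+ # Perimeter. This allows the user to test changes to the enforced config
+ # ("status") without actually enforcing them. This testing is done through
+ # analyzing the differences between currently enforced and suggested
+ # restrictions. use_explicit_dry_run_spec must bet set to True if any of the
+ # fields in the spec are set to non-default values.
+ class ServicePerimeter
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+
+ # Specifies the type of the Perimeter. There are two types: regular and
+ # bridge. Regular Service Perimeter contains resources, access levels, and
+ # restricted services. Every resource can be in at most ONE
+ # regular Service Perimeter.
+ #
+ # In addition to being in a regular service perimeter, a resource can also
+ # be in zero or more perimeter bridges. A perimeter bridge only contains
+ # resources. Cross project operations are permitted if all effected
+ # resources share some perimeter (whether bridge or regular). Perimeter
+ # Bridge does not contain access levels or services: those are governed
+ # entirely by the regular perimeter that resource is in.
+ #
+ # Perimeter Bridges are typically useful when building more complex toplogies
+ # with many independent perimeters that need to share some data with a common
+ # perimeter, but should not be able to share data among themselves.
+ module PerimeterType
+ # Regular Perimeter.
+ PERIMETER_TYPE_REGULAR = 0
+
+ # Perimeter Bridge.
+ PERIMETER_TYPE_BRIDGE = 1
+ end
+ end
+
+ # `ServicePerimeterConfig` specifies a set of Google Cloud resources that
+ # describe specific Service Perimeter configuration.
+ # @!attribute [rw] resources
+ # @return [::Array<::String>]
+ # A list of Google Cloud resources that are inside of the service perimeter.
+ # Currently only projects are allowed. Format: `projects/{project_number}`
+ # @!attribute [rw] access_levels
+ # @return [::Array<::String>]
+ # A list of `AccessLevel` resource names that allow resources within the
+ # `ServicePerimeter` to be accessed from the internet. `AccessLevels` listed
+ # must be in the same policy as this `ServicePerimeter`. Referencing a
+ # nonexistent `AccessLevel` is a syntax error. If no `AccessLevel` names are
+ # listed, resources within the perimeter can only be accessed via Google
+ # Cloud calls with request origins within the perimeter. Example:
+ # `"accessPolicies/MY_POLICY/accessLevels/MY_LEVEL"`.
+ # For Service Perimeter Bridge, must be empty.
+ # @!attribute [rw] restricted_services
+ # @return [::Array<::String>]
+ # Google Cloud services that are subject to the Service Perimeter
+ # restrictions. For example, if `storage.googleapis.com` is specified, access
+ # to the storage buckets inside the perimeter must meet the perimeter's
+ # access restrictions.
+ # @!attribute [rw] vpc_accessible_services
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::VpcAccessibleServices]
+ # Configuration for APIs allowed within Perimeter.
+ # @!attribute [rw] ingress_policies
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressPolicy>]
+ # List of [IngressPolicies]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # to apply to the perimeter. A perimeter may have multiple [IngressPolicies]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy],
+ # each of which is evaluated separately. Access is granted if any [Ingress
+ # Policy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # grants it. Must be empty for a perimeter bridge.
+ # @!attribute [rw] egress_policies
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressPolicy>]
+ # List of [EgressPolicies]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # to apply to the perimeter. A perimeter may have multiple [EgressPolicies]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy],
+ # each of which is evaluated separately. Access is granted if any
+ # [EgressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # grants it. Must be empty for a perimeter bridge.
+ class ServicePerimeterConfig
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+
+ # Specifies how APIs are allowed to communicate within the Service
+ # Perimeter.
+ # @!attribute [rw] enable_restriction
+ # @return [::Boolean]
+ # Whether to restrict API calls within the Service Perimeter to the list of
+ # APIs specified in 'allowed_services'.
+ # @!attribute [rw] allowed_services
+ # @return [::Array<::String>]
+ # The list of APIs usable within the Service Perimeter. Must be empty
+ # unless 'enable_restriction' is True. You can specify a list of individual
+ # services, as well as include the 'RESTRICTED-SERVICES' value, which
+ # automatically includes all of the services protected by the perimeter.
+ class VpcAccessibleServices
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # An allowed method or permission of a service specified in [ApiOperation]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
+ # @!attribute [rw] method
+ # @return [::String]
+ # Value for `method` should be a valid method name for the corresponding
+ # `service_name` in [ApiOperation]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
+ # If `*` used as value for `method`, then ALL methods and permissions are
+ # allowed.
+ # @!attribute [rw] permission
+ # @return [::String]
+ # Value for `permission` should be a valid Cloud IAM permission for the
+ # corresponding `service_name` in [ApiOperation]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].
+ class MethodSelector
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # Identification for an API Operation.
+ # @!attribute [rw] service_name
+ # @return [::String]
+ # The name of the API whose methods or permissions the [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # or [EgressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # want to allow. A single [ApiOperation]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ # with `service_name` field set to `*` will allow all methods AND
+ # permissions for all services.
+ # @!attribute [rw] method_selectors
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::MethodSelector>]
+ # API methods or permissions to allow. Method or permission must belong to
+ # the service specified by `service_name` field. A single [MethodSelector]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.MethodSelector]
+ # entry with `*` specified for the `method` field will allow all methods
+ # AND permissions for the service specified in `service_name`.
+ class ApiOperation
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # The source that [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # authorizes access from.
+ # @!attribute [rw] access_level
+ # @return [::String]
+ # An [AccessLevel]
+ # [google.identity.accesscontextmanager.v1.AccessLevel] resource
+ # name that allow resources within the [ServicePerimeters]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] to be
+ # accessed from the internet. [AccessLevels]
+ # [google.identity.accesscontextmanager.v1.AccessLevel] listed must
+ # be in the same policy as this [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ # Referencing a nonexistent [AccessLevel]
+ # [google.identity.accesscontextmanager.v1.AccessLevel] will cause
+ # an error. If no [AccessLevel]
+ # [google.identity.accesscontextmanager.v1.AccessLevel] names are
+ # listed, resources within the perimeter can only be accessed via Google
+ # Cloud calls with request origins within the perimeter. Example:
+ # `accessPolicies/MY_POLICY/accessLevels/MY_LEVEL`. If a single `*` is
+ # specified for `access_level`, then all [IngressSources]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressSource]
+ # will be allowed.
+ # @!attribute [rw] resource
+ # @return [::String]
+ # A Google Cloud resource that is allowed to ingress the perimeter.
+ # Requests from these resources will be allowed to access perimeter data.
+ # Currently only projects are allowed.
+ # Format: `projects/{project_number}`
+ # The project may be in any Google Cloud organization, not just the
+ # organization that the perimeter is defined in. `*` is not allowed, the
+ # case of allowing all Google Cloud resources only is not supported.
+ class IngressSource
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # Defines the conditions under which an [EgressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # matches a request. Conditions are based on information about the
+ # [ApiOperation]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ # intended to be performed on the `resources` specified. Note that if the
+ # destination of the request is also protected by a [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+ # [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+ # an [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # which allows access in order for this request to succeed. The request must
+ # match `operations` AND `resources` fields in order to be allowed egress out
+ # of the perimeter.
+ # @!attribute [rw] resources
+ # @return [::Array<::String>]
+ # A list of resources, currently only projects in the form
+ # `projects/<projectnumber>`, that are allowed to be accessed by sources
+ # defined in the corresponding [EgressFrom]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+ # A request matches if it contains a resource in this list. If `*` is
+ # specified for `resources`, then this [EgressTo]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo]
+ # rule will authorize access to all resources outside the perimeter.
+ # @!attribute [rw] operations
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
+ # A list of [ApiOperations]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ # allowed to be performed by the sources specified in the corresponding
+ # [EgressFrom]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom].
+ # A request matches if it uses an operation/service in this list.
+ class EgressTo
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # Defines the conditions under which an [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # matches a request. Conditions are based on information about the source of
+ # the request. The request must satisfy what is defined in `sources` AND
+ # identity related fields in order to match.
+ # @!attribute [rw] sources
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressSource>]
+ # Sources that this [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # authorizes access from.
+ # @!attribute [rw] identities
+ # @return [::Array<::String>]
+ # A list of identities that are allowed access through this ingress
+ # policy. Should be in the format of email address. The email address
+ # should represent individual user or service account only.
+ # @!attribute [rw] identity_type
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
+ # Specifies the type of identities that are allowed access from outside the
+ # perimeter. If left unspecified, then members of `identities` field will
+ # be allowed access.
+ class IngressFrom
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # Defines the conditions under which an [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # matches a request. Conditions are based on information about the
+ # [ApiOperation]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ # intended to be performed on the target resource of the request. The request
+ # must satisfy what is defined in `operations` AND `resources` in order to
+ # match.
+ # @!attribute [rw] operations
+ # @return [::Array<::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::ApiOperation>]
+ # A list of [ApiOperations]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ # allowed to be performed by the sources specified in corresponding
+ # [IngressFrom]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+ # in this [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ # @!attribute [rw] resources
+ # @return [::Array<::String>]
+ # A list of resources, currently only projects in the form
+ # `projects/<projectnumber>`, protected by this [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] that are
+ # allowed to be accessed by sources defined in the corresponding
+ # [IngressFrom]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom].
+ # If a single `*` is specified, then access to all resources inside the
+ # perimeter are allowed.
+ class IngressTo
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # Policy for ingress into [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter].
+ #
+ # [IngressPolicies]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # match requests based on `ingress_from` and `ingress_to` stanzas. For an
+ # ingress policy to match, both the `ingress_from` and `ingress_to` stanzas
+ # must be matched. If an [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # matches a request, the request is allowed through the perimeter boundary
+ # from outside the perimeter.
+ #
+ # For example, access from the internet can be allowed either
+ # based on an [AccessLevel]
+ # [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic
+ # hosted on Google Cloud, the project of the source network. For access from
+ # private networks, using the project of the hosting network is required.
+ #
+ # Individual ingress policies can be limited by restricting which
+ # services and/or actions they match using the `ingress_to` field.
+ # @!attribute [rw] ingress_from
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressFrom]
+ # Defines the conditions on the source of a request causing this
+ # [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # to apply.
+ # @!attribute [rw] ingress_to
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IngressTo]
+ # Defines the conditions on the [ApiOperation]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ # and request destination that cause this [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # to apply.
+ class IngressPolicy
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # Policy for egress from perimeter.
+ #
+ # [EgressPolicies]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # match requests based on `egress_from` and `egress_to` stanzas. For an
+ # [EgressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # to match, both `egress_from` and `egress_to` stanzas must be matched. If an
+ # [EgressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # matches a request, the request is allowed to span the [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary.
+ # For example, an [EgressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # can be used to allow VMs on networks within the [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a
+ # defined set of projects outside the perimeter in certain contexts (e.g. to
+ # read data from a Cloud Storage bucket or query against a BigQuery dataset).
+ #
+ # [EgressPolicies]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # are concerned with the *resources* that a request relates as well as the
+ # API services and API actions being used. They do not related to the
+ # direction of data movement. More detailed documentation for this concept
+ # can be found in the descriptions of [EgressFrom]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
+ # and [EgressTo]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].
+ # @!attribute [rw] egress_from
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressFrom]
+ # Defines conditions on the source of a request causing this [EgressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # to apply.
+ # @!attribute [rw] egress_to
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::EgressTo]
+ # Defines the conditions on the [ApiOperation]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation]
+ # and destination resources that cause this [EgressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # to apply.
+ class EgressPolicy
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # Defines the conditions under which an [EgressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy]
+ # matches a request. Conditions based on information about the source of the
+ # request. Note that if the destination of the request is also protected by a
+ # [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter], then that
+ # [ServicePerimeter]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeter] must have
+ # an [IngressPolicy]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy]
+ # which allows access in order for this request to succeed.
+ # @!attribute [rw] identities
+ # @return [::Array<::String>]
+ # A list of identities that are allowed access through this [EgressPolicy].
+ # Should be in the format of email address. The email address should
+ # represent individual user or service account only.
+ # @!attribute [rw] identity_type
+ # @return [::Google::Identity::AccessContextManager::V1::ServicePerimeterConfig::IdentityType]
+ # Specifies the type of identities that are allowed access to outside the
+ # perimeter. If left unspecified, then members of `identities` field will
+ # be allowed access.
+ class EgressFrom
+ include ::Google::Protobuf::MessageExts
+ extend ::Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # Specifies the types of identities that are allowed access in either
+ # [IngressFrom]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom]
+ # or [EgressFrom]
+ # [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom]
+ # rules.
+ module IdentityType
+ # No blanket identity group specified.
+ IDENTITY_TYPE_UNSPECIFIED = 0
+
+ # Authorize access from all identities outside the perimeter.
+ ANY_IDENTITY = 1
+
+ # Authorize access from all human users outside the perimeter.
+ ANY_USER_ACCOUNT = 2
+
+ # Authorize access from all service accounts outside the perimeter.
+ ANY_SERVICE_ACCOUNT = 3
+ end
+ end
+ end
+ end
+ end
+ end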
@@ -0,0 +1,164 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2021 Google LLC
4
+ #
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
8
+ #
9
+ # https://www.apache.org/licenses/LICENSE-2.0
10
+ #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+
17
+ # Auto-generated by gapic-generator-ruby. DO NOT EDIT!
18
+
19
+
20
+ module Google
21
+ module Longrunning
22
+ # This resource represents a long-running operation that is the result of a
23
+ # network API call.
24
+ # @!attribute [rw] name
25
+ # @return [::String]
26
+ # The server-assigned name, which is only unique within the same service that
27
+ # originally returns it. If you use the default HTTP mapping, the
28
+ # `name` should be a resource name ending with `operations/{unique_id}`.
29
+ # @!attribute [rw] metadata
30
+ # @return [::Google::Protobuf::Any]
31
+ # Service-specific metadata associated with the operation. It typically
32
+ # contains progress information and common metadata such as create time.
33
+ # Some services might not provide such metadata. Any method that returns a
34
+ # long-running operation should document the metadata type, if any.
35
+ # @!attribute [rw] done
36
+ # @return [::Boolean]
37
+ # If the value is `false`, it means the operation is still in progress.
38
+ # If `true`, the operation is completed, and either `error` or `response` is
39
+ # available.
40
+ # @!attribute [rw] error
41
+ # @return [::Google::Rpc::Status]
42
+ # The error result of the operation in case of failure or cancellation.
43
+ # @!attribute [rw] response
44
+ # @return [::Google::Protobuf::Any]
45
+ # The normal response of the operation in case of success. If the original
46
+ # method returns no data on success, such as `Delete`, the response is
47
+ # `google.protobuf.Empty`. If the original method is standard
48
+ # `Get`/`Create`/`Update`, the response should be the resource. For other
49
+ # methods, the response should have the type `XxxResponse`, where `Xxx`
50
+ # is the original method name. For example, if the original method name
51
+ # is `TakeSnapshot()`, the inferred response type is
52
+ # `TakeSnapshotResponse`.
53
+ class Operation
54
+ include ::Google::Protobuf::MessageExts
55
+ extend ::Google::Protobuf::MessageExts::ClassMethods
56
+ end
57
+
58
+ # The request message for Operations.GetOperation.
59
+ # @!attribute [rw] name
60
+ # @return [::String]
61
+ # The name of the operation resource.
62
+ class GetOperationRequest
63
+ include ::Google::Protobuf::MessageExts
64
+ extend ::Google::Protobuf::MessageExts::ClassMethods
65
+ end
66
+
67
+ # The request message for Operations.ListOperations.
68
+ # @!attribute [rw] name
69
+ # @return [::String]
70
+ # The name of the operation's parent resource.
71
+ # @!attribute [rw] filter
72
+ # @return [::String]
73
+ # The standard list filter.
74
+ # @!attribute [rw] page_size
75
+ # @return [::Integer]
76
+ # The standard list page size.
77
+ # @!attribute [rw] page_token
78
+ # @return [::String]
79
+ # The standard list page token.
80
+ class ListOperationsRequest
81
+ include ::Google::Protobuf::MessageExts
82
+ extend ::Google::Protobuf::MessageExts::ClassMethods
83
+ end
84
+
85
+ # The response message for Operations.ListOperations.
86
+ # @!attribute [rw] operations
87
+ # @return [::Array<::Google::Longrunning::Operation>]
88
+ # A list of operations that matches the specified filter in the request.
89
+ # @!attribute [rw] next_page_token
90
+ # @return [::String]
91
+ # The standard List next-page token.
92
+ class ListOperationsResponse
93
+ include ::Google::Protobuf::MessageExts
94
+ extend ::Google::Protobuf::MessageExts::ClassMethods
95
+ end
96
+
97
+ # The request message for Operations.CancelOperation.
98
+ # @!attribute [rw] name
99
+ # @return [::String]
100
+ # The name of the operation resource to be cancelled.
101
+ class CancelOperationRequest
102
+ include ::Google::Protobuf::MessageExts
103
+ extend ::Google::Protobuf::MessageExts::ClassMethods
104
+ end
105
+
106
+ # The request message for Operations.DeleteOperation.
107
+ # @!attribute [rw] name
108
+ # @return [::String]
109
+ # The name of the operation resource to be deleted.
110
+ class DeleteOperationRequest
111
+ include ::Google::Protobuf::MessageExts
112
+ extend ::Google::Protobuf::MessageExts::ClassMethods
113
+ end
114
+
115
+ # The request message for Operations.WaitOperation.
116
+ # @!attribute [rw] name
117
+ # @return [::String]
118
+ # The name of the operation resource to wait on.
119
+ # @!attribute [rw] timeout
120
+ # @return [::Google::Protobuf::Duration]
121
+ # The maximum duration to wait before timing out. If left blank, the wait
122
+ # will be at most the time permitted by the underlying HTTP/RPC protocol.
123
+ # If RPC context deadline is also specified, the shorter one will be used.
124
+ class WaitOperationRequest
125
+ include ::Google::Protobuf::MessageExts
126
+ extend ::Google::Protobuf::MessageExts::ClassMethods
127
+ end
128
+
129
+ # A message representing the message types used by a long-running operation.
130
+ #
131
+ # Example:
132
+ #
133
+ # rpc LongRunningRecognize(LongRunningRecognizeRequest)
134
+ # returns (google.longrunning.Operation) {
135
+ # option (google.longrunning.operation_info) = {
136
+ # response_type: "LongRunningRecognizeResponse"
137
+ # metadata_type: "LongRunningRecognizeMetadata"
138
+ # };
139
+ # }
140
+ # @!attribute [rw] response_type
141
+ # @return [::String]
142
+ # Required. The message name of the primary return type for this
143
+ # long-running operation.
144
+ # This type will be used to deserialize the LRO's response.
145
+ #
146
+ # If the response is in a different package from the rpc, a fully-qualified
147
+ # message name must be used (e.g. `google.protobuf.Struct`).
148
+ #
149
+ # Note: Altering this value constitutes a breaking change.
150
+ # @!attribute [rw] metadata_type
151
+ # @return [::String]
152
+ # Required. The message name of the metadata type for this long-running
153
+ # operation.
154
+ #
155
+ # If the response is in a different package from the rpc, a fully-qualified
156
+ # message name must be used (e.g. `google.protobuf.Struct`).
157
+ #
158
+ # Note: Altering this value constitutes a breaking change.
159
+ class OperationInfo
160
+ include ::Google::Protobuf::MessageExts
161
+ extend ::Google::Protobuf::MessageExts::ClassMethods
162
+ end
163
+ end
164
+ end