@maxim_mazurok/gapi.client.sts-v1beta 0.0.20220806

package/index.d.ts

@@ -0,0 +1,286 @@
+/* Type definitions for non-npm package Security Token Service API v1beta 0.0 */
+// Project: http://cloud.google.com/iam/docs/workload-identity-federation
+// Definitions by: Maxim Mazurok <https://github.com/Maxim-Mazurok>
+//                 Nick Amoscato <https://github.com/namoscato>
+//                 Declan Vong <https://github.com/declanvong>
+// Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
+// TypeScript Version: 2.8
+
+// IMPORTANT
+// This file was generated by https://github.com/Maxim-Mazurok/google-api-typings-generator. Please do not edit it manually.
+// In case of any problems please post issue to https://github.com/Maxim-Mazurok/google-api-typings-generator
+// Generated from: https://sts.googleapis.com/$discovery/rest?version=v1beta
+// Revision: 20220806
+
+/// <reference types="gapi.client" />
+
+declare namespace gapi.client {
+    /** Load Security Token Service API v1beta */
+    function load(urlOrObject: "https://sts.googleapis.com/$discovery/rest?version=v1beta"): Promise<void>;
+    /** @deprecated Please load APIs with discovery documents. */
+    function load(name: "sts", version: "v1beta"): Promise<void>;
+    /** @deprecated Please load APIs with discovery documents. */
+    function load(name: "sts", version: "v1beta", callback: () => any): void;
+
+    namespace sts {
+        interface GoogleIamV1Binding {
+            /**
+             * The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`,
+             * then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which
+             * resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+             */
+            condition?: GoogleTypeExpr;
+            /**
+             * Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on
+             * the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service
+             * account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that
+             * represents a Google service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An identifier
+             * for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example,
+             * `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. *
+             * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example,
+             * `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. *
+             * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example,
+             * `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service
+             * account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently
+             * deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in
+             * the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
+             */
+            members?: string[];
+            /** Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. */
+            role?: string;
+        }
+        interface GoogleIdentityStsV1AccessBoundary {
+            /**
+             * A list of access boundary rules which defines the upper bound of the permission a principal may carry. If multiple rules are specified, the effective access boundary is the union of
+             * all the access boundary rules attached. One access boundary can contain at most 10 rules.
+             */
+            accessBoundaryRules?: GoogleIdentityStsV1AccessBoundaryRule[];
+        }
+        interface GoogleIdentityStsV1AccessBoundaryRule {
+            /**
+             * The availability condition further constrains the access allowed by the access boundary rule. If the condition evaluates to `true`, then this access boundary rule will provide
+             * access to the specified resource, assuming the principal has the required permissions for the resource. If the condition does not evaluate to `true`, then access to the specified
+             * resource will not be available. Note that all access boundary rules in an access boundary are evaluated together as a union. As such, another access boundary rule may allow access
+             * to the resource, even if this access boundary rule does not allow access. To learn which resources support conditions in their IAM policies, see the [IAM
+             * documentation](https://cloud.google.com/iam/help/conditions/resource-policies). The maximum length of the `expression` field is 2048 characters.
+             */
+            availabilityCondition?: GoogleTypeExpr;
+            /**
+             * A list of permissions that may be allowed for use on the specified resource. The only supported values in the list are IAM roles, following the format of google.iam.v1.Binding.role.
+             * Example value: `inRole:roles/logging.viewer` for predefined roles and `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for custom roles.
+             */
+            availablePermissions?: string[];
+            /**
+             * The full resource name of a Google Cloud resource entity. The format definition is at https://cloud.google.com/apis/design/resource_names. Example value:
+             * `//cloudresourcemanager.googleapis.com/projects/my-project`.
+             */
+            availableResource?: string;
+        }
+        interface GoogleIdentityStsV1betaAccessBoundary {
+            /**
+             * A list of access boundary rules which defines the upper bound of the permission a principal may carry. If multiple rules are specified, the effective access boundary is the union of
+             * all the access boundary rules attached. One access boundary can contain at most 10 rules.
+             */
+            accessBoundaryRules?: GoogleIdentityStsV1betaAccessBoundaryRule[];
+        }
+        interface GoogleIdentityStsV1betaAccessBoundaryRule {
+            /**
+             * The availability condition further constrains the access allowed by the access boundary rule. If the condition evaluates to `true`, then this access boundary rule will provide
+             * access to the specified resource, assuming the principal has the required permissions for the resource. If the condition does not evaluate to `true`, then access to the specified
+             * resource will not be available. Note that all access boundary rules in an access boundary are evaluated together as a union. As such, another access boundary rule may allow access
+             * to the resource, even if this access boundary rule does not allow access. To learn which resources support conditions in their IAM policies, see the [IAM
+             * documentation](https://cloud.google.com/iam/help/conditions/resource-policies). The maximum length of the `expression` field is 2048 characters.
+             */
+            availabilityCondition?: GoogleTypeExpr;
+            /**
+             * A list of permissions that may be allowed for use on the specified resource. The only supported values in the list are IAM roles, following the format of google.iam.v1.Binding.role.
+             * Example value: `inRole:roles/logging.viewer` for predefined roles and `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for custom roles.
+             */
+            availablePermissions?: string[];
+            /**
+             * The full resource name of a Google Cloud resource entity. The format definition is at https://cloud.google.com/apis/design/resource_names. Example value:
+             * `//cloudresourcemanager.googleapis.com/projects/my-project`.
+             */
+            availableResource?: string;
+        }
+        interface GoogleIdentityStsV1betaExchangeTokenRequest {
+            /**
+             * The full resource name of the identity provider. For example, `//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/`. Required when exchanging an
+             * external credential for a Google access token.
+             */
+            audience?: string;
+            /** Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a token exchange. */
+            grantType?: string;
+            /**
+             * A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options. The size of the
+             * parameter value must not exceed 4096 characters.
+             */
+            options?: string;
+            /** Required. The type of security token. Must be `urn:ietf:params:oauth:token-type:access_token`, which indicates an OAuth 2.0 access token. */
+            requestedTokenType?: string;
+            /**
+             * The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a
+             * Google access token.
+             */
+            scope?: string;
+            /**
+             * Required. The input token. This token is either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google. If the token is
+             * an OIDC JWT, it must use the JWT format defined in [RFC 7523](https://tools.ietf.org/html/rfc7523), and the `subject_token_type` must be either
+             * `urn:ietf:params:oauth:token-type:jwt` or `urn:ietf:params:oauth:token-type:id_token`. The following headers are required: - `kid`: The identifier of the signing key securing the
+             * JWT. - `alg`: The cryptographic algorithm securing the JWT. Must be `RS256` or `ES256`. The following payload fields are required. For more information, see [RFC 7523, Section
+             * 3](https://tools.ietf.org/html/rfc7523#section-3): - `iss`: The issuer of the token. The issuer must provide a discovery document at the URL `/.well-known/openid-configuration`,
+             * where `` is the value of this field. The document must be formatted according to section 4.2 of the [OIDC 1.0 Discovery
+             * specification](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the
+             * past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If possible, we recommend
+             * setting an expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: For workload identity pools, this must be a value specified in the allowed
+             * audiences for the workload identity pool provider, or one of the audiences allowed by default if no audiences were specified. See
+             * https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc Example header: ``` { "alg": "RS256", "kid": "us-east-11" } ``` Example
+             * payload: ``` { "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud":
+             * "//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/my-pool/providers/my-provider", "sub": "113475438248934895348", "my_claims": {
+             * "additional_claim": "value" } } ``` If `subject_token` is for AWS, it must be a serialized `GetCallerIdentity` token. This token contains the same information as a request to the
+             * AWS [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity) method, as well as the AWS
+             * [signature](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) for the request information. Use Signature Version 4. Format the request as URL-encoded
+             * JSON, and set the `subject_token_type` parameter to `urn:ietf:params:aws:token-type:aws4_request`. The following parameters are required: - `url`: The URL of the AWS STS endpoint
+             * for `GetCallerIdentity()`, such as `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15`. Regional endpoints are also supported. - `method`: The HTTP request
+             * method: `POST`. - `headers`: The HTTP request headers, which must include: - `Authorization`: The request signature. - `x-amz-date`: The time you will send the request, formatted as
+             * an [ISO8601 Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date) string. This value is typically set to the current time and is used to help
+             * prevent replay attacks. - `host`: The hostname of the `url` field; for example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full, canonical resource name of the
+             * workload identity pool provider, with or without an `https:` prefix. To help ensure data integrity, we recommend including this header in the `SignedHeaders` field of the signed
+             * request. For example: //iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/
+             * https://iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the
+             * header `x-amz-security-token`, with the value set to the session token. The following example shows a `GetCallerIdentity` token: ``` { "headers": [ {"key": "x-amz-date", "value":
+             * "20200815T015049Z"}, {"key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature"},
+             * {"key": "x-goog-cloud-target-resource", "value": "//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/"}, {"key": "host", "value": "sts.amazonaws.com"}
+             * . ], "method": "POST", "url": "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" } ``` You can also use a Google-issued OAuth 2.0 access token with this field
+             * to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, set `subject_token_type` to
+             * `urn:ietf:params:oauth:token-type:access_token`. If an access token already contains security attributes, you cannot apply additional security attributes.
+             */
+            subjectToken?: string;
+            /**
+             * Required. An identifier that indicates the type of the security token in the `subject_token` parameter. Supported values are `urn:ietf:params:oauth:token-type:jwt`,
+             * `urn:ietf:params:oauth:token-type:id_token`, `urn:ietf:params:aws:token-type:aws4_request`, and `urn:ietf:params:oauth:token-type:access_token`.
+             */
+            subjectTokenType?: string;
+        }
+        interface GoogleIdentityStsV1betaExchangeTokenResponse {
+            /**
+             * An OAuth 2.0 security token, issued by Google, in response to the token exchange request. Tokens can vary in size, depending in part on the size of mapped claims, up to a maximum of
+             * 12288 bytes (12 KB). Google reserves the right to change the token size and the maximum length at any time.
+             */
+            access_token?: string;
+            /**
+             * The amount of time, in seconds, between the time when the access token was issued and the time when the access token will expire. This field is absent when the `subject_token` in
+             * the request is a Google-issued, short-lived access token. In this case, the access token has the same expiration time as the `subject_token`.
+             */
+            expires_in?: number;
+            /** The token type. Always matches the value of `requested_token_type` from the request. */
+            issued_token_type?: string;
+            /** The type of access token. Always has the value `Bearer`. */
+            token_type?: string;
+        }
+        interface GoogleIdentityStsV1betaOptions {
+            /**
+             * An access boundary that defines the upper bound of permissions the credential may have. The value should be a JSON object of AccessBoundary. The access boundary can include up to 10
+             * rules. The size of the parameter value should not exceed 2048 characters.
+             */
+            accessBoundary?: GoogleIdentityStsV1betaAccessBoundary;
+            /**
+             * The intended audience(s) of the credential. The audience value(s) should be the name(s) of services intended to receive the credential. Example: `["https://pubsub.googleapis.com/",
+             * "https://storage.googleapis.com/"]`. A maximum of 5 audiences can be included. For each provided audience, the maximum length is 262 characters.
+             */
+            audiences?: string[];
+            /**
+             * A Google project used for quota and billing purposes when the credential is used to access Google APIs. The provided project overrides the project bound to the credential. The value
+             * must be a project number or a project ID. Example: `my-sample-project-191923`. The maximum length is 32 characters.
+             */
+            userProject?: string;
+        }
+        interface GoogleIdentityStsV1Options {
+            /**
+             * An access boundary that defines the upper bound of permissions the credential may have. The value should be a JSON object of AccessBoundary. The access boundary can include up to 10
+             * rules. The size of the parameter value should not exceed 2048 characters.
+             */
+            accessBoundary?: GoogleIdentityStsV1AccessBoundary;
+            /**
+             * The intended audience(s) of the credential. The audience value(s) should be the name(s) of services intended to receive the credential. Example: `["https://pubsub.googleapis.com/",
+             * "https://storage.googleapis.com/"]`. A maximum of 5 audiences can be included. For each provided audience, the maximum length is 262 characters.
+             */
+            audiences?: string[];
+            /**
+             * A Google project used for quota and billing purposes when the credential is used to access Google APIs. The provided project overrides the project bound to the credential. The value
+             * must be a project number or a project ID. Example: `my-sample-project-191923`. The maximum length is 32 characters.
+             */
+            userProject?: string;
+        }
+        interface GoogleTypeExpr {
+            /** Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. */
+            description?: string;
+            /** Textual representation of an expression in Common Expression Language syntax. */
+            expression?: string;
+            /** Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. */
+            location?: string;
+            /** Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. */
+            title?: string;
+        }
+        interface V1betaResource {
+            /**
+             * Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a
+             * Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the
+             * header can cause the request to fail.
+             */
+            token(request: {
+                /** V1 error format. */
+                "$.xgafv"?: string;
+                /** OAuth access token. */
+                access_token?: string;
+                /** Data format for response. */
+                alt?: string;
+                /** JSONP */
+                callback?: string;
+                /** Selector specifying which fields to include in a partial response. */
+                fields?: string;
+                /** API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token. */
+                key?: string;
+                /** OAuth 2.0 token for the current user. */
+                oauth_token?: string;
+                /** Returns response with indentations and line breaks. */
+                prettyPrint?: boolean;
+                /** Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. */
+                quotaUser?: string;
+                /** Upload protocol for media (e.g. "raw", "multipart"). */
+                upload_protocol?: string;
+                /** Legacy upload protocol for media (e.g. "media", "multipart"). */
+                uploadType?: string;
+                /** Request body */
+                resource: GoogleIdentityStsV1betaExchangeTokenRequest;
+            }): Request<GoogleIdentityStsV1betaExchangeTokenResponse>;
+            token(request: {
+                /** V1 error format. */
+                "$.xgafv"?: string;
+                /** OAuth access token. */
+                access_token?: string;
+                /** Data format for response. */
+                alt?: string;
+                /** JSONP */
+                callback?: string;
+                /** Selector specifying which fields to include in a partial response. */
+                fields?: string;
+                /** API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token. */
+                key?: string;
+                /** OAuth 2.0 token for the current user. */
+                oauth_token?: string;
+                /** Returns response with indentations and line breaks. */
+                prettyPrint?: boolean;
+                /** Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. */
+                quotaUser?: string;
+                /** Upload protocol for media (e.g. "raw", "multipart"). */
+                upload_protocol?: string;
+                /** Legacy upload protocol for media (e.g. "media", "multipart"). */
+                uploadType?: string;
+            },
+            body: GoogleIdentityStsV1betaExchangeTokenRequest): Request<GoogleIdentityStsV1betaExchangeTokenResponse>;
+        }
+
+        const v1beta: V1betaResource;
+    }
+}

package/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "@maxim_mazurok/gapi.client.sts-v1beta",
+  "version": "0.0.20220806",
+  "description": "TypeScript typings for Security Token Service API v1beta",
+  "license": "MIT",
+  "author": {
+    "email": "maxim@mazurok.com",
+    "name": "Maxim Mazurok",
+    "url": "https://maxim.mazurok.com"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Maxim-Mazurok/google-api-typings-generator.git"
+  },
+  "types": "index.d.ts",
+  "dependencies": {
+    "@types/gapi.client": "*",
+    "@types/gapi.client.discovery": "*"
+  }
+}

package/readme.md

@@ -0,0 +1,52 @@
+# TypeScript typings for Security Token Service API v1beta
+
+The Security Token Service exchanges Google or third-party credentials for a short-lived access token to Google Cloud resources.
+For detailed description please check [documentation](http://cloud.google.com/iam/docs/workload-identity-federation).
+
+## Installing
+
+Install typings for Security Token Service API:
+
+```
+npm install @types/gapi.client.sts-v1beta --save-dev
+```
+
+## Usage
+
+You need to initialize Google API client in your code:
+
+```typescript
+gapi.load('client', () => {
+  // now we can use gapi.client
+  // ...
+});
+```
+
+Then load api client wrapper:
+
+```typescript
+gapi.client.load('https://sts.googleapis.com/$discovery/rest?version=v1beta', () => {
+  // now we can use:
+  // gapi.client.sts
+});
+```
+
+```typescript
+// Deprecated, use discovery document URL, see https://github.com/google/google-api-javascript-client/blob/master/docs/reference.md#----gapiclientloadname----version----callback--
+gapi.client.load('sts', 'v1beta', () => {
+  // now we can use:
+  // gapi.client.sts
+});
+```
+
+
+
+After that you can use Security Token Service API resources: <!-- TODO: make this work for multiple namespaces -->
+
+```typescript
+
+/*
+Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.
+*/
+await gapi.client.sts.token({  });
+```

package/tests.ts

@@ -0,0 +1,33 @@
+/* This is stub file for gapi.client.sts-v1beta definition tests */
+// IMPORTANT
+// This file was generated by https://github.com/Maxim-Mazurok/google-api-typings-generator. Please do not edit it manually.
+// In case of any problems please post issue to https://github.com/Maxim-Mazurok/google-api-typings-generator
+
+// Revision: 20220806
+
+gapi.load('client', async () => {
+    /** now we can use gapi.client */
+
+    await gapi.client.load('https://sts.googleapis.com/$discovery/rest?version=v1beta');
+    /** now we can use gapi.client.sts */
+
+    run();
+
+    async function run() {
+        /**
+         * Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a
+         * Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header
+         * can cause the request to fail.
+         */
+        await gapi.client.sts.v1beta.token({
+        }, {
+            audience: "Test string",
+            grantType: "Test string",
+            options: "Test string",
+            requestedTokenType: "Test string",
+            scope: "Test string",
+            subjectToken: "Test string",
+            subjectTokenType: "Test string",
+        });
+    }
+});

package/tsconfig.json

@@ -0,0 +1,18 @@
+{
+    "compilerOptions": {
+        "module": "commonjs",
+        "lib": ["es6", "dom"],
+        "noImplicitAny": true,
+        "noImplicitThis": true,
+        "strictNullChecks": true,
+        "baseUrl": "../",
+        "typeRoots": [
+            "../"
+        ],
+        "types": [],
+        "noEmit": true,
+        "forceConsistentCasingInFileNames": true,
+        "strictFunctionTypes": true
+    },
+    "files": ["index.d.ts", "tests.ts"]
+}

package/tslint.json

@@ -0,0 +1,6 @@
+{
+    "extends": "dtslint/dtslint.json",
+    "rules": {
+        "no-redundant-jsdoc": false
+    }
+}