1*d5c09012SAndroid Build Coastguard Worker// Copyright 2023 Google LLC 2*d5c09012SAndroid Build Coastguard Worker// 3*d5c09012SAndroid Build Coastguard Worker// Licensed under the Apache License, Version 2.0 (the "License"); 4*d5c09012SAndroid Build Coastguard Worker// you may not use this file except in compliance with the License. 5*d5c09012SAndroid Build Coastguard Worker// You may obtain a copy of the License at 6*d5c09012SAndroid Build Coastguard Worker// 7*d5c09012SAndroid Build Coastguard Worker// http://www.apache.org/licenses/LICENSE-2.0 8*d5c09012SAndroid Build Coastguard Worker// 9*d5c09012SAndroid Build Coastguard Worker// Unless required by applicable law or agreed to in writing, software 10*d5c09012SAndroid Build Coastguard Worker// distributed under the License is distributed on an "AS IS" BASIS, 11*d5c09012SAndroid Build Coastguard Worker// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*d5c09012SAndroid Build Coastguard Worker// See the License for the specific language governing permissions and 13*d5c09012SAndroid Build Coastguard Worker// limitations under the License. 
syntax = "proto3";

package google.cloud.iap.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/wrappers.proto";

option csharp_namespace = "Google.Cloud.Iap.V1";
option go_package = "cloud.google.com/go/iap/apiv1/iappb;iappb";
option java_multiple_files = true;
option java_package = "com.google.cloud.iap.v1";
option php_namespace = "Google\\Cloud\\Iap\\V1";
option ruby_package = "Google::Cloud::Iap::V1";
option (google.api.resource_definition) = {
  type: "iap.googleapis.com/TunnelLocation"
  pattern: "projects/{project}/iap_tunnel/locations/{location}"
};

// The Cloud Identity-Aware Proxy API.

// APIs for Identity-Aware Proxy Admin configurations.
//
// Every method in this service is declared with the single OAuth scope
// `cloud-platform` (see `oauth_scopes` below).
service IdentityAwareProxyAdminService {
  option (google.api.default_host) = "iap.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Sets the access control policy for an Identity-Aware Proxy protected
  // resource. Replaces any existing policy.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  //
  // NOTE(review): because the whole policy is replaced, a request that carries
  // only the binding being added drops every other binding. Callers normally
  // read the current policy with GetIamPolicy, edit that copy, and send it back
  // with the `etag` from google.iam.v1.Policy so that a concurrent change is
  // detected instead of silently overwritten.
  //
  // `{resource=**}` matches a resource path of any depth, so this binding puts
  // no constraint on which resource is named.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:setIamPolicy"
      body: "*"
    };
  }

  // Gets the access control policy for an Identity-Aware Proxy protected
  // resource.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  //
  // Bound to HTTP POST with the request in the body, like SetIamPolicy,
  // although the method only reads.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:getIamPolicy"
      body: "*"
    };
  }

  // Returns permissions that a caller has on the Identity-Aware Proxy protected
  // resource.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
      returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:testIamPermissions"
      body: "*"
    };
  }

  // Gets the IAP settings on a particular IAP protected resource.
  //
  // GetIapSettingsRequest documents the `getSettings` permission required on
  // the named resource.
  rpc GetIapSettings(GetIapSettingsRequest) returns (IapSettings) {
    option (google.api.http) = {
      get: "/v1/{name=**}:iapSettings"
    };
  }

  // Updates the IAP settings on a particular IAP protected resource. It
  // replaces all fields unless the `update_mask` is set.
  //
  // NOTE(review): a request without `update_mask` therefore also writes the
  // access settings grouped under IapSettings.access_settings (GCIP, CORS,
  // OAuth, reauthentication, allowed domains). Send a mask naming only the
  // fields being changed so that the others keep their current values.
  // UpdateIapSettingsRequest documents the `updateSettings` permission
  // required on the resource.
  rpc UpdateIapSettings(UpdateIapSettingsRequest) returns (IapSettings) {
    option (google.api.http) = {
      patch: "/v1/{iap_settings.name=**}:iapSettings"
      body: "iap_settings"
    };
  }

  // Lists the existing TunnelDestGroups. To group across all locations, use a
  // `-` as the location ID. For example:
  // `/v1/projects/123/iap_tunnel/locations/-/destGroups`
  rpc ListTunnelDestGroups(ListTunnelDestGroupsRequest)
      returns (ListTunnelDestGroupsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
    };
    option (google.api.method_signature) = "parent";
  }

  // Creates a new TunnelDestGroup.
  rpc CreateTunnelDestGroup(CreateTunnelDestGroupRequest)
      returns (TunnelDestGroup) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
      body: "tunnel_dest_group"
    };
    option (google.api.method_signature) =
        "parent,tunnel_dest_group,tunnel_dest_group_id";
  }

  // Retrieves an existing TunnelDestGroup.
  rpc GetTunnelDestGroup(GetTunnelDestGroupRequest) returns (TunnelDestGroup) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/iap_tunnel/locations/*/destGroups/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Deletes a TunnelDestGroup.
  rpc DeleteTunnelDestGroup(DeleteTunnelDestGroupRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/iap_tunnel/locations/*/destGroups/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Updates a TunnelDestGroup.
  rpc UpdateTunnelDestGroup(UpdateTunnelDestGroupRequest)
      returns (TunnelDestGroup) {
    option (google.api.http) = {
      patch: "/v1/{tunnel_dest_group.name=projects/*/iap_tunnel/locations/*/destGroups/*}"
      body: "tunnel_dest_group"
    };
    option (google.api.method_signature) = "tunnel_dest_group,update_mask";
  }
}

// API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
// OAuth brands; and create, retrieve, delete and reset-secret of IAP OAuth
// clients.
service IdentityAwareProxyOAuthService {
  option (google.api.default_host) = "iap.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Lists the existing brands for the project.
  rpc ListBrands(ListBrandsRequest) returns (ListBrandsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*}/brands"
    };
  }

  // Constructs a new OAuth brand for the project if one does not exist.
  // The created brand is "internal only", meaning that OAuth clients created
  // under it only accept requests from users who belong to the same Google
  // Workspace organization as the project. The brand is created in an
  // un-reviewed status. NOTE: The "internal only" status can be manually
  // changed in the Google Cloud Console. Requires that a brand does not already
  // exist for the project, and that the specified support email is owned by the
  // caller.
  rpc CreateBrand(CreateBrandRequest) returns (Brand) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*}/brands"
      body: "brand"
    };
  }

  // Retrieves the OAuth brand of the project.
  rpc GetBrand(GetBrandRequest) returns (Brand) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/brands/*}"
    };
  }

  // Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned
  // by IAP. Requires that the brand for the project exists and that it is
  // set for internal-only use.
  rpc CreateIdentityAwareProxyClient(CreateIdentityAwareProxyClientRequest)
      returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
      body: "identity_aware_proxy_client"
    };
  }

  // Lists the existing clients for the brand.
  rpc ListIdentityAwareProxyClients(ListIdentityAwareProxyClientsRequest)
      returns (ListIdentityAwareProxyClientsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
    };
  }

  // Retrieves an Identity Aware Proxy (IAP) OAuth client.
  // Requires that the client is owned by IAP.
  rpc GetIdentityAwareProxyClient(GetIdentityAwareProxyClientRequest)
      returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
    };
  }

  // Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the
  // secret was compromised. Requires that the client is owned by IAP.
  //
  // NOTE(review): the method returns the IdentityAwareProxyClient resource,
  // which presumably carries the new secret (the message is defined outside
  // this part of the file; confirm). Handle the response as a credential: keep
  // it out of logs and traces, and update every consumer of the old secret.
  rpc ResetIdentityAwareProxyClientSecret(
      ResetIdentityAwareProxyClientSecretRequest)
      returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}:resetSecret"
      body: "*"
    };
  }

  // Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing
  // obsolete clients, managing the number of clients in a given project, and
  // cleaning up after tests. Requires that the client is owned by IAP.
  rpc DeleteIdentityAwareProxyClient(DeleteIdentityAwareProxyClientRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
    };
  }
}

// The request to ListTunnelDestGroups.
message ListTunnelDestGroupsRequest {
  // Required. Google Cloud Project ID and location.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}`.
  // A `-` can be used for the location to group across all locations.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iap.googleapis.com/TunnelLocation"
    }
  ];

  // The maximum number of groups to return. The service might return fewer than
  // this value.
  // If unspecified, at most 100 groups are returned.
  // The maximum value is 1000; values above 1000 are coerced to 1000.
  int32 page_size = 2;

  // A page token, received from a previous `ListTunnelDestGroups`
  // call. Provide this to retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to
  // `ListTunnelDestGroups` must match the call that provided the page
  // token.
  string page_token = 3;
}

// The response from ListTunnelDestGroups.
message ListTunnelDestGroupsResponse {
  // TunnelDestGroup existing in the project.
  repeated TunnelDestGroup tunnel_dest_groups = 1;

  // A token that you can send as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// The request to CreateTunnelDestGroup.
message CreateTunnelDestGroupRequest {
  // Required. Google Cloud Project ID and location.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "iap.googleapis.com/TunnelDestGroup"
    }
  ];

  // Required. The TunnelDestGroup to create.
  TunnelDestGroup tunnel_dest_group = 2
      [(google.api.field_behavior) = REQUIRED];

  // Required. The ID to use for the TunnelDestGroup, which becomes the final
  // component of the resource name.
  //
  // This value must be 4-63 characters, and valid characters
  // are `[a-z]-`.
  string tunnel_dest_group_id = 3 [(google.api.field_behavior) = REQUIRED];
}

// The request to GetTunnelDestGroup.
message GetTunnelDestGroupRequest {
  // Required. Name of the TunnelDestGroup to be fetched.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iap.googleapis.com/TunnelDestGroup"
    }
  ];
}

// The request to DeleteTunnelDestGroup.
message DeleteTunnelDestGroupRequest {
  // Required. Name of the TunnelDestGroup to delete.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iap.googleapis.com/TunnelDestGroup"
    }
  ];
}

// The request to UpdateTunnelDestGroup.
message UpdateTunnelDestGroupRequest {
  // Required. The new values for the TunnelDestGroup.
  TunnelDestGroup tunnel_dest_group = 1
      [(google.api.field_behavior) = REQUIRED];

  // A field mask that specifies which IAP settings to update.
  // If omitted, then all of the settings are updated. See
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
  //
  // NOTE(review): the wording matches UpdateIapSettingsRequest.update_mask; in
  // this message the mask presumably selects fields of `tunnel_dest_group`
  // (`cidrs`, `fqdns`) - confirm. With no mask every field is updated, so a
  // request that fills in only one of the two lists may clear the other; send
  // a mask naming just the list being changed.
  google.protobuf.FieldMask update_mask = 2;
}

// A TunnelDestGroup.
message TunnelDestGroup {
  option (google.api.resource) = {
    type: "iap.googleapis.com/TunnelDestGroup"
    pattern: "projects/{project}/iap_tunnel/locations/{location}/destGroups/{dest_group}"
  };

  // Required. Immutable. Identifier for the TunnelDestGroup. Must be unique
  // within the project and contain only lower case letters (a-z) and dashes
  // (-).
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Unordered list. List of CIDRs that this group applies to.
  //
  // NOTE(review): the group applies to every address inside each CIDR, so a
  // wide prefix brings many hosts under whatever access policy is attached to
  // the group (presumably its IAM policy - confirm). Keep prefixes as narrow
  // as the intended destinations allow.
  repeated string cidrs = 2 [(google.api.field_behavior) = UNORDERED_LIST];

  // Unordered list. List of FQDNs that this group applies to.
  repeated string fqdns = 3 [(google.api.field_behavior) = UNORDERED_LIST];
}

// The request sent to GetIapSettings.
message GetIapSettingsRequest {
  // Required. The resource name for which to retrieve the settings.
  // Authorization: Requires the `getSettings` permission for the associated
  // resource.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to UpdateIapSettings.
message UpdateIapSettingsRequest {
  // Required. The new values for the IAP settings to be updated.
  // Authorization: Requires the `updateSettings` permission for the associated
  // resource.
  IapSettings iap_settings = 1 [(google.api.field_behavior) = REQUIRED];

  // The field mask specifying which IAP settings should be updated.
  // If omitted, then all of the settings are updated. See
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.
  //
  // Note: All IAP reauth settings must always be set together, using the
  // field mask: `iapSettings.accessSettings.reauthSettings`.
  //
  // NOTE(review): with the mask omitted, every setting in `iap_settings` is
  // written, so settings left unset in the request are presumably reset -
  // confirm. Prefer a mask that lists only the fields being changed, so that
  // an edit to one access setting cannot alter the others.
  google.protobuf.FieldMask update_mask = 2;
}

// The IAP configurable settings.
message IapSettings {
  // Required. The resource name of the IAP protected resource.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Top level wrapper for all access related settings in IAP
  AccessSettings access_settings = 5;

  // Top level wrapper for all application related settings in IAP
  ApplicationSettings application_settings = 6;
}

// Access related settings for IAP protected apps.
message AccessSettings {
  // GCIP claims and endpoint configurations for 3p identity providers.
  GcipSettings gcip_settings = 1;

  // Configuration to allow cross-origin requests via IAP.
  CorsSettings cors_settings = 2;

  // Settings to configure IAP's OAuth behavior.
  OAuthSettings oauth_settings = 3;

  // Settings to configure reauthentication policies in IAP.
  ReauthSettings reauth_settings = 6;

  // Settings to configure and enable allowed domains.
  AllowedDomainsSettings allowed_domains_settings = 7;
}

// Allows customers to configure tenant_id for GCIP instance per-app.
message GcipSettings {
  // GCIP tenant ids that are linked to the IAP resource.
  // tenant_ids could be a string beginning with a number character to indicate
  // authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>
  // to indicate authenticating with GCIP agent flow.
  // If agent flow is used, tenant_ids should only contain one single element,
  // while for tenant flow, tenant_ids can contain multiple elements.
  repeated string tenant_ids = 1;

  // Login page URI associated with the GCIP tenants.
  // Typically, all resources within the same project share the same login page,
  // though it could be overridden at the sub resource level.
  google.protobuf.StringValue login_page_uri = 2;
}

// Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS
// call to bypass authentication and authorization.
message CorsSettings {
  // Configuration to allow HTTP OPTIONS calls to skip authorization. If
  // undefined, IAP will not apply any special logic to OPTIONS requests.
  //
  // When this is true, OPTIONS requests bypass IAP's authentication and
  // authorization, so the protected application should treat every OPTIONS
  // request as anonymous traffic.
  google.protobuf.BoolValue allow_http_options = 1;
}

// Configuration for OAuth login&consent flow behavior as well as for OAuth
// Credentials.
message OAuthSettings {
  // Domain hint to send as hd=? parameter in OAuth request flow. Enables
  // redirect to primary IDP by skipping Google's login screen.
  // https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
  // Note: IAP does not verify that the id token's hd claim matches this value
  // since access behavior is managed by IAM policies.
  // The hint is therefore a sign-in convenience only; it does not restrict
  // which accounts can reach the resource.
  google.protobuf.StringValue login_hint = 2;

  // List of OAuth client IDs allowed to programmatically authenticate with IAP.
  repeated string programmatic_clients = 5;
}

// Configuration for IAP reauthentication policies.
message ReauthSettings {
  // Types of reauthentication methods supported by IAP.
  enum Method {
    // Reauthentication disabled.
    // This is the zero value, so a `method` field that is left unset reads as
    // "reauthentication disabled".
    METHOD_UNSPECIFIED = 0;

    // Prompts the user to log in again.
    LOGIN = 1;

    // Deprecated value (marked `deprecated = true`); its behavior is not
    // described in this file.
    PASSWORD = 2 [deprecated = true];

    // User must use their secure key 2nd factor device.
    SECURE_KEY = 3;

    // User can use any enabled 2nd factor.
    ENROLLED_SECOND_FACTORS = 4;
  }

  // Type of policy in the case of hierarchical policies.
  enum PolicyType {
    // Default value. This value is unused.
    POLICY_TYPE_UNSPECIFIED = 0;

    // This policy acts as a minimum to other policies, lower in the hierarchy.
    // Effective policy may only be the same or stricter.
    MINIMUM = 1;

    // This policy acts as a default if no other reauth policy is set.
    // NOTE(review): unlike MINIMUM, nothing here says a lower-level policy
    // must be at least as strict as a DEFAULT one - confirm before relying on
    // DEFAULT as an organization-wide floor.
    DEFAULT = 2;
  }

  // Reauth method requested.
  Method method = 1;

  // Reauth session lifetime, how long before a user has to reauthenticate
  // again.
  google.protobuf.Duration max_age = 2;

  // How IAP determines the effective policy in cases of hierarchical policies.
  // Policies are merged from higher in the hierarchy to lower in the hierarchy.
  PolicyType policy_type = 3;
}

// Configuration for IAP allowed domains. Lets you restrict access to an app
// and allow access to only the domains that you list.
message AllowedDomainsSettings {
  // Configuration for customers to opt in for the feature.
  // NOTE(review): the effect of `enable = true` with an empty `domains` list
  // is not documented here - confirm before deploying that combination.
  optional bool enable = 1;

  // List of trusted domains.
  repeated string domains = 2;
}

// Wrapper over application specific settings for IAP.
message ApplicationSettings {
  // Settings to configure IAP's behavior for a service mesh.
  CsmSettings csm_settings = 1;

  // Customization for Access Denied page.
  AccessDeniedPageSettings access_denied_page_settings = 2;

  // The Domain value to set for cookies generated by IAP. This value is not
  // validated by the API, but will be ignored at runtime if invalid.
  // A wider Domain makes the browser send the IAP cookie to more hosts, so
  // keep it as narrow as the deployment allows.
  google.protobuf.StringValue cookie_domain = 3;

  // Settings to configure attribute propagation.
  AttributePropagationSettings attribute_propagation_settings = 4;
}

// Configuration for RCToken generated for service mesh workloads protected by
// IAP. RCToken are IAP generated JWTs that can be verified at the application.
// The RCToken is primarily used for service mesh deployments, and can be scoped
// to a single mesh by configuring the audience field accordingly.
message CsmSettings {
  // Audience claim set in the generated RCToken. This value is not validated by
  // IAP.
  // Since IAP does not validate it, the application verifying the RCToken is
  // the place to compare the audience claim with the value it expects.
  google.protobuf.StringValue rctoken_aud = 1;
}

// Custom content configuration for access denied page.
// IAP allows customers to define a custom URI to use as the error page when
// access is denied to users. If IAP prevents access to this page, the default
// IAP error page will be displayed instead.
message AccessDeniedPageSettings {
  // The URI to be redirected to when access is denied.
  // NOTE(review): no validation of this URI is described in this file; it
  // should point at a page the operator controls - confirm what the API
  // accepts.
  google.protobuf.StringValue access_denied_page_uri = 1;

  // Whether to generate a troubleshooting URL on access denied events to this
  // application.
  google.protobuf.BoolValue generate_troubleshooting_uri = 2;

  // Whether to generate remediation token on access denied events to this
  // application.
  optional google.protobuf.BoolValue remediation_token_generation_enabled = 3;
}

// Configuration for propagating attributes to applications protected
// by IAP.
message AttributePropagationSettings {
  // Supported output credentials for attribute propagation. Each output
  // credential maps to a "field" in the response. For example, selecting JWT
  // will propagate all attributes in the IAP JWT, header in the headers, etc.
  enum OutputCredentials {
    // An output credential is required.
    OUTPUT_CREDENTIALS_UNSPECIFIED = 0;

    // Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
    // NOTE(review): plain headers carry no signature of their own; presumably
    // the backend should rely on them only when it is reachable solely
    // through IAP - confirm against the deployment.
    HEADER = 1;

    // Propagate attributes in the JWT of the form: `"additional_claims": {
    // "my_attribute": ["value1", "value2"] }`
    JWT = 2;

    // Propagate attributes in the RCToken of the form: `"additional_claims": {
    // "my_attribute": ["value1", "value2"] }`
    RCTOKEN = 3;
  }

  // Raw string CEL expression. Must return a list of attributes. A maximum of
  // 45 attributes can be selected. Expressions can select different attribute
  // types from `attributes`: `attributes.saml_attributes`,
  // `attributes.iap_attributes`. The following functions are supported:
  //
  //  - filter `<list>.filter(<iter_var>, <predicate>)`: Returns a subset of
  //  `<list>` where `<predicate>` is true for every item.
  //
  //  - in `<var> in <list>`: Returns true if `<list>` contains `<var>`.
  //
  //  - selectByName `<list>.selectByName(<string>)`: Returns the attribute
  //  in `<list>` with the given `<string>` name, otherwise returns empty.
  //
  //  - emitAs `<attribute>.emitAs(<string>)`: Sets the `<attribute>` name
  //  field to the given `<string>` for propagation in selected output
  //  credentials.
  //
  //  - strict `<attribute>.strict()`: Ignores the `x-goog-iap-attr-` prefix
  //  for the provided `<attribute>` when propagating with the `HEADER` output
  //  credential, such as request headers.
  //  NOTE(review): without the prefix the header name comes from the
  //  attribute name or `emitAs` value alone, so choose a name that cannot be
  //  mistaken for a header the backend accepts from clients - confirm how
  //  same-named inbound headers are handled.
  //
  //  - append `<target_list>.append(<attribute>)` OR
  //  `<target_list>.append(<list>)`: Appends the provided `<attribute>` or
  //  `<list>` to the end of `<target_list>`.
  //
  // Example expression: `attributes.saml_attributes.filter(x, x.name in
  // ['test']).append(attributes.iap_attributes.selectByName('exact').emitAs('custom').strict())`
  optional string expression = 1;

  // Which output credentials attributes selected by the CEL expression should
  // be propagated in. All attributes will be fully duplicated in each selected
  // output credential.
  repeated OutputCredentials output_credentials = 2;

  // Whether the provided attribute propagation settings should be evaluated on
  // user requests. If set to true, attributes returned from the expression will
  // be propagated in the set output credentials.
  optional bool enable = 3;
}

// The request sent to ListBrands.
message ListBrandsRequest {
  // Required. GCP Project number/id.
  // In the following format: projects/{project_number/id}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];
}

// Response message for ListBrands.
message ListBrandsResponse {
  // Brands existing in the project.
  repeated Brand brands = 1;
}

// The request sent to CreateBrand.
message CreateBrandRequest {
  // Required. GCP Project number/id under which the brand is to be created.
  // In the following format: projects/{project_number/id}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The brand to be created.
  Brand brand = 2 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to GetBrand.
message GetBrandRequest {
  // Required. Name of the brand to be fetched.
  // In the following format: projects/{project_number/id}/brands/{brand}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to ListIdentityAwareProxyClients.
message ListIdentityAwareProxyClientsRequest {
  // Required. Full brand path.
  // In the following format: projects/{project_number/id}/brands/{brand}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // The maximum number of clients to return. The service may return fewer than
  // this value.
  // If unspecified, at most 100 clients will be returned.
  // The maximum value is 1000; values above 1000 will be coerced to 1000.
  int32 page_size = 2;

  // A page token, received from a previous `ListIdentityAwareProxyClients`
  // call. Provide this to retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to
  // `ListIdentityAwareProxyClients` must match the call that provided the page
  // token.
  string page_token = 3;
}

// Response message for ListIdentityAwareProxyClients.
message ListIdentityAwareProxyClientsResponse {
  // Clients existing in the brand.
  // Each entry is an `IdentityAwareProxyClient`, which has a `secret` field,
  // so a list response can carry client secrets.
  repeated IdentityAwareProxyClient identity_aware_proxy_clients = 1;

  // A token, which can be sent as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// The request sent to CreateIdentityAwareProxyClient.
message CreateIdentityAwareProxyClientRequest {
  // Required. Path to create the client in.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}.
  // The project must belong to a G Suite account.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Identity Aware Proxy Client to be created.
  IdentityAwareProxyClient identity_aware_proxy_client = 2
      [(google.api.field_behavior) = REQUIRED];
}

// The request sent to GetIdentityAwareProxyClient.
message GetIdentityAwareProxyClientRequest {
  // Required. Name of the Identity Aware Proxy client to be fetched.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to ResetIdentityAwareProxyClientSecret.
message ResetIdentityAwareProxyClientSecretRequest {
  // Required. Name of the Identity Aware Proxy client that will have its
  // secret reset. In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to DeleteIdentityAwareProxyClient.
message DeleteIdentityAwareProxyClientRequest {
  // Required. Name of the Identity Aware Proxy client to be deleted.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// OAuth brand data.
// NOTE: Only contains a portion of the data that describes a brand.
message Brand {
  // Output only. Identifier of the brand.
  // NOTE: GCP project number achieves the same brand identification purpose as
  // only one brand per project can be created.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Support email displayed on the OAuth consent screen.
  string support_email = 2;

  // Application name displayed on OAuth consent screen.
  string application_title = 3;

  // Output only. Whether the brand is intended for usage inside the
  // G Suite organization only.
  bool org_internal_only = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Contains the data that describes an Identity Aware Proxy owned client.
message IdentityAwareProxyClient {
  // Output only. Unique identifier of the OAuth client.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Client secret of the OAuth client.
  // This is a credential: keep responses that contain it out of logs, traces
  // and caches.
  string secret = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Human-friendly name given to the OAuth client.
  string display_name = 3;
}