1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.policytroubleshooter.v1; 18 19import "google/api/field_behavior.proto"; 20import "google/iam/v1/policy.proto"; 21import "google/type/expr.proto"; 22 23option csharp_namespace = "Google.Cloud.PolicyTroubleshooter.V1"; 24option go_package = "cloud.google.com/go/policytroubleshooter/apiv1/policytroubleshooterpb;policytroubleshooterpb"; 25option php_namespace = "Google\\Cloud\\PolicyTroubleshooter\\V1"; 26option ruby_package = "Google::Cloud::PolicyTroubleshooter::V1"; 27 28// Information about the principal, resource, and permission to check. 29message AccessTuple { 30 // Required. The principal whose access you want to check, in the form of 31 // the email address that represents that principal. For example, 32 // `[email protected]` or 33 // `[email protected]`. 34 // 35 // The principal must be a Google Account or a service account. Other types of 36 // principals are not supported. 37 string principal = 1 [(google.api.field_behavior) = REQUIRED]; 38 39 // Required. The full resource name that identifies the resource. For example, 40 // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`. 41 // 42 // For examples of full resource names for Google Cloud services, see 43 // https://cloud.google.com/iam/help/troubleshooter/full-resource-names. 44 string full_resource_name = 2 [(google.api.field_behavior) = REQUIRED]; 45 46 // Required. The IAM permission to check for the specified principal and 47 // resource. 48 // 49 // For a complete list of IAM permissions, see 50 // https://cloud.google.com/iam/help/permissions/reference. 51 // 52 // For a complete list of predefined IAM roles and the permissions in each 53 // role, see https://cloud.google.com/iam/help/roles/reference. 54 string permission = 3 [(google.api.field_behavior) = REQUIRED]; 55} 56 57// Details about how a specific IAM [Policy][google.iam.v1.Policy] contributed 58// to the access check. 59message ExplainedPolicy { 60 // Indicates whether _this policy_ provides the specified permission to the 61 // specified principal for the specified resource. 62 // 63 // This field does _not_ indicate whether the principal actually has the 64 // permission for the resource. There might be another policy that overrides 65 // this policy. To determine whether the principal actually has the 66 // permission, use the `access` field in the 67 // [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse]. 68 AccessState access = 1; 69 70 // The full resource name that identifies the resource. For example, 71 // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`. 72 // 73 // If the sender of the request does not have access to the policy, this field 74 // is omitted. 75 // 76 // For examples of full resource names for Google Cloud services, see 77 // https://cloud.google.com/iam/help/troubleshooter/full-resource-names. 78 string full_resource_name = 2; 79 80 // The IAM policy attached to the resource. 81 // 82 // If the sender of the request does not have access to the policy, this field 83 // is empty. 84 google.iam.v1.Policy policy = 3; 85 86 // Details about how each binding in the policy affects the principal's 87 // ability, or inability, to use the permission for the resource. 88 // 89 // If the sender of the request does not have access to the policy, this field 90 // is omitted. 91 repeated BindingExplanation binding_explanations = 4; 92 93 // The relevance of this policy to the overall determination in the 94 // [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse]. 95 // 96 // If the sender of the request does not have access to the policy, this field 97 // is omitted. 98 HeuristicRelevance relevance = 5; 99} 100 101// Details about how a binding in a policy affects a principal's ability to use 102// a permission. 103message BindingExplanation { 104 // Whether a role includes a specific permission. 105 enum RolePermission { 106 // Default value. This value is unused. 107 ROLE_PERMISSION_UNSPECIFIED = 0; 108 109 // The permission is included in the role. 110 ROLE_PERMISSION_INCLUDED = 1; 111 112 // The permission is not included in the role. 113 ROLE_PERMISSION_NOT_INCLUDED = 2; 114 115 // The sender of the request is not allowed to access the binding. 116 ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3; 117 } 118 119 // Whether the binding includes the principal. 120 enum Membership { 121 // Default value. This value is unused. 122 MEMBERSHIP_UNSPECIFIED = 0; 123 124 // The binding includes the principal. The principal can be included 125 // directly or indirectly. For example: 126 // 127 // * A principal is included directly if that principal is listed in the 128 // binding. 129 // * A principal is included indirectly if that principal is in a Google 130 // group or Google Workspace domain that is listed in the binding. 131 MEMBERSHIP_INCLUDED = 1; 132 133 // The binding does not include the principal. 134 MEMBERSHIP_NOT_INCLUDED = 2; 135 136 // The sender of the request is not allowed to access the binding. 137 MEMBERSHIP_UNKNOWN_INFO_DENIED = 3; 138 139 // The principal is an unsupported type. Only Google Accounts and service 140 // accounts are supported. 141 MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4; 142 } 143 144 // Details about whether the binding includes the principal. 145 message AnnotatedMembership { 146 // Indicates whether the binding includes the principal. 147 Membership membership = 1; 148 149 // The relevance of the principal's status to the overall determination for 150 // the binding. 151 HeuristicRelevance relevance = 2; 152 } 153 154 // Required. Indicates whether _this binding_ provides the specified 155 // permission to the specified principal for the specified resource. 156 // 157 // This field does _not_ indicate whether the principal actually has the 158 // permission for the resource. There might be another binding that overrides 159 // this binding. To determine whether the principal actually has the 160 // permission, use the `access` field in the 161 // [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse]. 162 AccessState access = 1 [(google.api.field_behavior) = REQUIRED]; 163 164 // The role that this binding grants. For example, 165 // `roles/compute.serviceAgent`. 166 // 167 // For a complete list of predefined IAM roles, as well as the permissions in 168 // each role, see https://cloud.google.com/iam/help/roles/reference. 169 string role = 2; 170 171 // Indicates whether the role granted by this binding contains the specified 172 // permission. 173 RolePermission role_permission = 3; 174 175 // The relevance of the permission's existence, or nonexistence, in the role 176 // to the overall determination for the entire policy. 177 HeuristicRelevance role_permission_relevance = 4; 178 179 // Indicates whether each principal in the binding includes the principal 180 // specified in the request, either directly or indirectly. Each key 181 // identifies a principal in the binding, and each value indicates whether the 182 // principal in the binding includes the principal in the request. 183 // 184 // For example, suppose that a binding includes the following principals: 185 // 186 // * `user:[email protected]` 187 // * `group:[email protected]` 188 // 189 // You want to troubleshoot access for `user:[email protected]`. This user is a 190 // principal of the group `group:[email protected]`. 191 // 192 // For the first principal in the binding, the key is 193 // `user:[email protected]`, and the `membership` field in the value is set to 194 // `MEMBERSHIP_NOT_INCLUDED`. 195 // 196 // For the second principal in the binding, the key is 197 // `group:[email protected]`, and the `membership` field in the value is 198 // set to `MEMBERSHIP_INCLUDED`. 199 map<string, AnnotatedMembership> memberships = 5; 200 201 // The relevance of this binding to the overall determination for the entire 202 // policy. 203 HeuristicRelevance relevance = 6; 204 205 // A condition expression that prevents this binding from granting access 206 // unless the expression evaluates to `true`. 207 // 208 // To learn about IAM Conditions, see 209 // https://cloud.google.com/iam/help/conditions/overview. 210 google.type.Expr condition = 7; 211} 212 213// Whether a principal has a permission for a resource. 214enum AccessState { 215 // Default value. This value is unused. 216 ACCESS_STATE_UNSPECIFIED = 0; 217 218 // The principal has the permission. 219 GRANTED = 1; 220 221 // The principal does not have the permission. 222 NOT_GRANTED = 2; 223 224 // The principal has the permission only if a condition expression evaluates 225 // to `true`. 226 UNKNOWN_CONDITIONAL = 3; 227 228 // The sender of the request does not have access to all of the policies that 229 // Policy Troubleshooter needs to evaluate. 230 UNKNOWN_INFO_DENIED = 4; 231} 232 233// The extent to which a single data point, such as the existence of a binding 234// or whether a binding includes a specific principal, contributes to an overall 235// determination. 236enum HeuristicRelevance { 237 // Default value. This value is unused. 238 HEURISTIC_RELEVANCE_UNSPECIFIED = 0; 239 240 // The data point has a limited effect on the result. Changing the data point 241 // is unlikely to affect the overall determination. 242 NORMAL = 1; 243 244 // The data point has a strong effect on the result. Changing the data point 245 // is likely to affect the overall determination. 246 HIGH = 2; 247} 248