blob: bb9bb6f378bde62d3342b6c54a8d6c874aa3b64a [file] [edit]
// Copyright 2020 Google LLC
//
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file or at
// https://developers.google.com/open-source/licenses/bsd
// This is a generated file (see the discoveryapis_generator project).
// ignore_for_file: camel_case_types
// ignore_for_file: comment_references
// ignore_for_file: deprecated_member_use_from_same_package
// ignore_for_file: doc_directive_unknown
// ignore_for_file: lines_longer_than_80_chars
// ignore_for_file: non_constant_identifier_names
// ignore_for_file: prefer_interpolation_to_compose_strings
// ignore_for_file: unintended_html_in_doc_comment
// ignore_for_file: unnecessary_brace_in_string_interps
// ignore_for_file: unnecessary_lambdas
// ignore_for_file: unnecessary_string_interpolations
/// Policy Troubleshooter API - v1
///
/// For more information, see <https://cloud.google.com/iam/>
///
/// Create an instance of [PolicyTroubleshooterApi] to access these resources:
///
/// - [IamResource]
library;
import 'dart:async' as async;
import 'dart:convert' as convert;
import 'dart:core' as core;
import 'package:_discoveryapis_commons/_discoveryapis_commons.dart' as commons;
import 'package:http/http.dart' as http;
import '../shared.dart';
import '../src/user_agent.dart';
export 'package:_discoveryapis_commons/_discoveryapis_commons.dart'
show ApiRequestError, DetailedApiRequestError;
class PolicyTroubleshooterApi {
/// See, edit, configure, and delete your Google Cloud data and see the email
/// address for your Google Account.
static const cloudPlatformScope =
'https://www.googleapis.com/auth/cloud-platform';
final commons.ApiRequester _requester;
IamResource get iam => IamResource(_requester);
PolicyTroubleshooterApi(
http.Client client, {
core.String rootUrl = 'https://policytroubleshooter.googleapis.com/',
core.String servicePath = '',
}) : _requester = commons.ApiRequester(
client,
rootUrl,
servicePath,
requestHeaders,
);
}
class IamResource {
final commons.ApiRequester _requester;
IamResource(commons.ApiRequester client) : _requester = client;
/// Checks whether a principal has a specific permission for a specific
/// resource, and explains why the principal does or does not have that
/// permission.
///
/// [request] - The metadata request object.
///
/// Request parameters:
///
/// [$fields] - Selector specifying which fields to include in a partial
/// response.
///
/// Completes with a
/// [GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse].
///
/// Completes with a [commons.ApiRequestError] if the API endpoint returned an
/// error.
///
/// If the used [http.Client] completes with an error when making a REST call,
/// this method will complete with the same error.
async.Future<GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse>
troubleshoot(
GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest request, {
core.String? $fields,
}) async {
final body_ = convert.json.encode(request);
final queryParams_ = <core.String, core.List<core.String>>{
'fields': ?$fields == null ? null : [$fields],
};
const url_ = 'v1/iam:troubleshoot';
final response_ = await _requester.request(
url_,
'POST',
body: body_,
queryParams: queryParams_,
);
return GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse.fromJson(
response_ as core.Map<core.String, core.dynamic>,
);
}
}
/// Information about the principal, resource, and permission to check.
typedef GoogleCloudPolicytroubleshooterV1AccessTuple = $V1AccessTuple;
/// Details about how a binding in a policy affects a principal's ability to use
/// a permission.
class GoogleCloudPolicytroubleshooterV1BindingExplanation {
/// Indicates whether _this binding_ provides the specified permission to the
/// specified principal for the specified resource.
///
/// This field does _not_ indicate whether the principal actually has the
/// permission for the resource. There might be another binding that overrides
/// this binding. To determine whether the principal actually has the
/// permission, use the `access` field in the TroubleshootIamPolicyResponse.
///
/// Required.
/// Possible string values are:
/// - "ACCESS_STATE_UNSPECIFIED" : Default value. This value is unused.
/// - "GRANTED" : The principal has the permission.
/// - "NOT_GRANTED" : The principal does not have the permission.
/// - "UNKNOWN_CONDITIONAL" : The principal has the permission only if a
/// condition expression evaluates to `true`.
/// - "UNKNOWN_INFO_DENIED" : The sender of the request does not have access
/// to all of the policies that Policy Troubleshooter needs to evaluate.
core.String? access;
/// A condition expression that prevents this binding from granting access
/// unless the expression evaluates to `true`.
///
/// To learn about IAM Conditions, see
/// https://cloud.google.com/iam/help/conditions/overview.
GoogleTypeExpr? condition;
/// Indicates whether each principal in the binding includes the principal
/// specified in the request, either directly or indirectly.
///
/// Each key identifies a principal in the binding, and each value indicates
/// whether the principal in the binding includes the principal in the
/// request. For example, suppose that a binding includes the following
/// principals: * `user:alice@example.com` * `group:product-eng@example.com`
/// You want to troubleshoot access for `user:bob@example.com`. This user is a
/// principal of the group `group:product-eng@example.com`. For the first
/// principal in the binding, the key is `user:alice@example.com`, and the
/// `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For
/// the second principal in the binding, the key is
/// `group:product-eng@example.com`, and the `membership` field in the value
/// is set to `MEMBERSHIP_INCLUDED`.
core.Map<
core.String,
GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership
>?
memberships;
/// The relevance of this binding to the overall determination for the entire
/// policy.
/// Possible string values are:
/// - "HEURISTIC_RELEVANCE_UNSPECIFIED" : Default value. This value is unused.
/// - "NORMAL" : The data point has a limited effect on the result. Changing
/// the data point is unlikely to affect the overall determination.
/// - "HIGH" : The data point has a strong effect on the result. Changing the
/// data point is likely to affect the overall determination.
core.String? relevance;
/// The role that this binding grants.
///
/// For example, `roles/compute.serviceAgent`. For a complete list of
/// predefined IAM roles, as well as the permissions in each role, see
/// https://cloud.google.com/iam/help/roles/reference.
core.String? role;
/// Indicates whether the role granted by this binding contains the specified
/// permission.
/// Possible string values are:
/// - "ROLE_PERMISSION_UNSPECIFIED" : Default value. This value is unused.
/// - "ROLE_PERMISSION_INCLUDED" : The permission is included in the role.
/// - "ROLE_PERMISSION_NOT_INCLUDED" : The permission is not included in the
/// role.
/// - "ROLE_PERMISSION_UNKNOWN_INFO_DENIED" : The sender of the request is not
/// allowed to access the binding.
core.String? rolePermission;
/// The relevance of the permission's existence, or nonexistence, in the role
/// to the overall determination for the entire policy.
/// Possible string values are:
/// - "HEURISTIC_RELEVANCE_UNSPECIFIED" : Default value. This value is unused.
/// - "NORMAL" : The data point has a limited effect on the result. Changing
/// the data point is unlikely to affect the overall determination.
/// - "HIGH" : The data point has a strong effect on the result. Changing the
/// data point is likely to affect the overall determination.
core.String? rolePermissionRelevance;
GoogleCloudPolicytroubleshooterV1BindingExplanation({
this.access,
this.condition,
this.memberships,
this.relevance,
this.role,
this.rolePermission,
this.rolePermissionRelevance,
});
GoogleCloudPolicytroubleshooterV1BindingExplanation.fromJson(core.Map json_)
: this(
access: json_['access'] as core.String?,
condition: json_.containsKey('condition')
? GoogleTypeExpr.fromJson(
json_['condition'] as core.Map<core.String, core.dynamic>,
)
: null,
memberships:
(json_['memberships'] as core.Map<core.String, core.dynamic>?)?.map(
(key, value) => core.MapEntry(
key,
GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership.fromJson(
value as core.Map<core.String, core.dynamic>,
),
),
),
relevance: json_['relevance'] as core.String?,
role: json_['role'] as core.String?,
rolePermission: json_['rolePermission'] as core.String?,
rolePermissionRelevance:
json_['rolePermissionRelevance'] as core.String?,
);
core.Map<core.String, core.dynamic> toJson() {
final access = this.access;
final condition = this.condition;
final memberships = this.memberships;
final relevance = this.relevance;
final role = this.role;
final rolePermission = this.rolePermission;
final rolePermissionRelevance = this.rolePermissionRelevance;
return {
'access': ?access,
'condition': ?condition,
'memberships': ?memberships,
'relevance': ?relevance,
'role': ?role,
'rolePermission': ?rolePermission,
'rolePermissionRelevance': ?rolePermissionRelevance,
};
}
}
/// Details about whether the binding includes the principal.
class GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership {
/// Indicates whether the binding includes the principal.
/// Possible string values are:
/// - "MEMBERSHIP_UNSPECIFIED" : Default value. This value is unused.
/// - "MEMBERSHIP_INCLUDED" : The binding includes the principal. The
/// principal can be included directly or indirectly. For example: * A
/// principal is included directly if that principal is listed in the binding.
/// * A principal is included indirectly if that principal is in a Google
/// group or Google Workspace domain that is listed in the binding.
/// - "MEMBERSHIP_NOT_INCLUDED" : The binding does not include the principal.
/// - "MEMBERSHIP_UNKNOWN_INFO_DENIED" : The sender of the request is not
/// allowed to access the binding.
/// - "MEMBERSHIP_UNKNOWN_UNSUPPORTED" : The principal is an unsupported type.
/// Only Google Accounts and service accounts are supported.
core.String? membership;
/// The relevance of the principal's status to the overall determination for
/// the binding.
/// Possible string values are:
/// - "HEURISTIC_RELEVANCE_UNSPECIFIED" : Default value. This value is unused.
/// - "NORMAL" : The data point has a limited effect on the result. Changing
/// the data point is unlikely to affect the overall determination.
/// - "HIGH" : The data point has a strong effect on the result. Changing the
/// data point is likely to affect the overall determination.
core.String? relevance;
GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership({
this.membership,
this.relevance,
});
GoogleCloudPolicytroubleshooterV1BindingExplanationAnnotatedMembership.fromJson(
core.Map json_,
) : this(
membership: json_['membership'] as core.String?,
relevance: json_['relevance'] as core.String?,
);
core.Map<core.String, core.dynamic> toJson() {
final membership = this.membership;
final relevance = this.relevance;
return {'membership': ?membership, 'relevance': ?relevance};
}
}
/// Details about how a specific IAM Policy contributed to the access check.
class GoogleCloudPolicytroubleshooterV1ExplainedPolicy {
/// Indicates whether _this policy_ provides the specified permission to the
/// specified principal for the specified resource.
///
/// This field does _not_ indicate whether the principal actually has the
/// permission for the resource. There might be another policy that overrides
/// this policy. To determine whether the principal actually has the
/// permission, use the `access` field in the TroubleshootIamPolicyResponse.
/// Possible string values are:
/// - "ACCESS_STATE_UNSPECIFIED" : Default value. This value is unused.
/// - "GRANTED" : The principal has the permission.
/// - "NOT_GRANTED" : The principal does not have the permission.
/// - "UNKNOWN_CONDITIONAL" : The principal has the permission only if a
/// condition expression evaluates to `true`.
/// - "UNKNOWN_INFO_DENIED" : The sender of the request does not have access
/// to all of the policies that Policy Troubleshooter needs to evaluate.
core.String? access;
/// Details about how each binding in the policy affects the principal's
/// ability, or inability, to use the permission for the resource.
///
/// If the sender of the request does not have access to the policy, this
/// field is omitted.
core.List<GoogleCloudPolicytroubleshooterV1BindingExplanation>?
bindingExplanations;
/// The full resource name that identifies the resource.
///
/// For example,
/// `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
/// If the sender of the request does not have access to the policy, this
/// field is omitted. For examples of full resource names for Google Cloud
/// services, see
/// https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
core.String? fullResourceName;
/// The IAM policy attached to the resource.
///
/// If the sender of the request does not have access to the policy, this
/// field is empty.
GoogleIamV1Policy? policy;
/// The relevance of this policy to the overall determination in the
/// TroubleshootIamPolicyResponse.
///
/// If the sender of the request does not have access to the policy, this
/// field is omitted.
/// Possible string values are:
/// - "HEURISTIC_RELEVANCE_UNSPECIFIED" : Default value. This value is unused.
/// - "NORMAL" : The data point has a limited effect on the result. Changing
/// the data point is unlikely to affect the overall determination.
/// - "HIGH" : The data point has a strong effect on the result. Changing the
/// data point is likely to affect the overall determination.
core.String? relevance;
GoogleCloudPolicytroubleshooterV1ExplainedPolicy({
this.access,
this.bindingExplanations,
this.fullResourceName,
this.policy,
this.relevance,
});
GoogleCloudPolicytroubleshooterV1ExplainedPolicy.fromJson(core.Map json_)
: this(
access: json_['access'] as core.String?,
bindingExplanations: (json_['bindingExplanations'] as core.List?)
?.map(
(value) =>
GoogleCloudPolicytroubleshooterV1BindingExplanation.fromJson(
value as core.Map<core.String, core.dynamic>,
),
)
.toList(),
fullResourceName: json_['fullResourceName'] as core.String?,
policy: json_.containsKey('policy')
? GoogleIamV1Policy.fromJson(
json_['policy'] as core.Map<core.String, core.dynamic>,
)
: null,
relevance: json_['relevance'] as core.String?,
);
core.Map<core.String, core.dynamic> toJson() {
final access = this.access;
final bindingExplanations = this.bindingExplanations;
final fullResourceName = this.fullResourceName;
final policy = this.policy;
final relevance = this.relevance;
return {
'access': ?access,
'bindingExplanations': ?bindingExplanations,
'fullResourceName': ?fullResourceName,
'policy': ?policy,
'relevance': ?relevance,
};
}
}
/// Request for TroubleshootIamPolicy.
class GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest {
/// The information to use for checking whether a principal has a permission
/// for a resource.
GoogleCloudPolicytroubleshooterV1AccessTuple? accessTuple;
GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest({
this.accessTuple,
});
GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyRequest.fromJson(
core.Map json_,
) : this(
accessTuple: json_.containsKey('accessTuple')
? GoogleCloudPolicytroubleshooterV1AccessTuple.fromJson(
json_['accessTuple'] as core.Map<core.String, core.dynamic>,
)
: null,
);
core.Map<core.String, core.dynamic> toJson() {
final accessTuple = this.accessTuple;
return {'accessTuple': ?accessTuple};
}
}
/// Response for TroubleshootIamPolicy.
class GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse {
/// Indicates whether the principal has the specified permission for the
/// specified resource, based on evaluating all of the applicable IAM
/// policies.
/// Possible string values are:
/// - "ACCESS_STATE_UNSPECIFIED" : Default value. This value is unused.
/// - "GRANTED" : The principal has the permission.
/// - "NOT_GRANTED" : The principal does not have the permission.
/// - "UNKNOWN_CONDITIONAL" : The principal has the permission only if a
/// condition expression evaluates to `true`.
/// - "UNKNOWN_INFO_DENIED" : The sender of the request does not have access
/// to all of the policies that Policy Troubleshooter needs to evaluate.
core.String? access;
/// The general errors contained in the troubleshooting response.
core.List<GoogleRpcStatus>? errors;
/// List of IAM policies that were evaluated to check the principal's
/// permissions, with annotations to indicate how each policy contributed to
/// the final result.
///
/// The list of policies can include the policy for the resource itself. It
/// can also include policies that are inherited from higher levels of the
/// resource hierarchy, including the organization, the folder, and the
/// project. To learn more about the resource hierarchy, see
/// https://cloud.google.com/iam/help/resource-hierarchy.
core.List<GoogleCloudPolicytroubleshooterV1ExplainedPolicy>?
explainedPolicies;
GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse({
this.access,
this.errors,
this.explainedPolicies,
});
GoogleCloudPolicytroubleshooterV1TroubleshootIamPolicyResponse.fromJson(
core.Map json_,
) : this(
access: json_['access'] as core.String?,
errors: (json_['errors'] as core.List?)
?.map(
(value) => GoogleRpcStatus.fromJson(
value as core.Map<core.String, core.dynamic>,
),
)
.toList(),
explainedPolicies: (json_['explainedPolicies'] as core.List?)
?.map(
(value) =>
GoogleCloudPolicytroubleshooterV1ExplainedPolicy.fromJson(
value as core.Map<core.String, core.dynamic>,
),
)
.toList(),
);
core.Map<core.String, core.dynamic> toJson() {
final access = this.access;
final errors = this.errors;
final explainedPolicies = this.explainedPolicies;
return {
'access': ?access,
'errors': ?errors,
'explainedPolicies': ?explainedPolicies,
};
}
}
/// Specifies the audit configuration for a service.
///
/// The configuration determines which permission types are logged, and what
/// identities, if any, are exempted from logging. An AuditConfig must have one
/// or more AuditLogConfigs. If there are AuditConfigs for both `allServices`
/// and a specific service, the union of the two AuditConfigs is used for that
/// service: the log_types specified in each AuditConfig are enabled, and the
/// exempted_members in each AuditLogConfig are exempted. Example Policy with
/// multiple AuditConfigs: { "audit_configs": \[ { "service": "allServices",
/// "audit_log_configs": \[ { "log_type": "DATA_READ", "exempted_members": \[
/// "user:jose@example.com" \] }, { "log_type": "DATA_WRITE" }, { "log_type":
/// "ADMIN_READ" } \] }, { "service": "sampleservice.googleapis.com",
/// "audit_log_configs": \[ { "log_type": "DATA_READ" }, { "log_type":
/// "DATA_WRITE", "exempted_members": \[ "user:aliya@example.com" \] } \] } \] }
/// For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
/// logging. It also exempts `jose@example.com` from DATA_READ logging, and
/// `aliya@example.com` from DATA_WRITE logging.
class GoogleIamV1AuditConfig {
/// The configuration for logging of each type of permission.
core.List<GoogleIamV1AuditLogConfig>? auditLogConfigs;
/// Specifies a service that will be enabled for audit logging.
///
/// For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
/// `allServices` is a special value that covers all services.
core.String? service;
GoogleIamV1AuditConfig({this.auditLogConfigs, this.service});
GoogleIamV1AuditConfig.fromJson(core.Map json_)
: this(
auditLogConfigs: (json_['auditLogConfigs'] as core.List?)
?.map(
(value) => GoogleIamV1AuditLogConfig.fromJson(
value as core.Map<core.String, core.dynamic>,
),
)
.toList(),
service: json_['service'] as core.String?,
);
core.Map<core.String, core.dynamic> toJson() {
final auditLogConfigs = this.auditLogConfigs;
final service = this.service;
return {'auditLogConfigs': ?auditLogConfigs, 'service': ?service};
}
}
/// Provides the configuration for logging a type of permissions.
///
/// Example: { "audit_log_configs": \[ { "log_type": "DATA_READ",
/// "exempted_members": \[ "user:jose@example.com" \] }, { "log_type":
/// "DATA_WRITE" } \] } This enables 'DATA_READ' and 'DATA_WRITE' logging, while
/// exempting jose@example.com from DATA_READ logging.
typedef GoogleIamV1AuditLogConfig = $AuditLogConfig;
/// Associates `members`, or principals, with a `role`.
class GoogleIamV1Binding {
/// The condition that is associated with this binding.
///
/// If the condition evaluates to `true`, then this binding applies to the
/// current request. If the condition evaluates to `false`, then this binding
/// does not apply to the current request. However, a different role binding
/// might grant the same role to one or more of the principals in this
/// binding. To learn which resources support conditions in their IAM
/// policies, see the
/// [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
GoogleTypeExpr? condition;
/// Specifies the principals requesting access for a Google Cloud resource.
///
/// `members` can have the following values: * `allUsers`: A special
/// identifier that represents anyone who is on the internet; with or without
/// a Google account. * `allAuthenticatedUsers`: A special identifier that
/// represents anyone who is authenticated with a Google account or a service
/// account. Does not include identities that come from external identity
/// providers (IdPs) through identity federation. * `user:{emailid}`: An email
/// address that represents a specific Google account. For example,
/// `alice@example.com` . * `serviceAccount:{emailid}`: An email address that
/// represents a Google service account. For example,
/// `my-other-app@appspot.gserviceaccount.com`. *
/// `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An
/// identifier for a
/// [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts).
/// For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. *
/// `group:{emailid}`: An email address that represents a Google group. For
/// example, `admins@example.com`. * `domain:{domain}`: The G Suite domain
/// (primary) that represents all the users of that domain. For example,
/// `google.com` or `example.com`. *
/// `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`:
/// A single identity in a workforce identity pool. *
/// `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`:
/// All workforce identities in a group. *
/// `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`:
/// All workforce identities with a specific attribute value. *
/// `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}
/// / * `: All identities in a workforce identity pool. *
/// `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`:
/// A single identity in a workload identity pool. *
/// `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`:
/// A workload identity pool group. *
/// `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`:
/// All identities in a workload identity pool with a certain attribute. *
/// `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}
/// / * `: All identities in a workload identity pool. *
/// `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
/// identifier) representing a user that has been recently deleted. For
/// example, `alice@example.com?uid=123456789012345678901`. If the user is
/// recovered, this value reverts to `user:{emailid}` and the recovered user
/// retains the role in the binding. *
/// `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
/// unique identifier) representing a service account that has been recently
/// deleted. For example,
/// `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If
/// the service account is undeleted, this value reverts to
/// `serviceAccount:{emailid}` and the undeleted service account retains the
/// role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email
/// address (plus unique identifier) representing a Google group that has been
/// recently deleted. For example,
/// `admins@example.com?uid=123456789012345678901`. If the group is recovered,
/// this value reverts to `group:{emailid}` and the recovered group retains
/// the role in the binding. *
/// `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`:
/// Deleted single identity in a workforce identity pool. For example,
/// `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`.
core.List<core.String>? members;
/// Role that is assigned to the list of `members`, or principals.
///
/// For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an
/// overview of the IAM roles and permissions, see the
/// [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For
/// a list of the available pre-defined roles, see
/// [here](https://cloud.google.com/iam/docs/understanding-roles).
core.String? role;
GoogleIamV1Binding({this.condition, this.members, this.role});
GoogleIamV1Binding.fromJson(core.Map json_)
: this(
condition: json_.containsKey('condition')
? GoogleTypeExpr.fromJson(
json_['condition'] as core.Map<core.String, core.dynamic>,
)
: null,
members: (json_['members'] as core.List?)
?.map((value) => value as core.String)
.toList(),
role: json_['role'] as core.String?,
);
core.Map<core.String, core.dynamic> toJson() {
final condition = this.condition;
final members = this.members;
final role = this.role;
return {'condition': ?condition, 'members': ?members, 'role': ?role};
}
}
/// An Identity and Access Management (IAM) policy, which specifies access
/// controls for Google Cloud resources.
///
/// A `Policy` is a collection of `bindings`. A `binding` binds one or more
/// `members`, or principals, to a single `role`. Principals can be user
/// accounts, service accounts, Google groups, and domains (such as G Suite). A
/// `role` is a named list of permissions; each `role` can be an IAM predefined
/// role or a user-created custom role. For some types of Google Cloud
/// resources, a `binding` can also specify a `condition`, which is a logical
/// expression that allows access to a resource only if the expression evaluates
/// to `true`. A condition can add constraints based on attributes of the
/// request, the resource, or both. To learn which resources support conditions
/// in their IAM policies, see the
/// [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
/// **JSON example:** ``` { "bindings": [ { "role":
/// "roles/resourcemanager.organizationAdmin", "members": [
/// "user:mike@example.com", "group:admins@example.com", "domain:google.com",
/// "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role":
/// "roles/resourcemanager.organizationViewer", "members": [
/// "user:eve@example.com" ], "condition": { "title": "expirable access",
/// "description": "Does not grant access after Sep 2020", "expression":
/// "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag":
/// "BwWWja0YfJA=", "version": 3 } ``` **YAML example:** ``` bindings: -
/// members: - user:mike@example.com - group:admins@example.com -
/// domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com
/// role: roles/resourcemanager.organizationAdmin - members: -
/// user:eve@example.com role: roles/resourcemanager.organizationViewer
/// condition: title: expirable access description: Does not grant access after
/// Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
/// etag: BwWWja0YfJA= version: 3 ``` For a description of IAM and its features,
/// see the [IAM documentation](https://cloud.google.com/iam/docs/).
class GoogleIamV1Policy {
/// Specifies cloud audit logging configuration for this policy.
core.List<GoogleIamV1AuditConfig>? auditConfigs;
/// Associates a list of `members`, or principals, with a `role`.
///
/// Optionally, may specify a `condition` that determines how and when the
/// `bindings` are applied. Each of the `bindings` must contain at least one
/// principal. The `bindings` in a `Policy` can refer to up to 1,500
/// principals; up to 250 of these principals can be Google groups. Each
/// occurrence of a principal counts towards these limits. For example, if the
/// `bindings` grant 50 different roles to `user:alice@example.com`, and not
/// to any other principal, then you can add another 1,450 principals to the
/// `bindings` in the `Policy`.
core.List<GoogleIamV1Binding>? bindings;
/// `etag` is used for optimistic concurrency control as a way to help prevent
/// simultaneous updates of a policy from overwriting each other.
///
/// It is strongly suggested that systems make use of the `etag` in the
/// read-modify-write cycle to perform policy updates in order to avoid race
/// conditions: An `etag` is returned in the response to `getIamPolicy`, and
/// systems are expected to put that etag in the request to `setIamPolicy` to
/// ensure that their change will be applied to the same version of the
/// policy. **Important:** If you use IAM Conditions, you must include the
/// `etag` field whenever you call `setIamPolicy`. If you omit this field,
/// then IAM allows you to overwrite a version `3` policy with a version `1`
/// policy, and all of the conditions in the version `3` policy are lost.
core.String? etag;
core.List<core.int> get etagAsBytes => convert.base64.decode(etag!);
set etagAsBytes(core.List<core.int> bytes_) {
etag = convert.base64
.encode(bytes_)
.replaceAll('/', '_')
.replaceAll('+', '-');
}
/// Specifies the format of the policy.
///
/// Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
/// are rejected. Any operation that affects conditional role bindings must
/// specify version `3`. This requirement applies to the following operations:
/// * Getting a policy that includes a conditional role binding * Adding a
/// conditional role binding to a policy * Changing a conditional role binding
/// in a policy * Removing any role binding, with or without a condition, from
/// a policy that includes conditions **Important:** If you use IAM
/// Conditions, you must include the `etag` field whenever you call
/// `setIamPolicy`. If you omit this field, then IAM allows you to overwrite a
/// version `3` policy with a version `1` policy, and all of the conditions in
/// the version `3` policy are lost. If a policy does not include any
/// conditions, operations on that policy may specify any valid version or
/// leave the field unset. To learn which resources support conditions in
/// their IAM policies, see the
/// [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
core.int? version;
GoogleIamV1Policy({
this.auditConfigs,
this.bindings,
this.etag,
this.version,
});
GoogleIamV1Policy.fromJson(core.Map json_)
: this(
auditConfigs: (json_['auditConfigs'] as core.List?)
?.map(
(value) => GoogleIamV1AuditConfig.fromJson(
value as core.Map<core.String, core.dynamic>,
),
)
.toList(),
bindings: (json_['bindings'] as core.List?)
?.map(
(value) => GoogleIamV1Binding.fromJson(
value as core.Map<core.String, core.dynamic>,
),
)
.toList(),
etag: json_['etag'] as core.String?,
version: json_['version'] as core.int?,
);
core.Map<core.String, core.dynamic> toJson() {
final auditConfigs = this.auditConfigs;
final bindings = this.bindings;
final etag = this.etag;
final version = this.version;
return {
'auditConfigs': ?auditConfigs,
'bindings': ?bindings,
'etag': ?etag,
'version': ?version,
};
}
}
/// The `Status` type defines a logical error model that is suitable for
/// different programming environments, including REST APIs and RPC APIs.
///
/// It is used by [gRPC](https://github.com/grpc). Each `Status` message
/// contains three pieces of data: error code, error message, and error details.
/// You can find out more about this error model and how to work with it in the
/// [API Design Guide](https://cloud.google.com/apis/design/errors).
typedef GoogleRpcStatus = $Status00;
/// Represents a textual expression in the Common Expression Language (CEL)
/// syntax.
///
/// CEL is a C-like expression language. The syntax and semantics of CEL are
/// documented at https://github.com/google/cel-spec. Example (Comparison):
/// title: "Summary size limit" description: "Determines if a summary is less
/// than 100 chars" expression: "document.summary.size() \< 100" Example
/// (Equality): title: "Requestor is owner" description: "Determines if
/// requestor is the document owner" expression: "document.owner ==
/// request.auth.claims.email" Example (Logic): title: "Public documents"
/// description: "Determine whether the document should be publicly visible"
/// expression: "document.type != 'private' && document.type != 'internal'"
/// Example (Data Manipulation): title: "Notification string" description:
/// "Create a notification string with a timestamp." expression: "'New message
/// received at ' + string(document.create_time)" The exact variables and
/// functions that may be referenced within an expression are determined by the
/// service that evaluates it. See the service documentation for additional
/// information.
typedef GoogleTypeExpr = $Expr;