kpt-grpc-demo/google/cloud/iap/v1/service.proto

// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.iap.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/wrappers.proto";

option csharp_namespace = "Google.Cloud.Iap.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/iap/v1;iap";
option java_multiple_files = true;
option java_package = "com.google.cloud.iap.v1";
option php_namespace = "Google\\Cloud\\Iap\\V1";
option ruby_package = "Google::Cloud::Iap::V1";
option (google.api.resource_definition) = {
  type: "iap.googleapis.com/TunnelLocation"
  pattern: "projects/{project}/iap_tunnel/locations/{location}"
};

// APIs for Identity-Aware Proxy Admin configurations.
service IdentityAwareProxyAdminService {
  option (google.api.default_host) = "iap.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Sets the access control policy for an Identity-Aware Proxy protected
  // resource. Replaces any existing policy.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:setIamPolicy"
      body: "*"
    };
  }

  // Gets the access control policy for an Identity-Aware Proxy protected
  // resource.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:getIamPolicy"
      body: "*"
    };
  }

  // Returns permissions that a caller has on the Identity-Aware Proxy protected
  // resource.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:testIamPermissions"
      body: "*"
    };
  }

  // Gets the IAP settings on a particular IAP protected resource.
  rpc GetIapSettings(GetIapSettingsRequest) returns (IapSettings) {
    option (google.api.http) = {
      get: "/v1/{name=**}:iapSettings"
    };
  }

  // Updates the IAP settings on a particular IAP protected resource. It
  // replaces all fields unless the `update_mask` is set.
  rpc UpdateIapSettings(UpdateIapSettingsRequest) returns (IapSettings) {
    option (google.api.http) = {
      patch: "/v1/{iap_settings.name=**}:iapSettings"
      body: "iap_settings"
    };
  }

  // Lists the existing TunnelDestGroups. To group across all locations, use a
  // `-` as the location ID. For example:
  // `/v1/projects/123/iap_tunnel/locations/-/destGroups`
  rpc ListTunnelDestGroups(ListTunnelDestGroupsRequest) returns (ListTunnelDestGroupsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
    };
    option (google.api.method_signature) = "parent";
  }

  // Creates a new TunnelDestGroup.
  rpc CreateTunnelDestGroup(CreateTunnelDestGroupRequest) returns (TunnelDestGroup) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
      body: "tunnel_dest_group"
    };
    option (google.api.method_signature) = "parent,tunnel_dest_group,tunnel_dest_group_id";
  }

  // Retrieves an existing TunnelDestGroup.
  rpc GetTunnelDestGroup(GetTunnelDestGroupRequest) returns (TunnelDestGroup) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/iap_tunnel/locations/*/destGroups/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Deletes a TunnelDestGroup.
  rpc DeleteTunnelDestGroup(DeleteTunnelDestGroupRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/iap_tunnel/locations/*/destGroups/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Updates a TunnelDestGroup.
  rpc UpdateTunnelDestGroup(UpdateTunnelDestGroupRequest) returns (TunnelDestGroup) {
    option (google.api.http) = {
      patch: "/v1/{tunnel_dest_group.name=projects/*/iap_tunnel/locations/*/destGroups/*}"
      body: "tunnel_dest_group"
    };
    option (google.api.method_signature) = "tunnel_dest_group,update_mask";
  }
}

// The request to ListTunnelDestGroups.
message ListTunnelDestGroupsRequest {
  // Required. Google Cloud Project ID and location.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}`.
  // A `-` can be used for the location to group across all locations.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iap.googleapis.com/TunnelLocation"
    }
  ];

  // The maximum number of groups to return. The service might return fewer than
  // this value.
  // If unspecified, at most 100 groups are returned.
  // The maximum value is 1000; values above 1000 are coerced to 1000.
  int32 page_size = 2;

  // A page token, received from a previous `ListTunnelDestGroups`
  // call. Provide this to retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to
  // `ListTunnelDestGroups` must match the call that provided the page
  // token.
  string page_token = 3;
}

// The response from ListTunnelDestGroups.
message ListTunnelDestGroupsResponse {
  // TunnelDestGroup existing in the project.
  repeated TunnelDestGroup tunnel_dest_groups = 1;

  // A token that you can send as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// The request to CreateTunnelDestGroup.
message CreateTunnelDestGroupRequest {
  // Required. Google Cloud Project ID and location.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "iap.googleapis.com/TunnelDestGroup"
    }
  ];

  // Required. The TunnelDestGroup to create.
  TunnelDestGroup tunnel_dest_group = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The ID to use for the TunnelDestGroup, which becomes the final component of
  // the resource name.
  //
  // This value must be 4-63 characters, and valid characters
  // are `[a-z][0-9]-`.
  string tunnel_dest_group_id = 3 [(google.api.field_behavior) = REQUIRED];
}

// The request to GetTunnelDestGroup.
message GetTunnelDestGroupRequest {
  // Required. Name of the TunnelDestGroup to be fetched.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iap.googleapis.com/TunnelDestGroup"
    }
  ];
}

// The request to DeleteTunnelDestGroup.
message DeleteTunnelDestGroupRequest {
  // Required. Name of the TunnelDestGroup to delete.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iap.googleapis.com/TunnelDestGroup"
    }
  ];
}

// The request to UpdateTunnelDestGroup.
message UpdateTunnelDestGroupRequest {
  // Required. The new values for the TunnelDestGroup.
  TunnelDestGroup tunnel_dest_group = 1 [(google.api.field_behavior) = REQUIRED];

  // A field mask that specifies which IAP settings to update.
  // If omitted, then all of the settings are updated. See
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
  google.protobuf.FieldMask update_mask = 2;
}

// A TunnelDestGroup.
message TunnelDestGroup {
  option (google.api.resource) = {
    type: "iap.googleapis.com/TunnelDestGroup"
    pattern: "projects/{project}/iap_tunnel/locations/{location}/destGroups/{dest_group}"
  };

  // Required. Immutable. Identifier for the TunnelDestGroup. Must be unique within the
  // project.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // null List of CIDRs that this group applies to.
  repeated string cidrs = 2 [(google.api.field_behavior) = UNORDERED_LIST];

  // null List of FQDNs that this group applies to.
  repeated string fqdns = 3 [(google.api.field_behavior) = UNORDERED_LIST];
}

// API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
// OAuth brands; and create, retrieve, delete and reset-secret of IAP OAuth
// clients.
service IdentityAwareProxyOAuthService {
  option (google.api.default_host) = "iap.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Lists the existing brands for the project.
  rpc ListBrands(ListBrandsRequest) returns (ListBrandsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*}/brands"
    };
  }

  // Constructs a new OAuth brand for the project if one does not exist.
  // The created brand is "internal only", meaning that OAuth clients created
  // under it only accept requests from users who belong to the same Google
  // Workspace organization as the project. The brand is created in an
  // un-reviewed status. NOTE: The "internal only" status can be manually
  // changed in the Google Cloud Console. Requires that a brand does not already
  // exist for the project, and that the specified support email is owned by the
  // caller.
  rpc CreateBrand(CreateBrandRequest) returns (Brand) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*}/brands"
      body: "brand"
    };
  }

  // Retrieves the OAuth brand of the project.
  rpc GetBrand(GetBrandRequest) returns (Brand) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/brands/*}"
    };
  }

  // Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned
  // by IAP. Requires that the brand for the project exists and that it is
  // set for internal-only use.
  rpc CreateIdentityAwareProxyClient(CreateIdentityAwareProxyClientRequest) returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
      body: "identity_aware_proxy_client"
    };
  }

  // Lists the existing clients for the brand.
  rpc ListIdentityAwareProxyClients(ListIdentityAwareProxyClientsRequest) returns (ListIdentityAwareProxyClientsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
    };
  }

  // Retrieves an Identity Aware Proxy (IAP) OAuth client.
  // Requires that the client is owned by IAP.
  rpc GetIdentityAwareProxyClient(GetIdentityAwareProxyClientRequest) returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
    };
  }

  // Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the
  // secret was compromised. Requires that the client is owned by IAP.
  rpc ResetIdentityAwareProxyClientSecret(ResetIdentityAwareProxyClientSecretRequest) returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}:resetSecret"
      body: "*"
    };
  }

  // Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing
  // obsolete clients, managing the number of clients in a given project, and
  // cleaning up after tests. Requires that the client is owned by IAP.
  rpc DeleteIdentityAwareProxyClient(DeleteIdentityAwareProxyClientRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
    };
  }
}

// The request sent to GetIapSettings.
message GetIapSettingsRequest {
  // Required. The resource name for which to retrieve the settings.
  // Authorization: Requires the `getSettings` permission for the associated
  // resource.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to UpdateIapSettings.
message UpdateIapSettingsRequest {
  // Required. The new values for the IAP settings to be updated.
  // Authorization: Requires the `updateSettings` permission for the associated
  // resource.
  IapSettings iap_settings = 1 [(google.api.field_behavior) = REQUIRED];

  // The field mask specifying which IAP settings should be updated.
  // If omitted, the all of the settings are updated. See
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
  google.protobuf.FieldMask update_mask = 2;
}

// The IAP configurable settings.
message IapSettings {
  // Required. The resource name of the IAP protected resource.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Top level wrapper for all access related setting in IAP
  AccessSettings access_settings = 5;

  // Top level wrapper for all application related settings in IAP
  ApplicationSettings application_settings = 6;
}

// Access related settings for IAP protected apps.
message AccessSettings {
  // GCIP claims and endpoint configurations for 3p identity providers.
  GcipSettings gcip_settings = 1;

  // Configuration to allow cross-origin requests via IAP.
  CorsSettings cors_settings = 2;

  // Settings to configure IAP's OAuth behavior.
  OAuthSettings oauth_settings = 3;

  // Settings to configure reauthentication policies in IAP.
  ReauthSettings reauth_settings = 6;
}

// Allows customers to configure tenant_id for GCIP instance per-app.
message GcipSettings {
  // GCIP tenant ids that are linked to the IAP resource.
  // tenant_ids could be a string beginning with a number character to indicate
  // authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>
  // to indicate authenticating with GCIP agent flow.
  // If agent flow is used, tenant_ids should only contain one single element,
  // while for tenant flow, tenant_ids can contain multiple elements.
  repeated string tenant_ids = 1;

  // Login page URI associated with the GCIP tenants.
  // Typically, all resources within the same project share the same login page,
  // though it could be overridden at the sub resource level.
  google.protobuf.StringValue login_page_uri = 2;
}

// Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS
// call to bypass authentication and authorization.
message CorsSettings {
  // Configuration to allow HTTP OPTIONS calls to skip authorization. If
  // undefined, IAP will not apply any special logic to OPTIONS requests.
  google.protobuf.BoolValue allow_http_options = 1;
}

// Configuration for OAuth login&consent flow behavior as well as for OAuth
// Credentials.
message OAuthSettings {
  // Domain hint to send as hd=? parameter in OAuth request flow. Enables
  // redirect to primary IDP by skipping Google's login screen.
  // https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
  // Note: IAP does not verify that the id token's hd claim matches this value
  // since access behavior is managed by IAM policies.
  google.protobuf.StringValue login_hint = 2;
}

// Configuration for IAP reauthentication policies.
message ReauthSettings {
  // Types of reauthentication methods supported by IAP.
  enum Method {
    // Reauthentication disabled.
    METHOD_UNSPECIFIED = 0;

    // Mimics the behavior as if the user had logged out and tried to log in
    // again. Users with 2SV (2-step verification) enabled see their 2SV
    // challenges if they did not opt to have their second factor responses
    // saved. Apps Core (GSuites) admins can configure settings to disable 2SV
    // cookies and require 2SV for all Apps Core users in their domains.
    LOGIN = 1;

    // User must type their password.
    PASSWORD = 2;

    // User must use their secure key 2nd factor device.
    SECURE_KEY = 3;
  }

  // Type of policy in the case of hierarchial policies.
  enum PolicyType {
    // Default value. This value is unused.
    POLICY_TYPE_UNSPECIFIED = 0;

    // This policy acts as a minimum to other policies, lower in the hierarchy.
    // Effective policy may only be the same or stricter.
    MINIMUM = 1;

    // This policy acts as a default if no other reauth policy is set.
    DEFAULT = 2;
  }

  // Reauth method required by the policy.
  Method method = 1;

  // Reauth session lifetime, how long before a user has to reauthenticate
  // again.
  google.protobuf.Duration max_age = 2;

  // How IAP determines the effective policy in cases of hierarchial policies.
  // Policies are merged from higher in the hierarchy to lower in the hierarchy.
  PolicyType policy_type = 3;
}

// Wrapper over application specific settings for IAP.
message ApplicationSettings {
  // Settings to configure IAP's behavior for a CSM mesh.
  CsmSettings csm_settings = 1;

  // Customization for Access Denied page.
  AccessDeniedPageSettings access_denied_page_settings = 2;

  // The Domain value to set for cookies generated by IAP. This value is not
  // validated by the API, but will be ignored at runtime if invalid.
  google.protobuf.StringValue cookie_domain = 3;
}

// Configuration for RCTokens generated for CSM workloads protected by IAP.
// RCTokens are IAP generated JWTs that can be verified at the application. The
// RCToken is primarily used for ISTIO deployments, and can be scoped to a
// single mesh by configuring the audience field accordingly
message CsmSettings {
  // Audience claim set in the generated RCToken. This value is not validated by
  // IAP.
  google.protobuf.StringValue rctoken_aud = 1;
}

// Custom content configuration for access denied page.
// IAP allows customers to define a custom URI to use as the error page when
// access is denied to users. If IAP prevents access to this page, the default
// IAP error page will be displayed instead.
message AccessDeniedPageSettings {
  // The URI to be redirected to when access is denied.
  google.protobuf.StringValue access_denied_page_uri = 1;

  // Whether to generate a troubleshooting URL on access denied events to this
  // application.
  google.protobuf.BoolValue generate_troubleshooting_uri = 2;
}

// The request sent to ListBrands.
message ListBrandsRequest {
  // Required. GCP Project number/id.
  // In the following format: projects/{project_number/id}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];
}

// Response message for ListBrands.
message ListBrandsResponse {
  // Brands existing in the project.
  repeated Brand brands = 1;
}

// The request sent to CreateBrand.
message CreateBrandRequest {
  // Required. GCP Project number/id under which the brand is to be created.
  // In the following format: projects/{project_number/id}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The brand to be created.
  Brand brand = 2 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to GetBrand.
message GetBrandRequest {
  // Required. Name of the brand to be fetched.
  // In the following format: projects/{project_number/id}/brands/{brand}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to ListIdentityAwareProxyClients.
message ListIdentityAwareProxyClientsRequest {
  // Required. Full brand path.
  // In the following format: projects/{project_number/id}/brands/{brand}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // The maximum number of clients to return. The service may return fewer than
  // this value.
  // If unspecified, at most 100 clients will be returned.
  // The maximum value is 1000; values above 1000 will be coerced to 1000.
  int32 page_size = 2;

  // A page token, received from a previous `ListIdentityAwareProxyClients`
  // call. Provide this to retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to
  // `ListIdentityAwareProxyClients` must match the call that provided the page
  // token.
  string page_token = 3;
}

// Response message for ListIdentityAwareProxyClients.
message ListIdentityAwareProxyClientsResponse {
  // Clients existing in the brand.
  repeated IdentityAwareProxyClient identity_aware_proxy_clients = 1;

  // A token, which can be send as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// The request sent to CreateIdentityAwareProxyClient.
message CreateIdentityAwareProxyClientRequest {
  // Required. Path to create the client in.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}.
  // The project must belong to a G Suite account.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Identity Aware Proxy Client to be created.
  IdentityAwareProxyClient identity_aware_proxy_client = 2 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to GetIdentityAwareProxyClient.
message GetIdentityAwareProxyClientRequest {
  // Required. Name of the Identity Aware Proxy client to be fetched.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to ResetIdentityAwareProxyClientSecret.
message ResetIdentityAwareProxyClientSecretRequest {
  // Required. Name of the Identity Aware Proxy client to that will have its
  // secret reset. In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to DeleteIdentityAwareProxyClient.
message DeleteIdentityAwareProxyClientRequest {
  // Required. Name of the Identity Aware Proxy client to be deleted.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// OAuth brand data.
// NOTE: Only contains a portion of the data that describes a brand.
message Brand {
  // Output only. Identifier of the brand.
  // NOTE: GCP project number achieves the same brand identification purpose as
  // only one brand per project can be created.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Support email displayed on the OAuth consent screen.
  string support_email = 2;

  // Application name displayed on OAuth consent screen.
  string application_title = 3;

  // Output only. Whether the brand is only intended for usage inside the
  // G Suite organization only.
  bool org_internal_only = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Contains the data that describes an Identity Aware Proxy owned client.
message IdentityAwareProxyClient {
  // Output only. Unique identifier of the OAuth client.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Client secret of the OAuth client.
  string secret = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Human-friendly name given to the OAuth client.
  string display_name = 3;
}