From 86d493e1156c2dfd6b25aa2104f679041fc05a5f Mon Sep 17 00:00:00 2001 From: Yoshi Automation Bot Date: Tue, 12 Mar 2024 01:22:29 +0000 Subject: [PATCH] feat: Automated regeneration of IAP client --- clients/iap/lib/google_api/iap/v1/api/v1.ex | 66 ++++++++++++++++++- clients/iap/lib/google_api/iap/v1/metadata.ex | 2 +- .../iap/v1/model/application_settings.ex | 2 +- .../model/attribute_propagation_settings.ex | 4 +- .../lib/google_api/iap/v1/model/binding.ex | 4 +- .../iap/v1/model/o_auth_settings.ex | 5 +- .../iap/lib/google_api/iap/v1/model/policy.ex | 2 +- .../iap/v1/model/reauth_settings.ex | 2 +- .../lib/google_api/iap/v1/model/resource.ex | 3 + ...idate_iap_attribute_expression_response.ex | 41 ++++++++++++ 10 files changed, 121 insertions(+), 10 deletions(-) create mode 100644 clients/iap/lib/google_api/iap/v1/model/validate_iap_attribute_expression_response.ex diff --git a/clients/iap/lib/google_api/iap/v1/api/v1.ex b/clients/iap/lib/google_api/iap/v1/api/v1.ex index 4c4753a604..e36a7932ef 100644 --- a/clients/iap/lib/google_api/iap/v1/api/v1.ex +++ b/clients/iap/lib/google_api/iap/v1/api/v1.ex @@ -290,7 +290,7 @@ defmodule GoogleApi.IAP.V1.Api.V1 do * `:quotaUser` (*type:* `String.t`) - Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. * `:uploadType` (*type:* `String.t`) - Legacy upload protocol for media (e.g. "media", "multipart"). * `:upload_protocol` (*type:* `String.t`) - Upload protocol for media (e.g. "raw", "multipart"). - * `:updateMask` (*type:* `String.t`) - The field mask specifying which IAP settings should be updated. If omitted, the all of the settings are updated. See https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask + * `:updateMask` (*type:* `String.t`) - The field mask specifying which IAP settings should be updated. If omitted, then all of the settings are updated. See https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask. Note: All IAP reauth settings must always be set together, using the field mask: `iapSettings.accessSettings.reauthSettings`. * `:body` (*type:* `GoogleApi.IAP.V1.Model.IapSettings.t`) - * `opts` (*type:* `keyword()`) - Call options @@ -334,4 +334,68 @@ defmodule GoogleApi.IAP.V1.Api.V1 do |> Connection.execute(request) |> Response.decode(opts ++ [struct: %GoogleApi.IAP.V1.Model.IapSettings{}]) end + + @doc """ + Validates a given CEL expression conforms to IAP restrictions. + + ## Parameters + + * `connection` (*type:* `GoogleApi.IAP.V1.Connection.t`) - Connection to server + * `v1_id` (*type:* `String.t`) - Part of `name`. Required. The resource name of the IAP protected resource. + * `optional_params` (*type:* `keyword()`) - Optional parameters + * `:"$.xgafv"` (*type:* `String.t`) - V1 error format. + * `:access_token` (*type:* `String.t`) - OAuth access token. + * `:alt` (*type:* `String.t`) - Data format for response. + * `:callback` (*type:* `String.t`) - JSONP + * `:fields` (*type:* `String.t`) - Selector specifying which fields to include in a partial response. + * `:key` (*type:* `String.t`) - API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token. + * `:oauth_token` (*type:* `String.t`) - OAuth 2.0 token for the current user. + * `:prettyPrint` (*type:* `boolean()`) - Returns response with indentations and line breaks. + * `:quotaUser` (*type:* `String.t`) - Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. + * `:uploadType` (*type:* `String.t`) - Legacy upload protocol for media (e.g. "media", "multipart"). + * `:upload_protocol` (*type:* `String.t`) - Upload protocol for media (e.g. "raw", "multipart"). + * `:expression` (*type:* `String.t`) - Required. User input string expression. Should be of the form 'attributes.saml_attributes.filter(attribute, attribute.name in ['{attribute_name}', '{attribute_name}'])' + * `opts` (*type:* `keyword()`) - Call options + + ## Returns + + * `{:ok, %GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse{}}` on success + * `{:error, info}` on failure + """ + @spec iap_validate_attribute_expression(Tesla.Env.client(), String.t(), keyword(), keyword()) :: + {:ok, GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse.t()} + | {:ok, Tesla.Env.t()} + | {:ok, list()} + | {:error, any()} + def iap_validate_attribute_expression(connection, v1_id, optional_params \\ [], opts \\ []) do + optional_params_config = %{ + :"$.xgafv" => :query, + :access_token => :query, + :alt => :query, + :callback => :query, + :fields => :query, + :key => :query, + :oauth_token => :query, + :prettyPrint => :query, + :quotaUser => :query, + :uploadType => :query, + :upload_protocol => :query, + :expression => :query + } + + request = + Request.new() + |> Request.method(:post) + |> Request.url("/v1/{v1Id}:validateAttributeExpression", %{ + "v1Id" => URI.encode(v1_id, &URI.char_unreserved?/1) + }) + |> Request.add_optional_params(optional_params_config, optional_params) + |> Request.library_version(@library_version) + + connection + |> Connection.execute(request) + |> Response.decode( + opts ++ [struct: %GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse{}] + ) + end end diff --git a/clients/iap/lib/google_api/iap/v1/metadata.ex b/clients/iap/lib/google_api/iap/v1/metadata.ex index 3bb4bc184f..326e271438 100644 --- a/clients/iap/lib/google_api/iap/v1/metadata.ex +++ b/clients/iap/lib/google_api/iap/v1/metadata.ex @@ -20,7 +20,7 @@ defmodule GoogleApi.IAP.V1 do API client metadata for GoogleApi.IAP.V1. """ - @discovery_revision "20221028" + @discovery_revision "20240301" def discovery_revision(), do: @discovery_revision end diff --git a/clients/iap/lib/google_api/iap/v1/model/application_settings.ex b/clients/iap/lib/google_api/iap/v1/model/application_settings.ex index fc2349f280..7e168fe495 100644 --- a/clients/iap/lib/google_api/iap/v1/model/application_settings.ex +++ b/clients/iap/lib/google_api/iap/v1/model/application_settings.ex @@ -22,7 +22,7 @@ defmodule GoogleApi.IAP.V1.Model.ApplicationSettings do ## Attributes * `accessDeniedPageSettings` (*type:* `GoogleApi.IAP.V1.Model.AccessDeniedPageSettings.t`, *default:* `nil`) - Customization for Access Denied page. - * `attributePropagationSettings` (*type:* `GoogleApi.IAP.V1.Model.AttributePropagationSettings.t`, *default:* `nil`) - Settings to configure attribute propagation to customer application. These attributes may come from SAML/SessionStorage integration, or other sources in the future. + * `attributePropagationSettings` (*type:* `GoogleApi.IAP.V1.Model.AttributePropagationSettings.t`, *default:* `nil`) - Settings to configure attribute propagation. * `cookieDomain` (*type:* `String.t`, *default:* `nil`) - The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid. * `csmSettings` (*type:* `GoogleApi.IAP.V1.Model.CsmSettings.t`, *default:* `nil`) - Settings to configure IAP's behavior for a service mesh. """ diff --git a/clients/iap/lib/google_api/iap/v1/model/attribute_propagation_settings.ex b/clients/iap/lib/google_api/iap/v1/model/attribute_propagation_settings.ex index e2e08083ee..b64415568e 100644 --- a/clients/iap/lib/google_api/iap/v1/model/attribute_propagation_settings.ex +++ b/clients/iap/lib/google_api/iap/v1/model/attribute_propagation_settings.ex @@ -17,12 +17,12 @@ defmodule GoogleApi.IAP.V1.Model.AttributePropagationSettings do @moduledoc """ - Configuration for propagating attributes to customer applications protected by IAP. These attributes may be SAML attributes from a 3rd party IdP, or potentially other sources in the future. + Configuration for propagating attributes to applications protected by IAP. ## Attributes * `enable` (*type:* `boolean()`, *default:* `nil`) - Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the set output credentials. - * `expression` (*type:* `String.t`, *default:* `nil`) - Raw string CEL expression. Expression should be of the form attributes.saml_attributes.filter(attribute, attribute.name in [{attribute_list}]). An example expression to select the attributes "my_attr" and "other_attr": attributes.saml_attributes.filter(attribute, attribute.name in ["my_attr", "other_attr"]) + * `expression` (*type:* `String.t`, *default:* `nil`) - Raw string CEL expression. Must return a list of attributes. A maximum of 45 attributes can be selected. Expressions can select different attribute types from `attributes`: `attributes.saml_attributes`, `attributes.iap_attributes`. The following functions are supported: - filter `.filter(, )`: Returns a subset of `` where `` is true for every item. - in ` in `: Returns true if `` contains ``. - selectByName `.selectByName()`: Returns the attribute in `` with the given `` name, otherwise returns empty. - emitAs `.emitAs()`: Sets the `` name field to the given `` for propagation in selected output credentials. - strict `.strict()`: Ignores the `x-goog-iap-attr-` prefix for the provided `` when propagating with the `HEADER` output credential, such as request headers. - append `.append()` OR `.append()`: Appends the provided `` or `` to the end of ``. Example expression: `attributes.saml_attributes.filter(x, x.name in ['test']).append(attributes.iap_attributes.selectByName('exact').emitAs('custom').strict())` * `outputCredentials` (*type:* `list(String.t)`, *default:* `nil`) - Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. """ diff --git a/clients/iap/lib/google_api/iap/v1/model/binding.ex b/clients/iap/lib/google_api/iap/v1/model/binding.ex index 6539fb30d7..eaad16574e 100644 --- a/clients/iap/lib/google_api/iap/v1/model/binding.ex +++ b/clients/iap/lib/google_api/iap/v1/model/binding.ex @@ -22,8 +22,8 @@ defmodule GoogleApi.IAP.V1.Model.Binding do ## Attributes * `condition` (*type:* `GoogleApi.IAP.V1.Model.Expr.t`, *default:* `nil`) - The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). - * `members` (*type:* `list(String.t)`, *default:* `nil`) - Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a Google service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. - * `role` (*type:* `String.t`, *default:* `nil`) - Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. + * `members` (*type:* `list(String.t)`, *default:* `nil`) - Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a Google service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workforce identity pool. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: All workforce identities in a group. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All workforce identities with a specific attribute value. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: All identities in a workforce identity pool. * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workload identity pool. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool group. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All identities in a workload identity pool with a certain attribute. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: All identities in a workload identity pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: Deleted single identity in a workforce identity pool. For example, `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. + * `role` (*type:* `String.t`, *default:* `nil`) - Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For a list of the available pre-defined roles, see [here](https://cloud.google.com/iam/docs/understanding-roles). """ use GoogleApi.Gax.ModelBase diff --git a/clients/iap/lib/google_api/iap/v1/model/o_auth_settings.ex b/clients/iap/lib/google_api/iap/v1/model/o_auth_settings.ex index 3297d39aeb..c8ef599257 100644 --- a/clients/iap/lib/google_api/iap/v1/model/o_auth_settings.ex +++ b/clients/iap/lib/google_api/iap/v1/model/o_auth_settings.ex @@ -22,15 +22,18 @@ defmodule GoogleApi.IAP.V1.Model.OAuthSettings do ## Attributes * `loginHint` (*type:* `String.t`, *default:* `nil`) - Domain hint to send as hd=? parameter in OAuth request flow. Enables redirect to primary IDP by skipping Google's login screen. https://developers.google.com/identity/protocols/OpenIDConnect#hd-param Note: IAP does not verify that the id token's hd claim matches this value since access behavior is managed by IAM policies. + * `programmaticClients` (*type:* `list(String.t)`, *default:* `nil`) - List of client ids allowed to use IAP programmatically. """ use GoogleApi.Gax.ModelBase @type t :: %__MODULE__{ - :loginHint => String.t() | nil + :loginHint => String.t() | nil, + :programmaticClients => list(String.t()) | nil } field(:loginHint) + field(:programmaticClients, type: :list) end defimpl Poison.Decoder, for: GoogleApi.IAP.V1.Model.OAuthSettings do diff --git a/clients/iap/lib/google_api/iap/v1/model/policy.ex b/clients/iap/lib/google_api/iap/v1/model/policy.ex index 333b4d8e16..4406940256 100644 --- a/clients/iap/lib/google_api/iap/v1/model/policy.ex +++ b/clients/iap/lib/google_api/iap/v1/model/policy.ex @@ -17,7 +17,7 @@ defmodule GoogleApi.IAP.V1.Model.Policy do @moduledoc """ - An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members`, or principals, to a single `role`. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } **YAML example:** bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/). + An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members`, or principals, to a single `role`. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** ``` { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } ``` **YAML example:** ``` bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the [IAM documentation](https://cloud.google.com/iam/docs/). ## Attributes diff --git a/clients/iap/lib/google_api/iap/v1/model/reauth_settings.ex b/clients/iap/lib/google_api/iap/v1/model/reauth_settings.ex index 9180178418..d657786e01 100644 --- a/clients/iap/lib/google_api/iap/v1/model/reauth_settings.ex +++ b/clients/iap/lib/google_api/iap/v1/model/reauth_settings.ex @@ -23,7 +23,7 @@ defmodule GoogleApi.IAP.V1.Model.ReauthSettings do * `maxAge` (*type:* `String.t`, *default:* `nil`) - Reauth session lifetime, how long before a user has to reauthenticate again. * `method` (*type:* `String.t`, *default:* `nil`) - Reauth method requested. - * `policyType` (*type:* `String.t`, *default:* `nil`) - How IAP determines the effective policy in cases of hierarchial policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. + * `policyType` (*type:* `String.t`, *default:* `nil`) - How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. """ use GoogleApi.Gax.ModelBase diff --git a/clients/iap/lib/google_api/iap/v1/model/resource.ex b/clients/iap/lib/google_api/iap/v1/model/resource.ex index 653405b7de..e542ba928f 100644 --- a/clients/iap/lib/google_api/iap/v1/model/resource.ex +++ b/clients/iap/lib/google_api/iap/v1/model/resource.ex @@ -21,6 +21,7 @@ defmodule GoogleApi.IAP.V1.Model.Resource do ## Attributes + * `expectedNextState` (*type:* `map()`, *default:* `nil`) - The proto or JSON formatted expected next state of the resource, wrapped in a google.protobuf.Any proto, against which the policy rules are evaluated. Services not integrated with custom org policy can omit this field. Services integrated with custom org policy must populate this field for all requests where the API call changes the state of the resource. Custom org policy backend uses these attributes to enforce custom org policies. When a proto is wrapped, it is generally the One Platform API proto. When a JSON string is wrapped, use `google.protobuf.StringValue` for the inner value. For create operations, GCP service is expected to pass resource from customer request as is. For update/patch operations, GCP service is expected to compute the next state with the patch provided by the user. See go/custom-constraints-org-policy-integration-guide for additional details. * `labels` (*type:* `map()`, *default:* `nil`) - The service defined labels of the resource on which the conditions will be evaluated. The semantics - including the key names - are vague to IAM. If the effective condition has a reference to a `resource.labels[foo]` construct, IAM consults with this map to retrieve the values associated with `foo` key for Conditions evaluation. If the provided key is not found in the labels map, the condition would evaluate to false. This field is in limited use. If your intended use case is not expected to express resource.labels attribute in IAM Conditions, leave this field empty. Before planning on using this attribute please: * Read go/iam-conditions-labels-comm and ensure your service can meet the data availability and management requirements. * Talk to iam-conditions-eng@ about your use case. * `name` (*type:* `String.t`, *default:* `nil`) - Name of the resource on which conditions will be evaluated. Must use the Relative Resource Name of the resource, which is the URI path of the resource without the leading "/". Examples are "projects/_/buckets/[BUCKET-ID]" for storage buckets or "projects/[PROJECT-ID]/global/firewalls/[FIREWALL-ID]" for a firewall. This field is required for evaluating conditions with rules on resource names. For a `list` permission check, the resource.name value must be set to the parent resource. If the parent resource is a project, this field should be left unset. * `service` (*type:* `String.t`, *default:* `nil`) - The name of the service this resource belongs to. It is configured using the official_service_name of the Service as defined in service configurations under //configs/cloud/resourcetypes. For example, the official_service_name of cloud resource manager service is set as 'cloudresourcemanager.googleapis.com' according to //configs/cloud/resourcetypes/google/cloud/resourcemanager/prod.yaml @@ -30,12 +31,14 @@ defmodule GoogleApi.IAP.V1.Model.Resource do use GoogleApi.Gax.ModelBase @type t :: %__MODULE__{ + :expectedNextState => map() | nil, :labels => map() | nil, :name => String.t() | nil, :service => String.t() | nil, :type => String.t() | nil } + field(:expectedNextState, type: :map) field(:labels, type: :map) field(:name) field(:service) diff --git a/clients/iap/lib/google_api/iap/v1/model/validate_iap_attribute_expression_response.ex b/clients/iap/lib/google_api/iap/v1/model/validate_iap_attribute_expression_response.ex new file mode 100644 index 0000000000..aedd100753 --- /dev/null +++ b/clients/iap/lib/google_api/iap/v1/model/validate_iap_attribute_expression_response.ex @@ -0,0 +1,41 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# NOTE: This file is auto generated by the elixir code generator program. +# Do not edit this file manually. + +defmodule GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse do + @moduledoc """ + API requires a return message, but currently all response strings will fit in the status and public message. In the future, this response can hold AST validation info. + + ## Attributes + + """ + + use GoogleApi.Gax.ModelBase + + @type t :: %__MODULE__{} +end + +defimpl Poison.Decoder, for: GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse do + def decode(value, options) do + GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse.decode(value, options) + end +end + +defimpl Poison.Encoder, for: GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse do + def encode(value, options) do + GoogleApi.Gax.ModelBase.encode(value, options) + end +end