feat: Automated regeneration of IAP client

clients/iap/lib/google_api/iap/v1/api/v1.ex

@@ -290,7 +290,7 @@ defmodule GoogleApi.IAP.V1.Api.V1 do
       *   `:quotaUser` (*type:* `String.t`) - Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
       *   `:uploadType` (*type:* `String.t`) - Legacy upload protocol for media (e.g. "media", "multipart").
       *   `:upload_protocol` (*type:* `String.t`) - Upload protocol for media (e.g. "raw", "multipart").
-      *   `:updateMask` (*type:* `String.t`) - The field mask specifying which IAP settings should be updated. If omitted, the all of the settings are updated. See https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
+      *   `:updateMask` (*type:* `String.t`) - The field mask specifying which IAP settings should be updated. If omitted, then all of the settings are updated. See https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask. Note: All IAP reauth settings must always be set together, using the field mask: `iapSettings.accessSettings.reauthSettings`.
       *   `:body` (*type:* `GoogleApi.IAP.V1.Model.IapSettings.t`) - 
   *   `opts` (*type:* `keyword()`) - Call options
 
@@ -334,4 +334,68 @@ defmodule GoogleApi.IAP.V1.Api.V1 do
     |> Connection.execute(request)
     |> Response.decode(opts ++ [struct: %GoogleApi.IAP.V1.Model.IapSettings{}])
   end
+
+  @doc """
+  Validates a given CEL expression conforms to IAP restrictions.
+
+  ## Parameters
+
+  *   `connection` (*type:* `GoogleApi.IAP.V1.Connection.t`) - Connection to server
+  *   `v1_id` (*type:* `String.t`) - Part of `name`. Required. The resource name of the IAP protected resource.
+  *   `optional_params` (*type:* `keyword()`) - Optional parameters
+      *   `:"$.xgafv"` (*type:* `String.t`) - V1 error format.
+      *   `:access_token` (*type:* `String.t`) - OAuth access token.
+      *   `:alt` (*type:* `String.t`) - Data format for response.
+      *   `:callback` (*type:* `String.t`) - JSONP
+      *   `:fields` (*type:* `String.t`) - Selector specifying which fields to include in a partial response.
+      *   `:key` (*type:* `String.t`) - API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
+      *   `:oauth_token` (*type:* `String.t`) - OAuth 2.0 token for the current user.
+      *   `:prettyPrint` (*type:* `boolean()`) - Returns response with indentations and line breaks.
+      *   `:quotaUser` (*type:* `String.t`) - Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
+      *   `:uploadType` (*type:* `String.t`) - Legacy upload protocol for media (e.g. "media", "multipart").
+      *   `:upload_protocol` (*type:* `String.t`) - Upload protocol for media (e.g. "raw", "multipart").
+      *   `:expression` (*type:* `String.t`) - Required. User input string expression. Should be of the form 'attributes.saml_attributes.filter(attribute, attribute.name in ['{attribute_name}', '{attribute_name}'])'
+  *   `opts` (*type:* `keyword()`) - Call options
+
+  ## Returns
+
+  *   `{:ok, %GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse{}}` on success
+  *   `{:error, info}` on failure
+  """
+  @spec iap_validate_attribute_expression(Tesla.Env.client(), String.t(), keyword(), keyword()) ::
+          {:ok, GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse.t()}
+          | {:ok, Tesla.Env.t()}
+          | {:ok, list()}
+          | {:error, any()}
+  def iap_validate_attribute_expression(connection, v1_id, optional_params \\ [], opts \\ []) do
+    optional_params_config = %{
+      :"$.xgafv" => :query,
+      :access_token => :query,
+      :alt => :query,
+      :callback => :query,
+      :fields => :query,
+      :key => :query,
+      :oauth_token => :query,
+      :prettyPrint => :query,
+      :quotaUser => :query,
+      :uploadType => :query,
+      :upload_protocol => :query,
+      :expression => :query
+    }
+
+    request =
+      Request.new()
+      |> Request.method(:post)
+      |> Request.url("/v1/{v1Id}:validateAttributeExpression", %{
+        "v1Id" => URI.encode(v1_id, &URI.char_unreserved?/1)
+      })
+      |> Request.add_optional_params(optional_params_config, optional_params)
+      |> Request.library_version(@library_version)
+
+    connection
+    |> Connection.execute(request)
+    |> Response.decode(
+      opts ++ [struct: %GoogleApi.IAP.V1.Model.ValidateIapAttributeExpressionResponse{}]
+    )
+  end
 end

clients/iap/lib/google_api/iap/v1/metadata.ex

@@ -20,7 +20,7 @@ defmodule GoogleApi.IAP.V1 do
   API client metadata for GoogleApi.IAP.V1.
   """
 
-  @discovery_revision "20221028"
+  @discovery_revision "20240301"
 
   def discovery_revision(), do: @discovery_revision
 end

clients/iap/lib/google_api/iap/v1/model/application_settings.ex

@@ -22,7 +22,7 @@ defmodule GoogleApi.IAP.V1.Model.ApplicationSettings do
   ## Attributes
 
   *   `accessDeniedPageSettings` (*type:* `GoogleApi.IAP.V1.Model.AccessDeniedPageSettings.t`, *default:* `nil`) - Customization for Access Denied page.
-  *   `attributePropagationSettings` (*type:* `GoogleApi.IAP.V1.Model.AttributePropagationSettings.t`, *default:* `nil`) - Settings to configure attribute propagation to customer application. These attributes may come from SAML/SessionStorage integration, or other sources in the future.
+  *   `attributePropagationSettings` (*type:* `GoogleApi.IAP.V1.Model.AttributePropagationSettings.t`, *default:* `nil`) - Settings to configure attribute propagation.
   *   `cookieDomain` (*type:* `String.t`, *default:* `nil`) - The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid.
   *   `csmSettings` (*type:* `GoogleApi.IAP.V1.Model.CsmSettings.t`, *default:* `nil`) - Settings to configure IAP's behavior for a service mesh.
   """

clients/iap/lib/google_api/iap/v1/model/attribute_propagation_settings.ex

@@ -17,12 +17,12 @@
 
 defmodule GoogleApi.IAP.V1.Model.AttributePropagationSettings do
   @moduledoc """
-  Configuration for propagating attributes to customer applications protected by IAP. These attributes may be SAML attributes from a 3rd party IdP, or potentially other sources in the future.
+  Configuration for propagating attributes to applications protected by IAP.
 
   ## Attributes
 
   *   `enable` (*type:* `boolean()`, *default:* `nil`) - Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the set output credentials.
-  *   `expression` (*type:* `String.t`, *default:* `nil`) - Raw string CEL expression. Expression should be of the form attributes.saml_attributes.filter(attribute, attribute.name in [{attribute_list}]). An example expression to select the attributes "my_attr" and "other_attr": attributes.saml_attributes.filter(attribute, attribute.name in ["my_attr", "other_attr"])
+  *   `expression` (*type:* `String.t`, *default:* `nil`) - Raw string CEL expression. Must return a list of attributes. A maximum of 45 attributes can be selected. Expressions can select different attribute types from `attributes`: `attributes.saml_attributes`, `attributes.iap_attributes`. The following functions are supported: - filter `.filter(, )`: Returns a subset of `` where `` is true for every item. - in ` in `: Returns true if `` contains ``. - selectByName `.selectByName()`: Returns the attribute in `` with the given `` name, otherwise returns empty. - emitAs `.emitAs()`: Sets the `` name field to the given `` for propagation in selected output credentials. - strict `.strict()`: Ignores the `x-goog-iap-attr-` prefix for the provided `` when propagating with the `HEADER` output credential, such as request headers. - append `.append()` OR `.append()`: Appends the provided `` or `` to the end of ``. Example expression: `attributes.saml_attributes.filter(x, x.name in ['test']).append(attributes.iap_attributes.selectByName('exact').emitAs('custom').strict())`
   *   `outputCredentials` (*type:* `list(String.t)`, *default:* `nil`) - Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential.
   """
 

clients/iap/lib/google_api/iap/v1/model/binding.ex

@@ -22,8 +22,8 @@ defmodule GoogleApi.IAP.V1.Model.Binding do
   ## Attributes
 
   *   `condition` (*type:* `GoogleApi.IAP.V1.Model.Expr.t`, *default:* `nil`) - The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
-  *   `members` (*type:* `list(String.t)`, *default:* `nil`) - Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid}`: An email address that represents a specific Google account. For example, `[email protected]` . * `serviceAccount:{emailid}`: An email address that represents a Google service account. For example, `[email protected]`. * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid}`: An email address that represents a Google group. For example, `[email protected]`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. 
-  *   `role` (*type:* `String.t`, *default:* `nil`) - Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+  *   `members` (*type:* `list(String.t)`, *default:* `nil`) - Specifies the principals requesting access for a Google Cloud resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. * `user:{emailid}`: An email address that represents a specific Google account. For example, `[email protected]` . * `serviceAccount:{emailid}`: An email address that represents a Google service account. For example, `[email protected]`. * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An identifier for a [Kubernetes service account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. * `group:{emailid}`: An email address that represents a Google group. For example, `[email protected]`. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`. * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workforce identity pool. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: All workforce identities in a group. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All workforce identities with a specific attribute value. * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: All identities in a workforce identity pool. * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single identity in a workload identity pool. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool group. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: All identities in a workload identity pool with a certain attribute. * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: All identities in a workload identity pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `[email protected]?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: Deleted single identity in a workforce identity pool. For example, `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`.
+  *   `role` (*type:* `String.t`, *default:* `nil`) - Role that is assigned to the list of `members`, or principals. For example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview of the IAM roles and permissions, see the [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For a list of the available pre-defined roles, see [here](https://cloud.google.com/iam/docs/understanding-roles).
   """
 
   use GoogleApi.Gax.ModelBase

clients/iap/lib/google_api/iap/v1/model/o_auth_settings.ex

@@ -22,15 +22,18 @@ defmodule GoogleApi.IAP.V1.Model.OAuthSettings do
   ## Attributes
 
   *   `loginHint` (*type:* `String.t`, *default:* `nil`) - Domain hint to send as hd=? parameter in OAuth request flow. Enables redirect to primary IDP by skipping Google's login screen. https://developers.google.com/identity/protocols/OpenIDConnect#hd-param Note: IAP does not verify that the id token's hd claim matches this value since access behavior is managed by IAM policies.
+  *   `programmaticClients` (*type:* `list(String.t)`, *default:* `nil`) - List of client ids allowed to use IAP programmatically.
   """
 
   use GoogleApi.Gax.ModelBase
 
   @type t :: %__MODULE__{
-          :loginHint => String.t() | nil
+          :loginHint => String.t() | nil,
+          :programmaticClients => list(String.t()) | nil
         }
 
   field(:loginHint)
+  field(:programmaticClients, type: :list)
 end
 
 defimpl Poison.Decoder, for: GoogleApi.IAP.V1.Model.OAuthSettings do