123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411 |
- // Copyright 2021 Google LLC
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- syntax = "proto3";
- package google.cloud.iap.v1;
- import "google/api/annotations.proto";
- import "google/api/field_behavior.proto";
- import "google/iam/v1/iam_policy.proto";
- import "google/iam/v1/policy.proto";
- import "google/protobuf/empty.proto";
- import "google/protobuf/field_mask.proto";
- import "google/protobuf/wrappers.proto";
- import "google/api/client.proto";
- option csharp_namespace = "Google.Cloud.Iap.V1";
- option go_package = "google.golang.org/genproto/googleapis/cloud/iap/v1;iap";
- option java_multiple_files = true;
- option java_package = "com.google.cloud.iap.v1";
- option php_namespace = "Google\\Cloud\\Iap\\V1";
- option ruby_package = "Google::Cloud::Iap::V1";
- // APIs for Identity-Aware Proxy Admin configurations.
- service IdentityAwareProxyAdminService {
- option (google.api.default_host) = "iap.googleapis.com";
- option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
- // Sets the access control policy for an Identity-Aware Proxy protected
- // resource. Replaces any existing policy.
- // More information about managing access via IAP can be found at:
- // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
- rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
- option (google.api.http) = {
- post: "/v1/{resource=**}:setIamPolicy"
- body: "*"
- };
- }
- // Gets the access control policy for an Identity-Aware Proxy protected
- // resource.
- // More information about managing access via IAP can be found at:
- // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
- rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
- option (google.api.http) = {
- post: "/v1/{resource=**}:getIamPolicy"
- body: "*"
- };
- }
- // Returns permissions that a caller has on the Identity-Aware Proxy protected
- // resource.
- // More information about managing access via IAP can be found at:
- // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
- rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
- option (google.api.http) = {
- post: "/v1/{resource=**}:testIamPermissions"
- body: "*"
- };
- }
- // Gets the IAP settings on a particular IAP protected resource.
- rpc GetIapSettings(GetIapSettingsRequest) returns (IapSettings) {
- option (google.api.http) = {
- get: "/v1/{name=**}:iapSettings"
- };
- }
- // Updates the IAP settings on a particular IAP protected resource. It
- // replaces all fields unless the `update_mask` is set.
- rpc UpdateIapSettings(UpdateIapSettingsRequest) returns (IapSettings) {
- option (google.api.http) = {
- patch: "/v1/{iap_settings.name=**}:iapSettings"
- body: "iap_settings"
- };
- }
- }
- // The request sent to GetIapSettings.
- message GetIapSettingsRequest {
- // Required. The resource name for which to retrieve the settings.
- // Authorization: Requires the `getSettings` permission for the associated
- // resource.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- }
- // The request sent to UpdateIapSettings.
- message UpdateIapSettingsRequest {
- // Required. The new values for the IAP settings to be updated.
- // Authorization: Requires the `updateSettings` permission for the associated
- // resource.
- IapSettings iap_settings = 1 [(google.api.field_behavior) = REQUIRED];
- // The field mask specifying which IAP settings should be updated.
- // If omitted, the all of the settings are updated. See
- // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
- google.protobuf.FieldMask update_mask = 2;
- }
- // The IAP configurable settings.
- message IapSettings {
- // Required. The resource name of the IAP protected resource.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- // Top level wrapper for all access related setting in IAP
- AccessSettings access_settings = 5;
- // Top level wrapper for all application related settings in IAP
- ApplicationSettings application_settings = 6;
- }
- // Access related settings for IAP protected apps.
- message AccessSettings {
- // GCIP claims and endpoint configurations for 3p identity providers.
- GcipSettings gcip_settings = 1;
- // Configuration to allow cross-origin requests via IAP.
- CorsSettings cors_settings = 2;
- // Settings to configure IAP's OAuth behavior.
- OAuthSettings oauth_settings = 3;
- }
- // API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
- // OAuth brands; and create, retrieve, delete and reset-secret of IAP OAuth
- // clients.
- service IdentityAwareProxyOAuthService {
- option (google.api.default_host) = "iap.googleapis.com";
- option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
- // Lists the existing brands for the project.
- rpc ListBrands(ListBrandsRequest) returns (ListBrandsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*}/brands"
- };
- }
- // Constructs a new OAuth brand for the project if one does not exist.
- // The created brand is "internal only", meaning that OAuth clients created
- // under it only accept requests from users who belong to the same G Suite
- // organization as the project. The brand is created in an un-reviewed status.
- // NOTE: The "internal only" status can be manually changed in the Google
- // Cloud console. Requires that a brand does not already exist for the
- // project, and that the specified support email is owned by the caller.
- rpc CreateBrand(CreateBrandRequest) returns (Brand) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*}/brands"
- body: "brand"
- };
- }
- // Retrieves the OAuth brand of the project.
- rpc GetBrand(GetBrandRequest) returns (Brand) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/brands/*}"
- };
- }
- // Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned
- // by IAP. Requires that the brand for the project exists and that it is
- // set for internal-only use.
- rpc CreateIdentityAwareProxyClient(CreateIdentityAwareProxyClientRequest) returns (IdentityAwareProxyClient) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
- body: "identity_aware_proxy_client"
- };
- }
- // Lists the existing clients for the brand.
- rpc ListIdentityAwareProxyClients(ListIdentityAwareProxyClientsRequest) returns (ListIdentityAwareProxyClientsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
- };
- }
- // Retrieves an Identity Aware Proxy (IAP) OAuth client.
- // Requires that the client is owned by IAP.
- rpc GetIdentityAwareProxyClient(GetIdentityAwareProxyClientRequest) returns (IdentityAwareProxyClient) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
- };
- }
- // Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the
- // secret was compromised. Requires that the client is owned by IAP.
- rpc ResetIdentityAwareProxyClientSecret(ResetIdentityAwareProxyClientSecretRequest) returns (IdentityAwareProxyClient) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}:resetSecret"
- body: "*"
- };
- }
- // Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing
- // obsolete clients, managing the number of clients in a given project, and
- // cleaning up after tests. Requires that the client is owned by IAP.
- rpc DeleteIdentityAwareProxyClient(DeleteIdentityAwareProxyClientRequest) returns (google.protobuf.Empty) {
- option (google.api.http) = {
- delete: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
- };
- }
- }
- // Allows customers to configure tenant_id for GCIP instance per-app.
- message GcipSettings {
- // GCIP tenant ids that are linked to the IAP resource.
- // tenant_ids could be a string beginning with a number character to indicate
- // authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>
- // to indicate authenticating with GCIP agent flow.
- // If agent flow is used, tenant_ids should only contain one single element,
- // while for tenant flow, tenant_ids can contain multiple elements.
- repeated string tenant_ids = 1;
- // Login page URI associated with the GCIP tenants.
- // Typically, all resources within the same project share the same login page,
- // though it could be overridden at the sub resource level.
- google.protobuf.StringValue login_page_uri = 2;
- }
- // Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS
- // call to bypass authentication and authorization.
- message CorsSettings {
- // Configuration to allow HTTP OPTIONS calls to skip authorization. If
- // undefined, IAP will not apply any special logic to OPTIONS requests.
- google.protobuf.BoolValue allow_http_options = 1;
- }
- // Configuration for OAuth login&consent flow behavior as well as for OAuth
- // Credentials.
- message OAuthSettings {
- // Domain hint to send as hd=? parameter in OAuth request flow. Enables
- // redirect to primary IDP by skipping Google's login screen.
- // https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
- // Note: IAP does not verify that the id token's hd claim matches this value
- // since access behavior is managed by IAM policies.
- google.protobuf.StringValue login_hint = 2;
- }
- // Wrapper over application specific settings for IAP.
- message ApplicationSettings {
- // Settings to configure IAP's behavior for a CSM mesh.
- CsmSettings csm_settings = 1;
- // Customization for Access Denied page.
- AccessDeniedPageSettings access_denied_page_settings = 2;
- // The Domain value to set for cookies generated by IAP. This value is not
- // validated by the API, but will be ignored at runtime if invalid.
- google.protobuf.StringValue cookie_domain = 3;
- }
- // Configuration for RCTokens generated for CSM workloads protected by IAP.
- // RCTokens are IAP generated JWTs that can be verified at the application. The
- // RCToken is primarily used for ISTIO deployments, and can be scoped to a
- // single mesh by configuring the audience field accordingly
- message CsmSettings {
- // Audience claim set in the generated RCToken. This value is not validated by
- // IAP.
- google.protobuf.StringValue rctoken_aud = 1;
- }
- // Custom content configuration for access denied page.
- // IAP allows customers to define a custom URI to use as the error page when
- // access is denied to users. If IAP prevents access to this page, the default
- // IAP error page will be displayed instead.
- message AccessDeniedPageSettings {
- // The URI to be redirected to when access is denied.
- google.protobuf.StringValue access_denied_page_uri = 1;
- // Whether to generate a troubleshooting URL on access denied events to this
- // application.
- google.protobuf.BoolValue generate_troubleshooting_uri = 2;
- }
- // The request sent to ListBrands.
- message ListBrandsRequest {
- // Required. GCP Project number/id.
- // In the following format: projects/{project_number/id}.
- string parent = 1 [(google.api.field_behavior) = REQUIRED];
- }
- // Response message for ListBrands.
- message ListBrandsResponse {
- // Brands existing in the project.
- repeated Brand brands = 1;
- }
- // The request sent to CreateBrand.
- message CreateBrandRequest {
- // Required. GCP Project number/id under which the brand is to be created.
- // In the following format: projects/{project_number/id}.
- string parent = 1 [(google.api.field_behavior) = REQUIRED];
- // Required. The brand to be created.
- Brand brand = 2 [(google.api.field_behavior) = REQUIRED];
- }
- // The request sent to GetBrand.
- message GetBrandRequest {
- // Required. Name of the brand to be fetched.
- // In the following format: projects/{project_number/id}/brands/{brand}.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- }
- // The request sent to ListIdentityAwareProxyClients.
- message ListIdentityAwareProxyClientsRequest {
- // Required. Full brand path.
- // In the following format: projects/{project_number/id}/brands/{brand}.
- string parent = 1 [(google.api.field_behavior) = REQUIRED];
- // The maximum number of clients to return. The service may return fewer than
- // this value.
- // If unspecified, at most 100 clients will be returned.
- // The maximum value is 1000; values above 1000 will be coerced to 1000.
- int32 page_size = 2;
- // A page token, received from a previous `ListIdentityAwareProxyClients`
- // call. Provide this to retrieve the subsequent page.
- //
- // When paginating, all other parameters provided to
- // `ListIdentityAwareProxyClients` must match the call that provided the page
- // token.
- string page_token = 3;
- }
- // Response message for ListIdentityAwareProxyClients.
- message ListIdentityAwareProxyClientsResponse {
- // Clients existing in the brand.
- repeated IdentityAwareProxyClient identity_aware_proxy_clients = 1;
- // A token, which can be send as `page_token` to retrieve the next page.
- // If this field is omitted, there are no subsequent pages.
- string next_page_token = 2;
- }
- // The request sent to CreateIdentityAwareProxyClient.
- message CreateIdentityAwareProxyClientRequest {
- // Required. Path to create the client in.
- // In the following format:
- // projects/{project_number/id}/brands/{brand}.
- // The project must belong to a G Suite account.
- string parent = 1 [(google.api.field_behavior) = REQUIRED];
- // Required. Identity Aware Proxy Client to be created.
- IdentityAwareProxyClient identity_aware_proxy_client = 2 [(google.api.field_behavior) = REQUIRED];
- }
- // The request sent to GetIdentityAwareProxyClient.
- message GetIdentityAwareProxyClientRequest {
- // Required. Name of the Identity Aware Proxy client to be fetched.
- // In the following format:
- // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- }
- // The request sent to ResetIdentityAwareProxyClientSecret.
- message ResetIdentityAwareProxyClientSecretRequest {
- // Required. Name of the Identity Aware Proxy client to that will have its
- // secret reset. In the following format:
- // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- }
- // The request sent to DeleteIdentityAwareProxyClient.
- message DeleteIdentityAwareProxyClientRequest {
- // Required. Name of the Identity Aware Proxy client to be deleted.
- // In the following format:
- // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
- string name = 1 [(google.api.field_behavior) = REQUIRED];
- }
- // OAuth brand data.
- // NOTE: Only contains a portion of the data that describes a brand.
- message Brand {
- // Output only. Identifier of the brand.
- // NOTE: GCP project number achieves the same brand identification purpose as
- // only one brand per project can be created.
- string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
- // Support email displayed on the OAuth consent screen.
- string support_email = 2;
- // Application name displayed on OAuth consent screen.
- string application_title = 3;
- // Output only. Whether the brand is only intended for usage inside the
- // G Suite organization only.
- bool org_internal_only = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
- }
- // Contains the data that describes an Identity Aware Proxy owned client.
- message IdentityAwareProxyClient {
- // Output only. Unique identifier of the OAuth client.
- string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
- // Output only. Client secret of the OAuth client.
- string secret = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
- // Human-friendly name given to the OAuth client.
- string display_name = 3;
- }