grpc1.45.2/third_party/googleapis/google/cloud/asset/v1p4beta1/asset_service.proto

// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.asset.v1p4beta1;

import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/cloud/asset/v1p4beta1/assets.proto";
import "google/iam/v1/policy.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/duration.proto";
import "google/api/client.proto";

option csharp_namespace = "Google.Cloud.Asset.V1P4Beta1";
option go_package = "google.golang.org/genproto/googleapis/cloud/asset/v1p4beta1;asset";
option java_multiple_files = true;
option java_outer_classname = "AssetServiceProto";
option java_package = "com.google.cloud.asset.v1p4beta1";
option php_namespace = "Google\\Cloud\\Asset\\V1p4beta1";

// Asset service definition.
service AssetService {
  option (google.api.default_host) = "cloudasset.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Analyzes IAM policies based on the specified request. Returns
  // a list of [IamPolicyAnalysisResult][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult] matching the request.
  rpc AnalyzeIamPolicy(AnalyzeIamPolicyRequest) returns (AnalyzeIamPolicyResponse) {
    option (google.api.http) = {
      get: "/v1p4beta1/{analysis_query.parent=*/*}:analyzeIamPolicy"
    };
  }

  // Exports IAM policy analysis based on the specified request. This API
  // implements the [google.longrunning.Operation][google.longrunning.Operation] API allowing you to keep
  // track of the export. The metadata contains the request to help callers to
  // map responses to requests.
  rpc ExportIamPolicyAnalysis(ExportIamPolicyAnalysisRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1p4beta1/{analysis_query.parent=*/*}:exportIamPolicyAnalysis"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "google.cloud.asset.v1p4beta1.ExportIamPolicyAnalysisResponse"
      metadata_type: "google.cloud.asset.v1p4beta1.ExportIamPolicyAnalysisRequest"
    };
  }
}

// IAM policy analysis query message.
message IamPolicyAnalysisQuery {
  // Specifies the resource to analyze for access policies, which may be set
  // directly on the resource, or on ancestors such as organizations, folders or
  // projects. At least one of [ResourceSelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.ResourceSelector], [IdentitySelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.IdentitySelector] or
  // [AccessSelector][google.cloud.asset.v1p4beta1.IamPolicyAnalysisQuery.AccessSelector] must be specified in a request.
  message ResourceSelector {
    // Required. The [full resource
    // name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
    // .
    string full_resource_name = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // Specifies an identity for which to determine resource access, based on
  // roles assigned either directly to them or to the groups they belong to,
  // directly or indirectly.
  message IdentitySelector {
    // Required. The identity appear in the form of members in
    // [IAM policy
    // binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
    string identity = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // Specifies roles and/or permissions to analyze, to determine both the
  // identities possessing them and the resources they control. If multiple
  // values are specified, results will include identities and resources
  // matching any of them.
  message AccessSelector {
    // Optional. The roles to appear in result.
    repeated string roles = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. The permissions to appear in result.
    repeated string permissions = 2 [(google.api.field_behavior) = OPTIONAL];
  }

  // Required. The relative name of the root asset. Only resources and IAM policies within
  // the parent will be analyzed. This can only be an organization number (such
  // as "organizations/123") or a folder number (such as "folders/123").
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. Specifies a resource for analysis. Leaving it empty means ANY.
  ResourceSelector resource_selector = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specifies an identity for analysis. Leaving it empty means ANY.
  IdentitySelector identity_selector = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specifies roles or permissions for analysis. Leaving it empty
  // means ANY.
  AccessSelector access_selector = 4 [(google.api.field_behavior) = OPTIONAL];
}

// A request message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1p4beta1.AssetService.AnalyzeIamPolicy].
message AnalyzeIamPolicyRequest {
  // Contains request options.
  message Options {
    // Optional. If true, the identities section of the result will expand any
    // Google groups appearing in an IAM policy binding.
    //
    // If [identity_selector][] is specified, the identity in the result will
    // be determined by the selector, and this flag will have no effect.
    //
    // Default is false.
    bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the access section of result will expand any roles
    // appearing in IAM policy bindings to include their permissions.
    //
    // If [access_selector][] is specified, the access section of the result
    // will be determined by the selector, and this flag will have no effect.
    //
    // Default is false.
    bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the resource section of the result will expand any
    // resource attached to an IAM policy to include resources lower in the
    // resource hierarchy.
    //
    // For example, if the request analyzes for which resources user A has
    // permission P, and the results include an IAM policy with P on a GCP
    // folder, the results will also include resources in that folder with
    // permission P.
    //
    // If [resource_selector][] is specified, the resource section of the result
    // will be determined by the selector, and this flag will have no effect.
    // Default is false.
    bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the result will output resource edges, starting
    // from the policy attached resource, to any expanded resources.
    // Default is false.
    bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the result will output group identity edges, starting
    // from the binding's group members, to any expanded identities.
    // Default is false.
    bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the response will include access analysis from identities to
    // resources via service account impersonation. This is a very expensive
    // operation, because many derived queries will be executed. We highly
    // recommend you use ExportIamPolicyAnalysis rpc instead.
    //
    // For example, if the request analyzes for which resources user A has
    // permission P, and there's an IAM policy states user A has
    // iam.serviceAccounts.getAccessToken permission to a service account SA,
    // and there's another IAM policy states service account SA has permission P
    // to a GCP folder F, then user A potentially has access to the GCP folder
    // F. And those advanced analysis results will be included in
    // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
    //
    // Another example, if the request analyzes for who has
    // permission P to a GCP folder F, and there's an IAM policy states user A
    // has iam.serviceAccounts.actAs permission to a service account SA, and
    // there's another IAM policy states service account SA has permission P to
    // the GCP folder F, then user A potentially has access to the GCP folder
    // F. And those advanced analysis results will be included in
    // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
    //
    // Default is false.
    bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Amount of time executable has to complete.  See JSON representation of
    // [Duration](https://developers.google.com/protocol-buffers/docs/proto3#json).
    //
    // If this field is set with a value less than the RPC deadline, and the
    // execution of your query hasn't finished in the specified
    // execution timeout,  you will get a response with partial result.
    // Otherwise, your query's execution will continue until the RPC deadline.
    // If it's not finished until then, you will get a  DEADLINE_EXCEEDED error.
    //
    // Default is empty.
    google.protobuf.Duration execution_timeout = 7 [(google.api.field_behavior) = OPTIONAL];
  }

  // Required. The request query.
  IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. The request options.
  Options options = 2 [(google.api.field_behavior) = OPTIONAL];
}

// A response message for [AssetService.AnalyzeIamPolicy][google.cloud.asset.v1p4beta1.AssetService.AnalyzeIamPolicy].
message AnalyzeIamPolicyResponse {
  // An analysis message to group the query and results.
  message IamPolicyAnalysis {
    // The analysis query.
    IamPolicyAnalysisQuery analysis_query = 1;

    // A list of [IamPolicyAnalysisResult][google.cloud.asset.v1p4beta1.IamPolicyAnalysisResult] that matches the analysis query, or
    // empty if no result is found.
    repeated IamPolicyAnalysisResult analysis_results = 2;

    // Represents whether all entries in the [analysis_results][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.IamPolicyAnalysis.analysis_results] have been
    // fully explored to answer the query.
    bool fully_explored = 3;
  }

  // The main analysis that matches the original request.
  IamPolicyAnalysis main_analysis = 1;

  // The service account impersonation analysis if
  // [AnalyzeIamPolicyRequest.analyze_service_account_impersonation][] is
  // enabled.
  repeated IamPolicyAnalysis service_account_impersonation_analysis = 2;

  // Represents whether all entries in the [main_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.main_analysis] and
  // [service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis] have been fully explored to
  // answer the query in the request.
  bool fully_explored = 3;

  // A list of non-critical errors happened during the request handling to
  // explain why `fully_explored` is false, or empty if no error happened.
  repeated IamPolicyAnalysisResult.AnalysisState non_critical_errors = 4;
}

// Output configuration for export IAM policy analysis destination.
message IamPolicyAnalysisOutputConfig {
  // A Cloud Storage location.
  message GcsDestination {
    // Required. The uri of the Cloud Storage object. It's the same uri that is used by
    // gsutil. For example: "gs://bucket_name/object_name". See [Viewing and
    // Editing Object
    // Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
    // for more information.
    string uri = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // IAM policy analysis export destination.
  oneof destination {
    // Destination on Cloud Storage.
    GcsDestination gcs_destination = 1;
  }
}

// A request message for [AssetService.ExportIamPolicyAnalysis][google.cloud.asset.v1p4beta1.AssetService.ExportIamPolicyAnalysis].
message ExportIamPolicyAnalysisRequest {
  // Contains request options.
  message Options {
    // Optional. If true, the identities section of the result will expand any
    // Google groups appearing in an IAM policy binding.
    //
    // If [identity_selector][] is specified, the identity in the result will
    // be determined by the selector, and this flag will have no effect.
    //
    // Default is false.
    bool expand_groups = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the access section of result will expand any roles
    // appearing in IAM policy bindings to include their permissions.
    //
    // If [access_selector][] is specified, the access section of the result
    // will be determined by the selector, and this flag will have no effect.
    //
    // Default is false.
    bool expand_roles = 2 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the resource section of the result will expand any
    // resource attached to an IAM policy to include resources lower in the
    // resource hierarchy.
    //
    // For example, if the request analyzes for which resources user A has
    // permission P, and the results include an IAM policy with P on a GCP
    // folder, the results will also include resources in that folder with
    // permission P.
    //
    // If [resource_selector][] is specified, the resource section of the result
    // will be determined by the selector, and this flag will have no effect.
    // Default is false.
    bool expand_resources = 3 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the result will output resource edges, starting
    // from the policy attached resource, to any expanded resources.
    // Default is false.
    bool output_resource_edges = 4 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the result will output group identity edges, starting
    // from the binding's group members, to any expanded identities.
    // Default is false.
    bool output_group_edges = 5 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If true, the response will include access analysis from identities to
    // resources via service account impersonation. This is a very expensive
    // operation, because many derived queries will be executed.
    //
    // For example, if the request analyzes for which resources user A has
    // permission P, and there's an IAM policy states user A has
    // iam.serviceAccounts.getAccessToken permission to a service account SA,
    // and there's another IAM policy states service account SA has permission P
    // to a GCP folder F, then user A potentially has access to the GCP folder
    // F. And those advanced analysis results will be included in
    // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
    //
    // Another example, if the request analyzes for who has
    // permission P to a GCP folder F, and there's an IAM policy states user A
    // has iam.serviceAccounts.actAs permission to a service account SA, and
    // there's another IAM policy states service account SA has permission P to
    // the GCP folder F, then user A potentially has access to the GCP folder
    // F. And those advanced analysis results will be included in
    // [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1p4beta1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].
    //
    // Default is false.
    bool analyze_service_account_impersonation = 6 [(google.api.field_behavior) = OPTIONAL];
  }

  // Required. The request query.
  IamPolicyAnalysisQuery analysis_query = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. The request options.
  Options options = 2 [(google.api.field_behavior) = OPTIONAL];

  // Required. Output configuration indicating where the results will be output to.
  IamPolicyAnalysisOutputConfig output_config = 3 [(google.api.field_behavior) = REQUIRED];
}

// The export IAM policy analysis response. This message is returned by the
// [google.longrunning.Operations.GetOperation][] method in the returned
// [google.longrunning.Operation.response][] field.
message ExportIamPolicyAnalysisResponse {
  // Output configuration indicating where the results were output to.
  IamPolicyAnalysisOutputConfig output_config = 1;
}