

  1. // Copyright 2021 Google LLC
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. syntax = "proto3";
  15. package google.cloud.iap.v1;
  16. import "google/api/annotations.proto";
  17. import "google/api/field_behavior.proto";
  18. import "google/iam/v1/iam_policy.proto";
  19. import "google/iam/v1/policy.proto";
  20. import "google/protobuf/empty.proto";
  21. import "google/protobuf/field_mask.proto";
  22. import "google/protobuf/wrappers.proto";
  23. import "google/api/client.proto";
  24. option csharp_namespace = "Google.Cloud.Iap.V1";
  25. option go_package = "google.golang.org/genproto/googleapis/cloud/iap/v1;iap";
  26. option java_multiple_files = true;
  27. option java_package = "com.google.cloud.iap.v1";
  28. option php_namespace = "Google\\Cloud\\Iap\\V1";
  29. option ruby_package = "Google::Cloud::Iap::V1";
// APIs for Identity-Aware Proxy Admin configurations.
//
// Covers two concerns: the IAM policy attached to an IAP-protected resource
// (SetIamPolicy / GetIamPolicy / TestIamPermissions, using the standard
// google.iam.v1 request and response types) and the IAP-specific settings of
// a resource (GetIapSettings / UpdateIapSettings).
service IdentityAwareProxyAdminService {
  option (google.api.default_host) = "iap.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Sets the access control policy for an Identity-Aware Proxy protected
  // resource. Replaces any existing policy.
  // Because the policy is replaced rather than merged, a caller that only
  // wants to add or remove a single binding should first fetch the current
  // policy with GetIamPolicy and then submit the complete modified policy;
  // submitting a partial policy drops the bindings it does not contain.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:setIamPolicy"
      body: "*"
    };
  }

  // Gets the access control policy for an Identity-Aware Proxy protected
  // resource.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:getIamPolicy"
      body: "*"
    };
  }

  // Returns permissions that a caller has on the Identity-Aware Proxy protected
  // resource.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
      returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:testIamPermissions"
      body: "*"
    };
  }

  // Gets the IAP settings on a particular IAP protected resource.
  rpc GetIapSettings(GetIapSettingsRequest) returns (IapSettings) {
    option (google.api.http) = {
      get: "/v1/{name=**}:iapSettings"
    };
  }

  // Updates the IAP settings on a particular IAP protected resource. It
  // replaces all fields unless the `update_mask` is set.
  // NOTE(review): given the "replaces all fields" semantics, a request that
  // omits `update_mask` and carries a partially populated `iap_settings`
  // presumably resets the settings it leaves out — confirm before relying on
  // it, and prefer an explicit mask for targeted changes.
  rpc UpdateIapSettings(UpdateIapSettingsRequest) returns (IapSettings) {
    option (google.api.http) = {
      patch: "/v1/{iap_settings.name=**}:iapSettings"
      body: "iap_settings"
    };
  }
}
// The request sent to GetIapSettings.
message GetIapSettingsRequest {
  // Required. The resource name for which to retrieve the settings.
  // Authorization: Requires the `getSettings` permission for the associated
  // resource.
  // The HTTP binding maps this to the `{name=**}` path segment, so any
  // resource path is accepted syntactically; authorization is what scopes it.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}
// The request sent to UpdateIapSettings.
message UpdateIapSettingsRequest {
  // Required. The new values for the IAP settings to be updated.
  // Authorization: Requires the `updateSettings` permission for the associated
  // resource.
  // The target resource is taken from `iap_settings.name` (see the HTTP
  // binding on UpdateIapSettings).
  IapSettings iap_settings = 1 [(google.api.field_behavior) = REQUIRED];

  // The field mask specifying which IAP settings should be updated.
  // If omitted, all of the settings are updated. See
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
  google.protobuf.FieldMask update_mask = 2;
}
// The IAP configurable settings.
//
// NOTE(review): field numbers 2-4 are not used in this message. If they were
// ever assigned in an earlier revision they should be listed in a `reserved`
// statement so they cannot be silently reused — confirm against the history.
message IapSettings {
  // Required. The resource name of the IAP protected resource.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Top level wrapper for all access related settings in IAP.
  AccessSettings access_settings = 5;

  // Top level wrapper for all application related settings in IAP.
  ApplicationSettings application_settings = 6;
}
// Access related settings for IAP protected apps.
// Groups the settings that affect how a request is authenticated before it
// reaches the application: third-party identity providers (GCIP), CORS
// preflight handling, and the OAuth login flow.
message AccessSettings {
  // GCIP claims and endpoint configurations for 3p identity providers.
  GcipSettings gcip_settings = 1;

  // Configuration to allow cross-origin requests via IAP.
  CorsSettings cors_settings = 2;

  // Settings to configure IAP's OAuth behavior.
  OAuthSettings oauth_settings = 3;
}
// API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
// OAuth brands; and create, retrieve, delete and reset-secret of IAP OAuth
// clients.
//
// Several RPCs here return an IdentityAwareProxyClient, which carries the
// client's `secret` field; treat those responses as credential material.
service IdentityAwareProxyOAuthService {
  option (google.api.default_host) = "iap.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Lists the existing brands for the project.
  rpc ListBrands(ListBrandsRequest) returns (ListBrandsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*}/brands"
    };
  }

  // Constructs a new OAuth brand for the project if one does not exist.
  // The created brand is "internal only", meaning that OAuth clients created
  // under it only accept requests from users who belong to the same G Suite
  // organization as the project. The brand is created in an un-reviewed status.
  // NOTE: The "internal only" status can be manually changed in the Google
  // Cloud console. Requires that a brand does not already exist for the
  // project, and that the specified support email is owned by the caller.
  rpc CreateBrand(CreateBrandRequest) returns (Brand) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*}/brands"
      body: "brand"
    };
  }

  // Retrieves the OAuth brand of the project.
  rpc GetBrand(GetBrandRequest) returns (Brand) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/brands/*}"
    };
  }

  // Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned
  // by IAP. Requires that the brand for the project exists and that it is
  // set for internal-only use.
  // The response includes the newly generated client `secret`.
  rpc CreateIdentityAwareProxyClient(CreateIdentityAwareProxyClientRequest)
      returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
      body: "identity_aware_proxy_client"
    };
  }

  // Lists the existing clients for the brand.
  rpc ListIdentityAwareProxyClients(ListIdentityAwareProxyClientsRequest)
      returns (ListIdentityAwareProxyClientsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
    };
  }

  // Retrieves an Identity Aware Proxy (IAP) OAuth client.
  // Requires that the client is owned by IAP.
  rpc GetIdentityAwareProxyClient(GetIdentityAwareProxyClientRequest)
      returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
    };
  }

  // Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the
  // secret was compromised. Requires that the client is owned by IAP.
  // The response carries the new `secret`; consumers of the old secret need to
  // be updated with it.
  rpc ResetIdentityAwareProxyClientSecret(
      ResetIdentityAwareProxyClientSecretRequest)
      returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}:resetSecret"
      body: "*"
    };
  }

  // Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing
  // obsolete clients, managing the number of clients in a given project, and
  // cleaning up after tests. Requires that the client is owned by IAP.
  rpc DeleteIdentityAwareProxyClient(DeleteIdentityAwareProxyClientRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
    };
  }
}
// Allows customers to configure tenant_id for GCIP instance per-app.
message GcipSettings {
  // GCIP tenant ids that are linked to the IAP resource.
  // tenant_ids could be a string beginning with a number character to indicate
  // authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>
  // to indicate authenticating with GCIP agent flow.
  // If agent flow is used, tenant_ids should only contain one single element,
  // while for tenant flow, tenant_ids can contain multiple elements.
  repeated string tenant_ids = 1;

  // Login page URI associated with the GCIP tenants.
  // Typically, all resources within the same project share the same login page,
  // though it could be overridden at the sub resource level.
  // Wrapper type rather than a plain string so that "unset" can be told apart
  // from an empty value.
  google.protobuf.StringValue login_page_uri = 2;
}
// Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS
// call to bypass authentication and authorization.
message CorsSettings {
  // Configuration to allow HTTP OPTIONS calls to skip authorization. If
  // undefined, IAP will not apply any special logic to OPTIONS requests.
  // When set to true, OPTIONS (CORS preflight) requests reach the backend
  // without IAP's authentication and authorization checks, so the backend must
  // not perform state changes or return sensitive data in its OPTIONS handler.
  google.protobuf.BoolValue allow_http_options = 1;
}
// Configuration for OAuth login&consent flow behavior as well as for OAuth
// Credentials.
//
// NOTE(review): field number 1 is not used in this message. If it was
// assigned in an earlier revision it should appear in a `reserved` statement —
// confirm against the history.
message OAuthSettings {
  // Domain hint to send as hd=? parameter in OAuth request flow. Enables
  // redirect to primary IDP by skipping Google's login screen.
  // https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
  // Note: IAP does not verify that the id token's hd claim matches this value
  // since access behavior is managed by IAM policies.
  // This is a login-flow convenience only; it must not be treated as an
  // access control. Restrict access through the IAM policy on the resource.
  google.protobuf.StringValue login_hint = 2;
}
// Wrapper over application specific settings for IAP.
message ApplicationSettings {
  // Settings to configure IAP's behavior for a CSM mesh.
  CsmSettings csm_settings = 1;

  // Customization for Access Denied page.
  AccessDeniedPageSettings access_denied_page_settings = 2;

  // The Domain value to set for cookies generated by IAP. This value is not
  // validated by the API, but will be ignored at runtime if invalid.
  // Because it is not validated on write, a mistyped domain fails silently at
  // runtime rather than at configuration time; verify the effective cookie
  // scope after changing it.
  google.protobuf.StringValue cookie_domain = 3;
}
// Configuration for RCTokens generated for CSM workloads protected by IAP.
// RCTokens are IAP generated JWTs that can be verified at the application. The
// RCToken is primarily used for ISTIO deployments, and can be scoped to a
// single mesh by configuring the audience field accordingly.
message CsmSettings {
  // Audience claim set in the generated RCToken. This value is not validated by
  // IAP.
  // Since IAP only stamps the value into the token, it is the verifying
  // application that must check the `aud` claim against the value it expects.
  google.protobuf.StringValue rctoken_aud = 1;
}
// Custom content configuration for access denied page.
// IAP allows customers to define a custom URI to use as the error page when
// access is denied to users. If IAP prevents access to this page, the default
// IAP error page will be displayed instead.
message AccessDeniedPageSettings {
  // The URI to be redirected to when access is denied.
  // NOTE(review): the schema does not state whether this URI is validated on
  // write; confirm before passing through values from less-trusted
  // configuration sources.
  google.protobuf.StringValue access_denied_page_uri = 1;

  // Whether to generate a troubleshooting URL on access denied events to this
  // application.
  google.protobuf.BoolValue generate_troubleshooting_uri = 2;
}
// The request sent to ListBrands.
message ListBrandsRequest {
  // Required. GCP Project number/id.
  // In the following format: projects/{project_number/id}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];
}
// Response message for ListBrands.
// Not paginated: there is no page token, consistent with the Brand.name note
// that at most one brand can be created per project.
message ListBrandsResponse {
  // Brands existing in the project.
  repeated Brand brands = 1;
}
// The request sent to CreateBrand.
message CreateBrandRequest {
  // Required. GCP Project number/id under which the brand is to be created.
  // In the following format: projects/{project_number/id}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The brand to be created.
  // `name` and `org_internal_only` on the Brand are output-only and are set by
  // the service, not taken from this request.
  Brand brand = 2 [(google.api.field_behavior) = REQUIRED];
}
// The request sent to GetBrand.
message GetBrandRequest {
  // Required. Name of the brand to be fetched.
  // In the following format: projects/{project_number/id}/brands/{brand}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}
// The request sent to ListIdentityAwareProxyClients.
message ListIdentityAwareProxyClientsRequest {
  // Required. Full brand path.
  // In the following format: projects/{project_number/id}/brands/{brand}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // The maximum number of clients to return. The service may return fewer than
  // this value.
  // If unspecified, at most 100 clients will be returned.
  // The maximum value is 1000; values above 1000 will be coerced to 1000.
  int32 page_size = 2;

  // A page token, received from a previous `ListIdentityAwareProxyClients`
  // call. Provide this to retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to
  // `ListIdentityAwareProxyClients` must match the call that provided the page
  // token.
  string page_token = 3;
}
// Response message for ListIdentityAwareProxyClients.
message ListIdentityAwareProxyClientsResponse {
  // Clients existing in the brand.
  // Each element is an IdentityAwareProxyClient, which declares a `secret`
  // field; whether it is populated in list responses is not stated here, so
  // handle the response as potentially containing credentials.
  repeated IdentityAwareProxyClient identity_aware_proxy_clients = 1;

  // A token, which can be sent as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}
// The request sent to CreateIdentityAwareProxyClient.
message CreateIdentityAwareProxyClientRequest {
  // Required. Path to create the client in.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}.
  // The project must belong to a G Suite account.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Identity Aware Proxy Client to be created.
  // Only `display_name` is client-settable; `name` and `secret` are
  // output-only and are generated by the service.
  IdentityAwareProxyClient identity_aware_proxy_client = 2
      [(google.api.field_behavior) = REQUIRED];
}
// The request sent to GetIdentityAwareProxyClient.
message GetIdentityAwareProxyClientRequest {
  // Required. Name of the Identity Aware Proxy client to be fetched.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}
// The request sent to ResetIdentityAwareProxyClientSecret.
message ResetIdentityAwareProxyClientSecretRequest {
  // Required. Name of the Identity Aware Proxy client that will have its
  // secret reset. In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}
// The request sent to DeleteIdentityAwareProxyClient.
message DeleteIdentityAwareProxyClientRequest {
  // Required. Name of the Identity Aware Proxy client to be deleted.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}
// OAuth brand data.
// NOTE: Only contains a portion of the data that describes a brand.
message Brand {
  // Output only. Identifier of the brand.
  // NOTE: GCP project number achieves the same brand identification purpose as
  // only one brand per project can be created.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Support email displayed on the OAuth consent screen.
  // CreateBrand requires that this address is owned by the caller.
  string support_email = 2;

  // Application name displayed on OAuth consent screen.
  string application_title = 3;

  // Output only. Whether the brand is intended for usage inside the
  // G Suite organization only.
  // Set to true by CreateBrand; it can be changed afterwards only in the Google
  // Cloud console, not through this API.
  bool org_internal_only = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
}
// Contains the data that describes an Identity Aware Proxy owned client.
//
// This message is the response type of CreateIdentityAwareProxyClient,
// GetIdentityAwareProxyClient and ResetIdentityAwareProxyClientSecret, and is
// embedded in ListIdentityAwareProxyClientsResponse. Because it carries the
// client `secret`, avoid logging or persisting whole instances of it.
message IdentityAwareProxyClient {
  // Output only. Unique identifier of the OAuth client.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Client secret of the OAuth client.
  // This is a credential: store it as a secret, and rotate it with
  // ResetIdentityAwareProxyClientSecret if it is exposed.
  string secret = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Human-friendly name given to the OAuth client.
  string display_name = 3;
}
  349. // Human-friendly name given to the OAuth client.
  350. string display_name = 3;
  351. }