2018-06-08 00:35:54 +00:00
|
|
|
# Copyright 2015 Google Inc.
|
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
# limitations under the License.
|
|
|
|
|
|
|
|
require 'date'
|
|
|
|
require 'google/apis/core/base_service'
|
|
|
|
require 'google/apis/core/json_representation'
|
|
|
|
require 'google/apis/core/hashable'
|
|
|
|
require 'google/apis/errors'
|
|
|
|
|
|
|
|
module Google
|
|
|
|
module Apis
|
|
|
|
module IamcredentialsV1
|
2018-06-29 00:37:36 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
class GenerateAccessTokenRequest
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# The sequence of service accounts in a delegation chain. Each service
|
|
|
|
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
|
|
|
|
# on its next service account in the chain. The last service account in the
|
|
|
|
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
|
|
|
|
# on the service account that is specified in the `name` field of the
|
|
|
|
# request.
|
|
|
|
# The delegates must have the following format:
|
2019-03-02 00:37:28 +00:00
|
|
|
# `projects/-/serviceAccounts/`ACCOUNT_EMAIL_OR_UNIQUEID``. The `-` wildcard
|
|
|
|
# character is required; replacing it with a project ID is invalid.
|
2018-06-29 00:37:36 +00:00
|
|
|
# Corresponds to the JSON property `delegates`
|
|
|
|
# @return [Array<String>]
|
|
|
|
attr_accessor :delegates
|
|
|
|
|
|
|
|
# The desired lifetime duration of the access token in seconds.
|
|
|
|
# Must be set to a value less than or equal to 3600 (1 hour). If a value is
|
|
|
|
# not specified, the token's lifetime will be set to a default value of one
|
|
|
|
# hour.
|
|
|
|
# Corresponds to the JSON property `lifetime`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :lifetime
|
|
|
|
|
2018-08-22 21:14:52 +00:00
|
|
|
# Code to identify the scopes to be included in the OAuth 2.0 access token.
|
2018-06-29 00:37:36 +00:00
|
|
|
# See https://developers.google.com/identity/protocols/googlescopes for more
|
|
|
|
# information.
|
|
|
|
# At least one value required.
|
|
|
|
# Corresponds to the JSON property `scope`
|
|
|
|
# @return [Array<String>]
|
|
|
|
attr_accessor :scope
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@delegates = args[:delegates] if args.key?(:delegates)
|
|
|
|
@lifetime = args[:lifetime] if args.key?(:lifetime)
|
|
|
|
@scope = args[:scope] if args.key?(:scope)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
class GenerateAccessTokenResponse
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# The OAuth 2.0 access token.
|
|
|
|
# Corresponds to the JSON property `accessToken`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :access_token
|
|
|
|
|
|
|
|
# Token expiration time.
|
2018-08-22 21:14:52 +00:00
|
|
|
# The expiration time is always set.
|
2018-06-29 00:37:36 +00:00
|
|
|
# Corresponds to the JSON property `expireTime`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :expire_time
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@access_token = args[:access_token] if args.key?(:access_token)
|
|
|
|
@expire_time = args[:expire_time] if args.key?(:expire_time)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
class GenerateIdTokenRequest
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# The audience for the token, such as the API or account that this token
|
|
|
|
# grants access to.
|
|
|
|
# Corresponds to the JSON property `audience`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :audience
|
|
|
|
|
|
|
|
# The sequence of service accounts in a delegation chain. Each service
|
|
|
|
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
|
|
|
|
# on its next service account in the chain. The last service account in the
|
|
|
|
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
|
|
|
|
# on the service account that is specified in the `name` field of the
|
|
|
|
# request.
|
|
|
|
# The delegates must have the following format:
|
2019-03-02 00:37:28 +00:00
|
|
|
# `projects/-/serviceAccounts/`ACCOUNT_EMAIL_OR_UNIQUEID``. The `-` wildcard
|
|
|
|
# character is required; replacing it with a project ID is invalid.
|
2018-06-29 00:37:36 +00:00
|
|
|
# Corresponds to the JSON property `delegates`
|
|
|
|
# @return [Array<String>]
|
|
|
|
attr_accessor :delegates
|
|
|
|
|
|
|
|
# Include the service account email in the token. If set to `true`, the
|
|
|
|
# token will contain `email` and `email_verified` claims.
|
|
|
|
# Corresponds to the JSON property `includeEmail`
|
|
|
|
# @return [Boolean]
|
|
|
|
attr_accessor :include_email
|
|
|
|
alias_method :include_email?, :include_email
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@audience = args[:audience] if args.key?(:audience)
|
|
|
|
@delegates = args[:delegates] if args.key?(:delegates)
|
|
|
|
@include_email = args[:include_email] if args.key?(:include_email)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
class GenerateIdTokenResponse
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# The OpenId Connect ID token.
|
|
|
|
# Corresponds to the JSON property `token`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :token
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@token = args[:token] if args.key?(:token)
|
|
|
|
end
|
2018-08-31 00:36:52 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
class GenerateIdentityBindingAccessTokenRequest
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# Required. Input token.
|
|
|
|
# Must be in JWT format according to
|
|
|
|
# RFC7523 (https://tools.ietf.org/html/rfc7523)
|
|
|
|
# and must have 'kid' field in the header.
|
|
|
|
# Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
|
|
|
|
# Mandatory payload fields (along the lines of RFC 7523, section 3):
|
|
|
|
# - iss: issuer of the token. Must provide a discovery document at
|
|
|
|
# $iss/.well-known/openid-configuration . The document needs to be
|
|
|
|
# formatted according to section 4.2 of the OpenID Connect Discovery
|
|
|
|
# 1.0 specification.
|
|
|
|
# - iat: Issue time in seconds since epoch. Must be in the past.
|
|
|
|
# - exp: Expiration time in seconds since epoch. Must be less than 48 hours
|
|
|
|
# after iat. We recommend to create tokens that last shorter than 6
|
|
|
|
# hours to improve security unless business reasons mandate longer
|
|
|
|
# expiration times. Shorter token lifetimes are generally more secure
|
|
|
|
# since tokens that have been exfiltrated by attackers can be used for
|
|
|
|
# a shorter time. you can configure the maximum lifetime of the
|
|
|
|
# incoming token in the configuration of the mapper.
|
|
|
|
# The resulting Google token will expire within an hour or at "exp",
|
|
|
|
# whichever is earlier.
|
|
|
|
# - sub: JWT subject, identity asserted in the JWT.
|
|
|
|
# - aud: Configured in the mapper policy. By default the service account
|
|
|
|
# email.
|
|
|
|
# Claims from the incoming token can be transferred into the output token
|
|
|
|
# accoding to the mapper configuration. The outgoing claim size is limited.
|
|
|
|
# Outgoing claims size must be less than 4kB serialized as JSON without
|
|
|
|
# whitespace.
|
|
|
|
# Example header:
|
|
|
|
# `
|
|
|
|
# "alg": "RS256",
|
|
|
|
# "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
|
|
|
|
# `
|
|
|
|
# Example payload:
|
|
|
|
# `
|
|
|
|
# "iss": "https://accounts.google.com",
|
|
|
|
# "iat": 1517963104,
|
|
|
|
# "exp": 1517966704,
|
2019-02-02 00:36:56 +00:00
|
|
|
# "aud":
|
|
|
|
# "https://iamcredentials.googleapis.com/google.iam.credentials.v1.CloudGaia",
|
2018-08-31 00:36:52 +00:00
|
|
|
# "sub": "113475438248934895348",
|
|
|
|
# "my_claims": `
|
|
|
|
# "additional_claim": "value"
|
|
|
|
# `
|
|
|
|
# `
|
|
|
|
# Corresponds to the JSON property `jwt`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :jwt
|
|
|
|
|
|
|
|
# Code to identify the scopes to be included in the OAuth 2.0 access token.
|
|
|
|
# See https://developers.google.com/identity/protocols/googlescopes for more
|
|
|
|
# information.
|
|
|
|
# At least one value required.
|
|
|
|
# Corresponds to the JSON property `scope`
|
|
|
|
# @return [Array<String>]
|
|
|
|
attr_accessor :scope
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@jwt = args[:jwt] if args.key?(:jwt)
|
|
|
|
@scope = args[:scope] if args.key?(:scope)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
class GenerateIdentityBindingAccessTokenResponse
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# The OAuth 2.0 access token.
|
|
|
|
# Corresponds to the JSON property `accessToken`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :access_token
|
|
|
|
|
|
|
|
# Token expiration time.
|
|
|
|
# The expiration time is always set.
|
|
|
|
# Corresponds to the JSON property `expireTime`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :expire_time
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@access_token = args[:access_token] if args.key?(:access_token)
|
|
|
|
@expire_time = args[:expire_time] if args.key?(:expire_time)
|
|
|
|
end
|
2018-06-29 00:37:36 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
class SignBlobRequest
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# The sequence of service accounts in a delegation chain. Each service
|
|
|
|
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
|
|
|
|
# on its next service account in the chain. The last service account in the
|
|
|
|
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
|
|
|
|
# on the service account that is specified in the `name` field of the
|
|
|
|
# request.
|
|
|
|
# The delegates must have the following format:
|
2019-03-02 00:37:28 +00:00
|
|
|
# `projects/-/serviceAccounts/`ACCOUNT_EMAIL_OR_UNIQUEID``. The `-` wildcard
|
|
|
|
# character is required; replacing it with a project ID is invalid.
|
2018-06-29 00:37:36 +00:00
|
|
|
# Corresponds to the JSON property `delegates`
|
|
|
|
# @return [Array<String>]
|
|
|
|
attr_accessor :delegates
|
|
|
|
|
|
|
|
# The bytes to sign.
|
|
|
|
# Corresponds to the JSON property `payload`
|
|
|
|
# NOTE: Values are automatically base64 encoded/decoded in the client library.
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :payload
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@delegates = args[:delegates] if args.key?(:delegates)
|
|
|
|
@payload = args[:payload] if args.key?(:payload)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
class SignBlobResponse
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# The ID of the key used to sign the blob.
|
|
|
|
# Corresponds to the JSON property `keyId`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :key_id
|
|
|
|
|
|
|
|
# The signed blob.
|
|
|
|
# Corresponds to the JSON property `signedBlob`
|
|
|
|
# NOTE: Values are automatically base64 encoded/decoded in the client library.
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :signed_blob
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@key_id = args[:key_id] if args.key?(:key_id)
|
|
|
|
@signed_blob = args[:signed_blob] if args.key?(:signed_blob)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
class SignJwtRequest
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# The sequence of service accounts in a delegation chain. Each service
|
|
|
|
# account must be granted the `roles/iam.serviceAccountTokenCreator` role
|
|
|
|
# on its next service account in the chain. The last service account in the
|
|
|
|
# chain must be granted the `roles/iam.serviceAccountTokenCreator` role
|
|
|
|
# on the service account that is specified in the `name` field of the
|
|
|
|
# request.
|
|
|
|
# The delegates must have the following format:
|
2019-03-02 00:37:28 +00:00
|
|
|
# `projects/-/serviceAccounts/`ACCOUNT_EMAIL_OR_UNIQUEID``. The `-` wildcard
|
|
|
|
# character is required; replacing it with a project ID is invalid.
|
2018-06-29 00:37:36 +00:00
|
|
|
# Corresponds to the JSON property `delegates`
|
|
|
|
# @return [Array<String>]
|
|
|
|
attr_accessor :delegates
|
|
|
|
|
|
|
|
# The JWT payload to sign: a JSON object that contains a JWT Claims Set.
|
|
|
|
# Corresponds to the JSON property `payload`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :payload
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@delegates = args[:delegates] if args.key?(:delegates)
|
|
|
|
@payload = args[:payload] if args.key?(:payload)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
class SignJwtResponse
|
|
|
|
include Google::Apis::Core::Hashable
|
|
|
|
|
|
|
|
# The ID of the key used to sign the JWT.
|
|
|
|
# Corresponds to the JSON property `keyId`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :key_id
|
|
|
|
|
|
|
|
# The signed JWT.
|
|
|
|
# Corresponds to the JSON property `signedJwt`
|
|
|
|
# @return [String]
|
|
|
|
attr_accessor :signed_jwt
|
|
|
|
|
|
|
|
def initialize(**args)
|
|
|
|
update!(**args)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Update properties of this object
|
|
|
|
def update!(**args)
|
|
|
|
@key_id = args[:key_id] if args.key?(:key_id)
|
|
|
|
@signed_jwt = args[:signed_jwt] if args.key?(:signed_jwt)
|
|
|
|
end
|
|
|
|
end
|
2018-06-08 00:35:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|