# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. require 'date' require 'google/apis/core/base_service' require 'google/apis/core/json_representation' require 'google/apis/core/hashable' require 'google/apis/errors' module Google module Apis module StsV1beta # Associates `members`, or principals, with a `role`. class GoogleIamV1Binding include Google::Apis::Core::Hashable # Represents a textual expression in the Common Expression Language (CEL) syntax. # CEL is a C-like expression language. The syntax and semantics of CEL are # documented at https://github.com/google/cel-spec. Example (Comparison): title: # "Summary size limit" description: "Determines if a summary is less than 100 # chars" expression: "document.summary.size() < 100" Example (Equality): title: " # Requestor is owner" description: "Determines if requestor is the document # owner" expression: "document.owner == request.auth.claims.email" Example ( # Logic): title: "Public documents" description: "Determine whether the document # should be publicly visible" expression: "document.type != 'private' && # document.type != 'internal'" Example (Data Manipulation): title: "Notification # string" description: "Create a notification string with a timestamp." # expression: "'New message received at ' + string(document.create_time)" The # exact variables and functions that may be referenced within an expression are # determined by the service that evaluates it. See the service documentation for # additional information. # Corresponds to the JSON property `condition` # @return [Google::Apis::StsV1beta::GoogleTypeExpr] attr_accessor :condition # Specifies the principals requesting access for a Cloud Platform resource. ` # members` can have the following values: * `allUsers`: A special identifier # that represents anyone who is on the internet; with or without a Google # account. * `allAuthenticatedUsers`: A special identifier that represents # anyone who is authenticated with a Google account or a service account. * ` # user:`emailid``: An email address that represents a specific Google account. # For example, `alice@example.com` . * `serviceAccount:`emailid``: An email # address that represents a service account. For example, `my-other-app@appspot. # gserviceaccount.com`. * `group:`emailid``: An email address that represents a # Google group. For example, `admins@example.com`. * `deleted:user:`emailid`?uid= # `uniqueid``: An email address (plus unique identifier) representing a user # that has been recently deleted. For example, `alice@example.com?uid= # 123456789012345678901`. If the user is recovered, this value reverts to `user:` # emailid`` and the recovered user retains the role in the binding. * `deleted: # serviceAccount:`emailid`?uid=`uniqueid``: An email address (plus unique # identifier) representing a service account that has been recently deleted. For # example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. # If the service account is undeleted, this value reverts to `serviceAccount:` # emailid`` and the undeleted service account retains the role in the binding. * # `deleted:group:`emailid`?uid=`uniqueid``: An email address (plus unique # identifier) representing a Google group that has been recently deleted. For # example, `admins@example.com?uid=123456789012345678901`. If the group is # recovered, this value reverts to `group:`emailid`` and the recovered group # retains the role in the binding. * `domain:`domain``: The G Suite domain ( # primary) that represents all the users of that domain. For example, `google. # com` or `example.com`. # Corresponds to the JSON property `members` # @return [Array] attr_accessor :members # Role that is assigned to the list of `members`, or principals. For example, ` # roles/viewer`, `roles/editor`, or `roles/owner`. # Corresponds to the JSON property `role` # @return [String] attr_accessor :role def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @condition = args[:condition] if args.key?(:condition) @members = args[:members] if args.key?(:members) @role = args[:role] if args.key?(:role) end end # An access boundary defines the upper bound of what a principal may access. It # includes a list of access boundary rules that each defines the resource that # may be allowed as well as permissions that may be used on those resources. class GoogleIdentityStsV1AccessBoundary include Google::Apis::Core::Hashable # A list of access boundary rules which defines the upper bound of the # permission a principal may carry. If multiple rules are specified, the # effective access boundary is the union of all the access boundary rules # attached. One access boundary can contain at most 10 rules. # Corresponds to the JSON property `accessBoundaryRules` # @return [Array] attr_accessor :access_boundary_rules def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @access_boundary_rules = args[:access_boundary_rules] if args.key?(:access_boundary_rules) end end # An access boundary rule defines an upper bound of IAM permissions on a single # resource. class GoogleIdentityStsV1AccessBoundaryRule include Google::Apis::Core::Hashable # Represents a textual expression in the Common Expression Language (CEL) syntax. # CEL is a C-like expression language. The syntax and semantics of CEL are # documented at https://github.com/google/cel-spec. Example (Comparison): title: # "Summary size limit" description: "Determines if a summary is less than 100 # chars" expression: "document.summary.size() < 100" Example (Equality): title: " # Requestor is owner" description: "Determines if requestor is the document # owner" expression: "document.owner == request.auth.claims.email" Example ( # Logic): title: "Public documents" description: "Determine whether the document # should be publicly visible" expression: "document.type != 'private' && # document.type != 'internal'" Example (Data Manipulation): title: "Notification # string" description: "Create a notification string with a timestamp." # expression: "'New message received at ' + string(document.create_time)" The # exact variables and functions that may be referenced within an expression are # determined by the service that evaluates it. See the service documentation for # additional information. # Corresponds to the JSON property `availabilityCondition` # @return [Google::Apis::StsV1beta::GoogleTypeExpr] attr_accessor :availability_condition # A list of permissions that may be allowed for use on the specified resource. # The only supported values in the list are IAM roles, following the format of # google.iam.v1.Binding.role. Example value: `inRole:roles/logging.viewer` for # predefined roles and `inRole:organizations/`ORGANIZATION_ID`/roles/logging. # viewer` for custom roles. # Corresponds to the JSON property `availablePermissions` # @return [Array] attr_accessor :available_permissions # The full resource name of a Google Cloud resource entity. The format # definition is at https://cloud.google.com/apis/design/resource_names. Example # value: `//cloudresourcemanager.googleapis.com/projects/my-project`. # Corresponds to the JSON property `availableResource` # @return [String] attr_accessor :available_resource def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @availability_condition = args[:availability_condition] if args.key?(:availability_condition) @available_permissions = args[:available_permissions] if args.key?(:available_permissions) @available_resource = args[:available_resource] if args.key?(:available_resource) end end # An `Options` object configures features that the Security Token Service # supports, but that are not supported by standard OAuth 2.0 token exchange # endpoints, as defined in https://tools.ietf.org/html/rfc8693. class GoogleIdentityStsV1Options include Google::Apis::Core::Hashable # An access boundary defines the upper bound of what a principal may access. It # includes a list of access boundary rules that each defines the resource that # may be allowed as well as permissions that may be used on those resources. # Corresponds to the JSON property `accessBoundary` # @return [Google::Apis::StsV1beta::GoogleIdentityStsV1AccessBoundary] attr_accessor :access_boundary # The intended audience(s) of the credential. The audience value(s) should be # the name(s) of services intended to receive the credential. Example: `["https:/ # /pubsub.googleapis.com/", "https://storage.googleapis.com/"]`. A maximum of 5 # audiences can be included. For each provided audience, the maximum length is # 262 characters. # Corresponds to the JSON property `audiences` # @return [Array] attr_accessor :audiences # A Google project used for quota and billing purposes when the credential is # used to access Google APIs. The provided project overrides the project bound # to the credential. The value must be a project number or a project ID. Example: # `my-sample-project-191923`. The maximum length is 32 characters. # Corresponds to the JSON property `userProject` # @return [String] attr_accessor :user_project def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @access_boundary = args[:access_boundary] if args.key?(:access_boundary) @audiences = args[:audiences] if args.key?(:audiences) @user_project = args[:user_project] if args.key?(:user_project) end end # An access boundary defines the upper bound of what a principal may access. It # includes a list of access boundary rules that each defines the resource that # may be allowed as well as permissions that may be used on those resources. class GoogleIdentityStsV1betaAccessBoundary include Google::Apis::Core::Hashable # A list of access boundary rules which defines the upper bound of the # permission a principal may carry. If multiple rules are specified, the # effective access boundary is the union of all the access boundary rules # attached. One access boundary can contain at most 10 rules. # Corresponds to the JSON property `accessBoundaryRules` # @return [Array] attr_accessor :access_boundary_rules def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @access_boundary_rules = args[:access_boundary_rules] if args.key?(:access_boundary_rules) end end # An access boundary rule defines an upper bound of IAM permissions on a single # resource. class GoogleIdentityStsV1betaAccessBoundaryRule include Google::Apis::Core::Hashable # Represents a textual expression in the Common Expression Language (CEL) syntax. # CEL is a C-like expression language. The syntax and semantics of CEL are # documented at https://github.com/google/cel-spec. Example (Comparison): title: # "Summary size limit" description: "Determines if a summary is less than 100 # chars" expression: "document.summary.size() < 100" Example (Equality): title: " # Requestor is owner" description: "Determines if requestor is the document # owner" expression: "document.owner == request.auth.claims.email" Example ( # Logic): title: "Public documents" description: "Determine whether the document # should be publicly visible" expression: "document.type != 'private' && # document.type != 'internal'" Example (Data Manipulation): title: "Notification # string" description: "Create a notification string with a timestamp." # expression: "'New message received at ' + string(document.create_time)" The # exact variables and functions that may be referenced within an expression are # determined by the service that evaluates it. See the service documentation for # additional information. # Corresponds to the JSON property `availabilityCondition` # @return [Google::Apis::StsV1beta::GoogleTypeExpr] attr_accessor :availability_condition # A list of permissions that may be allowed for use on the specified resource. # The only supported values in the list are IAM roles, following the format of # google.iam.v1.Binding.role. Example value: `inRole:roles/logging.viewer` for # predefined roles and `inRole:organizations/`ORGANIZATION_ID`/roles/logging. # viewer` for custom roles. # Corresponds to the JSON property `availablePermissions` # @return [Array] attr_accessor :available_permissions # The full resource name of a Google Cloud resource entity. The format # definition is at https://cloud.google.com/apis/design/resource_names. Example # value: `//cloudresourcemanager.googleapis.com/projects/my-project`. # Corresponds to the JSON property `availableResource` # @return [String] attr_accessor :available_resource def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @availability_condition = args[:availability_condition] if args.key?(:availability_condition) @available_permissions = args[:available_permissions] if args.key?(:available_permissions) @available_resource = args[:available_resource] if args.key?(:available_resource) end end # Request message for ExchangeToken. class GoogleIdentityStsV1betaExchangeTokenRequest include Google::Apis::Core::Hashable # The full resource name of the identity provider. For example, `//iam. # googleapis.com/projects//locations/global/workloadIdentityPools//providers/`. # Required when exchanging an external credential for a Google access token. # Corresponds to the JSON property `audience` # @return [String] attr_accessor :audience # Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token- # exchange`, which indicates a token exchange. # Corresponds to the JSON property `grantType` # @return [String] attr_accessor :grant_type # A set of features that Security Token Service supports, in addition to the # standard OAuth 2.0 token exchange, formatted as a serialized JSON object of # Options. # Corresponds to the JSON property `options` # @return [String] attr_accessor :options # Required. The type of security token. Must be `urn:ietf:params:oauth:token- # type:access_token`, which indicates an OAuth 2.0 access token. # Corresponds to the JSON property `requestedTokenType` # @return [String] attr_accessor :requested_token_type # The OAuth 2.0 scopes to include on the resulting access token, formatted as a # list of space-delimited, case-sensitive strings. Required when exchanging an # external credential for a Google access token. # Corresponds to the JSON property `scope` # @return [String] attr_accessor :scope # Required. The input token. This token is either an external credential issued # by a workload identity pool provider, or a short-lived access token issued by # Google. If the token is an OIDC JWT, it must use the JWT format defined in [ # RFC 7523](https://tools.ietf.org/html/rfc7523), and the `subject_token_type` # must be either `urn:ietf:params:oauth:token-type:jwt` or `urn:ietf:params: # oauth:token-type:id_token`. The following headers are required: - `kid`: The # identifier of the signing key securing the JWT. - `alg`: The cryptographic # algorithm securing the JWT. Must be `RS256` or `ES256`. The following payload # fields are required. For more information, see [RFC 7523, Section 3](https:// # tools.ietf.org/html/rfc7523#section-3): - `iss`: The issuer of the token. The # issuer must provide a discovery document at the URL `/.well-known/openid- # configuration`, where `` is the value of this field. The document must be # formatted according to section 4.2 of the [OIDC 1.0 Discovery specification]( # https://openid.net/specs/openid-connect-discovery-1_0.html# # ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the # Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, # since the Unix epoch. Must be less than 48 hours after `iat`. Shorter # expiration times are more secure. If possible, we recommend setting an # expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. - # `aud`: For workload identity pools, this must be a value specified in the # allowed audiences for the workload identity pool provider, or one of the # audiences allowed by default if no audiences were specified. See https://cloud. # google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools. # providers#oidc Example header: ``` ` "alg": "RS256", "kid": "us-east-11" ` ``` # Example payload: ``` ` "iss": "https://accounts.google.com", "iat": 1517963104, # "exp": 1517966704, "aud": "//iam.googleapis.com/projects/1234567890123/ # locations/global/workloadIdentityPools/my-pool/providers/my-provider", "sub": " # 113475438248934895348", "my_claims": ` "additional_claim": "value" ` ` ``` If ` # subject_token` is for AWS, it must be a serialized `GetCallerIdentity` token. # This token contains the same information as a request to the AWS [` # GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/APIReference/ # API_GetCallerIdentity) method, as well as the AWS [signature](https://docs.aws. # amazon.com/general/latest/gr/signing_aws_api_requests.html) for the request # information. Use Signature Version 4. Format the request as URL-encoded JSON, # and set the `subject_token_type` parameter to `urn:ietf:params:aws:token-type: # aws4_request`. The following parameters are required: - `url`: The URL of the # AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.com? # Action=GetCallerIdentity&Version=2011-06-15`. Regional endpoints are also # supported. - `method`: The HTTP request method: `POST`. - `headers`: The HTTP # request headers, which must include: - `Authorization`: The request signature. # - `x-amz-date`: The time you will send the request, formatted as an [ISO8601 # Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html# # sigv4_elements_date) string. This value is typically set to the current time # and is used to help prevent replay attacks. - `host`: The hostname of the `url` # field; for example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: # The full, canonical resource name of the workload identity pool provider, with # or without an `https:` prefix. To help ensure data integrity, we recommend # including this header in the `SignedHeaders` field of the signed request. For # example: //iam.googleapis.com/projects//locations/global/workloadIdentityPools/ # /providers/ https://iam.googleapis.com/projects//locations/global/ # workloadIdentityPools//providers/ If you are using temporary security # credentials provided by AWS, you must also include the header `x-amz-security- # token`, with the value set to the session token. The following example shows a # `GetCallerIdentity` token: ``` ` "headers": [ `"key": "x-amz-date", "value": " # 20200815T015049Z"`, `"key": "Authorization", "value": "AWS4-HMAC-SHA256+ # Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target- # resource,+Signature=$signature"`, `"key": "x-goog-cloud-target-resource", " # value": "//iam.googleapis.com/projects//locations/global/workloadIdentityPools/ # /providers/"`, `"key": "host", "value": "sts.amazonaws.com"` . ], "method": " # POST", "url": "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011- # 06-15" ` ``` You can also use a Google-issued OAuth 2.0 access token with this # field to obtain an access token with new security attributes applied, such as # a Credential Access Boundary. In this case, set `subject_token_type` to `urn: # ietf:params:oauth:token-type:access_token`. If an access token already # contains security attributes, you cannot apply additional security attributes. # Corresponds to the JSON property `subjectToken` # @return [String] attr_accessor :subject_token # Required. An identifier that indicates the type of the security token in the ` # subject_token` parameter. Supported values are `urn:ietf:params:oauth:token- # type:jwt`, `urn:ietf:params:oauth:token-type:id_token`, `urn:ietf:params:aws: # token-type:aws4_request`, and `urn:ietf:params:oauth:token-type:access_token`. # Corresponds to the JSON property `subjectTokenType` # @return [String] attr_accessor :subject_token_type def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @audience = args[:audience] if args.key?(:audience) @grant_type = args[:grant_type] if args.key?(:grant_type) @options = args[:options] if args.key?(:options) @requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type) @scope = args[:scope] if args.key?(:scope) @subject_token = args[:subject_token] if args.key?(:subject_token) @subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type) end end # Response message for ExchangeToken. class GoogleIdentityStsV1betaExchangeTokenResponse include Google::Apis::Core::Hashable # An OAuth 2.0 security token, issued by Google, in response to the token # exchange request. Tokens can vary in size, depending in part on the size of # mapped claims, up to a maximum of 12288 bytes (12 KB). Google reserves the # right to change the token size and the maximum length at any time. # Corresponds to the JSON property `access_token` # @return [String] attr_accessor :access_token # The amount of time, in seconds, between the time when the access token was # issued and the time when the access token will expire. This field is absent # when the `subject_token` in the request is a Google-issued, short-lived access # token. In this case, the access token has the same expiration time as the ` # subject_token`. # Corresponds to the JSON property `expires_in` # @return [Fixnum] attr_accessor :expires_in # The token type. Always matches the value of `requested_token_type` from the # request. # Corresponds to the JSON property `issued_token_type` # @return [String] attr_accessor :issued_token_type # The type of access token. Always has the value `Bearer`. # Corresponds to the JSON property `token_type` # @return [String] attr_accessor :token_type def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @access_token = args[:access_token] if args.key?(:access_token) @expires_in = args[:expires_in] if args.key?(:expires_in) @issued_token_type = args[:issued_token_type] if args.key?(:issued_token_type) @token_type = args[:token_type] if args.key?(:token_type) end end # An `Options` object configures features that the Security Token Service # supports, but that are not supported by standard OAuth 2.0 token exchange # endpoints, as defined in https://tools.ietf.org/html/rfc8693. class GoogleIdentityStsV1betaOptions include Google::Apis::Core::Hashable # An access boundary defines the upper bound of what a principal may access. It # includes a list of access boundary rules that each defines the resource that # may be allowed as well as permissions that may be used on those resources. # Corresponds to the JSON property `accessBoundary` # @return [Google::Apis::StsV1beta::GoogleIdentityStsV1betaAccessBoundary] attr_accessor :access_boundary # The intended audience(s) of the credential. The audience value(s) should be # the name(s) of services intended to receive the credential. Example: `["https:/ # /pubsub.googleapis.com/", "https://storage.googleapis.com/"]`. A maximum of 5 # audiences can be included. For each provided audience, the maximum length is # 262 characters. # Corresponds to the JSON property `audiences` # @return [Array] attr_accessor :audiences # A Google project used for quota and billing purposes when the credential is # used to access Google APIs. The provided project overrides the project bound # to the credential. The value must be a project number or a project ID. Example: # `my-sample-project-191923`. The maximum length is 32 characters. # Corresponds to the JSON property `userProject` # @return [String] attr_accessor :user_project def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @access_boundary = args[:access_boundary] if args.key?(:access_boundary) @audiences = args[:audiences] if args.key?(:audiences) @user_project = args[:user_project] if args.key?(:user_project) end end # Represents a textual expression in the Common Expression Language (CEL) syntax. # CEL is a C-like expression language. The syntax and semantics of CEL are # documented at https://github.com/google/cel-spec. Example (Comparison): title: # "Summary size limit" description: "Determines if a summary is less than 100 # chars" expression: "document.summary.size() < 100" Example (Equality): title: " # Requestor is owner" description: "Determines if requestor is the document # owner" expression: "document.owner == request.auth.claims.email" Example ( # Logic): title: "Public documents" description: "Determine whether the document # should be publicly visible" expression: "document.type != 'private' && # document.type != 'internal'" Example (Data Manipulation): title: "Notification # string" description: "Create a notification string with a timestamp." # expression: "'New message received at ' + string(document.create_time)" The # exact variables and functions that may be referenced within an expression are # determined by the service that evaluates it. See the service documentation for # additional information. class GoogleTypeExpr include Google::Apis::Core::Hashable # Optional. Description of the expression. This is a longer text which describes # the expression, e.g. when hovered over it in a UI. # Corresponds to the JSON property `description` # @return [String] attr_accessor :description # Textual representation of an expression in Common Expression Language syntax. # Corresponds to the JSON property `expression` # @return [String] attr_accessor :expression # Optional. String indicating the location of the expression for error reporting, # e.g. a file name and a position in the file. # Corresponds to the JSON property `location` # @return [String] attr_accessor :location # Optional. Title for the expression, i.e. a short string describing its purpose. # This can be used e.g. in UIs which allow to enter the expression. # Corresponds to the JSON property `title` # @return [String] attr_accessor :title def initialize(**args) update!(**args) end # Update properties of this object def update!(**args) @description = args[:description] if args.key?(:description) @expression = args[:expression] if args.key?(:expression) @location = args[:location] if args.key?(:location) @title = args[:title] if args.key?(:title) end end end end end