943 lines
41 KiB
Ruby
943 lines
41 KiB
Ruby
# Copyright 2015 Google Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
require 'date'
|
|
require 'google/apis/core/base_service'
|
|
require 'google/apis/core/json_representation'
|
|
require 'google/apis/core/hashable'
|
|
require 'google/apis/errors'
|
|
|
|
module Google
|
|
module Apis
|
|
module CloudassetV1p4beta1
|
|
|
|
# Specifies roles and/or permissions to analyze, to determine both the
|
|
# identities possessing them and the resources they control. If multiple
|
|
# values are specified, results will include identities and resources
|
|
# matching any of them.
|
|
class AccessSelector
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Optional. The permissions to appear in result.
|
|
# Corresponds to the JSON property `permissions`
|
|
# @return [Array<String>]
|
|
attr_accessor :permissions
|
|
|
|
# Optional. The roles to appear in result.
|
|
# Corresponds to the JSON property `roles`
|
|
# @return [Array<String>]
|
|
attr_accessor :roles
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@permissions = args[:permissions] if args.key?(:permissions)
|
|
@roles = args[:roles] if args.key?(:roles)
|
|
end
|
|
end
|
|
|
|
# A response message for AssetService.AnalyzeIamPolicy.
|
|
class AnalyzeIamPolicyResponse
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Represents whether all entries in the main_analysis and
|
|
# service_account_impersonation_analysis have been fully explored to
|
|
# answer the query in the request.
|
|
# Corresponds to the JSON property `fullyExplored`
|
|
# @return [Boolean]
|
|
attr_accessor :fully_explored
|
|
alias_method :fully_explored?, :fully_explored
|
|
|
|
# An analysis message to group the query and results.
|
|
# Corresponds to the JSON property `mainAnalysis`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::IamPolicyAnalysis]
|
|
attr_accessor :main_analysis
|
|
|
|
# A list of non-critical errors happened during the request handling to
|
|
# explain why `fully_explored` is false, or empty if no error happened.
|
|
# Corresponds to the JSON property `nonCriticalErrors`
|
|
# @return [Array<Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1AnalysisState>]
|
|
attr_accessor :non_critical_errors
|
|
|
|
# The service account impersonation analysis if
|
|
# AnalyzeIamPolicyRequest.analyze_service_account_impersonation is
|
|
# enabled.
|
|
# Corresponds to the JSON property `serviceAccountImpersonationAnalysis`
|
|
# @return [Array<Google::Apis::CloudassetV1p4beta1::IamPolicyAnalysis>]
|
|
attr_accessor :service_account_impersonation_analysis
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@fully_explored = args[:fully_explored] if args.key?(:fully_explored)
|
|
@main_analysis = args[:main_analysis] if args.key?(:main_analysis)
|
|
@non_critical_errors = args[:non_critical_errors] if args.key?(:non_critical_errors)
|
|
@service_account_impersonation_analysis = args[:service_account_impersonation_analysis] if args.key?(:service_account_impersonation_analysis)
|
|
end
|
|
end
|
|
|
|
# Associates `members` with a `role`.
|
|
class Binding
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Represents a textual expression in the Common Expression Language (CEL)
|
|
# syntax. CEL is a C-like expression language. The syntax and semantics of CEL
|
|
# are documented at https://github.com/google/cel-spec.
|
|
# Example (Comparison):
|
|
# title: "Summary size limit"
|
|
# description: "Determines if a summary is less than 100 chars"
|
|
# expression: "document.summary.size() < 100"
|
|
# Example (Equality):
|
|
# title: "Requestor is owner"
|
|
# description: "Determines if requestor is the document owner"
|
|
# expression: "document.owner == request.auth.claims.email"
|
|
# Example (Logic):
|
|
# title: "Public documents"
|
|
# description: "Determine whether the document should be publicly visible"
|
|
# expression: "document.type != 'private' && document.type != 'internal'"
|
|
# Example (Data Manipulation):
|
|
# title: "Notification string"
|
|
# description: "Create a notification string with a timestamp."
|
|
# expression: "'New message received at ' + string(document.create_time)"
|
|
# The exact variables and functions that may be referenced within an expression
|
|
# are determined by the service that evaluates it. See the service
|
|
# documentation for additional information.
|
|
# Corresponds to the JSON property `condition`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::Expr]
|
|
attr_accessor :condition
|
|
|
|
# Specifies the identities requesting access for a Cloud Platform resource.
|
|
# `members` can have the following values:
|
|
# * `allUsers`: A special identifier that represents anyone who is
|
|
# on the internet; with or without a Google account.
|
|
# * `allAuthenticatedUsers`: A special identifier that represents anyone
|
|
# who is authenticated with a Google account or a service account.
|
|
# * `user:`emailid``: An email address that represents a specific Google
|
|
# account. For example, `alice@example.com` .
|
|
# * `serviceAccount:`emailid``: An email address that represents a service
|
|
# account. For example, `my-other-app@appspot.gserviceaccount.com`.
|
|
# * `group:`emailid``: An email address that represents a Google group.
|
|
# For example, `admins@example.com`.
|
|
# * `deleted:user:`emailid`?uid=`uniqueid``: An email address (plus unique
|
|
# identifier) representing a user that has been recently deleted. For
|
|
# example, `alice@example.com?uid=123456789012345678901`. If the user is
|
|
# recovered, this value reverts to `user:`emailid`` and the recovered user
|
|
# retains the role in the binding.
|
|
# * `deleted:serviceAccount:`emailid`?uid=`uniqueid``: An email address (plus
|
|
# unique identifier) representing a service account that has been recently
|
|
# deleted. For example,
|
|
# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
|
|
# If the service account is undeleted, this value reverts to
|
|
# `serviceAccount:`emailid`` and the undeleted service account retains the
|
|
# role in the binding.
|
|
# * `deleted:group:`emailid`?uid=`uniqueid``: An email address (plus unique
|
|
# identifier) representing a Google group that has been recently
|
|
# deleted. For example, `admins@example.com?uid=123456789012345678901`. If
|
|
# the group is recovered, this value reverts to `group:`emailid`` and the
|
|
# recovered group retains the role in the binding.
|
|
# * `domain:`domain``: The G Suite domain (primary) that represents all the
|
|
# users of that domain. For example, `google.com` or `example.com`.
|
|
# Corresponds to the JSON property `members`
|
|
# @return [Array<String>]
|
|
attr_accessor :members
|
|
|
|
# Role that is assigned to `members`.
|
|
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
|
|
# Corresponds to the JSON property `role`
|
|
# @return [String]
|
|
attr_accessor :role
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@condition = args[:condition] if args.key?(:condition)
|
|
@members = args[:members] if args.key?(:members)
|
|
@role = args[:role] if args.key?(:role)
|
|
end
|
|
end
|
|
|
|
# A request message for AssetService.ExportIamPolicyAnalysis.
|
|
class ExportIamPolicyAnalysisRequest
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# IAM policy analysis query message.
|
|
# Corresponds to the JSON property `analysisQuery`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::IamPolicyAnalysisQuery]
|
|
attr_accessor :analysis_query
|
|
|
|
# Contains request options.
|
|
# Corresponds to the JSON property `options`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::Options]
|
|
attr_accessor :options
|
|
|
|
# Output configuration for export IAM policy analysis destination.
|
|
# Corresponds to the JSON property `outputConfig`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::IamPolicyAnalysisOutputConfig]
|
|
attr_accessor :output_config
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@analysis_query = args[:analysis_query] if args.key?(:analysis_query)
|
|
@options = args[:options] if args.key?(:options)
|
|
@output_config = args[:output_config] if args.key?(:output_config)
|
|
end
|
|
end
|
|
|
|
# Represents a textual expression in the Common Expression Language (CEL)
|
|
# syntax. CEL is a C-like expression language. The syntax and semantics of CEL
|
|
# are documented at https://github.com/google/cel-spec.
|
|
# Example (Comparison):
|
|
# title: "Summary size limit"
|
|
# description: "Determines if a summary is less than 100 chars"
|
|
# expression: "document.summary.size() < 100"
|
|
# Example (Equality):
|
|
# title: "Requestor is owner"
|
|
# description: "Determines if requestor is the document owner"
|
|
# expression: "document.owner == request.auth.claims.email"
|
|
# Example (Logic):
|
|
# title: "Public documents"
|
|
# description: "Determine whether the document should be publicly visible"
|
|
# expression: "document.type != 'private' && document.type != 'internal'"
|
|
# Example (Data Manipulation):
|
|
# title: "Notification string"
|
|
# description: "Create a notification string with a timestamp."
|
|
# expression: "'New message received at ' + string(document.create_time)"
|
|
# The exact variables and functions that may be referenced within an expression
|
|
# are determined by the service that evaluates it. See the service
|
|
# documentation for additional information.
|
|
class Expr
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Optional. Description of the expression. This is a longer text which
|
|
# describes the expression, e.g. when hovered over it in a UI.
|
|
# Corresponds to the JSON property `description`
|
|
# @return [String]
|
|
attr_accessor :description
|
|
|
|
# Textual representation of an expression in Common Expression Language
|
|
# syntax.
|
|
# Corresponds to the JSON property `expression`
|
|
# @return [String]
|
|
attr_accessor :expression
|
|
|
|
# Optional. String indicating the location of the expression for error
|
|
# reporting, e.g. a file name and a position in the file.
|
|
# Corresponds to the JSON property `location`
|
|
# @return [String]
|
|
attr_accessor :location
|
|
|
|
# Optional. Title for the expression, i.e. a short string describing
|
|
# its purpose. This can be used e.g. in UIs which allow to enter the
|
|
# expression.
|
|
# Corresponds to the JSON property `title`
|
|
# @return [String]
|
|
attr_accessor :title
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@description = args[:description] if args.key?(:description)
|
|
@expression = args[:expression] if args.key?(:expression)
|
|
@location = args[:location] if args.key?(:location)
|
|
@title = args[:title] if args.key?(:title)
|
|
end
|
|
end
|
|
|
|
# A Cloud Storage location.
|
|
class GcsDestination
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Required. The uri of the Cloud Storage object. It's the same uri that is used
|
|
# by
|
|
# gsutil. For example: "gs://bucket_name/object_name". See [Viewing and
|
|
# Editing Object
|
|
# Metadata](https://cloud.google.com/storage/docs/viewing-editing-metadata)
|
|
# for more information.
|
|
# Corresponds to the JSON property `uri`
|
|
# @return [String]
|
|
attr_accessor :uri
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@uri = args[:uri] if args.key?(:uri)
|
|
end
|
|
end
|
|
|
|
# A role or permission that appears in an access control list.
|
|
class GoogleCloudAssetV1p4beta1Access
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Represents analysis state of each node in the result graph or non-critical
|
|
# errors in the response.
|
|
# Corresponds to the JSON property `analysisState`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1AnalysisState]
|
|
attr_accessor :analysis_state
|
|
|
|
# The permission.
|
|
# Corresponds to the JSON property `permission`
|
|
# @return [String]
|
|
attr_accessor :permission
|
|
|
|
# The role.
|
|
# Corresponds to the JSON property `role`
|
|
# @return [String]
|
|
attr_accessor :role
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@analysis_state = args[:analysis_state] if args.key?(:analysis_state)
|
|
@permission = args[:permission] if args.key?(:permission)
|
|
@role = args[:role] if args.key?(:role)
|
|
end
|
|
end
|
|
|
|
# An access control list, derived from the above IAM policy binding, which
|
|
# contains a set of resources and accesses. May include one
|
|
# item from each set to compose an access control entry.
|
|
# NOTICE that there could be multiple access control lists for one IAM policy
|
|
# binding. The access control lists are created based on resource and access
|
|
# combinations.
|
|
# For example, assume we have the following cases in one IAM policy binding:
|
|
# - Permission P1 and P2 apply to resource R1 and R2;
|
|
# - Permission P3 applies to resource R2 and R3;
|
|
# This will result in the following access control lists:
|
|
# - AccessControlList 1: [R1, R2], [P1, P2]
|
|
# - AccessControlList 2: [R2, R3], [P3]
|
|
class GoogleCloudAssetV1p4beta1AccessControlList
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# The accesses that match one of the following conditions:
|
|
# - The access_selector, if it is specified in request;
|
|
# - Otherwise, access specifiers reachable from the policy binding's role.
|
|
# Corresponds to the JSON property `accesses`
|
|
# @return [Array<Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1Access>]
|
|
attr_accessor :accesses
|
|
|
|
# Resource edges of the graph starting from the policy attached
|
|
# resource to any descendant resources. The Edge.source_node contains
|
|
# the full resource name of a parent resource and Edge.target_node
|
|
# contains the full resource name of a child resource. This field is
|
|
# present only if the output_resource_edges option is enabled in request.
|
|
# Corresponds to the JSON property `resourceEdges`
|
|
# @return [Array<Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1Edge>]
|
|
attr_accessor :resource_edges
|
|
|
|
# The resources that match one of the following conditions:
|
|
# - The resource_selector, if it is specified in request;
|
|
# - Otherwise, resources reachable from the policy attached resource.
|
|
# Corresponds to the JSON property `resources`
|
|
# @return [Array<Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1Resource>]
|
|
attr_accessor :resources
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@accesses = args[:accesses] if args.key?(:accesses)
|
|
@resource_edges = args[:resource_edges] if args.key?(:resource_edges)
|
|
@resources = args[:resources] if args.key?(:resources)
|
|
end
|
|
end
|
|
|
|
# Represents analysis state of each node in the result graph or non-critical
|
|
# errors in the response.
|
|
class GoogleCloudAssetV1p4beta1AnalysisState
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# The human-readable description of the cause of failure.
|
|
# Corresponds to the JSON property `cause`
|
|
# @return [String]
|
|
attr_accessor :cause
|
|
|
|
# The Google standard error code that best describes the state.
|
|
# For example:
|
|
# - OK means the node has been successfully explored;
|
|
# - PERMISSION_DENIED means an access denied error is encountered;
|
|
# - DEADLINE_EXCEEDED means the node hasn't been explored in time;
|
|
# Corresponds to the JSON property `code`
|
|
# @return [String]
|
|
attr_accessor :code
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@cause = args[:cause] if args.key?(:cause)
|
|
@code = args[:code] if args.key?(:code)
|
|
end
|
|
end
|
|
|
|
# A directional edge.
|
|
class GoogleCloudAssetV1p4beta1Edge
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# The source node of the edge.
|
|
# Corresponds to the JSON property `sourceNode`
|
|
# @return [String]
|
|
attr_accessor :source_node
|
|
|
|
# The target node of the edge.
|
|
# Corresponds to the JSON property `targetNode`
|
|
# @return [String]
|
|
attr_accessor :target_node
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@source_node = args[:source_node] if args.key?(:source_node)
|
|
@target_node = args[:target_node] if args.key?(:target_node)
|
|
end
|
|
end
|
|
|
|
# An identity that appears in an access control list.
|
|
class GoogleCloudAssetV1p4beta1Identity
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Represents analysis state of each node in the result graph or non-critical
|
|
# errors in the response.
|
|
# Corresponds to the JSON property `analysisState`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1AnalysisState]
|
|
attr_accessor :analysis_state
|
|
|
|
# The identity name in any form of members appear in
|
|
# [IAM policy
|
|
# binding](https://cloud.google.com/iam/reference/rest/v1/Binding), such
|
|
# as:
|
|
# - user:foo@google.com
|
|
# - group:group1@google.com
|
|
# - serviceAccount:s1@prj1.iam.gserviceaccount.com
|
|
# - projectOwner:some_project_id
|
|
# - domain:google.com
|
|
# - allUsers
|
|
# - etc.
|
|
# Corresponds to the JSON property `name`
|
|
# @return [String]
|
|
attr_accessor :name
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@analysis_state = args[:analysis_state] if args.key?(:analysis_state)
|
|
@name = args[:name] if args.key?(:name)
|
|
end
|
|
end
|
|
|
|
#
|
|
class GoogleCloudAssetV1p4beta1IdentityList
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Group identity edges of the graph starting from the binding's
|
|
# group members to any node of the identities. The Edge.source_node
|
|
# contains a group, such as "group:parent@google.com". The
|
|
# Edge.target_node contains a member of the group,
|
|
# such as "group:child@google.com" or "user:foo@google.com".
|
|
# This field is present only if the output_group_edges option is enabled in
|
|
# request.
|
|
# Corresponds to the JSON property `groupEdges`
|
|
# @return [Array<Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1Edge>]
|
|
attr_accessor :group_edges
|
|
|
|
# Only the identities that match one of the following conditions will be
|
|
# presented:
|
|
# - The identity_selector, if it is specified in request;
|
|
# - Otherwise, identities reachable from the policy binding's members.
|
|
# Corresponds to the JSON property `identities`
|
|
# @return [Array<Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1Identity>]
|
|
attr_accessor :identities
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@group_edges = args[:group_edges] if args.key?(:group_edges)
|
|
@identities = args[:identities] if args.key?(:identities)
|
|
end
|
|
end
|
|
|
|
# A GCP resource that appears in an access control list.
|
|
class GoogleCloudAssetV1p4beta1Resource
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Represents analysis state of each node in the result graph or non-critical
|
|
# errors in the response.
|
|
# Corresponds to the JSON property `analysisState`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1AnalysisState]
|
|
attr_accessor :analysis_state
|
|
|
|
# The [full resource
|
|
# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
|
|
# Corresponds to the JSON property `fullResourceName`
|
|
# @return [String]
|
|
attr_accessor :full_resource_name
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@analysis_state = args[:analysis_state] if args.key?(:analysis_state)
|
|
@full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
|
|
end
|
|
end
|
|
|
|
# An analysis message to group the query and results.
|
|
class IamPolicyAnalysis
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# IAM policy analysis query message.
|
|
# Corresponds to the JSON property `analysisQuery`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::IamPolicyAnalysisQuery]
|
|
attr_accessor :analysis_query
|
|
|
|
# A list of IamPolicyAnalysisResult that matches the analysis query, or
|
|
# empty if no result is found.
|
|
# Corresponds to the JSON property `analysisResults`
|
|
# @return [Array<Google::Apis::CloudassetV1p4beta1::IamPolicyAnalysisResult>]
|
|
attr_accessor :analysis_results
|
|
|
|
# Represents whether all entries in the analysis_results have been
|
|
# fully explored to answer the query.
|
|
# Corresponds to the JSON property `fullyExplored`
|
|
# @return [Boolean]
|
|
attr_accessor :fully_explored
|
|
alias_method :fully_explored?, :fully_explored
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@analysis_query = args[:analysis_query] if args.key?(:analysis_query)
|
|
@analysis_results = args[:analysis_results] if args.key?(:analysis_results)
|
|
@fully_explored = args[:fully_explored] if args.key?(:fully_explored)
|
|
end
|
|
end
|
|
|
|
# Output configuration for export IAM policy analysis destination.
|
|
class IamPolicyAnalysisOutputConfig
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# A Cloud Storage location.
|
|
# Corresponds to the JSON property `gcsDestination`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::GcsDestination]
|
|
attr_accessor :gcs_destination
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@gcs_destination = args[:gcs_destination] if args.key?(:gcs_destination)
|
|
end
|
|
end
|
|
|
|
# IAM policy analysis query message.
|
|
class IamPolicyAnalysisQuery
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Specifies roles and/or permissions to analyze, to determine both the
|
|
# identities possessing them and the resources they control. If multiple
|
|
# values are specified, results will include identities and resources
|
|
# matching any of them.
|
|
# Corresponds to the JSON property `accessSelector`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::AccessSelector]
|
|
attr_accessor :access_selector
|
|
|
|
# Specifies an identity for which to determine resource access, based on
|
|
# roles assigned either directly to them or to the groups they belong to,
|
|
# directly or indirectly.
|
|
# Corresponds to the JSON property `identitySelector`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::IdentitySelector]
|
|
attr_accessor :identity_selector
|
|
|
|
# Required. The relative name of the root asset. Only resources and IAM policies
|
|
# within
|
|
# the parent will be analyzed. This can only be an organization number (such
|
|
# as "organizations/123") or a folder number (such as "folders/123").
|
|
# To know how to get organization id, visit [here
|
|
# ](https://cloud.google.com/resource-manager/docs/creating-managing-
|
|
# organization#retrieving_your_organization_id).
|
|
# To know how to get folder id, visit [here
|
|
# ](https://cloud.google.com/resource-manager/docs/creating-managing-folders#
|
|
# viewing_or_listing_folders_and_projects).
|
|
# Corresponds to the JSON property `parent`
|
|
# @return [String]
|
|
attr_accessor :parent
|
|
|
|
# Specifies the resource to analyze for access policies, which may be set
|
|
# directly on the resource, or on ancestors such as organizations, folders or
|
|
# projects. Either ResourceSelector or IdentitySelector must be
|
|
# specified in a request.
|
|
# Corresponds to the JSON property `resourceSelector`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::ResourceSelector]
|
|
attr_accessor :resource_selector
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@access_selector = args[:access_selector] if args.key?(:access_selector)
|
|
@identity_selector = args[:identity_selector] if args.key?(:identity_selector)
|
|
@parent = args[:parent] if args.key?(:parent)
|
|
@resource_selector = args[:resource_selector] if args.key?(:resource_selector)
|
|
end
|
|
end
|
|
|
|
# IAM Policy analysis result, consisting of one IAM policy binding and derived
|
|
# access control lists.
|
|
class IamPolicyAnalysisResult
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# The access control lists derived from the iam_binding that match or
|
|
# potentially match resource and access selectors specified in the request.
|
|
# Corresponds to the JSON property `accessControlLists`
|
|
# @return [Array<Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1AccessControlList>]
|
|
attr_accessor :access_control_lists
|
|
|
|
# The [full resource
|
|
# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
|
|
# of the resource to which the iam_binding policy attaches.
|
|
# Corresponds to the JSON property `attachedResourceFullName`
|
|
# @return [String]
|
|
attr_accessor :attached_resource_full_name
|
|
|
|
# Represents whether all nodes in the transitive closure of the
|
|
# iam_binding node have been explored.
|
|
# Corresponds to the JSON property `fullyExplored`
|
|
# @return [Boolean]
|
|
attr_accessor :fully_explored
|
|
alias_method :fully_explored?, :fully_explored
|
|
|
|
# Associates `members` with a `role`.
|
|
# Corresponds to the JSON property `iamBinding`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::Binding]
|
|
attr_accessor :iam_binding
|
|
|
|
# The identity list derived from members of the iam_binding that match or
|
|
# potentially match identity selector specified in the request.
|
|
# Corresponds to the JSON property `identityList`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::GoogleCloudAssetV1p4beta1IdentityList]
|
|
attr_accessor :identity_list
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@access_control_lists = args[:access_control_lists] if args.key?(:access_control_lists)
|
|
@attached_resource_full_name = args[:attached_resource_full_name] if args.key?(:attached_resource_full_name)
|
|
@fully_explored = args[:fully_explored] if args.key?(:fully_explored)
|
|
@iam_binding = args[:iam_binding] if args.key?(:iam_binding)
|
|
@identity_list = args[:identity_list] if args.key?(:identity_list)
|
|
end
|
|
end
|
|
|
|
# Specifies an identity for which to determine resource access, based on
|
|
# roles assigned either directly to them or to the groups they belong to,
|
|
# directly or indirectly.
|
|
class IdentitySelector
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Required. The identity appear in the form of members in
|
|
# [IAM policy
|
|
# binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
|
|
# The examples of supported forms are:
|
|
# "user:mike@example.com",
|
|
# "group:admins@example.com",
|
|
# "domain:google.com",
|
|
# "serviceAccount:my-project-id@appspot.gserviceaccount.com".
|
|
# Notice that wildcard characters (such as * and ?) are not supported.
|
|
# You must give a specific identity.
|
|
# Corresponds to the JSON property `identity`
|
|
# @return [String]
|
|
attr_accessor :identity
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@identity = args[:identity] if args.key?(:identity)
|
|
end
|
|
end
|
|
|
|
# This resource represents a long-running operation that is the result of a
|
|
# network API call.
|
|
class Operation
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# If the value is `false`, it means the operation is still in progress.
|
|
# If `true`, the operation is completed, and either `error` or `response` is
|
|
# available.
|
|
# Corresponds to the JSON property `done`
|
|
# @return [Boolean]
|
|
attr_accessor :done
|
|
alias_method :done?, :done
|
|
|
|
# The `Status` type defines a logical error model that is suitable for
|
|
# different programming environments, including REST APIs and RPC APIs. It is
|
|
# used by [gRPC](https://github.com/grpc). Each `Status` message contains
|
|
# three pieces of data: error code, error message, and error details.
|
|
# You can find out more about this error model and how to work with it in the
|
|
# [API Design Guide](https://cloud.google.com/apis/design/errors).
|
|
# Corresponds to the JSON property `error`
|
|
# @return [Google::Apis::CloudassetV1p4beta1::Status]
|
|
attr_accessor :error
|
|
|
|
# Service-specific metadata associated with the operation. It typically
|
|
# contains progress information and common metadata such as create time.
|
|
# Some services might not provide such metadata. Any method that returns a
|
|
# long-running operation should document the metadata type, if any.
|
|
# Corresponds to the JSON property `metadata`
|
|
# @return [Hash<String,Object>]
|
|
attr_accessor :metadata
|
|
|
|
# The server-assigned name, which is only unique within the same service that
|
|
# originally returns it. If you use the default HTTP mapping, the
|
|
# `name` should be a resource name ending with `operations/`unique_id``.
|
|
# Corresponds to the JSON property `name`
|
|
# @return [String]
|
|
attr_accessor :name
|
|
|
|
# The normal response of the operation in case of success. If the original
|
|
# method returns no data on success, such as `Delete`, the response is
|
|
# `google.protobuf.Empty`. If the original method is standard
|
|
# `Get`/`Create`/`Update`, the response should be the resource. For other
|
|
# methods, the response should have the type `XxxResponse`, where `Xxx`
|
|
# is the original method name. For example, if the original method name
|
|
# is `TakeSnapshot()`, the inferred response type is
|
|
# `TakeSnapshotResponse`.
|
|
# Corresponds to the JSON property `response`
|
|
# @return [Hash<String,Object>]
|
|
attr_accessor :response
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@done = args[:done] if args.key?(:done)
|
|
@error = args[:error] if args.key?(:error)
|
|
@metadata = args[:metadata] if args.key?(:metadata)
|
|
@name = args[:name] if args.key?(:name)
|
|
@response = args[:response] if args.key?(:response)
|
|
end
|
|
end
|
|
|
|
# Contains request options.
|
|
class Options
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Optional. If true, the response will include access analysis from identities
|
|
# to
|
|
# resources via service account impersonation. This is a very expensive
|
|
# operation, because many derived queries will be executed.
|
|
# For example, if the request analyzes for which resources user A has
|
|
# permission P, and there's an IAM policy states user A has
|
|
# iam.serviceAccounts.getAccessToken permission to a service account SA,
|
|
# and there's another IAM policy states service account SA has permission P
|
|
# to a GCP folder F, then user A potentially has access to the GCP folder
|
|
# F. And those advanced analysis results will be included in
|
|
# AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
|
|
# Another example, if the request analyzes for who has
|
|
# permission P to a GCP folder F, and there's an IAM policy states user A
|
|
# has iam.serviceAccounts.actAs permission to a service account SA, and
|
|
# there's another IAM policy states service account SA has permission P to
|
|
# the GCP folder F, then user A potentially has access to the GCP folder
|
|
# F. And those advanced analysis results will be included in
|
|
# AnalyzeIamPolicyResponse.service_account_impersonation_analysis.
|
|
# Default is false.
|
|
# Corresponds to the JSON property `analyzeServiceAccountImpersonation`
|
|
# @return [Boolean]
|
|
attr_accessor :analyze_service_account_impersonation
|
|
alias_method :analyze_service_account_impersonation?, :analyze_service_account_impersonation
|
|
|
|
# Optional. If true, the identities section of the result will expand any
|
|
# Google groups appearing in an IAM policy binding.
|
|
# If identity_selector is specified, the identity in the result will
|
|
# be determined by the selector, and this flag will have no effect.
|
|
# Default is false.
|
|
# Corresponds to the JSON property `expandGroups`
|
|
# @return [Boolean]
|
|
attr_accessor :expand_groups
|
|
alias_method :expand_groups?, :expand_groups
|
|
|
|
# Optional. If true, the resource section of the result will expand any
|
|
# resource attached to an IAM policy to include resources lower in the
|
|
# resource hierarchy.
|
|
# For example, if the request analyzes for which resources user A has
|
|
# permission P, and the results include an IAM policy with P on a GCP
|
|
# folder, the results will also include resources in that folder with
|
|
# permission P.
|
|
# If resource_selector is specified, the resource section of the result
|
|
# will be determined by the selector, and this flag will have no effect.
|
|
# Default is false.
|
|
# Corresponds to the JSON property `expandResources`
|
|
# @return [Boolean]
|
|
attr_accessor :expand_resources
|
|
alias_method :expand_resources?, :expand_resources
|
|
|
|
# Optional. If true, the access section of result will expand any roles
|
|
# appearing in IAM policy bindings to include their permissions.
|
|
# If access_selector is specified, the access section of the result
|
|
# will be determined by the selector, and this flag will have no effect.
|
|
# Default is false.
|
|
# Corresponds to the JSON property `expandRoles`
|
|
# @return [Boolean]
|
|
attr_accessor :expand_roles
|
|
alias_method :expand_roles?, :expand_roles
|
|
|
|
# Optional. If true, the result will output group identity edges, starting
|
|
# from the binding's group members, to any expanded identities.
|
|
# Default is false.
|
|
# Corresponds to the JSON property `outputGroupEdges`
|
|
# @return [Boolean]
|
|
attr_accessor :output_group_edges
|
|
alias_method :output_group_edges?, :output_group_edges
|
|
|
|
# Optional. If true, the result will output resource edges, starting
|
|
# from the policy attached resource, to any expanded resources.
|
|
# Default is false.
|
|
# Corresponds to the JSON property `outputResourceEdges`
|
|
# @return [Boolean]
|
|
attr_accessor :output_resource_edges
|
|
alias_method :output_resource_edges?, :output_resource_edges
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@analyze_service_account_impersonation = args[:analyze_service_account_impersonation] if args.key?(:analyze_service_account_impersonation)
|
|
@expand_groups = args[:expand_groups] if args.key?(:expand_groups)
|
|
@expand_resources = args[:expand_resources] if args.key?(:expand_resources)
|
|
@expand_roles = args[:expand_roles] if args.key?(:expand_roles)
|
|
@output_group_edges = args[:output_group_edges] if args.key?(:output_group_edges)
|
|
@output_resource_edges = args[:output_resource_edges] if args.key?(:output_resource_edges)
|
|
end
|
|
end
|
|
|
|
# Specifies the resource to analyze for access policies, which may be set
|
|
# directly on the resource, or on ancestors such as organizations, folders or
|
|
# projects. Either ResourceSelector or IdentitySelector must be
|
|
# specified in a request.
|
|
class ResourceSelector
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# Required. The [full resource
|
|
# name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
|
|
# of a resource of [supported resource
|
|
# types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#
|
|
# analyzable_asset_types).
|
|
# Corresponds to the JSON property `fullResourceName`
|
|
# @return [String]
|
|
attr_accessor :full_resource_name
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@full_resource_name = args[:full_resource_name] if args.key?(:full_resource_name)
|
|
end
|
|
end
|
|
|
|
# The `Status` type defines a logical error model that is suitable for
|
|
# different programming environments, including REST APIs and RPC APIs. It is
|
|
# used by [gRPC](https://github.com/grpc). Each `Status` message contains
|
|
# three pieces of data: error code, error message, and error details.
|
|
# You can find out more about this error model and how to work with it in the
|
|
# [API Design Guide](https://cloud.google.com/apis/design/errors).
|
|
class Status
|
|
include Google::Apis::Core::Hashable
|
|
|
|
# The status code, which should be an enum value of google.rpc.Code.
|
|
# Corresponds to the JSON property `code`
|
|
# @return [Fixnum]
|
|
attr_accessor :code
|
|
|
|
# A list of messages that carry the error details. There is a common set of
|
|
# message types for APIs to use.
|
|
# Corresponds to the JSON property `details`
|
|
# @return [Array<Hash<String,Object>>]
|
|
attr_accessor :details
|
|
|
|
# A developer-facing error message, which should be in English. Any
|
|
# user-facing error message should be localized and sent in the
|
|
# google.rpc.Status.details field, or localized by the client.
|
|
# Corresponds to the JSON property `message`
|
|
# @return [String]
|
|
attr_accessor :message
|
|
|
|
def initialize(**args)
|
|
update!(**args)
|
|
end
|
|
|
|
# Update properties of this object
|
|
def update!(**args)
|
|
@code = args[:code] if args.key?(:code)
|
|
@details = args[:details] if args.key?(:details)
|
|
@message = args[:message] if args.key?(:message)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|