feat: add AllowedDomainSettings to the UpdateIapSettingsRequest

feat: add AttributePropagationSettings to the UpdateIapSettingsRequest
feat: add remediation_token_generation_enabled to the CsmSettings
chore: deprecate password reauth method which will no longer be accepted by IAP APIs.

PiperOrigin-RevId: 496681848
pull/763/head
Google APIs 2 years ago committed by Copybara-Service
parent bc27df2b63
commit be2d54edde
  1. 2
      google/cloud/iap/v1/BUILD.bazel
  2. 319
      google/cloud/iap/v1/service.proto
  3. 29
      google/cloud/iap/v1beta1/BUILD.bazel

@ -182,6 +182,7 @@ py_gapic_library(
srcs = [":iap_proto"],
grpc_service_config = "iap_grpc_service_config.json",
rest_numeric_enums = True,
service_yaml = "iap_v1.yaml",
transport = "grpc",
deps = [
"//google/iam/v1:iam_policy_py_proto",
@ -317,6 +318,7 @@ ruby_cloud_gapic_library(
rest_numeric_enums = True,
ruby_cloud_description = "IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.",
ruby_cloud_title = "Identity-Aware Proxy V1",
service_yaml = "iap_v1.yaml",
deps = [
":iap_ruby_grpc",
":iap_ruby_proto",

@ -38,16 +38,20 @@ option (google.api.resource_definition) = {
pattern: "projects/{project}/iap_tunnel/locations/{location}"
};
// The Cloud Identity-Aware Proxy API.
// APIs for Identity-Aware Proxy Admin configurations.
service IdentityAwareProxyAdminService {
option (google.api.default_host) = "iap.googleapis.com";
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
option (google.api.oauth_scopes) =
"https://www.googleapis.com/auth/cloud-platform";
// Sets the access control policy for an Identity-Aware Proxy protected
// resource. Replaces any existing policy.
// More information about managing access via IAP can be found at:
// https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
returns (google.iam.v1.Policy) {
option (google.api.http) = {
post: "/v1/{resource=**}:setIamPolicy"
body: "*"
@ -58,7 +62,8 @@ service IdentityAwareProxyAdminService {
// resource.
// More information about managing access via IAP can be found at:
// https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
returns (google.iam.v1.Policy) {
option (google.api.http) = {
post: "/v1/{resource=**}:getIamPolicy"
body: "*"
@ -69,7 +74,8 @@ service IdentityAwareProxyAdminService {
// resource.
// More information about managing access via IAP can be found at:
// https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
returns (google.iam.v1.TestIamPermissionsResponse) {
option (google.api.http) = {
post: "/v1/{resource=**}:testIamPermissions"
body: "*"
@ -95,7 +101,8 @@ service IdentityAwareProxyAdminService {
// Lists the existing TunnelDestGroups. To group across all locations, use a
// `-` as the location ID. For example:
// `/v1/projects/123/iap_tunnel/locations/-/destGroups`
rpc ListTunnelDestGroups(ListTunnelDestGroupsRequest) returns (ListTunnelDestGroupsResponse) {
rpc ListTunnelDestGroups(ListTunnelDestGroupsRequest)
returns (ListTunnelDestGroupsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
};
@ -103,12 +110,14 @@ service IdentityAwareProxyAdminService {
}
// Creates a new TunnelDestGroup.
rpc CreateTunnelDestGroup(CreateTunnelDestGroupRequest) returns (TunnelDestGroup) {
rpc CreateTunnelDestGroup(CreateTunnelDestGroupRequest)
returns (TunnelDestGroup) {
option (google.api.http) = {
post: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
body: "tunnel_dest_group"
};
option (google.api.method_signature) = "parent,tunnel_dest_group,tunnel_dest_group_id";
option (google.api.method_signature) =
"parent,tunnel_dest_group,tunnel_dest_group_id";
}
// Retrieves an existing TunnelDestGroup.
@ -120,7 +129,8 @@ service IdentityAwareProxyAdminService {
}
// Deletes a TunnelDestGroup.
rpc DeleteTunnelDestGroup(DeleteTunnelDestGroupRequest) returns (google.protobuf.Empty) {
rpc DeleteTunnelDestGroup(DeleteTunnelDestGroupRequest)
returns (google.protobuf.Empty) {
option (google.api.http) = {
delete: "/v1/{name=projects/*/iap_tunnel/locations/*/destGroups/*}"
};
@ -128,7 +138,8 @@ service IdentityAwareProxyAdminService {
}
// Updates a TunnelDestGroup.
rpc UpdateTunnelDestGroup(UpdateTunnelDestGroupRequest) returns (TunnelDestGroup) {
rpc UpdateTunnelDestGroup(UpdateTunnelDestGroupRequest)
returns (TunnelDestGroup) {
option (google.api.http) = {
patch: "/v1/{tunnel_dest_group.name=projects/*/iap_tunnel/locations/*/destGroups/*}"
body: "tunnel_dest_group"
@ -188,13 +199,14 @@ message CreateTunnelDestGroupRequest {
];
// Required. The TunnelDestGroup to create.
TunnelDestGroup tunnel_dest_group = 2 [(google.api.field_behavior) = REQUIRED];
TunnelDestGroup tunnel_dest_group = 2
[(google.api.field_behavior) = REQUIRED];
// Required. The ID to use for the TunnelDestGroup, which becomes the final component of
// the resource name.
// Required. The ID to use for the TunnelDestGroup, which becomes the final
// component of the resource name.
//
// This value must be 4-63 characters, and valid characters
// are `[a-z][0-9]-`.
// are `[a-z]-`.
string tunnel_dest_group_id = 3 [(google.api.field_behavior) = REQUIRED];
}
@ -227,7 +239,8 @@ message DeleteTunnelDestGroupRequest {
// The request to UpdateTunnelDestGroup.
message UpdateTunnelDestGroupRequest {
// Required. The new values for the TunnelDestGroup.
TunnelDestGroup tunnel_dest_group = 1 [(google.api.field_behavior) = REQUIRED];
TunnelDestGroup tunnel_dest_group = 1
[(google.api.field_behavior) = REQUIRED];
// A field mask that specifies which IAP settings to update.
// If omitted, then all of the settings are updated. See
@ -242,100 +255,21 @@ message TunnelDestGroup {
pattern: "projects/{project}/iap_tunnel/locations/{location}/destGroups/{dest_group}"
};
// Required. Immutable. Identifier for the TunnelDestGroup. Must be unique within the
// project.
// Required. Immutable. Identifier for the TunnelDestGroup. Must be unique
// within the project and contain only lower case letters (a-z) and dashes
// (-).
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.field_behavior) = IMMUTABLE
];
// null List of CIDRs that this group applies to.
// Unordered list. List of CIDRs that this group applies to.
repeated string cidrs = 2 [(google.api.field_behavior) = UNORDERED_LIST];
// null List of FQDNs that this group applies to.
// Unordered list. List of FQDNs that this group applies to.
repeated string fqdns = 3 [(google.api.field_behavior) = UNORDERED_LIST];
}
// API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
// OAuth brands; and create, retrieve, delete and reset-secret of IAP OAuth
// clients.
service IdentityAwareProxyOAuthService {
option (google.api.default_host) = "iap.googleapis.com";
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
// Lists the existing brands for the project.
rpc ListBrands(ListBrandsRequest) returns (ListBrandsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*}/brands"
};
}
// Constructs a new OAuth brand for the project if one does not exist.
// The created brand is "internal only", meaning that OAuth clients created
// under it only accept requests from users who belong to the same Google
// Workspace organization as the project. The brand is created in an
// un-reviewed status. NOTE: The "internal only" status can be manually
// changed in the Google Cloud Console. Requires that a brand does not already
// exist for the project, and that the specified support email is owned by the
// caller.
rpc CreateBrand(CreateBrandRequest) returns (Brand) {
option (google.api.http) = {
post: "/v1/{parent=projects/*}/brands"
body: "brand"
};
}
// Retrieves the OAuth brand of the project.
rpc GetBrand(GetBrandRequest) returns (Brand) {
option (google.api.http) = {
get: "/v1/{name=projects/*/brands/*}"
};
}
// Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned
// by IAP. Requires that the brand for the project exists and that it is
// set for internal-only use.
rpc CreateIdentityAwareProxyClient(CreateIdentityAwareProxyClientRequest) returns (IdentityAwareProxyClient) {
option (google.api.http) = {
post: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
body: "identity_aware_proxy_client"
};
}
// Lists the existing clients for the brand.
rpc ListIdentityAwareProxyClients(ListIdentityAwareProxyClientsRequest) returns (ListIdentityAwareProxyClientsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
};
}
// Retrieves an Identity Aware Proxy (IAP) OAuth client.
// Requires that the client is owned by IAP.
rpc GetIdentityAwareProxyClient(GetIdentityAwareProxyClientRequest) returns (IdentityAwareProxyClient) {
option (google.api.http) = {
get: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
};
}
// Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the
// secret was compromised. Requires that the client is owned by IAP.
rpc ResetIdentityAwareProxyClientSecret(ResetIdentityAwareProxyClientSecretRequest) returns (IdentityAwareProxyClient) {
option (google.api.http) = {
post: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}:resetSecret"
body: "*"
};
}
// Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing
// obsolete clients, managing the number of clients in a given project, and
// cleaning up after tests. Requires that the client is owned by IAP.
rpc DeleteIdentityAwareProxyClient(DeleteIdentityAwareProxyClientRequest) returns (google.protobuf.Empty) {
option (google.api.http) = {
delete: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
};
}
}
// The request sent to GetIapSettings.
message GetIapSettingsRequest {
// Required. The resource name for which to retrieve the settings.
@ -382,6 +316,9 @@ message AccessSettings {
// Settings to configure reauthentication policies in IAP.
ReauthSettings reauth_settings = 6;
// Settings to configure and enable allowed domains.
AllowedDomainsSettings allowed_domains_settings = 7;
}
// Allows customers to configure tenant_id for GCIP instance per-app.
@ -426,15 +363,11 @@ message ReauthSettings {
// Reauthentication disabled.
METHOD_UNSPECIFIED = 0;
// Mimics the behavior as if the user had logged out and tried to log in
// again. Users with 2SV (2-step verification) enabled see their 2SV
// challenges if they did not opt to have their second factor responses
// saved. Apps Core (GSuites) admins can configure settings to disable 2SV
// cookies and require 2SV for all Apps Core users in their domains.
// Prompts the user to log in again.
LOGIN = 1;
// User must type their password.
PASSWORD = 2;
// Deprecated, no longer accepted by IAP APIs.
PASSWORD = 2 [deprecated = true];
// User must use their secure key 2nd factor device.
SECURE_KEY = 3;
@ -453,7 +386,7 @@ message ReauthSettings {
DEFAULT = 2;
}
// Reauth method required by the policy.
// Reauth method requested.
Method method = 1;
// Reauth session lifetime, how long before a user has to reauthenticate
@ -465,9 +398,19 @@ message ReauthSettings {
PolicyType policy_type = 3;
}
// Configuration for IAP allowed domains. Lets you to restrict access to an app
// and allow access to only the domains that you list.
message AllowedDomainsSettings {
// Configuration for customers to opt in for the feature.
optional bool enable = 1;
// List of trusted domains.
repeated string domains = 2;
}
// Wrapper over application specific settings for IAP.
message ApplicationSettings {
// Settings to configure IAP's behavior for a CSM mesh.
// Settings to configure IAP's behavior for a service mesh.
CsmSettings csm_settings = 1;
// Customization for Access Denied page.
@ -476,12 +419,15 @@ message ApplicationSettings {
// The Domain value to set for cookies generated by IAP. This value is not
// validated by the API, but will be ignored at runtime if invalid.
google.protobuf.StringValue cookie_domain = 3;
// Settings to configure attribute propagation.
AttributePropagationSettings attribute_propagation_settings = 4;
}
// Configuration for RCTokens generated for CSM workloads protected by IAP.
// RCTokens are IAP generated JWTs that can be verified at the application. The
// RCToken is primarily used for ISTIO deployments, and can be scoped to a
// single mesh by configuring the audience field accordingly
// Configuration for RCToken generated for service mesh workloads protected by
// IAP. RCToken are IAP generated JWTs that can be verified at the application.
// The RCToken is primarily used for service mesh deployments, and can be scoped
// to a single mesh by configuring the audience field accordingly.
message CsmSettings {
// Audience claim set in the generated RCToken. This value is not validated by
// IAP.
@ -499,6 +445,154 @@ message AccessDeniedPageSettings {
// Whether to generate a troubleshooting URL on access denied events to this
// application.
google.protobuf.BoolValue generate_troubleshooting_uri = 2;
// Whether to generate remediation token on access denied events to this
// application.
optional google.protobuf.BoolValue remediation_token_generation_enabled = 3;
}
// Configuration for propagating attributes to applications protected
// by IAP.
message AttributePropagationSettings {
// Supported output credentials for attribute propagation. Each output
// credential maps to a "field" in the response. For example, selecting JWT
// will propagate all attributes in the IAP JWT, header in the headers, etc.
enum OutputCredentials {
// No output credential. This is an unsupported default.
OUTPUT_CREDENTIALS_UNSPECIFIED = 0;
// Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
HEADER = 1;
// Propagate attributes in the JWT of the form: `"additional_claims": {
// "my_attribute": ["value1", "value2"] }`
JWT = 2;
// Propagate attributes in the RCToken of the form: `"additional_claims": {
// "my_attribute": ["value1", "value2"] }`
RCTOKEN = 3;
}
// Raw string CEL expression. Must return a list of attributes. Maximum of 45
// attributes can be selected. Expressions can select different attribute
// types from `attributes`: `attributes.saml_attributes`,
// `attributes.iap_attributes`. Limited functions are supported:
// - `filter: <list>.filter(<iter_var>, <predicate>)` -> returns a subset of
// `<list>` where `<predicate>` is true for every item.
// - `in: <var> in <list>` -> returns true if `<list>` contains `<var>`
// - `selectByName: <list>.selectByName(<string>)` -> returns the attribute
// in
// `<list>` with the given `<string>` name, otherwise returns empty.
// - `emitAs: <attribute>.emitAs(<string>)` -> sets the `<attribute>` name
// field to the given `<string>` for propagation in selected output
// credentials.
// - `strict: <attribute>.strict()` -> ignore the `x-goog-iap-attr-` prefix
// for the provided `<attribute>` when propagating via the `HEADER` output
// credential, i.e. request headers.
// - `append: <target_list>.append(<attribute>)` OR
// `<target_list>.append(<list>)` -> append the provided `<attribute>` or
// `<list>` onto the end of `<target_list>`.
//
// Example expression: `attributes.saml_attributes.filter(x, x.name in
// ['test']).append(attributes.iap_attributes.selectByName('exact').emitAs('custom').strict())`
optional string expression = 1;
// Which output credentials attributes selected by the CEL expression should
// be propagated in. All attributes will be fully duplicated in each selected
// output credential.
repeated OutputCredentials output_credentials = 2;
// Whether the provided attribute propagation settings should be evaluated on
// user requests. If set to true, attributes returned from the expression will
// be propagated in the set output credentials.
optional bool enable = 3;
}
// API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
// OAuth brands; and create, retrieve, delete and reset-secret of IAP OAuth
// clients.
service IdentityAwareProxyOAuthService {
option (google.api.default_host) = "iap.googleapis.com";
option (google.api.oauth_scopes) =
"https://www.googleapis.com/auth/cloud-platform";
// Lists the existing brands for the project.
rpc ListBrands(ListBrandsRequest) returns (ListBrandsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*}/brands"
};
}
// Constructs a new OAuth brand for the project if one does not exist.
// The created brand is "internal only", meaning that OAuth clients created
// under it only accept requests from users who belong to the same Google
// Workspace organization as the project. The brand is created in an
// un-reviewed status. NOTE: The "internal only" status can be manually
// changed in the Google Cloud Console. Requires that a brand does not already
// exist for the project, and that the specified support email is owned by the
// caller.
rpc CreateBrand(CreateBrandRequest) returns (Brand) {
option (google.api.http) = {
post: "/v1/{parent=projects/*}/brands"
body: "brand"
};
}
// Retrieves the OAuth brand of the project.
rpc GetBrand(GetBrandRequest) returns (Brand) {
option (google.api.http) = {
get: "/v1/{name=projects/*/brands/*}"
};
}
// Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned
// by IAP. Requires that the brand for the project exists and that it is
// set for internal-only use.
rpc CreateIdentityAwareProxyClient(CreateIdentityAwareProxyClientRequest)
returns (IdentityAwareProxyClient) {
option (google.api.http) = {
post: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
body: "identity_aware_proxy_client"
};
}
// Lists the existing clients for the brand.
rpc ListIdentityAwareProxyClients(ListIdentityAwareProxyClientsRequest)
returns (ListIdentityAwareProxyClientsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
};
}
// Retrieves an Identity Aware Proxy (IAP) OAuth client.
// Requires that the client is owned by IAP.
rpc GetIdentityAwareProxyClient(GetIdentityAwareProxyClientRequest)
returns (IdentityAwareProxyClient) {
option (google.api.http) = {
get: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
};
}
// Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the
// secret was compromised. Requires that the client is owned by IAP.
rpc ResetIdentityAwareProxyClientSecret(
ResetIdentityAwareProxyClientSecretRequest)
returns (IdentityAwareProxyClient) {
option (google.api.http) = {
post: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}:resetSecret"
body: "*"
};
}
// Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing
// obsolete clients, managing the number of clients in a given project, and
// cleaning up after tests. Requires that the client is owned by IAP.
rpc DeleteIdentityAwareProxyClient(DeleteIdentityAwareProxyClientRequest)
returns (google.protobuf.Empty) {
option (google.api.http) = {
delete: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
};
}
}
// The request sent to ListBrands.
@ -571,7 +665,8 @@ message CreateIdentityAwareProxyClientRequest {
string parent = 1 [(google.api.field_behavior) = REQUIRED];
// Required. Identity Aware Proxy Client to be created.
IdentityAwareProxyClient identity_aware_proxy_client = 2 [(google.api.field_behavior) = REQUIRED];
IdentityAwareProxyClient identity_aware_proxy_client = 2
[(google.api.field_behavior) = REQUIRED];
}
// The request sent to GetIdentityAwareProxyClient.
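Review bot: In the `@ -465,9 +398,19` hunk, the new `repeated string domains = 2;` in AllowedDomainsSettings is an access allowlist, but its only documentation is `// List of trusted domains.`, which leaves the entry format and the matching rule unspecified — a reader cannot tell whether an entry such as `example.com` also admits its subdomains, or whether a scheme, port or wildcard is accepted. The relation to `enable` is also undocumented: presumably a non-empty list has no effect while `enable` is false or unset, but the message does not say so. I would expand the field comments to state the expected entry format, the matching rule IAP applies, and that `enable` must be true for the list to take effect, and extend `// Configuration for customers to opt in for the feature.` with what an unset value means. Generated client documentation is derived from these comments, so this is where consumers will look for the contract.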

@ -65,8 +65,10 @@ java_grpc_library(
java_gapic_library(
name = "iap_java_gapic",
srcs = [":iap_proto_with_info"],
gapic_yaml = None,
grpc_service_config = "iap_grpc_service_config.json",
rest_numeric_enums = True,
service_yaml = "iap_v1beta1.yaml",
test_deps = [
":iap_java_grpc",
"//google/iam/v1:iam_java_grpc",
@ -74,6 +76,7 @@ java_gapic_library(
transport = "grpc+rest",
deps = [
":iap_java_proto",
"//google/api:api_java_proto",
"//google/iam/v1:iam_java_proto",
],
)
@ -170,6 +173,7 @@ py_gapic_library(
srcs = [":iap_proto"],
grpc_service_config = "iap_grpc_service_config.json",
rest_numeric_enums = True,
service_yaml = "iap_v1beta1.yaml",
transport = "grpc",
deps = [
"//google/iam/v1:iam_policy_py_proto",
@ -295,16 +299,17 @@ ruby_cloud_gapic_library(
name = "iap_ruby_gapic",
srcs = [":iap_proto_with_info"],
extra_protoc_parameters = [
"ruby-cloud-gem-name=google-cloud-iap-v1beta1",
"ruby-cloud-env-prefix=IAP",
"ruby-cloud-product-url=https://cloud.google.com/iap/",
"ruby-cloud-api-id=iap.googleapis.com",
"ruby-cloud-api-shortname=iap",
"ruby-cloud-env-prefix=IAP",
"ruby-cloud-gem-name=google-cloud-iap-v1beta1",
"ruby-cloud-product-url=https://cloud.google.com/iap/",
],
grpc_service_config = "iap_grpc_service_config.json",
rest_numeric_enums = True,
ruby_cloud_description = "IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.",
ruby_cloud_title = "Identity-Aware Proxy V1beta1",
service_yaml = "iap_v1beta1.yaml",
deps = [
":iap_ruby_grpc",
":iap_ruby_proto",
@ -369,4 +374,20 @@ csharp_gapic_assembly_pkg(
##############################################################################
# C++
##############################################################################
# Put your C++ rules here
load(
"@com_google_googleapis_imports//:imports.bzl",
"cc_grpc_library",
"cc_proto_library",
)
cc_proto_library(
name = "iap_cc_proto",
deps = [":iap_proto"],
)
cc_grpc_library(
name = "iap_cc_grpc",
srcs = [":iap_proto"],
grpc_only = True,
deps = [":iap_cc_proto"],
)
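Review bot: In the `@ -369,4 +374,20` hunk, the placeholder `# Put your C++ rules here` appears to be kept as context (the header shows 16 added lines against 4 unchanged ones) directly above the real `cc_proto_library` and `cc_grpc_library` rules it was standing in for, so it now reads as a stale instruction. I would drop that line when adding the rules. The added rules themselves are consistent with the sibling language sections in this file.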
