# frozen_string_literal: true

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Auto-generated by gapic-generator-ruby. DO NOT EDIT!

module Google
  module Cloud
    module PolicyTroubleshooter
      module V1
        # Information about the principal, resource, and permission to check.
        #
        # This is the request-side triple the troubleshooter evaluates; the three
        # fields below are all marked Required in the upstream proto.
        # @!attribute [rw] principal
        #   @return [::String]
        #     Required. The principal whose access you want to check, in the form of
        #     the email address that represents that principal. For example,
        #     `alice@example.com` or
        #     `my-service-account@my-project.iam.gserviceaccount.com`.
        #
        #     The principal must be a Google Account or a service account. Other types of
        #     principals are not supported.
        # @!attribute [rw] full_resource_name
        #   @return [::String]
        #     Required. The full resource name that identifies the resource. For example,
        #     `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
        #
        #     For examples of full resource names for Google Cloud services, see
        #     https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
        # @!attribute [rw] permission
        #   @return [::String]
        #     Required. The IAM permission to check for the specified principal and
        #     resource.
        #
        #     For a complete list of IAM permissions, see
        #     https://cloud.google.com/iam/help/permissions/reference.
        #
        #     For a complete list of predefined IAM roles and the permissions in each
        #     role, see https://cloud.google.com/iam/help/roles/reference.
        class AccessTuple
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Details about how a specific IAM {::Google::Iam::V1::Policy Policy} contributed
        # to the access check.
        #
        # Several fields are documented as omitted or empty when the caller cannot
        # read the underlying policy, so a missing field is not evidence that the
        # policy grants nothing.
        # @!attribute [rw] access
        #   @return [::Google::Cloud::PolicyTroubleshooter::V1::AccessState]
        #     Indicates whether _this policy_ provides the specified permission to the
        #     specified principal for the specified resource.
        #
        #     This field does _not_ indicate whether the principal actually has the
        #     permission for the resource. There might be another policy that overrides
        #     this policy. To determine whether the principal actually has the
        #     permission, use the `access` field in the
        #     [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].
        # @!attribute [rw] full_resource_name
        #   @return [::String]
        #     The full resource name that identifies the resource. For example,
        #     `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
        #
        #     If the sender of the request does not have access to the policy, this field
        #     is omitted.
        #
        #     For examples of full resource names for Google Cloud services, see
        #     https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
        # @!attribute [rw] policy
        #   @return [::Google::Iam::V1::Policy]
        #     The IAM policy attached to the resource.
        #
        #     If the sender of the request does not have access to the policy, this field
        #     is empty.
        # @!attribute [rw] binding_explanations
        #   @return [::Array<::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation>]
        #     Details about how each binding in the policy affects the principal's
        #     ability, or inability, to use the permission for the resource.
        #
        #     If the sender of the request does not have access to the policy, this field
        #     is omitted.
        # @!attribute [rw] relevance
        #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
        #     The relevance of this policy to the overall determination in the
        #     [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].
        #
        #     If the sender of the request does not have access to the policy, this field
        #     is omitted.
        class ExplainedPolicy
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Details about how a binding in a policy affects a principal's ability to use
        # a permission.
        # @!attribute [rw] access
        #   @return [::Google::Cloud::PolicyTroubleshooter::V1::AccessState]
        #     Required. Indicates whether _this binding_ provides the specified
        #     permission to the specified principal for the specified resource.
        #
        #     This field does _not_ indicate whether the principal actually has the
        #     permission for the resource. There might be another binding that overrides
        #     this binding. To determine whether the principal actually has the
        #     permission, use the `access` field in the
        #     [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].
        # @!attribute [rw] role
        #   @return [::String]
        #     The role that this binding grants. For example,
        #     `roles/compute.serviceAgent`.
        #
        #     For a complete list of predefined IAM roles, as well as the permissions in
        #     each role, see https://cloud.google.com/iam/help/roles/reference.
        # @!attribute [rw] role_permission
        #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::RolePermission]
        #     Indicates whether the role granted by this binding contains the specified
        #     permission.
        # @!attribute [rw] role_permission_relevance
        #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
        #     The relevance of the permission's existence, or nonexistence, in the role
        #     to the overall determination for the entire policy.
        # @!attribute [rw] memberships
        #   @return [::Google::Protobuf::Map{::String => ::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership}]
        #     Indicates whether each principal in the binding includes the principal
        #     specified in the request, either directly or indirectly. Each key
        #     identifies a principal in the binding, and each value indicates whether the
        #     principal in the binding includes the principal in the request.
        #
        #     For example, suppose that a binding includes the following principals:
        #
        #     * `user:alice@example.com`
        #     * `group:product-eng@example.com`
        #
        #     You want to troubleshoot access for `user:bob@example.com`. This user is a
        #     principal of the group `group:product-eng@example.com`.
        #
        #     For the first principal in the binding, the key is
        #     `user:alice@example.com`, and the `membership` field in the value is set to
        #     `MEMBERSHIP_NOT_INCLUDED`.
        #
        #     For the second principal in the binding, the key is
        #     `group:product-eng@example.com`, and the `membership` field in the value is
        #     set to `MEMBERSHIP_INCLUDED`.
        # @!attribute [rw] relevance
        #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
        #     The relevance of this binding to the overall determination for the entire
        #     policy.
        # @!attribute [rw] condition
        #   @return [::Google::Type::Expr]
        #     A condition expression that prevents this binding from granting access
        #     unless the expression evaluates to `true`.
        #
        #     To learn about IAM Conditions, see
        #     https://cloud.google.com/iam/help/conditions/overview.
        class BindingExplanation
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods

          # Details about whether the binding includes the principal.
          # @!attribute [rw] membership
          #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::Membership]
          #     Indicates whether the binding includes the principal.
          # @!attribute [rw] relevance
          #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
          #     The relevance of the principal's status to the overall determination for
          #     the binding.
          class AnnotatedMembership
            include ::Google::Protobuf::MessageExts
            extend ::Google::Protobuf::MessageExts::ClassMethods
          end

          # Map entry type; its key/value types match those declared for the
          # `memberships` map on {BindingExplanation} (presumably the backing
          # entry for that map — confirm against the proto).
          # @!attribute [rw] key
          #   @return [::String]
          # @!attribute [rw] value
          #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership]
          class MembershipsEntry
            include ::Google::Protobuf::MessageExts
            extend ::Google::Protobuf::MessageExts::ClassMethods
          end

          # Whether a role includes a specific permission.
          module RolePermission
            # Default value. This value is unused.
            ROLE_PERMISSION_UNSPECIFIED = 0

            # The permission is included in the role.
            ROLE_PERMISSION_INCLUDED = 1

            # The permission is not included in the role.
            ROLE_PERMISSION_NOT_INCLUDED = 2

            # The sender of the request is not allowed to access the binding.
            # NOTE(review): this is an inconclusive answer, not a NOT_INCLUDED.
            ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
          end

          # Whether the binding includes the principal.
          module Membership
            # Default value. This value is unused.
            MEMBERSHIP_UNSPECIFIED = 0

            # The binding includes the principal. The principal can be included
            # directly or indirectly. For example:
            #
            # * A principal is included directly if that principal is listed in the
            #   binding.
            # * A principal is included indirectly if that principal is in a Google
            #   group or Google Workspace domain that is listed in the binding.
            MEMBERSHIP_INCLUDED = 1

            # The binding does not include the principal.
            MEMBERSHIP_NOT_INCLUDED = 2

            # The sender of the request is not allowed to access the binding.
            MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

            # The principal is an unsupported type. Only Google Accounts and service
            # accounts are supported.
            MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
          end
        end

        # Whether a principal has a permission for a resource.
        #
        # NOTE(review): the two UNKNOWN_* values are inconclusive outcomes, not
        # denials; consumers that collapse this enum onto a boolean lose that
        # distinction.
        module AccessState
          # Default value. This value is unused.
          ACCESS_STATE_UNSPECIFIED = 0

          # The principal has the permission.
          GRANTED = 1

          # The principal does not have the permission.
          NOT_GRANTED = 2

          # The principal has the permission only if a condition expression evaluates
          # to `true`.
          UNKNOWN_CONDITIONAL = 3

          # The sender of the request does not have access to all of the policies that
          # Policy Troubleshooter needs to evaluate.
          UNKNOWN_INFO_DENIED = 4
        end

        # The extent to which a single data point, such as the existence of a binding
        # or whether a binding includes a specific principal, contributes to an overall
        # determination.
        module HeuristicRelevance
          # Default value. This value is unused.
          HEURISTIC_RELEVANCE_UNSPECIFIED = 0

          # The data point has a limited effect on the result. Changing the data point
          # is unlikely to affect the overall determination.
          NORMAL = 1

          # The data point has a strong effect on the result. Changing the data point
          # is likely to affect the overall determination.
          HIGH = 2
        end
      end
    end
  end
end