# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module Google
module Iam
module V1
# Defines an Identity and Access Management (IAM) policy. It is used to
# specify access control policies for Cloud Platform resources.
#
#
# A `Policy` is a collection of `bindings`. A `binding` binds one or more
# `members` to a single `role`. Members can be user accounts, service accounts,
# Google groups, and domains (such as G Suite). A `role` is a named list of
# permissions (defined by IAM or configured by users). A `binding` can
# optionally specify a `condition`, which is a logic expression that further
# constrains the role binding based on attributes about the request and/or
# target resource.
#
# **JSON Example**
#
# {
# "bindings": [
# {
# "role": "roles/resourcemanager.organizationAdmin",
# "members": [
# "user:mike@example.com",
# "group:admins@example.com",
# "domain:google.com",
# "serviceAccount:my-project-id@appspot.gserviceaccount.com"
# ]
# },
# {
# "role": "roles/resourcemanager.organizationViewer",
# "members": ["user:eve@example.com"],
# "condition": {
# "title": "expirable access",
# "description": "Does not grant access after Sep 2020",
# "expression": "request.time <
# timestamp('2020-10-01T00:00:00.000Z')",
# }
# }
# ]
# }
#
# **YAML Example**
#
# bindings:
# * members:
# * user:mike@example.com
# * group:admins@example.com
# * domain:google.com
# * serviceAccount:my-project-id@appspot.gserviceaccount.com
# role: roles/resourcemanager.organizationAdmin
# * members:
# * user:eve@example.com
# role: roles/resourcemanager.organizationViewer
# condition:
# title: expirable access
# description: Does not grant access after Sep 2020
# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
#
# For a description of IAM and its features, see the
# [IAM developer's guide](https://cloud.google.com/iam/docs).
# @!attribute [rw] version
# @return [Integer]
# Specifies the format of the policy.
#
# Valid values are 0, 1, and 3. Requests specifying an invalid value will be
# rejected.
#
# Operations affecting conditional bindings must specify version 3. This can
# be either setting a conditional policy, modifying a conditional binding,
# or removing a conditional binding from the stored conditional policy.
# Operations on non-conditional policies may specify any valid value or
# leave the field unset.
#
# If no etag is provided in the call to `setIamPolicy`, any version
# compliance checks on the incoming and/or stored policy is skipped.
# @!attribute [rw] bindings
# @return [Array<Google::Iam::V1::Binding>]
# Associates a list of `members` to a `role`. Optionally may specify a
# `condition` that determines when binding is in effect.
# `bindings` with no members will result in an error.
# @!attribute [rw] etag
# @return [String]
# `etag` is used for optimistic concurrency control as a way to help
# prevent simultaneous updates of a policy from overwriting each other.
# It is strongly suggested that systems make use of the `etag` in the
# read-modify-write cycle to perform policy updates in order to avoid race
# conditions: An `etag` is returned in the response to `getIamPolicy`, and
# systems are expected to put that etag in the request to `setIamPolicy` to
# ensure that their change will be applied to the same version of the policy.
#
# If no `etag` is provided in the call to `setIamPolicy`, then the existing
# policy is overwritten. Due to blind-set semantics of an etag-less policy,
# 'setIamPolicy' will not fail even if either of incoming or stored policy
# does not meet the version requirements.
class Policy; end
# Associates `members` with a `role`.
# @!attribute [rw] role
# @return [String]
# Role that is assigned to `members`.
# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
# @!attribute [rw] members
# @return [Array<String>]
# Specifies the identities requesting access for a Cloud Platform resource.
# `members` can have the following values:
#
# * `allUsers`: A special identifier that represents anyone who is
# on the internet; with or without a Google account.
#
# * `allAuthenticatedUsers`: A special identifier that represents anyone
# who is authenticated with a Google account or a service account.
#
# * `user:{emailid}`: An email address that represents a specific Google
# account. For example, `alice@example.com` .
#
#
# * `serviceAccount:{emailid}`: An email address that represents a service
# account. For example, `my-other-app@appspot.gserviceaccount.com`.
#
# * `group:{emailid}`: An email address that represents a Google group.
# For example, `admins@example.com`.
#
#
# * `domain:{domain}`: The G Suite domain (primary) that represents all the
# users of that domain. For example, `google.com` or `example.com`.
# @!attribute [rw] condition
# @return [Google::Type::Expr]
# The condition that is associated with this binding.
# NOTE: An unsatisfied condition will not allow user access via current
# binding. Different bindings, including their conditions, are examined
# independently.
class Binding; end
end
end
end