lib/google/iam/v1/policy_pb.rb in grpc-google-iam-v1-1.2.0 vs lib/google/iam/v1/policy_pb.rb in grpc-google-iam-v1-1.3.0

@@ -1,66 +1,39 @@
+# frozen_string_literal: true
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: google/iam/v1/policy.proto
 
 require 'google/protobuf'
 
 require 'google/type/expr_pb'
 
-Google::Protobuf::DescriptorPool.generated_pool.build do
-  add_file("google/iam/v1/policy.proto", :syntax => :proto3) do
-    add_message "google.iam.v1.Policy" do
-      optional :version, :int32, 1
-      repeated :bindings, :message, 4, "google.iam.v1.Binding"
-      repeated :audit_configs, :message, 6, "google.iam.v1.AuditConfig"
-      optional :etag, :bytes, 3
+
+descriptor_data = "\n\x1agoogle/iam/v1/policy.proto\x12\rgoogle.iam.v1\x1a\x16google/type/expr.proto\"\x84\x01\n\x06Policy\x12\x0f\n\x07version\x18\x01 \x01(\x05\x12(\n\x08\x62indings\x18\x04 \x03(\x0b\x32\x16.google.iam.v1.Binding\x12\x31\n\raudit_configs\x18\x06 \x03(\x0b\x32\x1a.google.iam.v1.AuditConfig\x12\x0c\n\x04\x65tag\x18\x03 \x01(\x0c\"N\n\x07\x42inding\x12\x0c\n\x04role\x18\x01 \x01(\t\x12\x0f\n\x07members\x18\x02 \x03(\t\x12$\n\tcondition\x18\x03 \x01(\x0b\x32\x11.google.type.Expr\"X\n\x0b\x41uditConfig\x12\x0f\n\x07service\x18\x01 \x01(\t\x12\x38\n\x11\x61udit_log_configs\x18\x03 \x03(\x0b\x32\x1d.google.iam.v1.AuditLogConfig\"\xb7\x01\n\x0e\x41uditLogConfig\x12\x37\n\x08log_type\x18\x01 \x01(\x0e\x32%.google.iam.v1.AuditLogConfig.LogType\x12\x18\n\x10\x65xempted_members\x18\x02 \x03(\t\"R\n\x07LogType\x12\x18\n\x14LOG_TYPE_UNSPECIFIED\x10\x00\x12\x0e\n\nADMIN_READ\x10\x01\x12\x0e\n\nDATA_WRITE\x10\x02\x12\r\n\tDATA_READ\x10\x03\"\x80\x01\n\x0bPolicyDelta\x12\x33\n\x0e\x62inding_deltas\x18\x01 \x03(\x0b\x32\x1b.google.iam.v1.BindingDelta\x12<\n\x13\x61udit_config_deltas\x18\x02 \x03(\x0b\x32\x1f.google.iam.v1.AuditConfigDelta\"\xbd\x01\n\x0c\x42indingDelta\x12\x32\n\x06\x61\x63tion\x18\x01 \x01(\x0e\x32\".google.iam.v1.BindingDelta.Action\x12\x0c\n\x04role\x18\x02 \x01(\t\x12\x0e\n\x06member\x18\x03 \x01(\t\x12$\n\tcondition\x18\x04 \x01(\x0b\x32\x11.google.type.Expr\"5\n\x06\x41\x63tion\x12\x16\n\x12\x41\x43TION_UNSPECIFIED\x10\x00\x12\x07\n\x03\x41\x44\x44\x10\x01\x12\n\n\x06REMOVE\x10\x02\"\xbd\x01\n\x10\x41uditConfigDelta\x12\x36\n\x06\x61\x63tion\x18\x01 \x01(\x0e\x32&.google.iam.v1.AuditConfigDelta.Action\x12\x0f\n\x07service\x18\x02 \x01(\t\x12\x17\n\x0f\x65xempted_member\x18\x03 \x01(\t\x12\x10\n\x08log_type\x18\x04 \x01(\t\"5\n\x06\x41\x63tion\x12\x16\n\x12\x41\x43TION_UNSPECIFIED\x10\x00\x12\x07\n\x03\x41\x44\x44\x10\x01\x12\n\n\x06REMOVE\x10\x02\x42|\n\x11\x63om.google.iam.v1B\x0bPolicyProtoP\x01Z)cloud.google.com/go/iam/apiv1/iampb;iampb\xf8\x01\x01\xaa\x02\x13Google.Cloud.Iam.V1\xca\x02\x13Google\\Cloud\\Iam\\V1b\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError => e
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+    ["google.type.Expr", "google/type/expr.proto"],
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
     end
-    add_message "google.iam.v1.Binding" do
-      optional :role, :string, 1
-      repeated :members, :string, 2
-      optional :condition, :message, 3, "google.type.Expr"
-    end
-    add_message "google.iam.v1.AuditConfig" do
-      optional :service, :string, 1
-      repeated :audit_log_configs, :message, 3, "google.iam.v1.AuditLogConfig"
-    end
-    add_message "google.iam.v1.AuditLogConfig" do
-      optional :log_type, :enum, 1, "google.iam.v1.AuditLogConfig.LogType"
-      repeated :exempted_members, :string, 2
-    end
-    add_enum "google.iam.v1.AuditLogConfig.LogType" do
-      value :LOG_TYPE_UNSPECIFIED, 0
-      value :ADMIN_READ, 1
-      value :DATA_WRITE, 2
-      value :DATA_READ, 3
-    end
-    add_message "google.iam.v1.PolicyDelta" do
-      repeated :binding_deltas, :message, 1, "google.iam.v1.BindingDelta"
-      repeated :audit_config_deltas, :message, 2, "google.iam.v1.AuditConfigDelta"
-    end
-    add_message "google.iam.v1.BindingDelta" do
-      optional :action, :enum, 1, "google.iam.v1.BindingDelta.Action"
-      optional :role, :string, 2
-      optional :member, :string, 3
-      optional :condition, :message, 4, "google.type.Expr"
-    end
-    add_enum "google.iam.v1.BindingDelta.Action" do
-      value :ACTION_UNSPECIFIED, 0
-      value :ADD, 1
-      value :REMOVE, 2
-    end
-    add_message "google.iam.v1.AuditConfigDelta" do
-      optional :action, :enum, 1, "google.iam.v1.AuditConfigDelta.Action"
-      optional :service, :string, 2
-      optional :exempted_member, :string, 3
-      optional :log_type, :string, 4
-    end
-    add_enum "google.iam.v1.AuditConfigDelta.Action" do
-      value :ACTION_UNSPECIFIED, 0
-      value :ADD, 1
-      value :REMOVE, 2
-    end
   end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
 end
 
 module Google
   module Iam
     module V1
@@ -75,5 +48,418 @@
       AuditConfigDelta = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.AuditConfigDelta").msgclass
       AuditConfigDelta::Action = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.iam.v1.AuditConfigDelta.Action").enummodule
     end
   end
 end
+
+#### Source proto file: google/iam/v1/policy.proto ####
+#
+# // Copyright 2023 Google LLC
+# //
+# // Licensed under the Apache License, Version 2.0 (the "License");
+# // you may not use this file except in compliance with the License.
+# // You may obtain a copy of the License at
+# //
+# //     http://www.apache.org/licenses/LICENSE-2.0
+# //
+# // Unless required by applicable law or agreed to in writing, software
+# // distributed under the License is distributed on an "AS IS" BASIS,
+# // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# // See the License for the specific language governing permissions and
+# // limitations under the License.
+#
+# syntax = "proto3";
+#
+# package google.iam.v1;
+#
+# import "google/type/expr.proto";
+#
+# option cc_enable_arenas = true;
+# option csharp_namespace = "Google.Cloud.Iam.V1";
+# option go_package = "cloud.google.com/go/iam/apiv1/iampb;iampb";
+# option java_multiple_files = true;
+# option java_outer_classname = "PolicyProto";
+# option java_package = "com.google.iam.v1";
+# option php_namespace = "Google\\Cloud\\Iam\\V1";
+#
+# // An Identity and Access Management (IAM) policy, which specifies access
+# // controls for Google Cloud resources.
+# //
+# //
+# // A `Policy` is a collection of `bindings`. A `binding` binds one or more
+# // `members`, or principals, to a single `role`. Principals can be user
+# // accounts, service accounts, Google groups, and domains (such as G Suite). A
+# // `role` is a named list of permissions; each `role` can be an IAM predefined
+# // role or a user-created custom role.
+# //
+# // For some types of Google Cloud resources, a `binding` can also specify a
+# // `condition`, which is a logical expression that allows access to a resource
+# // only if the expression evaluates to `true`. A condition can add constraints
+# // based on attributes of the request, the resource, or both. To learn which
+# // resources support conditions in their IAM policies, see the
+# // [IAM
+# // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+# //
+# // **JSON example:**
+# //
+# // ```
+# //     {
+# //       "bindings": [
+# //         {
+# //           "role": "roles/resourcemanager.organizationAdmin",
+# //           "members": [
+# //             "user:mike@example.com",
+# //             "group:admins@example.com",
+# //             "domain:google.com",
+# //             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+# //           ]
+# //         },
+# //         {
+# //           "role": "roles/resourcemanager.organizationViewer",
+# //           "members": [
+# //             "user:eve@example.com"
+# //           ],
+# //           "condition": {
+# //             "title": "expirable access",
+# //             "description": "Does not grant access after Sep 2020",
+# //             "expression": "request.time <
+# //             timestamp('2020-10-01T00:00:00.000Z')",
+# //           }
+# //         }
+# //       ],
+# //       "etag": "BwWWja0YfJA=",
+# //       "version": 3
+# //     }
+# // ```
+# //
+# // **YAML example:**
+# //
+# // ```
+# //     bindings:
+# //     - members:
+# //       - user:mike@example.com
+# //       - group:admins@example.com
+# //       - domain:google.com
+# //       - serviceAccount:my-project-id@appspot.gserviceaccount.com
+# //       role: roles/resourcemanager.organizationAdmin
+# //     - members:
+# //       - user:eve@example.com
+# //       role: roles/resourcemanager.organizationViewer
+# //       condition:
+# //         title: expirable access
+# //         description: Does not grant access after Sep 2020
+# //         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+# //     etag: BwWWja0YfJA=
+# //     version: 3
+# // ```
+# //
+# // For a description of IAM and its features, see the
+# // [IAM documentation](https://cloud.google.com/iam/docs/).
+# message Policy {
+#   // Specifies the format of the policy.
+#   //
+#   // Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+#   // are rejected.
+#   //
+#   // Any operation that affects conditional role bindings must specify version
+#   // `3`. This requirement applies to the following operations:
+#   //
+#   // * Getting a policy that includes a conditional role binding
+#   // * Adding a conditional role binding to a policy
+#   // * Changing a conditional role binding in a policy
+#   // * Removing any role binding, with or without a condition, from a policy
+#   //   that includes conditions
+#   //
+#   // **Important:** If you use IAM Conditions, you must include the `etag` field
+#   // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+#   // you to overwrite a version `3` policy with a version `1` policy, and all of
+#   // the conditions in the version `3` policy are lost.
+#   //
+#   // If a policy does not include any conditions, operations on that policy may
+#   // specify any valid version or leave the field unset.
+#   //
+#   // To learn which resources support conditions in their IAM policies, see the
+#   // [IAM
+#   // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+#   int32 version = 1;
+#
+#   // Associates a list of `members`, or principals, with a `role`. Optionally,
+#   // may specify a `condition` that determines how and when the `bindings` are
+#   // applied. Each of the `bindings` must contain at least one principal.
+#   //
+#   // The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+#   // of these principals can be Google groups. Each occurrence of a principal
+#   // counts towards these limits. For example, if the `bindings` grant 50
+#   // different roles to `user:alice@example.com`, and not to any other
+#   // principal, then you can add another 1,450 principals to the `bindings` in
+#   // the `Policy`.
+#   repeated Binding bindings = 4;
+#
+#   // Specifies cloud audit logging configuration for this policy.
+#   repeated AuditConfig audit_configs = 6;
+#
+#   // `etag` is used for optimistic concurrency control as a way to help
+#   // prevent simultaneous updates of a policy from overwriting each other.
+#   // It is strongly suggested that systems make use of the `etag` in the
+#   // read-modify-write cycle to perform policy updates in order to avoid race
+#   // conditions: An `etag` is returned in the response to `getIamPolicy`, and
+#   // systems are expected to put that etag in the request to `setIamPolicy` to
+#   // ensure that their change will be applied to the same version of the policy.
+#   //
+#   // **Important:** If you use IAM Conditions, you must include the `etag` field
+#   // whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+#   // you to overwrite a version `3` policy with a version `1` policy, and all of
+#   // the conditions in the version `3` policy are lost.
+#   bytes etag = 3;
+# }
+#
+# // Associates `members`, or principals, with a `role`.
+# message Binding {
+#   // Role that is assigned to the list of `members`, or principals.
+#   // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+#   string role = 1;
+#
+#   // Specifies the principals requesting access for a Google Cloud resource.
+#   // `members` can have the following values:
+#   //
+#   // * `allUsers`: A special identifier that represents anyone who is
+#   //    on the internet; with or without a Google account.
+#   //
+#   // * `allAuthenticatedUsers`: A special identifier that represents anyone
+#   //    who is authenticated with a Google account or a service account.
+#   //
+#   // * `user:{emailid}`: An email address that represents a specific Google
+#   //    account. For example, `alice@example.com` .
+#   //
+#   //
+#   // * `serviceAccount:{emailid}`: An email address that represents a service
+#   //    account. For example, `my-other-app@appspot.gserviceaccount.com`.
+#   //
+#   // * `group:{emailid}`: An email address that represents a Google group.
+#   //    For example, `admins@example.com`.
+#   //
+#   // * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+#   //    identifier) representing a user that has been recently deleted. For
+#   //    example, `alice@example.com?uid=123456789012345678901`. If the user is
+#   //    recovered, this value reverts to `user:{emailid}` and the recovered user
+#   //    retains the role in the binding.
+#   //
+#   // * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+#   //    unique identifier) representing a service account that has been recently
+#   //    deleted. For example,
+#   //    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+#   //    If the service account is undeleted, this value reverts to
+#   //    `serviceAccount:{emailid}` and the undeleted service account retains the
+#   //    role in the binding.
+#   //
+#   // * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+#   //    identifier) representing a Google group that has been recently
+#   //    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+#   //    the group is recovered, this value reverts to `group:{emailid}` and the
+#   //    recovered group retains the role in the binding.
+#   //
+#   //
+#   // * `domain:{domain}`: The G Suite domain (primary) that represents all the
+#   //    users of that domain. For example, `google.com` or `example.com`.
+#   //
+#   //
+#   repeated string members = 2;
+#
+#   // The condition that is associated with this binding.
+#   //
+#   // If the condition evaluates to `true`, then this binding applies to the
+#   // current request.
+#   //
+#   // If the condition evaluates to `false`, then this binding does not apply to
+#   // the current request. However, a different role binding might grant the same
+#   // role to one or more of the principals in this binding.
+#   //
+#   // To learn which resources support conditions in their IAM policies, see the
+#   // [IAM
+#   // documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+#   google.type.Expr condition = 3;
+# }
+#
+# // Specifies the audit configuration for a service.
+# // The configuration determines which permission types are logged, and what
+# // identities, if any, are exempted from logging.
+# // An AuditConfig must have one or more AuditLogConfigs.
+# //
+# // If there are AuditConfigs for both `allServices` and a specific service,
+# // the union of the two AuditConfigs is used for that service: the log_types
+# // specified in each AuditConfig are enabled, and the exempted_members in each
+# // AuditLogConfig are exempted.
+# //
+# // Example Policy with multiple AuditConfigs:
+# //
+# //     {
+# //       "audit_configs": [
+# //         {
+# //           "service": "allServices",
+# //           "audit_log_configs": [
+# //             {
+# //               "log_type": "DATA_READ",
+# //               "exempted_members": [
+# //                 "user:jose@example.com"
+# //               ]
+# //             },
+# //             {
+# //               "log_type": "DATA_WRITE"
+# //             },
+# //             {
+# //               "log_type": "ADMIN_READ"
+# //             }
+# //           ]
+# //         },
+# //         {
+# //           "service": "sampleservice.googleapis.com",
+# //           "audit_log_configs": [
+# //             {
+# //               "log_type": "DATA_READ"
+# //             },
+# //             {
+# //               "log_type": "DATA_WRITE",
+# //               "exempted_members": [
+# //                 "user:aliya@example.com"
+# //               ]
+# //             }
+# //           ]
+# //         }
+# //       ]
+# //     }
+# //
+# // For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+# // logging. It also exempts `jose@example.com` from DATA_READ logging, and
+# // `aliya@example.com` from DATA_WRITE logging.
+# message AuditConfig {
+#   // Specifies a service that will be enabled for audit logging.
+#   // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+#   // `allServices` is a special value that covers all services.
+#   string service = 1;
+#
+#   // The configuration for logging of each type of permission.
+#   repeated AuditLogConfig audit_log_configs = 3;
+# }
+#
+# // Provides the configuration for logging a type of permissions.
+# // Example:
+# //
+# //     {
+# //       "audit_log_configs": [
+# //         {
+# //           "log_type": "DATA_READ",
+# //           "exempted_members": [
+# //             "user:jose@example.com"
+# //           ]
+# //         },
+# //         {
+# //           "log_type": "DATA_WRITE"
+# //         }
+# //       ]
+# //     }
+# //
+# // This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+# // jose@example.com from DATA_READ logging.
+# message AuditLogConfig {
+#   // The list of valid permission types for which logging can be configured.
+#   // Admin writes are always logged, and are not configurable.
+#   enum LogType {
+#     // Default case. Should never be this.
+#     LOG_TYPE_UNSPECIFIED = 0;
+#
+#     // Admin reads. Example: CloudIAM getIamPolicy
+#     ADMIN_READ = 1;
+#
+#     // Data writes. Example: CloudSQL Users create
+#     DATA_WRITE = 2;
+#
+#     // Data reads. Example: CloudSQL Users list
+#     DATA_READ = 3;
+#   }
+#
+#   // The log type that this config enables.
+#   LogType log_type = 1;
+#
+#   // Specifies the identities that do not cause logging for this type of
+#   // permission.
+#   // Follows the same format of
+#   // [Binding.members][google.iam.v1.Binding.members].
+#   repeated string exempted_members = 2;
+# }
+#
+# // The difference delta between two policies.
+# message PolicyDelta {
+#   // The delta for Bindings between two policies.
+#   repeated BindingDelta binding_deltas = 1;
+#
+#   // The delta for AuditConfigs between two policies.
+#   repeated AuditConfigDelta audit_config_deltas = 2;
+# }
+#
+# // One delta entry for Binding. Each individual change (only one member in each
+# // entry) to a binding will be a separate entry.
+# message BindingDelta {
+#   // The type of action performed on a Binding in a policy.
+#   enum Action {
+#     // Unspecified.
+#     ACTION_UNSPECIFIED = 0;
+#
+#     // Addition of a Binding.
+#     ADD = 1;
+#
+#     // Removal of a Binding.
+#     REMOVE = 2;
+#   }
+#
+#   // The action that was performed on a Binding.
+#   // Required
+#   Action action = 1;
+#
+#   // Role that is assigned to `members`.
+#   // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+#   // Required
+#   string role = 2;
+#
+#   // A single identity requesting access for a Google Cloud resource.
+#   // Follows the same format of Binding.members.
+#   // Required
+#   string member = 3;
+#
+#   // The condition that is associated with this binding.
+#   google.type.Expr condition = 4;
+# }
+#
+# // One delta entry for AuditConfig. Each individual change (only one
+# // exempted_member in each entry) to a AuditConfig will be a separate entry.
+# message AuditConfigDelta {
+#   // The type of action performed on an audit configuration in a policy.
+#   enum Action {
+#     // Unspecified.
+#     ACTION_UNSPECIFIED = 0;
+#
+#     // Addition of an audit configuration.
+#     ADD = 1;
+#
+#     // Removal of an audit configuration.
+#     REMOVE = 2;
+#   }
+#
+#   // The action that was performed on an audit configuration in a policy.
+#   // Required
+#   Action action = 1;
+#
+#   // Specifies a service that was configured for Cloud Audit Logging.
+#   // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+#   // `allServices` is a special value that covers all services.
+#   // Required
+#   string service = 2;
+#
+#   // A single identity that is exempted from "data access" audit
+#   // logging for the `service` specified above.
+#   // Follows the same format of Binding.members.
+#   string exempted_member = 3;
+#
+#   // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
+#   // enabled, and cannot be configured.
+#   // Required
+#   string log_type = 4;
+# }