accessapprovalpb

type AccessApprovalClient interface {
	// Lists approval requests associated with a project, folder, or organization.
	// Approval requests can be filtered by state (pending, active, dismissed).
	// The order is reverse chronological.
	ListApprovalRequests(ctx context.Context, in *ListApprovalRequestsMessage, opts ...grpc.CallOption) (*ListApprovalRequestsResponse, error)
	// Gets an approval request. Returns NOT_FOUND if the request does not exist.
	GetApprovalRequest(ctx context.Context, in *GetApprovalRequestMessage, opts ...grpc.CallOption) (*ApprovalRequest, error)
	// Approves a request and returns the updated ApprovalRequest.
	//
	// Returns NOT_FOUND if the request does not exist. Returns
	// FAILED_PRECONDITION if the request exists but is not in a pending state.
	ApproveApprovalRequest(ctx context.Context, in *ApproveApprovalRequestMessage, opts ...grpc.CallOption) (*ApprovalRequest, error)
	// Dismisses a request. Returns the updated ApprovalRequest.
	//
	// NOTE: This does not deny access to the resource if another request has been
	// made and approved. It is equivalent in effect to ignoring the request
	// altogether.
	//
	// Returns NOT_FOUND if the request does not exist.
	//
	// Returns FAILED_PRECONDITION if the request exists but is not in a pending
	// state.
	DismissApprovalRequest(ctx context.Context, in *DismissApprovalRequestMessage, opts ...grpc.CallOption) (*ApprovalRequest, error)
	// Invalidates an existing ApprovalRequest. Returns the updated
	// ApprovalRequest.
	//
	// NOTE: This does not deny access to the resource if another request has been
	// made and approved. It only invalidates a single approval.
	//
	// Returns FAILED_PRECONDITION if the request exists but is not in an approved
	// state.
	InvalidateApprovalRequest(ctx context.Context, in *InvalidateApprovalRequestMessage, opts ...grpc.CallOption) (*ApprovalRequest, error)
	// Gets the settings associated with a project, folder, or organization.
	GetAccessApprovalSettings(ctx context.Context, in *GetAccessApprovalSettingsMessage, opts ...grpc.CallOption) (*AccessApprovalSettings, error)
	// Updates the settings associated with a project, folder, or organization.
	// Settings to update are determined by the value of field_mask.
	UpdateAccessApprovalSettings(ctx context.Context, in *UpdateAccessApprovalSettingsMessage, opts ...grpc.CallOption) (*AccessApprovalSettings, error)
	// Deletes the settings associated with a project, folder, or organization.
	// This will have the effect of disabling Access Approval for the project,
	// folder, or organization, but only if all ancestors also have Access
	// Approval disabled. If Access Approval is enabled at a higher level of the
	// hierarchy, then Access Approval will still be enabled at this level as
	// the settings are inherited.
	DeleteAccessApprovalSettings(ctx context.Context, in *DeleteAccessApprovalSettingsMessage, opts ...grpc.CallOption) (*emptypb.Empty, error)
	// Retrieves the service account that is used by Access Approval to access KMS
	// keys for signing approved approval requests.
	GetAccessApprovalServiceAccount(ctx context.Context, in *GetAccessApprovalServiceAccountMessage, opts ...grpc.CallOption) (*AccessApprovalServiceAccount, error)
}

type AccessApprovalServer interface {
	// Lists approval requests associated with a project, folder, or organization.
	// Approval requests can be filtered by state (pending, active, dismissed).
	// The order is reverse chronological.
	ListApprovalRequests(context.Context, *ListApprovalRequestsMessage) (*ListApprovalRequestsResponse, error)
	// Gets an approval request. Returns NOT_FOUND if the request does not exist.
	GetApprovalRequest(context.Context, *GetApprovalRequestMessage) (*ApprovalRequest, error)
	// Approves a request and returns the updated ApprovalRequest.
	//
	// Returns NOT_FOUND if the request does not exist. Returns
	// FAILED_PRECONDITION if the request exists but is not in a pending state.
	ApproveApprovalRequest(context.Context, *ApproveApprovalRequestMessage) (*ApprovalRequest, error)
	// Dismisses a request. Returns the updated ApprovalRequest.
	//
	// NOTE: This does not deny access to the resource if another request has been
	// made and approved. It is equivalent in effect to ignoring the request
	// altogether.
	//
	// Returns NOT_FOUND if the request does not exist.
	//
	// Returns FAILED_PRECONDITION if the request exists but is not in a pending
	// state.
	DismissApprovalRequest(context.Context, *DismissApprovalRequestMessage) (*ApprovalRequest, error)
	// Invalidates an existing ApprovalRequest. Returns the updated
	// ApprovalRequest.
	//
	// NOTE: This does not deny access to the resource if another request has been
	// made and approved. It only invalidates a single approval.
	//
	// Returns FAILED_PRECONDITION if the request exists but is not in an approved
	// state.
	InvalidateApprovalRequest(context.Context, *InvalidateApprovalRequestMessage) (*ApprovalRequest, error)
	// Gets the settings associated with a project, folder, or organization.
	GetAccessApprovalSettings(context.Context, *GetAccessApprovalSettingsMessage) (*AccessApprovalSettings, error)
	// Updates the settings associated with a project, folder, or organization.
	// Settings to update are determined by the value of field_mask.
	UpdateAccessApprovalSettings(context.Context, *UpdateAccessApprovalSettingsMessage) (*AccessApprovalSettings, error)
	// Deletes the settings associated with a project, folder, or organization.
	// This will have the effect of disabling Access Approval for the project,
	// folder, or organization, but only if all ancestors also have Access
	// Approval disabled. If Access Approval is enabled at a higher level of the
	// hierarchy, then Access Approval will still be enabled at this level as
	// the settings are inherited.
	DeleteAccessApprovalSettings(context.Context, *DeleteAccessApprovalSettingsMessage) (*emptypb.Empty, error)
	// Retrieves the service account that is used by Access Approval to access KMS
	// keys for signing approved approval requests.
	GetAccessApprovalServiceAccount(context.Context, *GetAccessApprovalServiceAccountMessage) (*AccessApprovalServiceAccount, error)
}

type AccessApprovalServiceAccount struct {

	// The resource name of the Access Approval service account. Format is one of:
	//
	//   - "projects/{project}/serviceAccount"
	//   - "folders/{folder}/serviceAccount"
	//   - "organizations/{organization}/serviceAccount"
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Email address of the service account.
	AccountEmail string `protobuf:"bytes,2,opt,name=account_email,json=accountEmail,proto3" json:"account_email,omitempty"`
	// contains filtered or unexported fields
}

type AccessApprovalSettings struct {

	// The resource name of the settings. Format is one of:
	//
	//   - "projects/{project}/accessApprovalSettings"
	//   - "folders/{folder}/accessApprovalSettings"
	//   - "organizations/{organization}/accessApprovalSettings"
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// A list of email addresses to which notifications relating to approval
	// requests should be sent. Notifications relating to a resource will be sent
	// to all emails in the settings of ancestor resources of that resource. A
	// maximum of 50 email addresses are allowed.
	NotificationEmails []string `protobuf:"bytes,2,rep,name=notification_emails,json=notificationEmails,proto3" json:"notification_emails,omitempty"`
	// A list of Google Cloud Services for which the given resource has Access
	// Approval enrolled. Access requests for the resource given by name against
	// any of these services contained here will be required to have explicit
	// approval. If name refers to an organization, enrollment can be done for
	// individual services. If name refers to a folder or project, enrollment can
	// only be done on an all or nothing basis.
	//
	// If a cloud_product is repeated in this list, the first entry will be
	// honored and all following entries will be discarded. A maximum of 10
	// enrolled services will be enforced, to be expanded as the set of supported
	// services is expanded.
	EnrolledServices []*EnrolledService `protobuf:"bytes,3,rep,name=enrolled_services,json=enrolledServices,proto3" json:"enrolled_services,omitempty"`
	// Output only. This field is read only (not settable via
	// UpdateAccessApprovalSettings method). If the field is true, that
	// indicates that at least one service is enrolled for Access Approval in one
	// or more ancestors of the Project or Folder (this field will always be
	// unset for the organization since organizations do not have ancestors).
	EnrolledAncestor bool `protobuf:"varint,4,opt,name=enrolled_ancestor,json=enrolledAncestor,proto3" json:"enrolled_ancestor,omitempty"`
	// The asymmetric crypto key version to use for signing approval requests.
	// Empty active_key_version indicates that a Google-managed key should be used
	// for signing. This property will be ignored if set by an ancestor of this
	// resource, and new non-empty values may not be set.
	ActiveKeyVersion string `protobuf:"bytes,6,opt,name=active_key_version,json=activeKeyVersion,proto3" json:"active_key_version,omitempty"`
	// Output only. This field is read only (not settable via UpdateAccessApprovalSettings
	// method). If the field is true, that indicates that an ancestor of this
	// Project or Folder has set active_key_version (this field will always be
	// unset for the organization since organizations do not have ancestors).
	AncestorHasActiveKeyVersion bool `` /* 149-byte string literal not displayed */
	// Output only. This field is read only (not settable via UpdateAccessApprovalSettings
	// method). If the field is true, that indicates that there is some
	// configuration issue with the active_key_version configured at this level in
	// the resource hierarchy (e.g. it doesn't exist or the Access Approval
	// service account doesn't have the correct permissions on it, etc.) This key
	// version is not necessarily the effective key version at this level, as key
	// versions are inherited top-down.
	InvalidKeyVersion bool `protobuf:"varint,8,opt,name=invalid_key_version,json=invalidKeyVersion,proto3" json:"invalid_key_version,omitempty"`
	// contains filtered or unexported fields
}

type AccessLocations struct {

	// The "home office" location of the principal. A two-letter country code
	// (ISO 3166-1 alpha-2), such as "US", "DE" or "GB" or a region code. In some
	// limited situations Google systems may refer refer to a region code instead
	// of a country code.
	// Possible Region Codes:
	//
	//   - ASI: Asia
	//   - EUR: Europe
	//   - OCE: Oceania
	//   - AFR: Africa
	//   - NAM: North America
	//   - SAM: South America
	//   - ANT: Antarctica
	//   - ANY: Any location
	PrincipalOfficeCountry string `` /* 129-byte string literal not displayed */
	// Physical location of the principal at the time of the access. A
	// two-letter country code (ISO 3166-1 alpha-2), such as "US", "DE" or "GB" or
	// a region code. In some limited situations Google systems may refer refer to
	// a region code instead of a country code.
	// Possible Region Codes:
	//
	//   - ASI: Asia
	//   - EUR: Europe
	//   - OCE: Oceania
	//   - AFR: Africa
	//   - NAM: North America
	//   - SAM: South America
	//   - ANT: Antarctica
	//   - ANY: Any location
	PrincipalPhysicalLocationCountry string `` /* 161-byte string literal not displayed */
	// contains filtered or unexported fields
}

type AccessReason struct {

	// Type of access justification.
	Type AccessReason_Type `protobuf:"varint,1,opt,name=type,proto3,enum=google.cloud.accessapproval.v1.AccessReason_Type" json:"type,omitempty"`
	// More detail about certain reason types. See comments for each type above.
	Detail string `protobuf:"bytes,2,opt,name=detail,proto3" json:"detail,omitempty"`
	// contains filtered or unexported fields
}

type AccessReason_Type int32

type ApprovalRequest struct {

	// The resource name of the request. Format is
	// "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}".
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The resource for which approval is being requested. The format of the
	// resource name is defined at
	// https://cloud.google.com/apis/design/resource_names. The resource name here
	// may either be a "full" resource name (e.g.
	// "//library.googleapis.com/shelves/shelf1/books/book2") or a "relative"
	// resource name (e.g. "shelves/shelf1/books/book2") as described in the
	// resource name specification.
	RequestedResourceName string `` /* 126-byte string literal not displayed */
	// Properties related to the resource represented by requested_resource_name.
	RequestedResourceProperties *ResourceProperties `` /* 144-byte string literal not displayed */
	// The justification for which approval is being requested.
	RequestedReason *AccessReason `protobuf:"bytes,3,opt,name=requested_reason,json=requestedReason,proto3" json:"requested_reason,omitempty"`
	// The locations for which approval is being requested.
	RequestedLocations *AccessLocations `protobuf:"bytes,4,opt,name=requested_locations,json=requestedLocations,proto3" json:"requested_locations,omitempty"`
	// The time at which approval was requested.
	RequestTime *timestamppb.Timestamp `protobuf:"bytes,5,opt,name=request_time,json=requestTime,proto3" json:"request_time,omitempty"`
	// The requested expiration for the approval. If the request is approved,
	// access will be granted from the time of approval until the expiration time.
	RequestedExpiration *timestamppb.Timestamp `protobuf:"bytes,6,opt,name=requested_expiration,json=requestedExpiration,proto3" json:"requested_expiration,omitempty"`
	// The current decision on the approval request.
	//
	// Types that are assignable to Decision:
	//
	//	*ApprovalRequest_Approve
	//	*ApprovalRequest_Dismiss
	Decision isApprovalRequest_Decision `protobuf_oneof:"decision"`
	// contains filtered or unexported fields
}

type ApprovalRequest_Approve struct {
	// Access was approved.
	Approve *ApproveDecision `protobuf:"bytes,7,opt,name=approve,proto3,oneof"`
}

type ApprovalRequest_Dismiss struct {
	// The request was dismissed.
	Dismiss *DismissDecision `protobuf:"bytes,8,opt,name=dismiss,proto3,oneof"`
}

type ApproveApprovalRequestMessage struct {

	// Name of the approval request to approve.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The expiration time of this approval.
	ExpireTime *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expire_time,json=expireTime,proto3" json:"expire_time,omitempty"`
	// contains filtered or unexported fields
}

type ApproveDecision struct {

	// The time at which approval was granted.
	ApproveTime *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=approve_time,json=approveTime,proto3" json:"approve_time,omitempty"`
	// The time at which the approval expires.
	ExpireTime *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expire_time,json=expireTime,proto3" json:"expire_time,omitempty"`
	// If set, denotes the timestamp at which the approval is invalidated.
	InvalidateTime *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=invalidate_time,json=invalidateTime,proto3" json:"invalidate_time,omitempty"`
	// The signature for the ApprovalRequest and details on how it was signed.
	SignatureInfo *SignatureInfo `protobuf:"bytes,4,opt,name=signature_info,json=signatureInfo,proto3" json:"signature_info,omitempty"`
	// True when the request has been auto-approved.
	AutoApproved bool `protobuf:"varint,5,opt,name=auto_approved,json=autoApproved,proto3" json:"auto_approved,omitempty"`
	// contains filtered or unexported fields
}

type DeleteAccessApprovalSettingsMessage struct {

	// Name of the AccessApprovalSettings to delete.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

type DismissApprovalRequestMessage struct {

	// Name of the ApprovalRequest to dismiss.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

type DismissDecision struct {

	// The time at which the approval request was dismissed.
	DismissTime *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=dismiss_time,json=dismissTime,proto3" json:"dismiss_time,omitempty"`
	// This field will be true if the ApprovalRequest was implicitly dismissed due
	// to inaction by the access approval approvers (the request is not acted
	// on by the approvers before the exiration time).
	Implicit bool `protobuf:"varint,2,opt,name=implicit,proto3" json:"implicit,omitempty"`
	// contains filtered or unexported fields
}

type EnrolledService struct {

	// The product for which Access Approval will be enrolled. Allowed values are
	// listed below (case-sensitive):
	//
	//   - all
	//   - GA
	//   - App Engine
	//   - BigQuery
	//   - Cloud Bigtable
	//   - Cloud Key Management Service
	//   - Compute Engine
	//   - Cloud Dataflow
	//   - Cloud Dataproc
	//   - Cloud DLP
	//   - Cloud EKM
	//   - Cloud HSM
	//   - Cloud Identity and Access Management
	//   - Cloud Logging
	//   - Cloud Pub/Sub
	//   - Cloud Spanner
	//   - Cloud SQL
	//   - Cloud Storage
	//   - Google Kubernetes Engine
	//   - Organization Policy Serivice
	//   - Persistent Disk
	//   - Resource Manager
	//   - Secret Manager
	//   - Speaker ID
	//
	// Note: These values are supported as input for legacy purposes, but will not
	// be returned from the API.
	//
	//   - all
	//   - ga-only
	//   - appengine.googleapis.com
	//   - bigquery.googleapis.com
	//   - bigtable.googleapis.com
	//   - container.googleapis.com
	//   - cloudkms.googleapis.com
	//   - cloudresourcemanager.googleapis.com
	//   - cloudsql.googleapis.com
	//   - compute.googleapis.com
	//   - dataflow.googleapis.com
	//   - dataproc.googleapis.com
	//   - dlp.googleapis.com
	//   - iam.googleapis.com
	//   - logging.googleapis.com
	//   - orgpolicy.googleapis.com
	//   - pubsub.googleapis.com
	//   - spanner.googleapis.com
	//   - secretmanager.googleapis.com
	//   - speakerid.googleapis.com
	//   - storage.googleapis.com
	//
	// Calls to UpdateAccessApprovalSettings using 'all' or any of the
	// XXX.googleapis.com will be translated to the associated product name
	// ('all', 'App Engine', etc.).
	//
	// Note: 'all' will enroll the resource in all products supported at both 'GA'
	// and 'Preview' levels.
	//
	// More information about levels of support is available at
	// https://cloud.google.com/access-approval/docs/supported-services
	CloudProduct string `protobuf:"bytes,1,opt,name=cloud_product,json=cloudProduct,proto3" json:"cloud_product,omitempty"`
	// The enrollment level of the service.
	EnrollmentLevel EnrollmentLevel `` /* 159-byte string literal not displayed */
	// contains filtered or unexported fields
}

type EnrollmentLevel int32

type GetAccessApprovalServiceAccountMessage struct {

	// Name of the AccessApprovalServiceAccount to retrieve.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

type GetAccessApprovalSettingsMessage struct {

	// The name of the AccessApprovalSettings to retrieve.
	// Format: "{projects|folders|organizations}/{id}/accessApprovalSettings"
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

type GetApprovalRequestMessage struct {

	// The name of the approval request to retrieve.
	// Format:
	// "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}"
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

type InvalidateApprovalRequestMessage struct {

	// Name of the ApprovalRequest to invalidate.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

type ListApprovalRequestsMessage struct {

	// The parent resource. This may be "projects/{project}",
	// "folders/{folder}", or "organizations/{organization}".
	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
	// A filter on the type of approval requests to retrieve. Must be one of the
	// following values:
	//
	//   - [not set]: Requests that are pending or have active approvals.
	//   - ALL: All requests.
	//   - PENDING: Only pending requests.
	//   - ACTIVE: Only active (i.e. currently approved) requests.
	//   - DISMISSED: Only requests that have been dismissed, or requests that
	//     are not approved and past expiration.
	//   - EXPIRED: Only requests that have been approved, and the approval has
	//     expired.
	//   - HISTORY: Active, dismissed and expired requests.
	Filter string `protobuf:"bytes,2,opt,name=filter,proto3" json:"filter,omitempty"`
	// Requested page size.
	PageSize int32 `protobuf:"varint,3,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"`
	// A token identifying the page of results to return.
	PageToken string `protobuf:"bytes,4,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"`
	// contains filtered or unexported fields
}

type ListApprovalRequestsResponse struct {

	// Approval request details.
	ApprovalRequests []*ApprovalRequest `protobuf:"bytes,1,rep,name=approval_requests,json=approvalRequests,proto3" json:"approval_requests,omitempty"`
	// Token to retrieve the next page of results, or empty if there are no more.
	NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"`
	// contains filtered or unexported fields
}

type ResourceProperties struct {

	// Whether an approval will exclude the descendants of the resource being
	// requested.
	ExcludesDescendants bool `protobuf:"varint,1,opt,name=excludes_descendants,json=excludesDescendants,proto3" json:"excludes_descendants,omitempty"`
	// contains filtered or unexported fields
}

type SignatureInfo struct {

	// The digital signature.
	Signature []byte `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
	// How this signature may be verified.
	//
	// Types that are assignable to VerificationInfo:
	//
	//	*SignatureInfo_GooglePublicKeyPem
	//	*SignatureInfo_CustomerKmsKeyVersion
	VerificationInfo isSignatureInfo_VerificationInfo `protobuf_oneof:"verification_info"`
	// contains filtered or unexported fields
}

type SignatureInfo_CustomerKmsKeyVersion struct {
	// The resource name of the customer CryptoKeyVersion used for signing.
	CustomerKmsKeyVersion string `protobuf:"bytes,3,opt,name=customer_kms_key_version,json=customerKmsKeyVersion,proto3,oneof"`
}

type SignatureInfo_GooglePublicKeyPem struct {
	// The public key for the Google default signing, encoded in PEM format. The
	// signature was created using a private key which may be verified using
	// this public key.
	GooglePublicKeyPem string `protobuf:"bytes,2,opt,name=google_public_key_pem,json=googlePublicKeyPem,proto3,oneof"`
}

type UnimplementedAccessApprovalServer struct {
}

type UpdateAccessApprovalSettingsMessage struct {

	// The new AccessApprovalSettings.
	Settings *AccessApprovalSettings `protobuf:"bytes,1,opt,name=settings,proto3" json:"settings,omitempty"`
	// The update mask applies to the settings. Only the top level fields of
	// AccessApprovalSettings (notification_emails & enrolled_services) are
	// supported. For each field, if it is included, the currently stored value
	// will be entirely overwritten with the value of the field passed in this
	// request.
	//
	// For the `FieldMask` definition, see
	// https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
	// If this field is left unset, only the notification_emails field will be
	// updated.
	UpdateMask *fieldmaskpb.FieldMask `protobuf:"bytes,2,opt,name=update_mask,json=updateMask,proto3" json:"update_mask,omitempty"`
	// contains filtered or unexported fields
}