iamv1

type Caller struct {

	// The caller's resolved IAM members.
	Members []string `protobuf:"bytes,1,rep,name=members,proto3" json:"members,omitempty"`
	// Caller identity from gRPC metadata key/value pairs.
	Metadata map[string]*Caller_Metadata `` /* 157-byte string literal not displayed */
	// Caller context.
	// TODO: Remove this when cel-go supports async functions with context threading.
	Context *Caller_Context `protobuf:"bytes,3,opt,name=context,proto3" json:"context,omitempty"`
	// contains filtered or unexported fields
}

type Caller_Context struct {

	// Deadline for the caller's request.
	Deadline *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=deadline,proto3" json:"deadline,omitempty"`
	// Trace context for the caller's request.
	Trace string `protobuf:"bytes,2,opt,name=trace,proto3" json:"trace,omitempty"`
	// contains filtered or unexported fields
}

type Caller_Metadata struct {

	// The IAM members from the metadata value.
	Members []string `protobuf:"bytes,1,rep,name=members,proto3" json:"members,omitempty"`
	// The identity token from the metadata value.
	IdentityToken *IdentityToken `protobuf:"bytes,2,opt,name=identity_token,json=identityToken,proto3" json:"identity_token,omitempty"`
	// contains filtered or unexported fields
}

type IdentityToken struct {

	// The raw token value.
	Raw string `protobuf:"bytes,1,opt,name=raw,proto3" json:"raw,omitempty"`
	// The "iss" claim identifies the principal that issued the JWT.
	// The processing of this claim is generally application specific.
	// The "iss" value is a case-sensitive string containing a string or URI value.
	Iss string `protobuf:"bytes,2,opt,name=iss,proto3" json:"iss,omitempty"`
	// The "sub" claim identifies the principal that is the
	// subject of the JWT.  The claims in a JWT are normally statements
	// about the subject.  The subject value MUST either be scoped to be
	// locally unique in the context of the issuer or be globally unique.
	// The processing of this claim is generally application specific.
	// The "sub" value is a case-sensitive string containing a string or URI value.
	Sub string `protobuf:"bytes,3,opt,name=sub,proto3" json:"sub,omitempty"`
	// The "aud" claim identifies the recipients that the JWT is intended for.
	// Each principal intended to process the JWT MUST identify itself with a value in the audience claim.
	// If the principal processing the claim does not identify itself with a value in the
	// "aud" claim when this claim is present, then the JWT MUST be rejected.
	// In the general case, the "aud" value is an array of case-sensitive strings, each containing a
	// string or URI value.
	// In the special case when the JWT has one audience, the "aud" value MAY be a
	// single case-sensitive string containing a string or URI value.
	// The interpretation of audience values is generally application specific.
	Aud string `protobuf:"bytes,4,opt,name=aud,proto3" json:"aud,omitempty"`
	// The "exp" claim identifies the expiration time on or after
	// which the JWT MUST NOT be accepted for processing.
	// The processing of the "exp" claim requires that the current date/time
	// MUST be before the expiration date/time listed in the "exp" claim.
	Exp int64 `protobuf:"varint,5,opt,name=exp,proto3" json:"exp,omitempty"`
	// The "nbf" (not before) claim identifies the time before which the JWT
	// MUST NOT be accepted for processing. The processing of the "nbf"
	// claim requires that the current date/time MUST be after or equal to
	// the not-before date/time listed in the "nbf" claim. Implementers MAY
	// provide for some small leeway, usually no more than a few minutes, to
	// account for clock skew. Its value MUST be a number containing a
	// numeric date value.
	Nbf int64 `protobuf:"varint,6,opt,name=nbf,proto3" json:"nbf,omitempty"`
	// The "iat" claim identifies the time at which the JWT was
	// issued.  This claim can be used to determine the age of the JWT.
	// Its value MUST be a number containing a numeric date value.
	Iat int64 `protobuf:"varint,7,opt,name=iat,proto3" json:"iat,omitempty"`
	// contains filtered or unexported fields
}

type LongRunningOperationPermissions struct {

	// The long-running operation resource. The type field is mandatory.
	Operation *annotations.ResourceDescriptor `protobuf:"bytes,1,opt,name=operation,proto3" json:"operation,omitempty"`
	// Permission for listing operations.
	List string `protobuf:"bytes,2,opt,name=list,proto3" json:"list,omitempty"`
	// Permission for getting an operation.
	Get string `protobuf:"bytes,3,opt,name=get,proto3" json:"get,omitempty"`
	// Permission for cancelling an operation.
	Cancel string `protobuf:"bytes,4,opt,name=cancel,proto3" json:"cancel,omitempty"`
	// Permission for deleting an operation.
	Delete string `protobuf:"bytes,5,opt,name=delete,proto3" json:"delete,omitempty"`
	// Permission for waiting on an operation.
	Wait string `protobuf:"bytes,6,opt,name=wait,proto3" json:"wait,omitempty"`
	// contains filtered or unexported fields
}

type LongRunningOperationsAuthorizationOptions struct {

	// The long-running operation permissions.
	OperationPermissions []*LongRunningOperationPermissions `protobuf:"bytes,1,rep,name=operation_permissions,json=operationPermissions,proto3" json:"operation_permissions,omitempty"`
	// Strategy that decides if the request is authorized.
	//
	// Types that are assignable to Strategy:
	//
	//	*LongRunningOperationsAuthorizationOptions_Before
	//	*LongRunningOperationsAuthorizationOptions_Custom
	//	*LongRunningOperationsAuthorizationOptions_None
	Strategy isLongRunningOperationsAuthorizationOptions_Strategy `protobuf_oneof:"strategy"`
	// contains filtered or unexported fields
}

type LongRunningOperationsAuthorizationOptions_Before struct {
	// A flag indicating if a standard authorization checked is performed before the request.
	Before bool `protobuf:"varint,3,opt,name=before,proto3,oneof"`
}

type LongRunningOperationsAuthorizationOptions_Custom struct {
	// A flag indicating if custom-implemented authorization is needed.
	Custom bool `protobuf:"varint,4,opt,name=custom,proto3,oneof"`
}

type LongRunningOperationsAuthorizationOptions_None struct {
	// A flag indicating if no authorization is needed.
	None bool `protobuf:"varint,5,opt,name=none,proto3,oneof"`
}

type MethodAuthorizationOptions struct {

	// Permission to use for authorization.
	//
	// Types that are assignable to Permissions:
	//
	//	*MethodAuthorizationOptions_Permission
	//	*MethodAuthorizationOptions_ResourcePermissions
	Permissions isMethodAuthorizationOptions_Permissions `protobuf_oneof:"permissions"`
	// Strategy that decides if the request is authorized.
	//
	// Types that are assignable to Strategy:
	//
	//	*MethodAuthorizationOptions_Before
	//	*MethodAuthorizationOptions_After
	//	*MethodAuthorizationOptions_Custom
	//	*MethodAuthorizationOptions_None
	Strategy isMethodAuthorizationOptions_Strategy `protobuf_oneof:"strategy"`
	// contains filtered or unexported fields
}

type MethodAuthorizationOptions_After struct {
	// Expression that decides after the request if the caller is authorized.
	After *expr.Expr `protobuf:"bytes,4,opt,name=after,proto3,oneof"`
}

type MethodAuthorizationOptions_Before struct {
	// Expression that decides before the request if the caller is authorized.
	Before *expr.Expr `protobuf:"bytes,3,opt,name=before,proto3,oneof"`
}

type MethodAuthorizationOptions_Custom struct {
	// A flag indicating if the method requires custom-implemented authorization.
	Custom bool `protobuf:"varint,5,opt,name=custom,proto3,oneof"`
}

type MethodAuthorizationOptions_None struct {
	// A flag indicating if the method requires no authorization.
	None bool `protobuf:"varint,6,opt,name=none,proto3,oneof"`
}

type MethodAuthorizationOptions_Permission struct {
	// A single permission used by the method.
	Permission string `protobuf:"bytes,1,opt,name=permission,proto3,oneof"`
}

type MethodAuthorizationOptions_ResourcePermissions struct {
	// Resource permissions used by the method.
	ResourcePermissions *ResourcePermissions `protobuf:"bytes,2,opt,name=resource_permissions,json=resourcePermissions,proto3,oneof"`
}

type PredefinedRoles struct {

	// The predefined roles.
	Role []*adminpb.Role `protobuf:"bytes,1,rep,name=role,proto3" json:"role,omitempty"`
	// contains filtered or unexported fields
}

type ResourcePermission struct {

	// The resource.
	// When used for authorization method options, only the type must be provided.
	Resource *annotations.ResourceDescriptor `protobuf:"bytes,1,opt,name=resource,proto3" json:"resource,omitempty"`
	// The permission.
	Permission string `protobuf:"bytes,2,opt,name=permission,proto3" json:"permission,omitempty"`
	// contains filtered or unexported fields
}

type ResourcePermissions struct {

	// The resource permissions.
	ResourcePermission []*ResourcePermission `protobuf:"bytes,1,rep,name=resource_permission,json=resourcePermission,proto3" json:"resource_permission,omitempty"`
	// contains filtered or unexported fields
}