// Copyright 2019 Google LLC.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

syntax = "proto3";

package google.iam.v1;

import "google/type/expr.proto";
import "google/api/annotations.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Iam.V1";
option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
option java_multiple_files = true;
option java_outer_classname = "PolicyProto";
option java_package = "com.google.iam.v1";
option php_namespace = "Google\\Cloud\\Iam\\V1";

// Defines an Identity and Access Management (IAM) policy. It is used to
// specify access control policies for Cloud Platform resources.
//
//
// A `Policy` consists of a list of `bindings`. A `binding` binds a list of
// `members` to a `role`, where the members can be user accounts, Google groups,
// Google domains, and service accounts. A `role` is a named list of permissions
// defined by IAM.
//
// **JSON Example**
//
//     {
//       "bindings": [
//         {
//           "role": "roles/owner",
//           "members": [
//             "user:mike@example.com",
//             "group:admins@example.com",
//             "domain:google.com",
//             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
//           ]
//         },
//         {
//           "role": "roles/viewer",
//           "members": ["user:sean@example.com"]
//         }
//       ]
//     }
//
// **YAML Example**
//
//     bindings:
//     - members:
//       - user:mike@example.com
//       - group:admins@example.com
//       - domain:google.com
//       - serviceAccount:my-other-app@appspot.gserviceaccount.com
//       role: roles/owner
//     - members:
//       - user:sean@example.com
//       role: roles/viewer
//
//
// For a description of IAM and its features, see the
// [IAM developer's guide](https://cloud.google.com/iam/docs).
message Policy {
  // Deprecated.
  int32 version = 1;

  // Associates a list of `members` to a `role`.
  // `bindings` with no members will result in an error.
  repeated Binding bindings = 4;

  // `etag` is used for optimistic concurrency control as a way to help
  // prevent simultaneous updates of a policy from overwriting each other.
  // It is strongly suggested that systems make use of the `etag` in the
  // read-modify-write cycle to perform policy updates in order to avoid race
  // conditions: An `etag` is returned in the response to `getIamPolicy`, and
  // systems are expected to put that etag in the request to `setIamPolicy` to
  // ensure that their change will be applied to the same version of the policy.
  //
  // If no `etag` is provided in the call to `setIamPolicy`, then the existing
  // policy is overwritten blindly.
  bytes etag = 3;
}

// Associates `members` with a `role`.
message Binding {
  // Role that is assigned to `members`.
  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
  string role = 1;

  // Specifies the identities requesting access for a Cloud Platform resource.
  // `members` can have the following values:
  //
  // * `allUsers`: A special identifier that represents anyone who is
  //    on the internet; with or without a Google account.
  //
  // * `allAuthenticatedUsers`: A special identifier that represents anyone
  //    who is authenticated with a Google account or a service account.
  //
  // * `user:{emailid}`: An email address that represents a specific Google
  //    account. For example, `alice@gmail.com` .
  //
  //
  // * `serviceAccount:{emailid}`: An email address that represents a service
  //    account. For example, `my-other-app@appspot.gserviceaccount.com`.
  //
  // * `group:{emailid}`: An email address that represents a Google group.
  //    For example, `admins@example.com`.
  //
  //
  // * `domain:{domain}`: The G Suite domain (primary) that represents all the
  //    users of that domain. For example, `google.com` or `example.com`.
  //
  //
  repeated string members = 2;

  // The condition that is associated with this binding.
  // NOTE: An unsatisfied condition will not allow user access via current
  // binding. Different bindings, including their conditions, are examined
  // independently.
  google.type.Expr condition = 3;
}

// The difference delta between two policies.
message PolicyDelta {
  // The delta for Bindings between two policies.
  repeated BindingDelta binding_deltas = 1;

  // The delta for AuditConfigs between two policies.
  repeated AuditConfigDelta audit_config_deltas = 2;
}

// One delta entry for Binding. Each individual change (only one member in each
// entry) to a binding will be a separate entry.
message BindingDelta {
  // The type of action performed on a Binding in a policy.
  enum Action {
    // Unspecified.
    ACTION_UNSPECIFIED = 0;

    // Addition of a Binding.
    ADD = 1;

    // Removal of a Binding.
    REMOVE = 2;
  }

  // The action that was performed on a Binding.
  // Required
  Action action = 1;

  // Role that is assigned to `members`.
  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
  // Required
  string role = 2;

  // A single identity requesting access for a Cloud Platform resource.
  // Follows the same format of Binding.members.
  // Required
  string member = 3;

  // Unimplemented. The condition that is associated with this binding.
  // This field is logged only for Cloud Audit Logging.
  google.type.Expr condition = 4;
}

// One delta entry for AuditConfig. Each individual change (only one
// exempted_member in each entry) to a AuditConfig will be a separate entry.
message AuditConfigDelta {
  // The type of action performed on an audit configuration in a policy.
  enum Action {
    // Unspecified.
    ACTION_UNSPECIFIED = 0;

    // Addition of an audit configuration.
    ADD = 1;

    // Removal of an audit configuration.
    REMOVE = 2;
  }

  // The action that was performed on an audit configuration in a policy.
  // Required
  Action action = 1;

  // Specifies a service that was configured for Cloud Audit Logging.
  // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
  // `allServices` is a special value that covers all services.
  // Required
  string service = 2;

  // A single identity that is exempted from "data access" audit
  // logging for the `service` specified above.
  // Follows the same format of Binding.members.
  string exempted_member = 3;

  // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
  // enabled, and cannot be configured.
  // Required
  string log_type = 4;
}