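syntax = "proto3";

package ntt.iam.v1;

import "google/api/resource.proto";
import "google/protobuf/struct.proto";
import "goten-sdk/types/meta.proto";

option go_package = "github.com/cloudwan/edgelq-sdk/iam/resources/v1/condition;condition";
option java_multiple_files = true;
option java_outer_classname = "ConditionProto";
option java_package = "com.ntt.iam.pb.v1";

// Condition is an additional access-control predicate that is not built
// into a role. It can be attached to a single role grant or to a whole
// RoleBinding (in which case it applies to every grant of that binding).
//
// The concrete check is selected through the `condition` oneof. The CEL
// based `expression` / `parameter_declarations` fields are kept only so
// that existing stored resources still parse; they are deprecated and
// must not be used for new conditions.
message Condition {
  option (google.api.resource) = {
    type : "iam.edgelq.com/Condition"
    pattern : "conditions/{condition}"
    pattern : "projects/{project}/conditions/{condition}"
    pattern : "organizations/{organization}/conditions/{condition}"
    pattern : "services/{service}/conditions/{condition}"
  };

  // Name of Condition.
  // When creating a new instance, this field is optional and if not provided,
  // it will be generated automatically. Last ID segment must conform to the
  // following regex: [a-z][a-z0-9\\-]{0,28}[a-z0-9]
  string name = 1;

  // Metadata is an object with information like create, update and delete time
  // (for async deleted resources), has user labels/annotations, sharding
  // information, multi-region syncing information and may have non-schema
  // owners (useful for taking ownership of resources belonging to lower level
  // services by higher ones).
  goten.types.Meta metadata = 6;

  // Display Name.
  string display_name = 2;

  // Description.
  string description = 3;

  // Concrete condition kind. At most one member is set; setting one clears
  // the other.
  oneof condition {
    // Restricts the grant by the caller's source IP address.
    IpCondition ip_condition = 7;

    // Requires a valid attestation token next to the authorization token.
    AttestationCondition attestation_condition = 8;
  }

  // Condition expression in [Google
  // CEL](https://github.com/google/cel-spec/blob/v0.4.0/doc/intro.md) syntax,
  // e.g. `resource.name == "projects/xyz/instances/abc"`
  //
  // Accessible parameters:
  // | variable | type | description | examples |
  // |-|-|-|-|
  // | `resource.body` | `string` | Resource type | `"iam.edgelq.com/Condition"` |
  // | `request.action` | `string` | Action verb | `"create"`, `"batchGet"` |
  // | `request.body` | `dyn` | Request body (in native format). | `request.body.page_size` |
  // | `parameters` | `map(string, dyn)` | Bound parameters. | `parameters.minSeverity` |
  // | `attest.policy` | `string` | Name of attestation policy attested with by the attestee; empty string if none. | `""`, `"projects/myProj/AttestationPolicies/myPol"` |
  //
  // Extension:
  //
  // Filter.`satisfies(other)`
  //
  // Access is determined by the return value. Return `true` to grant access or
  // `false` to deny. Any execution error results in access denied (fail
  // closed).
  //
  // DEPRECATED: CEL conditions are obsolete and must not be used; use the
  // `condition` oneof instead. The field is retained only for wire
  // compatibility with already stored resources.
  string expression = 4 [deprecated = true];

  // Typed parameter declarations. When binding a Condition the passed
  // parameters must correspond to these declarations.
  //
  // DEPRECATED: Along with `expression`, CEL conditions are gone. Retained
  // only for wire compatibility.
  repeated ParameterDeclaration parameter_declarations = 5 [deprecated = true];

  // ParameterDeclaration describes one typed parameter of a (deprecated) CEL
  // condition. It is only meaningful together with `parameter_declarations`.
  message ParameterDeclaration {
    // Parameter Key - must be unique within condition. Defined parameter
    // variables are accessible in condition expression via `parameters.<key>`,
    // e.g. `parameters.projectId`
    string key = 1;

    // Parameter value type.
    ParameterType type = 2;
  }

  // IpCondition restricts a grant by the caller's source IP address using
  // an allow list and a deny list of CIDR ranges. When both lists are set,
  // both checks apply: the client IP must fall inside at least one allowed
  // range AND outside every disabled range.
  //
  // NOTE(review): the schema itself does not validate CIDR syntax. A
  // malformed entry in `disabled_cidrs` that is silently skipped widens
  // access, so the server should reject malformed ranges at create/update
  // time - confirm that it does. Likewise, the effectiveness of this
  // condition depends on the client IP being taken from a trusted source
  // (the connection peer, or a proxy header that the deployment actually
  // controls); how the IP is determined is not visible in this file.
  message IpCondition {
    // Allowed IP cidrs in v4 or v6 format.
    // If specified, at least one must be satisfied during execution.
    repeated string allowed_cidrs = 1;

    // Disallowed IP cidrs in v4 or v6 format.
    // If specified, client IP must not be in any specified range.
    // (The field is named `disabled_cidrs` for wire/JSON compatibility;
    // semantically it is a deny list.)
    repeated string disabled_cidrs = 2;
  }

  // AttestationCondition requires that the associated roles/grants are
  // authorized only if the caller attaches a proper attestation token
  // next to the authorization one.
  message AttestationCondition {
    // Domain name that must be present in the attestation token.
    string domain = 1;

    // List of permissions excepted from this condition, i.e. permissions
    // that remain usable WITHOUT an attestation token. Every entry added
    // here widens what an un-attested caller can do, so additions should
    // be reviewed with care.
    //
    // By default, it contains:
    // * services/iam.edgelq.com/permissions/attestationDomains.get
    // * services/iam.edgelq.com/permissions/attestationDomains.verify
    // * services/iam.edgelq.com/permissions/serviceAccounts.get
    // * services/iam.edgelq.com/permissions/serviceAccountKeys.get
    // * services/devices.edgelq.com/permissions/devices.list
    // * services/devices.edgelq.com/permissions/provisioningPolicies.list
    // * services/devices.edgelq.com/permissions/provisioningPolicies.provisionDeviceViaPolicy
    // * services/devices.edgelq.com/permissions/provisioningPolicies.requestProvisioningApproval
    // Those are necessary to obtain an attestation token in the first
    // place.
    //
    // NOTE(review): whether an explicitly set list replaces or extends the
    // defaults above is not specified here - confirm against the server
    // implementation before relying on either behaviour.
    repeated string except_permissions = 2;
  }

  // Parameter Type of a (deprecated) CEL condition parameter declaration.
  // Values are intentionally left unprefixed: renaming them would break
  // generated code and JSON for existing clients.
  enum ParameterType {
    TYPE_UNSPECIFIED = 0;

    STRING = 1;

    INT64 = 2;

    DOUBLE = 3;

    BOOL = 4;

    STRING_ARRAY = 5;

    INT64_ARRAY = 6;

    DOUBLE_ARRAY = 7;

    BOOL_ARRAY = 8;

    OBJECT = 9;
  }
}

// ExecutableCondition represents an instantiation of a Condition with
// parameters - in other words an executable condition, as used in Role
// bindings.
message ExecutableCondition {
  // Reference (resource name) to the Condition, which may also be
  // parameterized.
  string condition = 1;

  // Parameters in string form. Parameters must match
  // [declarations][ntt.iam.v1.Condition.parameter_declarations].
  // TODO: Only used by deprecated CEL conditions; expected to be removed
  // together with them.
  google.protobuf.Struct params = 3;

  // Field number 2 was used previously and must not be reused.
  reserved 2;
}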