// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.identity.accesscontextmanager.v1;

import "google/api/resource.proto";
import "google/identity/accesscontextmanager/type/device_resources.proto";
import "google/protobuf/timestamp.proto";
import "google/type/expr.proto";

option csharp_namespace = "Google.Identity.AccessContextManager.V1";
option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb";
option java_multiple_files = true;
option java_outer_classname = "AccessLevelProto";
option java_package = "com.google.identity.accesscontextmanager.v1";
option objc_class_prefix = "GACM";
option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
option ruby_package = "Google::Identity::AccessContextManager::V1";

// An `AccessLevel` is a label that can be applied to requests to Google Cloud
// services, along with a list of requirements necessary for the label to be
// applied. The requirements are expressed either as a `BasicLevel` (a list of
// `Condition`s) or as a `CustomLevel` (a CEL expression); exactly one of the
// two is set.
message AccessLevel {
  option (google.api.resource) = {
    type: "accesscontextmanager.googleapis.com/AccessLevel"
    pattern: "accessPolicies/{access_policy}/accessLevels/{access_level}"
  };

  // Required. Resource name for the Access Level. The `short_name` component
  // must begin with a letter and only include alphanumeric and '_'. Format:
  // `accessPolicies/{access_policy}/accessLevels/{access_level}`. The maximum
  // length of the `access_level` component is 50 characters.
  // NOTE(review): `short_name` presumably refers to the `{access_level}`
  // segment of the pattern above — confirm.
  string name = 1;

  // Human readable title. Must be unique within the Policy.
  string title = 2;

  // Description of the `AccessLevel` and its use. Does not affect behavior.
  string description = 3;

  // Required. Describes the necessary conditions for the level to apply.
  // As a `oneof`, setting `basic` clears `custom` and vice versa; readers
  // should check which member is set rather than assuming one of them.
  oneof level {
    // A `BasicLevel` composed of `Conditions`.
    BasicLevel basic = 4;

    // A `CustomLevel` written in the Common Expression Language.
    CustomLevel custom = 5;
  }

  // Output only. Time the `AccessLevel` was created in UTC.
  google.protobuf.Timestamp create_time = 6;

  // Output only. Time the `AccessLevel` was updated in UTC.
  google.protobuf.Timestamp update_time = 7;
}

// `BasicLevel` is an `AccessLevel` using a set of recommended features.
message BasicLevel {
  // Options for how the `conditions` list should be combined to determine if
  // this `AccessLevel` is applied. Default is AND.
  // Because `AND` is the zero value, an unset `combining_function` decodes as
  // AND, i.e. the conjunctive (stricter) combiner.
  // NOTE(review): the values are unprefixed (`AND`/`OR`); another enum in this
  // message reusing those names would collide in generated code. Renaming
  // them would be a source-breaking change for a published API.
  enum ConditionCombiningFunction {
    // All `Conditions` must be true for the `BasicLevel` to be true.
    AND = 0;

    // If at least one `Condition` is true, then the `BasicLevel` is true.
    OR = 1;
  }

  // Required. A list of requirements for the `AccessLevel` to be granted.
  // A repeated field has no presence in proto3, so an empty list and an
  // omitted field are indistinguishable on the wire.
  repeated Condition conditions = 1;

  // How the `conditions` list should be combined to determine if a request is
  // granted this `AccessLevel`. If AND is used, each `Condition` in
  // `conditions` must be satisfied for the `AccessLevel` to be applied. If OR
  // is used, at least one `Condition` in `conditions` must be satisfied for the
  // `AccessLevel` to be applied. Default behavior is AND.
  ConditionCombiningFunction combining_function = 2;
}

// A condition necessary for an `AccessLevel` to be granted. The Condition is an
// AND over its fields. So a Condition is true if: 1) the request IP is from one
// of the listed subnetworks AND 2) the originating device complies with the
// listed device policy AND 3) all listed access levels are granted AND 4) the
// request was sent at a time allowed by the DateTimeRestriction.
// The same AND applies to `members` and `regions` below. Every field that is
// left empty or unset places no restriction on the request, so a `Condition`
// with no fields set restricts nothing.
// NOTE(review): no DateTimeRestriction field is defined in this message; item
// 4 above appears to be stale — confirm against the service behavior.
message Condition {
  // CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for
  // a CIDR IP address block, the specified IP address portion must be properly
  // truncated (i.e. all the host bits must be zero) or the input is considered
  // malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is
  // not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas
  // "2001:db8::1/32" is not. The originating IP of a request must be in one of
  // the listed subnets in order for this Condition to be true. If empty, all IP
  // addresses are allowed.
  // An omitted field reads as an empty list (no presence for repeated fields),
  // so leaving it out imposes no IP restriction at all. Source IP identifies
  // network location, not a principal; pair it with `members` and/or
  // `device_policy` when a stronger assurance is required.
  repeated string ip_subnetworks = 1;

  // Device specific restrictions, all restrictions must hold for the
  // Condition to be true. If not specified, all devices are allowed.
  DevicePolicy device_policy = 2;

  // A list of other access levels defined in the same `Policy`, referenced by
  // resource name. Referencing an `AccessLevel` which does not exist is an
  // error. All access levels listed must be granted for the Condition
  // to be true. Example:
  // `accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME`
  repeated string required_access_levels = 3;

  // Whether to negate the Condition. If true, the Condition becomes a NAND over
  // its non-empty fields, each field must be false for the Condition overall to
  // be satisfied. Defaults to false.
  // Only the non-empty fields participate in the negation; empty fields are
  // still ignored rather than treated as "false".
  // NOTE(review): field number 4 is neither used nor `reserved` in this
  // message; if it was ever published, add `reserved 4;` so it cannot be
  // reused with a different meaning.
  bool negate = 5;

  // The request must be made by one of the provided user or service
  // accounts. Groups are not supported.
  // Syntax:
  //   `user:{emailid}`
  //   `serviceAccount:{emailid}`
  // If not specified, a request may come from any user.
  repeated string members = 6;

  // The request must originate from one of the provided countries/regions.
  // Must be valid ISO 3166-1 alpha-2 codes.
  repeated string regions = 7;
}

// `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language
// to represent the necessary conditions for the level to apply to a request.
// See CEL spec at: https://github.com/google/cel-spec
message CustomLevel {
  // Required. A Cloud CEL expression evaluating to a boolean. A request for
  // which the expression evaluates to `true` satisfies the level, so the
  // expression should be reviewed with the same care as any other
  // authorization rule.
  google.type.Expr expr = 1;
}

// `DevicePolicy` specifies device specific restrictions necessary to acquire a
// given access level. A `DevicePolicy` specifies requirements for requests from
// devices to be granted access levels, it does not do any enforcement on the
// device. `DevicePolicy` acts as an AND over all specified fields, and each
// repeated field is an OR over its elements. Any unset fields are ignored. For
// example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :
// DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be
// true for requests originating from encrypted Linux desktops and encrypted
// Windows desktops.
// The `require_*` booleans use proto3 implicit presence: `false` is
// indistinguishable from unset, so an omitted flag simply adds no requirement.
// NOTE(review): field numbers 4 and 5 are neither used nor `reserved` here;
// if they were ever published, add `reserved 4, 5;`.
message DevicePolicy {
  // Whether or not screenlock is required for the DevicePolicy to be true.
  // Defaults to `false`.
  bool require_screenlock = 1;

  // Allowed encryption statuses, an empty list allows all statuses.
  repeated google.identity.accesscontextmanager.type.DeviceEncryptionStatus allowed_encryption_statuses = 2;

  // Allowed OS versions, an empty list allows all types and all versions.
  repeated OsConstraint os_constraints = 3;

  // Allowed device management levels, an empty list allows all management
  // levels.
  repeated google.identity.accesscontextmanager.type.DeviceManagementLevel allowed_device_management_levels = 6;

  // Whether the device needs to be approved by the customer admin.
  // Defaults to `false` (no approval requirement).
  bool require_admin_approval = 7;

  // Whether the device needs to be corp owned.
  // Defaults to `false` (no ownership requirement).
  bool require_corp_owned = 8;
}

// A restriction on the OS type and version of devices making requests.
message OsConstraint {
  // Required. The allowed OS type.
  google.identity.accesscontextmanager.type.OsType os_type = 1;

  // The minimum allowed OS version. If not set, any version of this OS
  // satisfies the constraint. Format: `"major.minor.patch"`.
  // Examples: `"10.5.301"`, `"9.2.1"`.
  // NOTE(review): how versions are compared (per-component numeric vs. plain
  // string ordering) is not stated here; confirm before relying on it for
  // values such as `"10.10"` versus `"10.9"`.
  string minimum_version = 2;

  // Only allows requests from devices with a verified Chrome OS.
  // Verification includes requirements that the device is enterprise-managed,
  // conformant to domain policies, and the caller has permission to call
  // the API targeted by the request.
  bool require_verified_chrome_os = 3;
}