googleapis/google/identity/accesscontextmanager/v1/access_level.proto

// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.identity.accesscontextmanager.v1;

import "google/identity/accesscontextmanager/type/device_resources.proto";
import "google/protobuf/timestamp.proto";
import "google/type/expr.proto";
import "google/api/annotations.proto";

option csharp_namespace = "Google.Identity.AccessContextManager.V1";
option go_package = "google.golang.org/genproto/googleapis/identity/accesscontextmanager/v1;accesscontextmanager";
option java_multiple_files = true;
option java_outer_classname = "AccessLevelProto";
option java_package = "com.google.identity.accesscontextmanager.v1";
option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
option ruby_package = "Google::Identity::AccessContextManager::V1";
option objc_class_prefix = "GACM";

// An `AccessLevel` is a label that can be applied to requests to Google Cloud
// services, along with a list of requirements necessary for the label to be
// applied.
message AccessLevel {
  // Required. Resource name for the Access Level. The `short_name` component
  // must begin with a letter and only include alphanumeric and '_'. Format:
  // `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length
  // of the `short_name` component is 50 characters.
  string name = 1;

  // Human readable title. Must be unique within the Policy.
  string title = 2;

  // Description of the `AccessLevel` and its use. Does not affect behavior.
  string description = 3;

  // Required. Describes the necessary conditions for the level to apply.
  oneof level {
    // A `BasicLevel` composed of `Conditions`.
    BasicLevel basic = 4;

    // A `CustomLevel` written in the Common Expression Language.
    CustomLevel custom = 5;
  }

  // Output only. Time the `AccessLevel` was created in UTC.
  google.protobuf.Timestamp create_time = 6;

  // Output only. Time the `AccessLevel` was updated in UTC.
  google.protobuf.Timestamp update_time = 7;
}

// `BasicLevel` is an `AccessLevel` using a set of recommended features.
message BasicLevel {
  // Options for how the `conditions` list should be combined to determine if
  // this `AccessLevel` is applied. Default is AND.
  enum ConditionCombiningFunction {
    // All `Conditions` must be true for the `BasicLevel` to be true.
    AND = 0;

    // If at least one `Condition` is true, then the `BasicLevel` is true.
    OR = 1;
  }

  // Required. A list of requirements for the `AccessLevel` to be granted.
  repeated Condition conditions = 1;

  // How the `conditions` list should be combined to determine if a request is
  // granted this `AccessLevel`. If AND is used, each `Condition` in
  // `conditions` must be satisfied for the `AccessLevel` to be applied. If OR
  // is used, at least one `Condition` in `conditions` must be satisfied for the
  // `AccessLevel` to be applied. Default behavior is AND.
  ConditionCombiningFunction combining_function = 2;
}

// A condition necessary for an `AccessLevel` to be granted. The Condition is an
// AND over its fields. So a Condition is true if: 1) the request IP is from one
// of the listed subnetworks AND 2) the originating device complies with the
// listed device policy AND 3) all listed access levels are granted AND 4) the
// request was sent at a time allowed by the DateTimeRestriction.
message Condition {
  // CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for
  // a CIDR IP address block, the specified IP address portion must be properly
  // truncated (i.e. all the host bits must be zero) or the input is considered
  // malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is
  // not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas
  // "2001:db8::1/32" is not. The originating IP of a request must be in one of
  // the listed subnets in order for this Condition to be true. If empty, all IP
  // addresses are allowed.
  repeated string ip_subnetworks = 1;

  // Device specific restrictions, all restrictions must hold for the
  // Condition to be true. If not specified, all devices are allowed.
  DevicePolicy device_policy = 2;

  // A list of other access levels defined in the same `Policy`, referenced by
  // resource name. Referencing an `AccessLevel` which does not exist is an
  // error. All access levels listed must be granted for the Condition
  // to be true. Example:
  // "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`
  repeated string required_access_levels = 3;

  // Whether to negate the Condition. If true, the Condition becomes a NAND over
  // its non-empty fields, each field must be false for the Condition overall to
  // be satisfied. Defaults to false.
  bool negate = 5;

  // The request must be made by one of the provided user or service
  // accounts. Groups are not supported.
  // Syntax:
  // `user:{emailid}`
  // `serviceAccount:{emailid}`
  // If not specified, a request may come from any user.
  repeated string members = 6;

  // The request must originate from one of the provided countries/regions.
  // Must be valid ISO 3166-1 alpha-2 codes.
  repeated string regions = 7;
}

// `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language
// to represent the necessary conditions for the level to apply to a request.
// See CEL spec at: https://github.com/google/cel-spec
message CustomLevel {
  // Required. A Cloud CEL expression evaluating to a boolean.
  google.type.Expr expr = 1;
}

// `DevicePolicy` specifies device specific restrictions necessary to acquire a
// given access level. A `DevicePolicy` specifies requirements for requests from
// devices to be granted access levels, it does not do any enforcement on the
// device. `DevicePolicy` acts as an AND over all specified fields, and each
// repeated field is an OR over its elements. Any unset fields are ignored. For
// example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :
// DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be
// true for requests originating from encrypted Linux desktops and encrypted
// Windows desktops.
message DevicePolicy {
  // Whether or not screenlock is required for the DevicePolicy to be true.
  // Defaults to `false`.
  bool require_screenlock = 1;

  // Allowed encryptions statuses, an empty list allows all statuses.
  repeated google.identity.accesscontextmanager.type.DeviceEncryptionStatus allowed_encryption_statuses = 2;

  // Allowed OS versions, an empty list allows all types and all versions.
  repeated OsConstraint os_constraints = 3;

  // Allowed device management levels, an empty list allows all management
  // levels.
  repeated google.identity.accesscontextmanager.type.DeviceManagementLevel allowed_device_management_levels = 6;

  // Whether the device needs to be approved by the customer admin.
  bool require_admin_approval = 7;

  // Whether the device needs to be corp owned.
  bool require_corp_owned = 8;
}

// A restriction on the OS type and version of devices making requests.
message OsConstraint {
  // Required. The allowed OS type.
  google.identity.accesscontextmanager.type.OsType os_type = 1;

  // The minimum allowed OS version. If not set, any version of this OS
  // satisfies the constraint. Format: `"major.minor.patch"`.
  // Examples: `"10.5.301"`, `"9.2.1"`.
  string minimum_version = 2;

  // Only allows requests from devices with a verified Chrome OS.
  // Verifications includes requirements that the device is enterprise-managed,
  // conformant to domain policies, and the caller has permission to call
  // the API targeted by the request.
  bool require_verified_chrome_os = 3;
}