googleapis
diff --git a/‎protos/google/cloud/iap/v1/service.proto‎
Lines changed: 258 additions & 39 deletions b/‎protos/google/cloud/iap/v1/service.proto‎
Lines changed: 258 additions & 39 deletions
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -17,20 +17,26 @@ syntax = "proto3";
 package google.cloud.iap.v1;
 
 import "google/api/annotations.proto";
+import "google/api/client.proto";
 import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
 import "google/iam/v1/iam_policy.proto";
 import "google/iam/v1/policy.proto";
+import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/field_mask.proto";
 import "google/protobuf/wrappers.proto";
-import "google/api/client.proto";
 
 option csharp_namespace = "Google.Cloud.Iap.V1";
 option go_package = "google.golang.org/genproto/googleapis/cloud/iap/v1;iap";
 option java_multiple_files = true;
 option java_package = "com.google.cloud.iap.v1";
 option php_namespace = "Google\\Cloud\\Iap\\V1";
 option ruby_package = "Google::Cloud::Iap::V1";
+option (google.api.resource_definition) = {
+  type: "iap.googleapis.com/TunnelLocation"
+  pattern: "projects/{project}/iap_tunnel/locations/{location}"
+};
 
 // APIs for Identity-Aware Proxy Admin configurations.
 service IdentityAwareProxyAdminService {
@@ -85,51 +91,169 @@ service IdentityAwareProxyAdminService {
       body: "iap_settings"
     };
   }
+
+  // Lists the existing TunnelDestGroups. To group across all locations, use a
+  // `-` as the location ID. For example:
+  // `/v1/projects/123/iap_tunnel/locations/-/destGroups`
+  rpc ListTunnelDestGroups(ListTunnelDestGroupsRequest) returns (ListTunnelDestGroupsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
+  // Creates a new TunnelDestGroup.
+  rpc CreateTunnelDestGroup(CreateTunnelDestGroupRequest) returns (TunnelDestGroup) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
+      body: "tunnel_dest_group"
+    };
+    option (google.api.method_signature) = "parent,tunnel_dest_group,tunnel_dest_group_id";
+  }
+
+  // Retrieves an existing TunnelDestGroup.
+  rpc GetTunnelDestGroup(GetTunnelDestGroupRequest) returns (TunnelDestGroup) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/iap_tunnel/locations/*/destGroups/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
+  // Deletes a TunnelDestGroup.
+  rpc DeleteTunnelDestGroup(DeleteTunnelDestGroupRequest) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/v1/{name=projects/*/iap_tunnel/locations/*/destGroups/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
+  // Updates a TunnelDestGroup.
+  rpc UpdateTunnelDestGroup(UpdateTunnelDestGroupRequest) returns (TunnelDestGroup) {
+    option (google.api.http) = {
+      patch: "/v1/{tunnel_dest_group.name=projects/*/iap_tunnel/locations/*/destGroups/*}"
+      body: "tunnel_dest_group"
+    };
+    option (google.api.method_signature) = "tunnel_dest_group,update_mask";
+  }
 }
 
-// The request sent to GetIapSettings.
-message GetIapSettingsRequest {
-  // Required. The resource name for which to retrieve the settings.
-  // Authorization: Requires the `getSettings` permission for the associated
-  // resource.
-  string name = 1 [(google.api.field_behavior) = REQUIRED];
+// The request to ListTunnelDestGroups.
+message ListTunnelDestGroupsRequest {
+  // Required. Google Cloud Project ID and location.
+  // In the following format:
+  // `projects/{project_number/id}/iap_tunnel/locations/{location}`.
+  // A `-` can be used for the location to group across all locations.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "iap.googleapis.com/TunnelLocation"
+    }
+  ];
+
+  // The maximum number of groups to return. The service might return fewer than
+  // this value.
+  // If unspecified, at most 100 groups are returned.
+  // The maximum value is 1000; values above 1000 are coerced to 1000.
+  int32 page_size = 2;
+
+  // A page token, received from a previous `ListTunnelDestGroups`
+  // call. Provide this to retrieve the subsequent page.
+  //
+  // When paginating, all other parameters provided to
+  // `ListTunnelDestGroups` must match the call that provided the page
+  // token.
+  string page_token = 3;
 }
 
-// The request sent to UpdateIapSettings.
-message UpdateIapSettingsRequest {
-  // Required. The new values for the IAP settings to be updated.
-  // Authorization: Requires the `updateSettings` permission for the associated
-  // resource.
-  IapSettings iap_settings = 1 [(google.api.field_behavior) = REQUIRED];
+// The response from ListTunnelDestGroups.
+message ListTunnelDestGroupsResponse {
+  // TunnelDestGroup existing in the project.
+  repeated TunnelDestGroup tunnel_dest_groups = 1;
 
-  // The field mask specifying which IAP settings should be updated.
-  // If omitted, the all of the settings are updated. See
-  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
-  google.protobuf.FieldMask update_mask = 2;
+  // A token that you can send as `page_token` to retrieve the next page.
+  // If this field is omitted, there are no subsequent pages.
+  string next_page_token = 2;
 }
 
-// The IAP configurable settings.
-message IapSettings {
-  // Required. The resource name of the IAP protected resource.
-  string name = 1 [(google.api.field_behavior) = REQUIRED];
+// The request to CreateTunnelDestGroup.
+message CreateTunnelDestGroupRequest {
+  // Required. Google Cloud Project ID and location.
+  // In the following format:
+  // `projects/{project_number/id}/iap_tunnel/locations/{location}`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "iap.googleapis.com/TunnelDestGroup"
+    }
+  ];
+
+  // Required. The TunnelDestGroup to create.
+  TunnelDestGroup tunnel_dest_group = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The ID to use for the TunnelDestGroup, which becomes the final component of
+  // the resource name.
+  //
+  // This value must be 4-63 characters, and valid characters
+  // are `[a-z][0-9]-`.
+  string tunnel_dest_group_id = 3 [(google.api.field_behavior) = REQUIRED];
+}
 
-  // Top level wrapper for all access related setting in IAP
-  AccessSettings access_settings = 5;
+// The request to GetTunnelDestGroup.
+message GetTunnelDestGroupRequest {
+  // Required. Name of the TunnelDestGroup to be fetched.
+  // In the following format:
+  // `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "iap.googleapis.com/TunnelDestGroup"
+    }
+  ];
+}
 
-  // Top level wrapper for all application related settings in IAP
-  ApplicationSettings application_settings = 6;
+// The request to DeleteTunnelDestGroup.
+message DeleteTunnelDestGroupRequest {
+  // Required. Name of the TunnelDestGroup to delete.
+  // In the following format:
+  // `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "iap.googleapis.com/TunnelDestGroup"
+    }
+  ];
 }
 
-// Access related settings for IAP protected apps.
-message AccessSettings {
-  // GCIP claims and endpoint configurations for 3p identity providers.
-  GcipSettings gcip_settings = 1;
+// The request to UpdateTunnelDestGroup.
+message UpdateTunnelDestGroupRequest {
+  // Required. The new values for the TunnelDestGroup.
+  TunnelDestGroup tunnel_dest_group = 1 [(google.api.field_behavior) = REQUIRED];
 
-  // Configuration to allow cross-origin requests via IAP.
-  CorsSettings cors_settings = 2;
+  // A field mask that specifies which IAP settings to update.
+  // If omitted, then all of the settings are updated. See
+  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
+  google.protobuf.FieldMask update_mask = 2;
+}
 
-  // Settings to configure IAP's OAuth behavior.
-  OAuthSettings oauth_settings = 3;
+// A TunnelDestGroup.
+message TunnelDestGroup {
+  option (google.api.resource) = {
+    type: "iap.googleapis.com/TunnelDestGroup"
+    pattern: "projects/{project}/iap_tunnel/locations/{location}/destGroups/{dest_group}"
+  };
+
+  // Required. Immutable. Identifier for the TunnelDestGroup. Must be unique within the
+  // project.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.field_behavior) = IMMUTABLE
+  ];
+
+  // null List of CIDRs that this group applies to.
+  repeated string cidrs = 2 [(google.api.field_behavior) = UNORDERED_LIST];
+
+  // null List of FQDNs that this group applies to.
+  repeated string fqdns = 3 [(google.api.field_behavior) = UNORDERED_LIST];
 }
 
 // API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
@@ -148,11 +272,12 @@ service IdentityAwareProxyOAuthService {
 
   // Constructs a new OAuth brand for the project if one does not exist.
   // The created brand is "internal only", meaning that OAuth clients created
-  // under it only accept requests from users who belong to the same G Suite
-  // organization as the project. The brand is created in an un-reviewed status.
-  // NOTE: The "internal only" status can be manually changed in the Google
-  // Cloud console. Requires that a brand does not already exist for the
-  // project, and that the specified support email is owned by the caller.
+  // under it only accept requests from users who belong to the same Google
+  // Workspace organization as the project. The brand is created in an
+  // un-reviewed status. NOTE: The "internal only" status can be manually
+  // changed in the Google Cloud Console. Requires that a brand does not already
+  // exist for the project, and that the specified support email is owned by the
+  // caller.
   rpc CreateBrand(CreateBrandRequest) returns (Brand) {
     option (google.api.http) = {
       post: "/v1/{parent=projects/*}/brands"
@@ -211,6 +336,54 @@ service IdentityAwareProxyOAuthService {
   }
 }
 
+// The request sent to GetIapSettings.
+message GetIapSettingsRequest {
+  // Required. The resource name for which to retrieve the settings.
+  // Authorization: Requires the `getSettings` permission for the associated
+  // resource.
+  string name = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// The request sent to UpdateIapSettings.
+message UpdateIapSettingsRequest {
+  // Required. The new values for the IAP settings to be updated.
+  // Authorization: Requires the `updateSettings` permission for the associated
+  // resource.
+  IapSettings iap_settings = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // The field mask specifying which IAP settings should be updated.
+  // If omitted, the all of the settings are updated. See
+  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
+  google.protobuf.FieldMask update_mask = 2;
+}
+
+// The IAP configurable settings.
+message IapSettings {
+  // Required. The resource name of the IAP protected resource.
+  string name = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Top level wrapper for all access related setting in IAP
+  AccessSettings access_settings = 5;
+
+  // Top level wrapper for all application related settings in IAP
+  ApplicationSettings application_settings = 6;
+}
+
+// Access related settings for IAP protected apps.
+message AccessSettings {
+  // GCIP claims and endpoint configurations for 3p identity providers.
+  GcipSettings gcip_settings = 1;
+
+  // Configuration to allow cross-origin requests via IAP.
+  CorsSettings cors_settings = 2;
+
+  // Settings to configure IAP's OAuth behavior.
+  OAuthSettings oauth_settings = 3;
+
+  // Settings to configure reauthentication policies in IAP.
+  ReauthSettings reauth_settings = 6;
+}
+
 // Allows customers to configure tenant_id for GCIP instance per-app.
 message GcipSettings {
   // GCIP tenant ids that are linked to the IAP resource.
@@ -246,6 +419,52 @@ message OAuthSettings {
   google.protobuf.StringValue login_hint = 2;
 }
 
+// Configuration for IAP reauthentication policies.
+message ReauthSettings {
+  // Types of reauthentication methods supported by IAP.
+  enum Method {
+    // Reauthentication disabled.
+    METHOD_UNSPECIFIED = 0;
+
+    // Mimics the behavior as if the user had logged out and tried to log in
+    // again. Users with 2SV (2-step verification) enabled see their 2SV
+    // challenges if they did not opt to have their second factor responses
+    // saved. Apps Core (GSuites) admins can configure settings to disable 2SV
+    // cookies and require 2SV for all Apps Core users in their domains.
+    LOGIN = 1;
+
+    // User must type their password.
+    PASSWORD = 2;
+
+    // User must use their secure key 2nd factor device.
+    SECURE_KEY = 3;
+  }
+
+  // Type of policy in the case of hierarchial policies.
+  enum PolicyType {
+    // Default value. This value is unused.
+    POLICY_TYPE_UNSPECIFIED = 0;
+
+    // This policy acts as a minimum to other policies, lower in the hierarchy.
+    // Effective policy may only be the same or stricter.
+    MINIMUM = 1;
+
+    // This policy acts as a default if no other reauth policy is set.
+    DEFAULT = 2;
+  }
+
+  // Reauth method required by the policy.
+  Method method = 1;
+
+  // Reauth session lifetime, how long before a user has to reauthenticate
+  // again.
+  google.protobuf.Duration max_age = 2;
+
+  // How IAP determines the effective policy in cases of hierarchial policies.
+  // Policies are merged from higher in the hierarchy to lower in the hierarchy.
+  PolicyType policy_type = 3;
+}
+
 // Wrapper over application specific settings for IAP.
 message ApplicationSettings {
   // Settings to configure IAP's behavior for a CSM mesh.