feat: add an enum ENROLLED_SECOND_FACTORS under IapSettings

Google APIs · copybara-github · commit d2d07fc10d0a · 2023-03-13T21:09:41.000-07:00
docs: update doc description for field_mask

PiperOrigin-RevId: 516408359
diff --git a/google/cloud/iap/v1/service.proto b/google/cloud/iap/v1/service.proto
@@ -148,6 +148,93 @@ service IdentityAwareProxyAdminService {
   }
 }
 
+// API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
+// OAuth brands; and create, retrieve, delete and reset-secret of IAP OAuth
+// clients.
+service IdentityAwareProxyOAuthService {
+  option (google.api.default_host) = "iap.googleapis.com";
+  option (google.api.oauth_scopes) =
+      "https://www.googleapis.com/auth/cloud-platform";
+
+  // Lists the existing brands for the project.
+  rpc ListBrands(ListBrandsRequest) returns (ListBrandsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*}/brands"
+    };
+  }
+
+  // Constructs a new OAuth brand for the project if one does not exist.
+  // The created brand is "internal only", meaning that OAuth clients created
+  // under it only accept requests from users who belong to the same Google
+  // Workspace organization as the project. The brand is created in an
+  // un-reviewed status. NOTE: The "internal only" status can be manually
+  // changed in the Google Cloud Console. Requires that a brand does not already
+  // exist for the project, and that the specified support email is owned by the
+  // caller.
+  rpc CreateBrand(CreateBrandRequest) returns (Brand) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*}/brands"
+      body: "brand"
+    };
+  }
+
+  // Retrieves the OAuth brand of the project.
+  rpc GetBrand(GetBrandRequest) returns (Brand) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/brands/*}"
+    };
+  }
+
+  // Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned
+  // by IAP. Requires that the brand for the project exists and that it is
+  // set for internal-only use.
+  rpc CreateIdentityAwareProxyClient(CreateIdentityAwareProxyClientRequest)
+      returns (IdentityAwareProxyClient) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
+      body: "identity_aware_proxy_client"
+    };
+  }
+
+  // Lists the existing clients for the brand.
+  rpc ListIdentityAwareProxyClients(ListIdentityAwareProxyClientsRequest)
+      returns (ListIdentityAwareProxyClientsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
+    };
+  }
+
+  // Retrieves an Identity Aware Proxy (IAP) OAuth client.
+  // Requires that the client is owned by IAP.
+  rpc GetIdentityAwareProxyClient(GetIdentityAwareProxyClientRequest)
+      returns (IdentityAwareProxyClient) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
+    };
+  }
+
+  // Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the
+  // secret was compromised. Requires that the client is owned by IAP.
+  rpc ResetIdentityAwareProxyClientSecret(
+      ResetIdentityAwareProxyClientSecretRequest)
+      returns (IdentityAwareProxyClient) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}:resetSecret"
+      body: "*"
+    };
+  }
+
+  // Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing
+  // obsolete clients, managing the number of clients in a given project, and
+  // cleaning up after tests. Requires that the client is owned by IAP.
+  rpc DeleteIdentityAwareProxyClient(DeleteIdentityAwareProxyClientRequest)
+      returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
+    };
+  }
+}
+
 // The request to ListTunnelDestGroups.
 message ListTunnelDestGroupsRequest {
   // Required. Google Cloud Project ID and location.
@@ -286,8 +373,11 @@ message UpdateIapSettingsRequest {
   IapSettings iap_settings = 1 [(google.api.field_behavior) = REQUIRED];
 
   // The field mask specifying which IAP settings should be updated.
-  // If omitted, the all of the settings are updated. See
-  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
+  // If omitted, then all of the settings are updated. See
+  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.
+  //
+  // Note: All IAP reauth settings must always be set together, using the
+  // field mask: `iapSettings.accessSettings.reauthSettings`.
   google.protobuf.FieldMask update_mask = 2;
 }
 
@@ -371,6 +461,9 @@ message ReauthSettings {
 
     // User must use their secure key 2nd factor device.
     SECURE_KEY = 3;
+
+    // User can use any enabled 2nd factor.
+    ENROLLED_SECOND_FACTORS = 4;
   }
 
   // Type of policy in the case of hierarchial policies.
@@ -508,93 +601,6 @@ message AttributePropagationSettings {
   optional bool enable = 3;
 }
 
-// API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
-// OAuth brands; and create, retrieve, delete and reset-secret of IAP OAuth
-// clients.
-service IdentityAwareProxyOAuthService {
-  option (google.api.default_host) = "iap.googleapis.com";
-  option (google.api.oauth_scopes) =
-      "https://www.googleapis.com/auth/cloud-platform";
-
-  // Lists the existing brands for the project.
-  rpc ListBrands(ListBrandsRequest) returns (ListBrandsResponse) {
-    option (google.api.http) = {
-      get: "/v1/{parent=projects/*}/brands"
-    };
-  }
-
-  // Constructs a new OAuth brand for the project if one does not exist.
-  // The created brand is "internal only", meaning that OAuth clients created
-  // under it only accept requests from users who belong to the same Google
-  // Workspace organization as the project. The brand is created in an
-  // un-reviewed status. NOTE: The "internal only" status can be manually
-  // changed in the Google Cloud Console. Requires that a brand does not already
-  // exist for the project, and that the specified support email is owned by the
-  // caller.
-  rpc CreateBrand(CreateBrandRequest) returns (Brand) {
-    option (google.api.http) = {
-      post: "/v1/{parent=projects/*}/brands"
-      body: "brand"
-    };
-  }
-
-  // Retrieves the OAuth brand of the project.
-  rpc GetBrand(GetBrandRequest) returns (Brand) {
-    option (google.api.http) = {
-      get: "/v1/{name=projects/*/brands/*}"
-    };
-  }
-
-  // Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned
-  // by IAP. Requires that the brand for the project exists and that it is
-  // set for internal-only use.
-  rpc CreateIdentityAwareProxyClient(CreateIdentityAwareProxyClientRequest)
-      returns (IdentityAwareProxyClient) {
-    option (google.api.http) = {
-      post: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
-      body: "identity_aware_proxy_client"
-    };
-  }
-
-  // Lists the existing clients for the brand.
-  rpc ListIdentityAwareProxyClients(ListIdentityAwareProxyClientsRequest)
-      returns (ListIdentityAwareProxyClientsResponse) {
-    option (google.api.http) = {
-      get: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
-    };
-  }
-
-  // Retrieves an Identity Aware Proxy (IAP) OAuth client.
-  // Requires that the client is owned by IAP.
-  rpc GetIdentityAwareProxyClient(GetIdentityAwareProxyClientRequest)
-      returns (IdentityAwareProxyClient) {
-    option (google.api.http) = {
-      get: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
-    };
-  }
-
-  // Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the
-  // secret was compromised. Requires that the client is owned by IAP.
-  rpc ResetIdentityAwareProxyClientSecret(
-      ResetIdentityAwareProxyClientSecretRequest)
-      returns (IdentityAwareProxyClient) {
-    option (google.api.http) = {
-      post: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}:resetSecret"
-      body: "*"
-    };
-  }
-
-  // Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing
-  // obsolete clients, managing the number of clients in a given project, and
-  // cleaning up after tests. Requires that the client is owned by IAP.
-  rpc DeleteIdentityAwareProxyClient(DeleteIdentityAwareProxyClientRequest)
-      returns (google.protobuf.Empty) {
-    option (google.api.http) = {
-      delete: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
-    };
-  }
-}
-
 // The request sent to ListBrands.
 message ListBrandsRequest {
   // Required. GCP Project number/id.
