var (
	AccessState_name = map[int32]string{
		0: "ACCESS_STATE_UNSPECIFIED",
		1: "GRANTED",
		2: "NOT_GRANTED",
		3: "UNKNOWN_CONDITIONAL",
		4: "UNKNOWN_INFO_DENIED",
	}
	AccessState_value = map[string]int32{
		"ACCESS_STATE_UNSPECIFIED": 0,
		"GRANTED":                  1,
		"NOT_GRANTED":              2,
		"UNKNOWN_CONDITIONAL":      3,
		"UNKNOWN_INFO_DENIED":      4,
	}
)

var (
	HeuristicRelevance_name = map[int32]string{
		0: "HEURISTIC_RELEVANCE_UNSPECIFIED",
		1: "NORMAL",
		2: "HIGH",
	}
	HeuristicRelevance_value = map[string]int32{
		"HEURISTIC_RELEVANCE_UNSPECIFIED": 0,
		"NORMAL":                          1,
		"HIGH":                            2,
	}
)

var (
	BindingExplanation_RolePermission_name = map[int32]string{
		0: "ROLE_PERMISSION_UNSPECIFIED",
		1: "ROLE_PERMISSION_INCLUDED",
		2: "ROLE_PERMISSION_NOT_INCLUDED",
		3: "ROLE_PERMISSION_UNKNOWN_INFO_DENIED",
	}
	BindingExplanation_RolePermission_value = map[string]int32{
		"ROLE_PERMISSION_UNSPECIFIED":         0,
		"ROLE_PERMISSION_INCLUDED":            1,
		"ROLE_PERMISSION_NOT_INCLUDED":        2,
		"ROLE_PERMISSION_UNKNOWN_INFO_DENIED": 3,
	}
)

var (
	BindingExplanation_Membership_name = map[int32]string{
		0: "MEMBERSHIP_UNSPECIFIED",
		1: "MEMBERSHIP_INCLUDED",
		2: "MEMBERSHIP_NOT_INCLUDED",
		3: "MEMBERSHIP_UNKNOWN_INFO_DENIED",
		4: "MEMBERSHIP_UNKNOWN_UNSUPPORTED",
	}
	BindingExplanation_Membership_value = map[string]int32{
		"MEMBERSHIP_UNSPECIFIED":         0,
		"MEMBERSHIP_INCLUDED":            1,
		"MEMBERSHIP_NOT_INCLUDED":        2,
		"MEMBERSHIP_UNKNOWN_INFO_DENIED": 3,
		"MEMBERSHIP_UNKNOWN_UNSUPPORTED": 4,
	}
)

var File_google_cloud_policytroubleshooter_v1_checker_proto protoreflect.FileDescriptor

var File_google_cloud_policytroubleshooter_v1_explanations_proto protoreflect.FileDescriptor

type AccessState int32

const (
	// Default value. This value is unused.
	AccessState_ACCESS_STATE_UNSPECIFIED AccessState = 0
	// The principal has the permission.
	AccessState_GRANTED AccessState = 1
	// The principal does not have the permission.
	AccessState_NOT_GRANTED AccessState = 2
	// The principal has the permission only if a condition expression evaluates
	// to `true`.
	AccessState_UNKNOWN_CONDITIONAL AccessState = 3
	// The sender of the request does not have access to all of the policies that
	// Policy Troubleshooter needs to evaluate.
	AccessState_UNKNOWN_INFO_DENIED AccessState = 4
)

type AccessTuple struct {

	// Required. The principal whose access you want to check, in the form of
	// the email address that represents that principal. For example,
	// `alice@example.com` or
	// `my-service-account@my-project.iam.gserviceaccount.com`.
	//
	// The principal must be a Google Account or a service account. Other types of
	// principals are not supported.
	Principal string `protobuf:"bytes,1,opt,name=principal,proto3" json:"principal,omitempty"`
	// Required. The full resource name that identifies the resource. For example,
	// `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
	//
	// For examples of full resource names for Google Cloud services, see
	// https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
	FullResourceName string `protobuf:"bytes,2,opt,name=full_resource_name,json=fullResourceName,proto3" json:"full_resource_name,omitempty"`
	// Required. The IAM permission to check for the specified principal and
	// resource.
	//
	// For a complete list of IAM permissions, see
	// https://cloud.google.com/iam/help/permissions/reference.
	//
	// For a complete list of predefined IAM roles and the permissions in each
	// role, see https://cloud.google.com/iam/help/roles/reference.
	Permission string `protobuf:"bytes,3,opt,name=permission,proto3" json:"permission,omitempty"`
	// contains filtered or unexported fields
}

type BindingExplanation struct {

	// Required. Indicates whether _this binding_ provides the specified
	// permission to the specified principal for the specified resource.
	//
	// This field does _not_ indicate whether the principal actually has the
	// permission for the resource. There might be another binding that overrides
	// this binding. To determine whether the principal actually has the
	// permission, use the `access` field in the
	// [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].
	Access AccessState `protobuf:"varint,1,opt,name=access,proto3,enum=google.cloud.policytroubleshooter.v1.AccessState" json:"access,omitempty"`
	// The role that this binding grants. For example,
	// `roles/compute.serviceAgent`.
	//
	// For a complete list of predefined IAM roles, as well as the permissions in
	// each role, see https://cloud.google.com/iam/help/roles/reference.
	Role string `protobuf:"bytes,2,opt,name=role,proto3" json:"role,omitempty"`
	// Indicates whether the role granted by this binding contains the specified
	// permission.
	RolePermission BindingExplanation_RolePermission `protobuf:"varint,3,opt,name=role_permission,json=rolePermission,proto3,enum=google.cloud.policytroubleshooter.v1.BindingExplanation_RolePermission" json:"role_permission,omitempty"`
	// The relevance of the permission's existence, or nonexistence, in the role
	// to the overall determination for the entire policy.
	RolePermissionRelevance HeuristicRelevance `protobuf:"varint,4,opt,name=role_permission_relevance,json=rolePermissionRelevance,proto3,enum=google.cloud.policytroubleshooter.v1.HeuristicRelevance" json:"role_permission_relevance,omitempty"`
	// Indicates whether each principal in the binding includes the principal
	// specified in the request, either directly or indirectly. Each key
	// identifies a principal in the binding, and each value indicates whether the
	// principal in the binding includes the principal in the request.
	//
	// For example, suppose that a binding includes the following principals:
	//
	// * `user:alice@example.com`
	// * `group:product-eng@example.com`
	//
	// You want to troubleshoot access for `user:bob@example.com`. This user is a
	// principal of the group `group:product-eng@example.com`.
	//
	// For the first principal in the binding, the key is
	// `user:alice@example.com`, and the `membership` field in the value is set to
	// `MEMBERSHIP_NOT_INCLUDED`.
	//
	// For the second principal in the binding, the key is
	// `group:product-eng@example.com`, and the `membership` field in the value is
	// set to `MEMBERSHIP_INCLUDED`.
	Memberships map[string]*BindingExplanation_AnnotatedMembership `protobuf:"bytes,5,rep,name=memberships,proto3" json:"memberships,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	// The relevance of this binding to the overall determination for the entire
	// policy.
	Relevance HeuristicRelevance `protobuf:"varint,6,opt,name=relevance,proto3,enum=google.cloud.policytroubleshooter.v1.HeuristicRelevance" json:"relevance,omitempty"`
	// A condition expression that prevents this binding from granting access
	// unless the expression evaluates to `true`.
	//
	// To learn about IAM Conditions, see
	// https://cloud.google.com/iam/help/conditions/overview.
	Condition *expr.Expr `protobuf:"bytes,7,opt,name=condition,proto3" json:"condition,omitempty"`
	// contains filtered or unexported fields
}

type BindingExplanation_AnnotatedMembership struct {

	// Indicates whether the binding includes the principal.
	Membership BindingExplanation_Membership `protobuf:"varint,1,opt,name=membership,proto3,enum=google.cloud.policytroubleshooter.v1.BindingExplanation_Membership" json:"membership,omitempty"`
	// The relevance of the principal's status to the overall determination for
	// the binding.
	Relevance HeuristicRelevance `protobuf:"varint,2,opt,name=relevance,proto3,enum=google.cloud.policytroubleshooter.v1.HeuristicRelevance" json:"relevance,omitempty"`
	// contains filtered or unexported fields
}

type BindingExplanation_Membership int32

const (
	// Default value. This value is unused.
	BindingExplanation_MEMBERSHIP_UNSPECIFIED BindingExplanation_Membership = 0
	// The binding includes the principal. The principal can be included
	// directly or indirectly. For example:
	//
	//   - A principal is included directly if that principal is listed in the
	//     binding.
	//   - A principal is included indirectly if that principal is in a Google
	//     group or Google Workspace domain that is listed in the binding.
	BindingExplanation_MEMBERSHIP_INCLUDED BindingExplanation_Membership = 1
	// The binding does not include the principal.
	BindingExplanation_MEMBERSHIP_NOT_INCLUDED BindingExplanation_Membership = 2
	// The sender of the request is not allowed to access the binding.
	BindingExplanation_MEMBERSHIP_UNKNOWN_INFO_DENIED BindingExplanation_Membership = 3
	// The principal is an unsupported type. Only Google Accounts and service
	// accounts are supported.
	BindingExplanation_MEMBERSHIP_UNKNOWN_UNSUPPORTED BindingExplanation_Membership = 4
)

type BindingExplanation_RolePermission int32

const (
	// Default value. This value is unused.
	BindingExplanation_ROLE_PERMISSION_UNSPECIFIED BindingExplanation_RolePermission = 0
	// The permission is included in the role.
	BindingExplanation_ROLE_PERMISSION_INCLUDED BindingExplanation_RolePermission = 1
	// The permission is not included in the role.
	BindingExplanation_ROLE_PERMISSION_NOT_INCLUDED BindingExplanation_RolePermission = 2
	// The sender of the request is not allowed to access the binding.
	BindingExplanation_ROLE_PERMISSION_UNKNOWN_INFO_DENIED BindingExplanation_RolePermission = 3
)

type ExplainedPolicy struct {

	// Indicates whether _this policy_ provides the specified permission to the
	// specified principal for the specified resource.
	//
	// This field does _not_ indicate whether the principal actually has the
	// permission for the resource. There might be another policy that overrides
	// this policy. To determine whether the principal actually has the
	// permission, use the `access` field in the
	// [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].
	Access AccessState `protobuf:"varint,1,opt,name=access,proto3,enum=google.cloud.policytroubleshooter.v1.AccessState" json:"access,omitempty"`
	// The full resource name that identifies the resource. For example,
	// `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
	//
	// If the sender of the request does not have access to the policy, this field
	// is omitted.
	//
	// For examples of full resource names for Google Cloud services, see
	// https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
	FullResourceName string `protobuf:"bytes,2,opt,name=full_resource_name,json=fullResourceName,proto3" json:"full_resource_name,omitempty"`
	// The IAM policy attached to the resource.
	//
	// If the sender of the request does not have access to the policy, this field
	// is empty.
	Policy *iampb.Policy `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"`
	// Details about how each binding in the policy affects the principal's
	// ability, or inability, to use the permission for the resource.
	//
	// If the sender of the request does not have access to the policy, this field
	// is omitted.
	BindingExplanations []*BindingExplanation `protobuf:"bytes,4,rep,name=binding_explanations,json=bindingExplanations,proto3" json:"binding_explanations,omitempty"`
	// The relevance of this policy to the overall determination in the
	// [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].
	//
	// If the sender of the request does not have access to the policy, this field
	// is omitted.
	Relevance HeuristicRelevance `protobuf:"varint,5,opt,name=relevance,proto3,enum=google.cloud.policytroubleshooter.v1.HeuristicRelevance" json:"relevance,omitempty"`
	// contains filtered or unexported fields
}

type HeuristicRelevance int32

const (
	// Default value. This value is unused.
	HeuristicRelevance_HEURISTIC_RELEVANCE_UNSPECIFIED HeuristicRelevance = 0
	// The data point has a limited effect on the result. Changing the data point
	// is unlikely to affect the overall determination.
	HeuristicRelevance_NORMAL HeuristicRelevance = 1
	// The data point has a strong effect on the result. Changing the data point
	// is likely to affect the overall determination.
	HeuristicRelevance_HIGH HeuristicRelevance = 2
)

type IamCheckerClient interface {
	// Checks whether a principal has a specific permission for a specific
	// resource, and explains why the principal does or does not have that
	// permission.
	TroubleshootIamPolicy(ctx context.Context, in *TroubleshootIamPolicyRequest, opts ...grpc.CallOption) (*TroubleshootIamPolicyResponse, error)
}

type IamCheckerServer interface {
	// Checks whether a principal has a specific permission for a specific
	// resource, and explains why the principal does or does not have that
	// permission.
	TroubleshootIamPolicy(context.Context, *TroubleshootIamPolicyRequest) (*TroubleshootIamPolicyResponse, error)
}

type TroubleshootIamPolicyRequest struct {

	// The information to use for checking whether a principal has a permission
	// for a resource.
	AccessTuple *AccessTuple `protobuf:"bytes,1,opt,name=access_tuple,json=accessTuple,proto3" json:"access_tuple,omitempty"`
	// contains filtered or unexported fields
}

type TroubleshootIamPolicyResponse struct {

	// Indicates whether the principal has the specified permission for the
	// specified resource, based on evaluating all of the applicable IAM policies.
	Access AccessState `protobuf:"varint,1,opt,name=access,proto3,enum=google.cloud.policytroubleshooter.v1.AccessState" json:"access,omitempty"`
	// List of IAM policies that were evaluated to check the principal's
	// permissions, with annotations to indicate how each policy contributed to
	// the final result.
	//
	// The list of policies can include the policy for the resource itself. It can
	// also include policies that are inherited from higher levels of the resource
	// hierarchy, including the organization, the folder, and the project.
	//
	// To learn more about the resource hierarchy, see
	// https://cloud.google.com/iam/help/resource-hierarchy.
	ExplainedPolicies []*ExplainedPolicy `protobuf:"bytes,2,rep,name=explained_policies,json=explainedPolicies,proto3" json:"explained_policies,omitempty"`
	// The general errors contained in the troubleshooting response.
	Errors []*status.Status `protobuf:"bytes,3,rep,name=errors,proto3" json:"errors,omitempty"`
	// contains filtered or unexported fields
}

type UnimplementedIamCheckerServer struct {
}