feat: [google-cloud-iap] Identity-aware Proxy (IAP) released a feature Use IAP with Workforce Identity Federation (#13751)

- [ ] Regenerate this pull request now.

feat: [google-cloud-iap] Identity-aware Proxy (IAP) released a feature
`Use IAP with Workforce Identity
Federation`(https://cloud.google.com/iap/docs/use-workforce-identity-federation)
at Feb 7, 2025. Two settings field are newly introduced in the feature
release: `AccessSettings.workforce_identity_settings` and
`AccessSettings.identity_sources`


BEGIN_COMMIT_OVERRIDE
feat: Use IAP with Workforce Identity Federation
feat: Add fields `AccessSettings.workforce_identity_settings` and
`AccessSettings.identity_sources`
docs: A comment for field `name` in message
`.google.cloud.iap.v1.TunnelDestGroup` is changed
docs: A comment for field `cidrs` in message
`.google.cloud.iap.v1.TunnelDestGroup` is changed
docs: A comment for field `fqdns` in message
`.google.cloud.iap.v1.TunnelDestGroup` is changed
docs: Mark `access_settings` in message
`.google.cloud.iap.v1.IapSettings` as optional
docs: Mark `application_settings` in message
`.google.cloud.iap.v1.IapSettings` as optional
docs: Mark `gcip_settings` in message
`.google.cloud.iap.v1.AccessSettings` as optional
docs: Mark `cors_settings` in message
`.google.cloud.iap.v1.AccessSettings` as optional
docs: Mark `oauth_settings` in message
`.google.cloud.iap.v1.AccessSettings` as optional
docs: Mark `reauth_settings` in message
`.google.cloud.iap.v1.AccessSettings` as optional
docs: Mark `allowed_domains_settings` in message
`.google.cloud.iap.v1.AccessSettings` as optional
docs: Mark `tenant_ids` in message `.google.cloud.iap.v1.GcipSettings`
as optional
docs: Mark `programmatic_clients` in message
`.google.cloud.iap.v1.OAuthSettings` as optional
docs: A comment for enum `PolicyType` is changed
docs: Mark `method` in message `.google.cloud.iap.v1.ReauthSettings` as
optional
docs: Mark `max_age` in message `.google.cloud.iap.v1.ReauthSettings` as
optional
docs: Mark `policy_type` in message
`.google.cloud.iap.v1.ReauthSettings` as optional
docs: Mark `enable` in message
`.google.cloud.iap.v1.AllowedDomainsSettings` as optional
docs: Mark `domains` in message
`.google.cloud.iap.v1.AllowedDomainsSettings` as optional
docs: Mark `csm_settings` in message
`.google.cloud.iap.v1.ApplicationSettings` as optional
docs: Mark `access_denied_page_settings` in message
`.google.cloud.iap.v1.ApplicationSettings` as optional
docs: Mark `attribute_propagation_settings` in message
`.google.cloud.iap.v1.ApplicationSettings` as optional
docs: Mark `expression` in message
`.google.cloud.iap.v1.AttributePropagationSettings` as optional
docs: Mark `output_credentials` in message
`.google.cloud.iap.v1.AttributePropagationSettings` as optional
docs: Mark `enable` in message
`.google.cloud.iap.v1.AttributePropagationSettings` as optional
END_COMMIT_OVERRIDE

PiperOrigin-RevId: 745722681

Source-Link:
googleapis/googleapis@81dd948

Source-Link:
googleapis/googleapis-gen@553184a
Copy-Tag:
eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWlhcC8uT3dsQm90LnlhbWwiLCJoIjoiNTUzMTg0YTdjZDdlMWM1ODI0OTVmYjFmOGNkMDBlYzBmNjZhZmY2ZCJ9

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: gcf-owl-bot[bot]

packages/google-cloud-iap/google/cloud/iap/__init__.py

@@ -57,12 +57,16 @@
     ListIdentityAwareProxyClientsResponse,
     ListTunnelDestGroupsRequest,
     ListTunnelDestGroupsResponse,
+    OAuth2,
     OAuthSettings,
     ReauthSettings,
     ResetIdentityAwareProxyClientSecretRequest,
     TunnelDestGroup,
     UpdateIapSettingsRequest,
     UpdateTunnelDestGroupRequest,
+    ValidateIapAttributeExpressionRequest,
+    ValidateIapAttributeExpressionResponse,
+    WorkforceIdentitySettings,
 )
 
 __all__ = (
@@ -96,10 +100,14 @@
     "ListIdentityAwareProxyClientsResponse",
     "ListTunnelDestGroupsRequest",
     "ListTunnelDestGroupsResponse",
+    "OAuth2",
     "OAuthSettings",
     "ReauthSettings",
     "ResetIdentityAwareProxyClientSecretRequest",
     "TunnelDestGroup",
     "UpdateIapSettingsRequest",
     "UpdateTunnelDestGroupRequest",
+    "ValidateIapAttributeExpressionRequest",
+    "ValidateIapAttributeExpressionResponse",
+    "WorkforceIdentitySettings",
 )

packages/google-cloud-iap/google/cloud/iap_v1/__init__.py

@@ -53,12 +53,16 @@
     ListIdentityAwareProxyClientsResponse,
     ListTunnelDestGroupsRequest,
     ListTunnelDestGroupsResponse,
+    OAuth2,
     OAuthSettings,
     ReauthSettings,
     ResetIdentityAwareProxyClientSecretRequest,
     TunnelDestGroup,
     UpdateIapSettingsRequest,
     UpdateTunnelDestGroupRequest,
+    ValidateIapAttributeExpressionRequest,
+    ValidateIapAttributeExpressionResponse,
+    WorkforceIdentitySettings,
 )
 
 __all__ = (
@@ -92,10 +96,14 @@
     "ListIdentityAwareProxyClientsResponse",
     "ListTunnelDestGroupsRequest",
     "ListTunnelDestGroupsResponse",
+    "OAuth2",
     "OAuthSettings",
     "ReauthSettings",
     "ResetIdentityAwareProxyClientSecretRequest",
     "TunnelDestGroup",
     "UpdateIapSettingsRequest",
     "UpdateTunnelDestGroupRequest",
+    "ValidateIapAttributeExpressionRequest",
+    "ValidateIapAttributeExpressionResponse",
+    "WorkforceIdentitySettings",
 )

packages/google-cloud-iap/google/cloud/iap_v1/gapic_metadata.json

@@ -59,6 +59,11 @@
               "methods": [
                 "update_tunnel_dest_group"
               ]
+            },
+            "ValidateIapAttributeExpression": {
+              "methods": [
+                "validate_iap_attribute_expression"
+              ]
             }
           }
         },
@@ -114,6 +119,11 @@
               "methods": [
                 "update_tunnel_dest_group"
               ]
+            },
+            "ValidateIapAttributeExpression": {
+              "methods": [
+                "validate_iap_attribute_expression"
+              ]
             }
           }
         },
@@ -169,6 +179,11 @@
               "methods": [
                 "update_tunnel_dest_group"
               ]
+            },
+            "ValidateIapAttributeExpression": {
+              "methods": [
+                "validate_iap_attribute_expression"
+              ]
             }
           }
         }

packages/google-cloud-iap/google/cloud/iap_v1/services/identity_aware_proxy_admin_service/async_client.py

@@ -817,6 +817,96 @@ async def sample_update_iap_settings():
         # Done; return the response.
         return response
 
+    async def validate_iap_attribute_expression(
+        self,
+        request: Optional[
+            Union[service.ValidateIapAttributeExpressionRequest, dict]
+        ] = None,
+        *,
+        retry: OptionalRetry = gapic_v1.method.DEFAULT,
+        timeout: Union[float, object] = gapic_v1.method.DEFAULT,
+        metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
+    ) -> service.ValidateIapAttributeExpressionResponse:
+        r"""Validates that a given CEL expression conforms to IAP
+        restrictions.
+
+        .. code-block:: python
+
+            # This snippet has been automatically generated and should be regarded as a
+            # code template only.
+            # It will require modifications to work:
+            # - It may require correct/in-range values for request initialization.
+            # - It may require specifying regional endpoints when creating the service
+            #   client as shown in:
+            #   https://googleapis.dev/python/google-api-core/latest/client_options.html
+            from google.cloud import iap_v1
+
+            async def sample_validate_iap_attribute_expression():
+                # Create a client
+                client = iap_v1.IdentityAwareProxyAdminServiceAsyncClient()
+
+                # Initialize request argument(s)
+                request = iap_v1.ValidateIapAttributeExpressionRequest(
+                    name="name_value",
+                    expression="expression_value",
+                )
+
+                # Make the request
+                response = await client.validate_iap_attribute_expression(request=request)
+
+                # Handle the response
+                print(response)
+
+        Args:
+            request (Optional[Union[google.cloud.iap_v1.types.ValidateIapAttributeExpressionRequest, dict]]):
+                The request object. Request sent to IAP Expression Linter
+                endpoint.
+            retry (google.api_core.retry_async.AsyncRetry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be
+                sent along with the request as metadata. Normally, each value must be of type `str`,
+                but for metadata keys ending with the suffix `-bin`, the corresponding values must
+                be of type `bytes`.
+
+        Returns:
+            google.cloud.iap_v1.types.ValidateIapAttributeExpressionResponse:
+                IAP Expression Linter endpoint
+                returns empty response body.
+
+        """
+        # Create or coerce a protobuf request object.
+        # - Use the request object if provided (there's no risk of modifying the input as
+        #   there are no flattened fields), or create one.
+        if not isinstance(request, service.ValidateIapAttributeExpressionRequest):
+            request = service.ValidateIapAttributeExpressionRequest(request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._client._transport._wrapped_methods[
+            self._client._transport.validate_iap_attribute_expression
+        ]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Validate the universe domain.
+        self._client._validate_universe_domain()
+
+        # Send the request.
+        response = await rpc(
+            request,
+            retry=retry,
+            timeout=timeout,
+            metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
     async def list_tunnel_dest_groups(
         self,
         request: Optional[Union[service.ListTunnelDestGroupsRequest, dict]] = None,
@@ -976,12 +1066,8 @@ async def sample_create_tunnel_dest_group():
                 client = iap_v1.IdentityAwareProxyAdminServiceAsyncClient()
 
                 # Initialize request argument(s)
-                tunnel_dest_group = iap_v1.TunnelDestGroup()
-                tunnel_dest_group.name = "name_value"
-
                 request = iap_v1.CreateTunnelDestGroupRequest(
                     parent="parent_value",
-                    tunnel_dest_group=tunnel_dest_group,
                     tunnel_dest_group_id="tunnel_dest_group_id_value",
                 )
 
@@ -1320,11 +1406,7 @@ async def sample_update_tunnel_dest_group():
                 client = iap_v1.IdentityAwareProxyAdminServiceAsyncClient()
 
                 # Initialize request argument(s)
-                tunnel_dest_group = iap_v1.TunnelDestGroup()
-                tunnel_dest_group.name = "name_value"
-
                 request = iap_v1.UpdateTunnelDestGroupRequest(
-                    tunnel_dest_group=tunnel_dest_group,
                 )
 
                 # Make the request

packages/google-cloud-iap/google/cloud/iap_v1/services/identity_aware_proxy_admin_service/client.py

@@ -1249,6 +1249,96 @@ def sample_update_iap_settings():
         # Done; return the response.
         return response
 
+    def validate_iap_attribute_expression(
+        self,
+        request: Optional[
+            Union[service.ValidateIapAttributeExpressionRequest, dict]
+        ] = None,
+        *,
+        retry: OptionalRetry = gapic_v1.method.DEFAULT,
+        timeout: Union[float, object] = gapic_v1.method.DEFAULT,
+        metadata: Sequence[Tuple[str, Union[str, bytes]]] = (),
+    ) -> service.ValidateIapAttributeExpressionResponse:
+        r"""Validates that a given CEL expression conforms to IAP
+        restrictions.
+
+        .. code-block:: python
+
+            # This snippet has been automatically generated and should be regarded as a
+            # code template only.
+            # It will require modifications to work:
+            # - It may require correct/in-range values for request initialization.
+            # - It may require specifying regional endpoints when creating the service
+            #   client as shown in:
+            #   https://googleapis.dev/python/google-api-core/latest/client_options.html
+            from google.cloud import iap_v1
+
+            def sample_validate_iap_attribute_expression():
+                # Create a client
+                client = iap_v1.IdentityAwareProxyAdminServiceClient()
+
+                # Initialize request argument(s)
+                request = iap_v1.ValidateIapAttributeExpressionRequest(
+                    name="name_value",
+                    expression="expression_value",
+                )
+
+                # Make the request
+                response = client.validate_iap_attribute_expression(request=request)
+
+                # Handle the response
+                print(response)
+
+        Args:
+            request (Union[google.cloud.iap_v1.types.ValidateIapAttributeExpressionRequest, dict]):
+                The request object. Request sent to IAP Expression Linter
+                endpoint.
+            retry (google.api_core.retry.Retry): Designation of what errors, if any,
+                should be retried.
+            timeout (float): The timeout for this request.
+            metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be
+                sent along with the request as metadata. Normally, each value must be of type `str`,
+                but for metadata keys ending with the suffix `-bin`, the corresponding values must
+                be of type `bytes`.
+
+        Returns:
+            google.cloud.iap_v1.types.ValidateIapAttributeExpressionResponse:
+                IAP Expression Linter endpoint
+                returns empty response body.
+
+        """
+        # Create or coerce a protobuf request object.
+        # - Use the request object if provided (there's no risk of modifying the input as
+        #   there are no flattened fields), or create one.
+        if not isinstance(request, service.ValidateIapAttributeExpressionRequest):
+            request = service.ValidateIapAttributeExpressionRequest(request)
+
+        # Wrap the RPC method; this adds retry and timeout information,
+        # and friendly error handling.
+        rpc = self._transport._wrapped_methods[
+            self._transport.validate_iap_attribute_expression
+        ]
+
+        # Certain fields should be provided within the metadata header;
+        # add these here.
+        metadata = tuple(metadata) + (
+            gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)),
+        )
+
+        # Validate the universe domain.
+        self._validate_universe_domain()
+
+        # Send the request.
+        response = rpc(
+            request,
+            retry=retry,
+            timeout=timeout,
+            metadata=metadata,
+        )
+
+        # Done; return the response.
+        return response
+
     def list_tunnel_dest_groups(
         self,
         request: Optional[Union[service.ListTunnelDestGroupsRequest, dict]] = None,
@@ -1405,12 +1495,8 @@ def sample_create_tunnel_dest_group():
                 client = iap_v1.IdentityAwareProxyAdminServiceClient()
 
                 # Initialize request argument(s)
-                tunnel_dest_group = iap_v1.TunnelDestGroup()
-                tunnel_dest_group.name = "name_value"
-
                 request = iap_v1.CreateTunnelDestGroupRequest(
                     parent="parent_value",
-                    tunnel_dest_group=tunnel_dest_group,
                     tunnel_dest_group_id="tunnel_dest_group_id_value",
                 )
 
@@ -1740,11 +1826,7 @@ def sample_update_tunnel_dest_group():
                 client = iap_v1.IdentityAwareProxyAdminServiceClient()
 
                 # Initialize request argument(s)
-                tunnel_dest_group = iap_v1.TunnelDestGroup()
-                tunnel_dest_group.name = "name_value"
-
                 request = iap_v1.UpdateTunnelDestGroupRequest(
-                    tunnel_dest_group=tunnel_dest_group,
                 )
 
                 # Make the request

packages/google-cloud-iap/google/cloud/iap_v1/services/identity_aware_proxy_admin_service/transports/base.py

@@ -156,6 +156,11 @@ def _prep_wrapped_messages(self, client_info):
                 default_timeout=None,
                 client_info=client_info,
             ),
+            self.validate_iap_attribute_expression: gapic_v1.method.wrap_method(
+                self.validate_iap_attribute_expression,
+                default_timeout=None,
+                client_info=client_info,
+            ),
             self.list_tunnel_dest_groups: gapic_v1.method.wrap_method(
                 self.list_tunnel_dest_groups,
                 default_timeout=None,
@@ -240,6 +245,18 @@ def update_iap_settings(
     ]:
         raise NotImplementedError()
 
+    @property
+    def validate_iap_attribute_expression(
+        self,
+    ) -> Callable[
+        [service.ValidateIapAttributeExpressionRequest],
+        Union[
+            service.ValidateIapAttributeExpressionResponse,
+            Awaitable[service.ValidateIapAttributeExpressionResponse],
+        ],
+    ]:
+        raise NotImplementedError()
+
     @property
     def list_tunnel_dest_groups(
         self,