// Copyright 2019 Google LLC.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Code generated file. DO NOT EDIT.

// Package policytroubleshooter provides access to the Policy Troubleshooter API.
//
// For product documentation, see: https://cloud.google.com/iam/
//
// Creating a client
//
// Usage example:
//
//   import "google.golang.org/api/policytroubleshooter/v1beta"
//   ...
//   ctx := context.Background()
//   policytroubleshooterService, err := policytroubleshooter.NewService(ctx)
//
// In this example, Google Application Default Credentials are used for authentication.
//
// For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.
//
// Other authentication options
//
// To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey:
//
//   policytroubleshooterService, err := policytroubleshooter.NewService(ctx, option.WithAPIKey("AIza..."))
//
// To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource:
//
//   config := &oauth2.Config{...}
//   // ...
//   token, err := config.Exchange(ctx, ...)
//   policytroubleshooterService, err := policytroubleshooter.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))
//
// See https://godoc.org/google.golang.org/api/option/ for details on options.
package policytroubleshooter // import "google.golang.org/api/policytroubleshooter/v1beta"

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strconv"
	"strings"

	googleapi "google.golang.org/api/googleapi"
	gensupport "google.golang.org/api/internal/gensupport"
	option "google.golang.org/api/option"
	htransport "google.golang.org/api/transport/http"
)

// Always reference these packages, just in case the auto-generated code
// below doesn't.
var _ = bytes.NewBuffer
var _ = strconv.Itoa
var _ = fmt.Sprintf
var _ = json.NewDecoder
var _ = io.Copy
var _ = url.Parse
var _ = gensupport.MarshalJSON
var _ = googleapi.Version
var _ = errors.New
var _ = strings.Replace
var _ = context.Canceled

const apiId = "policytroubleshooter:v1beta"
const apiName = "policytroubleshooter"
const apiVersion = "v1beta"
const basePath = "https://policytroubleshooter.googleapis.com/"

// OAuth2 scopes used by this API.
const (
	// View and manage your data across Google Cloud Platform services
	CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"
)

// NewService creates a new Service.
func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) {
	scopesOption := option.WithScopes(
		"https://www.googleapis.com/auth/cloud-platform",
	)
	// NOTE: prepend, so we don't override user-specified scopes.
	opts = append([]option.ClientOption{scopesOption}, opts...)
	client, endpoint, err := htransport.NewClient(ctx, opts...)
	if err != nil {
		return nil, err
	}
	s, err := New(client)
	if err != nil {
		return nil, err
	}
	if endpoint != "" {
		s.BasePath = endpoint
	}
	return s, nil
}

// New creates a new Service. It uses the provided http.Client for requests.
//
// Deprecated: please use NewService instead.
// To provide a custom HTTP client, use option.WithHTTPClient.
// If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.
func New(client *http.Client) (*Service, error) {
	if client == nil {
		return nil, errors.New("client is nil")
	}
	s := &Service{client: client, BasePath: basePath}
	s.Iam = NewIamService(s)
	return s, nil
}

type Service struct {
	client    *http.Client
	BasePath  string // API endpoint base URL
	UserAgent string // optional additional User-Agent fragment

	Iam *IamService
}

func (s *Service) userAgent() string {
	if s.UserAgent == "" {
		return googleapi.UserAgent
	}
	return googleapi.UserAgent + " " + s.UserAgent
}

func NewIamService(s *Service) *IamService {
	rs := &IamService{s: s}
	return rs
}

type IamService struct {
	s *Service
}

// GoogleCloudPolicytroubleshooterV1betaAccessTuple: AccessTuple defines
// information required for checking an access attempt.
// In other words, this is the tuple given to `CheckAccess`.
type GoogleCloudPolicytroubleshooterV1betaAccessTuple struct {
	// FullResourceName: Required. A full resource name according
	// to
	// https://cloud.google.com/apis/design/resource_names. This is the
	// full
	// resource name of the resource that access is checked against.
	FullResourceName string `json:"fullResourceName,omitempty"`

	// Permission: Required. The Cloud IAM permission under which defines
	// the kind of access
	// being explained. Example: "resourcemanager.projects.get" would
	// explain
	// if and why the principal has the resourcemanager.projects.get
	// permission
	// on the resource specified in full_resource_name declared in this
	// structure.
	// See https://cloud.google.com/iam/docs/testing-permissions
	Permission string `json:"permission,omitempty"`

	// Principal: Required. The principal on behalf of who the access is
	// explained for.
	// The format is one of the principal's email addresses associated
	// with
	// its gaia account. It must be an account that can appear as an
	// actor.
	// For example groups are not supported. Currently, service accounts,
	// users
	// are supported.
	Principal string `json:"principal,omitempty"`

	// ForceSendFields is a list of field names (e.g. "FullResourceName") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "FullResourceName") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

func (s *GoogleCloudPolicytroubleshooterV1betaAccessTuple) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleCloudPolicytroubleshooterV1betaAccessTuple
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleCloudPolicytroubleshooterV1betaBindingExplanation: Binding
// Explanation.
type GoogleCloudPolicytroubleshooterV1betaBindingExplanation struct {
	// Access: REQUIRED: Access decision for this binding.
	//
	// Possible values:
	//   "ACCESS_STATE_UNSPECIFIED" - Reserved
	//   "GRANTED" - The access is granted due to one or multiple bindings
	// found.
	//   "NOT_GRANTED" - The access is not granted by the policy.
	//   "UNKNOWN_CONDITIONAL" - At least one binding was found but it is
	// conditional. undecided,
	// undetermined ,uncertain, open, tentative, contingent
	//   "UNKNOWN_INFO_DENIED" - Indicating that lack of access to the
	// underlying information
	// causes the result to be undetermined.
	// This can be due to
	//
	// 1) The caller has no access to the policy. In this case
	// ExplainedPolicy
	//    will have not policy set.
	//
	// 2) The caller has no access to some of the items referenced in the
	// policy.
	//    In this case the policy in ExplainedPolicy will be set but the
	//    explanations field will contain at least one inconclusive element.
	Access string `json:"access,omitempty"`

	// Condition: The condition which needs to be satisfied in order for
	// this
	// binding to grant the role to the principal.
	// See https://cloud.google.com/iam/docs/conditions-base
	Condition *GoogleTypeExpr `json:"condition,omitempty"`

	// Memberships: For each member in the binding, provides
	// information
	// whether or not the principal from the request is included
	// in the member by which the CheckResult is keyed.
	// May indicate that the caller has no access to this
	// information.
	// example key: 'group:cloud-iam-assist-eng@google.com'
	// example value '{NOT_GRANTED, HIGH}
	Memberships map[string]GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership `json:"memberships,omitempty"`

	// Relevance: Bubbles up role_permission level relavance to
	// BindingExplanation object.
	// If role permission is NORMAL, then binding relevance is NORMAL.
	// If role permission is HIGH, then binding relevance is HIGH.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value, presence of this
	// should be error.
	//   "NORMAL" - Fields annotated with this value contribute equally to
	// evaluation
	// result. In other words the fields are NOT specially important. This
	// is a
	// superset of fields annotated as HIGH.
	//   "HIGH" - Fields annotated with this are more important than the
	// fields
	// annotated by NORMAL. They are used for annotating fields which on
	// potential
	// modification can alter the overall access result.
	Relevance string `json:"relevance,omitempty"`

	// Role: The role that this binding grants in the policy.
	// for example "roles/compute.serviceAgent"
	Role string `json:"role,omitempty"`

	// RolePermission: Whether the role of this binding contains the checked
	// permission
	//
	// Possible values:
	//   "ROLE_PERMISSION_UNSPECIFIED" - Reserved
	//   "ROLE_PERMISSION_INCLUDED" - Permission is included in the role.
	//   "ROLE_PERMISSION_NOT_INCLUDED" - Permission is included in the
	// role.
	//   "ROLE_PERMISSION_UNKNOWN_INFO_DENIED" - Calling principal has no
	// access to the role permission relation.
	RolePermission string `json:"rolePermission,omitempty"`

	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value, presence of this
	// should be error.
	//   "NORMAL" - Fields annotated with this value contribute equally to
	// evaluation
	// result. In other words the fields are NOT specially important. This
	// is a
	// superset of fields annotated as HIGH.
	//   "HIGH" - Fields annotated with this are more important than the
	// fields
	// annotated by NORMAL. They are used for annotating fields which on
	// potential
	// modification can alter the overall access result.
	RolePermissionRelevance string `json:"rolePermissionRelevance,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Access") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Access") to include in API
	// requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

func (s *GoogleCloudPolicytroubleshooterV1betaBindingExplanation) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleCloudPolicytroubleshooterV1betaBindingExplanation
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

type GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership struct {
	// Possible values:
	//   "MEMBERSHIP_UNSPECIFIED" - Reserved.
	//   "MEMBERSHIP_INCLUDED" - Member is included in group/domain/allUsers
	// or is a direct match.
	//   "MEMBERSHIP_NOT_INCLUDED" - Member is not included in
	// group/domain/allUsers nor is a direct match.
	//   "MEMBERSHIP_UNKNOWN_INFO_DENIED" - Calling principal has no access
	// to the membership relation.
	//   "MEMBERSHIP_UNKNOWN_UNSUPPORTED" - This member type is currently
	// not supported.
	Membership string `json:"membership,omitempty"`

	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value, presence of this
	// should be error.
	//   "NORMAL" - Fields annotated with this value contribute equally to
	// evaluation
	// result. In other words the fields are NOT specially important. This
	// is a
	// superset of fields annotated as HIGH.
	//   "HIGH" - Fields annotated with this are more important than the
	// fields
	// annotated by NORMAL. They are used for annotating fields which on
	// potential
	// modification can alter the overall access result.
	Relevance string `json:"relevance,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Membership") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Membership") to include in
	// API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

func (s *GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleCloudPolicytroubleshooterV1betaBindingExplanationAnnotatedMembership
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleCloudPolicytroubleshooterV1betaExplainedPolicy: An explained
// IAM policy combines the raw policy in the context
// of the resource which it is attached to along with
// detailed
// evaluation on the evaluation parameters provided through the request.
type GoogleCloudPolicytroubleshooterV1betaExplainedPolicy struct {
	// Access: Access decision for this section of the resource's effective
	// policy.
	//
	// Possible values:
	//   "ACCESS_STATE_UNSPECIFIED" - Reserved
	//   "GRANTED" - The access is granted due to one or multiple bindings
	// found.
	//   "NOT_GRANTED" - The access is not granted by the policy.
	//   "UNKNOWN_CONDITIONAL" - At least one binding was found but it is
	// conditional. undecided,
	// undetermined ,uncertain, open, tentative, contingent
	//   "UNKNOWN_INFO_DENIED" - Indicating that lack of access to the
	// underlying information
	// causes the result to be undetermined.
	// This can be due to
	//
	// 1) The caller has no access to the policy. In this case
	// ExplainedPolicy
	//    will have not policy set.
	//
	// 2) The caller has no access to some of the items referenced in the
	// policy.
	//    In this case the policy in ExplainedPolicy will be set but the
	//    explanations field will contain at least one inconclusive element.
	Access string `json:"access,omitempty"`

	// BindingExplanations: Detailed binding evaluation explanations provide
	// information
	// about how each binding contributes to the principal's
	// access or the lack thereof.
	BindingExplanations []*GoogleCloudPolicytroubleshooterV1betaBindingExplanation `json:"bindingExplanations,omitempty"`

	// FullResourceName: Resource that this section of the effective policy
	// attaches to.
	FullResourceName string `json:"fullResourceName,omitempty"`

	// Policy: The IAM policy attached to the resource.
	Policy *GoogleIamV1Policy `json:"policy,omitempty"`

	// Relevance: Relevance of this Policy.
	//
	// Possible values:
	//   "HEURISTIC_RELEVANCE_UNSPECIFIED" - Default value, presence of this
	// should be error.
	//   "NORMAL" - Fields annotated with this value contribute equally to
	// evaluation
	// result. In other words the fields are NOT specially important. This
	// is a
	// superset of fields annotated as HIGH.
	//   "HIGH" - Fields annotated with this are more important than the
	// fields
	// annotated by NORMAL. They are used for annotating fields which on
	// potential
	// modification can alter the overall access result.
	Relevance string `json:"relevance,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Access") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Access") to include in API
	// requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

func (s *GoogleCloudPolicytroubleshooterV1betaExplainedPolicy) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleCloudPolicytroubleshooterV1betaExplainedPolicy
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest:
// TroubleshootIamPolicyRequest is used in TroubleshootIamPolicy
type GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest struct {
	AccessTuple *GoogleCloudPolicytroubleshooterV1betaAccessTuple `json:"accessTuple,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AccessTuple") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessTuple") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

func (s *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse:
// TroubleshootIamPolicyResponse is used in TroubleshootIamPolicy.
type GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse struct {
	// Access: Reflects whether the probed access was granted, denied
	// or ultimately could not be decided from the caller's point of view.
	//
	// Possible values:
	//   "ACCESS_STATE_UNSPECIFIED" - Reserved
	//   "GRANTED" - The access is granted due to one or multiple bindings
	// found.
	//   "NOT_GRANTED" - The access is not granted by the policy.
	//   "UNKNOWN_CONDITIONAL" - At least one binding was found but it is
	// conditional. undecided,
	// undetermined ,uncertain, open, tentative, contingent
	//   "UNKNOWN_INFO_DENIED" - Indicating that lack of access to the
	// underlying information
	// causes the result to be undetermined.
	// This can be due to
	//
	// 1) The caller has no access to the policy. In this case
	// ExplainedPolicy
	//    will have not policy set.
	//
	// 2) The caller has no access to some of the items referenced in the
	// policy.
	//    In this case the policy in ExplainedPolicy will be set but the
	//    explanations field will contain at least one inconclusive element.
	Access string `json:"access,omitempty"`

	// ExplainedPolicies: List of explained policies.
	// Each explanation corresponds to one policy along the ancestry path.
	ExplainedPolicies []*GoogleCloudPolicytroubleshooterV1betaExplainedPolicy `json:"explainedPolicies,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the
	// server.
	googleapi.ServerResponse `json:"-"`

	// ForceSendFields is a list of field names (e.g. "Access") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Access") to include in API
	// requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

func (s *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleIamV1AuditConfig: Specifies the audit configuration for a
// service.
// The configuration determines which permission types are logged, and
// what
// identities, if any, are exempted from logging.
// An AuditConfig must have one or more AuditLogConfigs.
//
// If there are AuditConfigs for both `allServices` and a specific
// service,
// the union of the two AuditConfigs is used for that service: the
// log_types
// specified in each AuditConfig are enabled, and the exempted_members
// in each
// AuditLogConfig are exempted.
//
// Example Policy with multiple AuditConfigs:
//
//     {
//       "audit_configs": [
//         {
//           "service": "allServices"
//           "audit_log_configs": [
//             {
//               "log_type": "DATA_READ",
//               "exempted_members": [
//                 "user:jose@example.com"
//               ]
//             },
//             {
//               "log_type": "DATA_WRITE",
//             },
//             {
//               "log_type": "ADMIN_READ",
//             }
//           ]
//         },
//         {
//           "service": "sampleservice.googleapis.com"
//           "audit_log_configs": [
//             {
//               "log_type": "DATA_READ",
//             },
//             {
//               "log_type": "DATA_WRITE",
//               "exempted_members": [
//                 "user:aliya@example.com"
//               ]
//             }
//           ]
//         }
//       ]
//     }
//
// For sampleservice, this policy enables DATA_READ, DATA_WRITE and
// ADMIN_READ
// logging. It also exempts jose@example.com from DATA_READ logging,
// and
// aliya@example.com from DATA_WRITE logging.
type GoogleIamV1AuditConfig struct {
	// AuditLogConfigs: The configuration for logging of each type of
	// permission.
	AuditLogConfigs []*GoogleIamV1AuditLogConfig `json:"auditLogConfigs,omitempty"`

	// Service: Specifies a service that will be enabled for audit
	// logging.
	// For example, `storage.googleapis.com`,
	// `cloudsql.googleapis.com`.
	// `allServices` is a special value that covers all services.
	Service string `json:"service,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AuditLogConfigs") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AuditLogConfigs") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

func (s *GoogleIamV1AuditConfig) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIamV1AuditConfig
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleIamV1AuditLogConfig: Provides the configuration for logging a
// type of permissions.
// Example:
//
//     {
//       "audit_log_configs": [
//         {
//           "log_type": "DATA_READ",
//           "exempted_members": [
//             "user:jose@example.com"
//           ]
//         },
//         {
//           "log_type": "DATA_WRITE",
//         }
//       ]
//     }
//
// This enables 'DATA_READ' and 'DATA_WRITE' logging, while
// exempting
// jose@example.com from DATA_READ logging.
type GoogleIamV1AuditLogConfig struct {
	// ExemptedMembers: Specifies the identities that do not cause logging
	// for this type of
	// permission.
	// Follows the same format of Binding.members.
	ExemptedMembers []string `json:"exemptedMembers,omitempty"`

	// LogType: The log type that this config enables.
	//
	// Possible values:
	//   "LOG_TYPE_UNSPECIFIED" - Default case. Should never be this.
	//   "ADMIN_READ" - Admin reads. Example: CloudIAM getIamPolicy
	//   "DATA_WRITE" - Data writes. Example: CloudSQL Users create
	//   "DATA_READ" - Data reads. Example: CloudSQL Users list
	LogType string `json:"logType,omitempty"`

	// ForceSendFields is a list of field names (e.g. "ExemptedMembers") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "ExemptedMembers") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

func (s *GoogleIamV1AuditLogConfig) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIamV1AuditLogConfig
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleIamV1Binding: Associates `members` with a `role`.
type GoogleIamV1Binding struct {
	// Condition: The condition that is associated with this binding.
	// NOTE: An unsatisfied condition will not allow user access via
	// current
	// binding. Different bindings, including their conditions, are
	// examined
	// independently.
	Condition *GoogleTypeExpr `json:"condition,omitempty"`

	// Members: Specifies the identities requesting access for a Cloud
	// Platform resource.
	// `members` can have the following values:
	//
	// * `allUsers`: A special identifier that represents anyone who is
	//    on the internet; with or without a Google account.
	//
	// * `allAuthenticatedUsers`: A special identifier that represents
	// anyone
	//    who is authenticated with a Google account or a service
	// account.
	//
	// * `user:{emailid}`: An email address that represents a specific
	// Google
	//    account. For example, `alice@example.com` .
	//
	//
	// * `serviceAccount:{emailid}`: An email address that represents a
	// service
	//    account. For example,
	// `my-other-app@appspot.gserviceaccount.com`.
	//
	// * `group:{emailid}`: An email address that represents a Google
	// group.
	//    For example, `admins@example.com`.
	//
	//
	// * `domain:{domain}`: The G Suite domain (primary) that represents all
	// the
	//    users of that domain. For example, `google.com` or
	// `example.com`.
	//
	//
	Members []string `json:"members,omitempty"`

	// Role: Role that is assigned to `members`.
	// For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
	Role string `json:"role,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Condition") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Condition") to include in
	// API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

func (s *GoogleIamV1Binding) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIamV1Binding
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleIamV1Policy: Defines an Identity and Access Management (IAM)
// policy. It is used to
// specify access control policies for Cloud Platform resources.
//
//
// A `Policy` is a collection of `bindings`. A `binding` binds one or
// more
// `members` to a single `role`. Members can be user accounts, service
// accounts,
// Google groups, and domains (such as G Suite). A `role` is a named
// list of
// permissions (defined by IAM or configured by users). A `binding`
// can
// optionally specify a `condition`, which is a logic expression that
// further
// constrains the role binding based on attributes about the request
// and/or
// target resource.
//
// **JSON Example**
//
//     {
//       "bindings": [
//         {
//           "role": "roles/resourcemanager.organizationAdmin",
//           "members": [
//             "user:mike@example.com",
//             "group:admins@example.com",
//             "domain:google.com",
//
// "serviceAccount:my-project-id@appspot.gserviceaccount.com"
//           ]
//         },
//         {
//           "role": "roles/resourcemanager.organizationViewer",
//           "members": ["user:eve@example.com"],
//           "condition": {
//             "title": "expirable access",
//             "description": "Does not grant access after Sep 2020",
//             "expression": "request.time <
//             timestamp('2020-10-01T00:00:00.000Z')",
//           }
//         }
//       ]
//     }
//
// **YAML Example**
//
//     bindings:
//     - members:
//       - user:mike@example.com
//       - group:admins@example.com
//       - domain:google.com
//       - serviceAccount:my-project-id@appspot.gserviceaccount.com
//       role: roles/resourcemanager.organizationAdmin
//     - members:
//       - user:eve@example.com
//       role: roles/resourcemanager.organizationViewer
//       condition:
//         title: expirable access
//         description: Does not grant access after Sep 2020
//         expression: request.time <
// timestamp('2020-10-01T00:00:00.000Z')
//
// For a description of IAM and its features, see the
// [IAM developer's guide](https://cloud.google.com/iam/docs).
type GoogleIamV1Policy struct {
	// AuditConfigs: Specifies cloud audit logging configuration for this
	// policy.
	AuditConfigs []*GoogleIamV1AuditConfig `json:"auditConfigs,omitempty"`

	// Bindings: Associates a list of `members` to a `role`. Optionally may
	// specify a
	// `condition` that determines when binding is in effect.
	// `bindings` with no members will result in an error.
	Bindings []*GoogleIamV1Binding `json:"bindings,omitempty"`

	// Etag: `etag` is used for optimistic concurrency control as a way to
	// help
	// prevent simultaneous updates of a policy from overwriting each
	// other.
	// It is strongly suggested that systems make use of the `etag` in
	// the
	// read-modify-write cycle to perform policy updates in order to avoid
	// race
	// conditions: An `etag` is returned in the response to `getIamPolicy`,
	// and
	// systems are expected to put that etag in the request to
	// `setIamPolicy` to
	// ensure that their change will be applied to the same version of the
	// policy.
	//
	// If no `etag` is provided in the call to `setIamPolicy`, then the
	// existing
	// policy is overwritten. Due to blind-set semantics of an etag-less
	// policy,
	// 'setIamPolicy' will not fail even if either of incoming or stored
	// policy
	// does not meet the version requirements.
	Etag string `json:"etag,omitempty"`

	// Version: Specifies the format of the policy.
	//
	// Valid values are 0, 1, and 3. Requests specifying an invalid value
	// will be
	// rejected.
	//
	// Operations affecting conditional bindings must specify version 3.
	// This can
	// be either setting a conditional policy, modifying a conditional
	// binding,
	// or removing a conditional binding from the stored conditional
	// policy.
	// Operations on non-conditional policies may specify any valid value
	// or
	// leave the field unset.
	//
	// If no etag is provided in the call to `setIamPolicy`, any
	// version
	// compliance checks on the incoming and/or stored policy is skipped.
	Version int64 `json:"version,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AuditConfigs") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AuditConfigs") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

func (s *GoogleIamV1Policy) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIamV1Policy
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleTypeExpr: Represents an expression text. Example:
//
//     title: "User account presence"
//     description: "Determines whether the request has a user account"
//     expression: "size(request.user) > 0"
type GoogleTypeExpr struct {
	// Description: An optional description of the expression. This is a
	// longer text which
	// describes the expression, e.g. when hovered over it in a UI.
	Description string `json:"description,omitempty"`

	// Expression: Textual representation of an expression in
	// Common Expression Language syntax.
	//
	// The application context of the containing message determines
	// which
	// well-known feature set of CEL is supported.
	Expression string `json:"expression,omitempty"`

	// Location: An optional string indicating the location of the
	// expression for error
	// reporting, e.g. a file name and a position in the file.
	Location string `json:"location,omitempty"`

	// Title: An optional title for the expression, i.e. a short string
	// describing
	// its purpose. This can be used e.g. in UIs which allow to enter
	// the
	// expression.
	Title string `json:"title,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Description") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Description") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

func (s *GoogleTypeExpr) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleTypeExpr
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// method id "policytroubleshooter.iam.troubleshoot":

type IamTroubleshootCall struct {
	s                                                                 *Service
	googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest
	urlParams_                                                        gensupport.URLParams
	ctx_                                                              context.Context
	header_                                                           http.Header
}

// Troubleshoot: Perform a check on whether a member is granted a
// permission
// on a resource and how that grant/deny is determined accordinga
// to the resource's effective IAM policy interpretation.
func (r *IamService) Troubleshoot(googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest) *IamTroubleshootCall {
	c := &IamTroubleshootCall{s: r.s, urlParams_: make(gensupport.URLParams)}
	c.googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest = googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest
	return c
}

// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse
// for more information.
func (c *IamTroubleshootCall) Fields(s ...googleapi.Field) *IamTroubleshootCall {
	c.urlParams_.Set("fields", googleapi.CombineFields(s))
	return c
}

// Context sets the context to be used in this call's Do method. Any
// pending HTTP request will be aborted if the provided context is
// canceled.
func (c *IamTroubleshootCall) Context(ctx context.Context) *IamTroubleshootCall {
	c.ctx_ = ctx
	return c
}

// Header returns an http.Header that can be modified by the caller to
// add HTTP headers to the request.
func (c *IamTroubleshootCall) Header() http.Header {
	if c.header_ == nil {
		c.header_ = make(http.Header)
	}
	return c.header_
}

func (c *IamTroubleshootCall) doRequest(alt string) (*http.Response, error) {
	reqHeaders := make(http.Header)
	reqHeaders.Set("x-goog-api-client", "gl-go/1.11.0 gdcl/20190926")
	for k, v := range c.header_ {
		reqHeaders[k] = v
	}
	reqHeaders.Set("User-Agent", c.s.userAgent())
	var body io.Reader = nil
	body, err := googleapi.WithoutDataWrapper.JSONReader(c.googlecloudpolicytroubleshooterv1betatroubleshootiampolicyrequest)
	if err != nil {
		return nil, err
	}
	reqHeaders.Set("Content-Type", "application/json")
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	urls := googleapi.ResolveRelative(c.s.BasePath, "v1beta/iam:troubleshoot")
	urls += "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("POST", urls, body)
	if err != nil {
		return nil, err
	}
	req.Header = reqHeaders
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "policytroubleshooter.iam.troubleshoot" call.
// Exactly one of
// *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse
// or error will be non-nil. Any non-2xx status code is an error.
// Response headers are in either
// *GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse.Se
// rverResponse.Header or (if a response was returned at all) in
// error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check
// whether the returned error was because http.StatusNotModified was
// returned.
func (c *IamTroubleshootCall) Do(opts ...googleapi.CallOption) (*GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	res, err := c.doRequest("json")
	if res != nil && res.StatusCode == http.StatusNotModified {
		if res.Body != nil {
			res.Body.Close()
		}
		return nil, &googleapi.Error{
			Code:   res.StatusCode,
			Header: res.Header,
		}
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(res)
	if err := googleapi.CheckResponse(res); err != nil {
		return nil, err
	}
	ret := &GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         res.Header,
			HTTPStatusCode: res.StatusCode,
		},
	}
	target := &ret
	if err := gensupport.DecodeResponse(target, res); err != nil {
		return nil, err
	}
	return ret, nil
	// {
	//   "description": "Perform a check on whether a member is granted a permission\non a resource and how that grant/deny is determined accordinga\nto the resource's effective IAM policy interpretation.",
	//   "flatPath": "v1beta/iam:troubleshoot",
	//   "httpMethod": "POST",
	//   "id": "policytroubleshooter.iam.troubleshoot",
	//   "parameterOrder": [],
	//   "parameters": {},
	//   "path": "v1beta/iam:troubleshoot",
	//   "request": {
	//     "$ref": "GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyRequest"
	//   },
	//   "response": {
	//     "$ref": "GoogleCloudPolicytroubleshooterV1betaTroubleshootIamPolicyResponse"
	//   },
	//   "scopes": [
	//     "https://www.googleapis.com/auth/cloud-platform"
	//   ]
	// }

}