IDENTITYTOOLKIT

identitytoolkit.accounts.createAuthUri

valid {
    input.Body.appId == STRING
    input.Body.authFlowType == STRING
    input.Body.context == STRING
    input.Body.continueUri == STRING
    input.Body.customParameter.STRING == STRING
    input.Body.hostedDomain == STRING
    input.Body.identifier == STRING
    input.Body.oauthConsumerKey == STRING
    input.Body.oauthScope == STRING
    input.Body.openidRealm == STRING
    input.Body.otaApp == STRING
    input.Body.providerId == STRING
    input.Body.sessionId == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.delete

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.idToken == STRING
    input.Body.localId == STRING
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.issueSamlResponse

valid {
    input.Body.idToken == STRING
    input.Body.rpId == STRING
    input.Body.samlAppEntityId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.lookup

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.email[_] == STRING
    input.Body.federatedUserId[_].providerId == STRING
    input.Body.federatedUserId[_].rawId == STRING
    input.Body.idToken == STRING
    input.Body.initialEmail[_] == STRING
    input.Body.localId[_] == STRING
    input.Body.phoneNumber[_] == STRING
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.mfaEnrollment.finalize

valid {
    input.Body.displayName == STRING
    input.Body.idToken == STRING
    input.Body.phoneVerificationInfo.androidVerificationProof == STRING
    input.Body.phoneVerificationInfo.code == STRING
    input.Body.phoneVerificationInfo.phoneNumber == STRING
    input.Body.phoneVerificationInfo.sessionInfo == STRING
    input.Body.tenantId == STRING
    input.Body.totpVerificationInfo.sessionInfo == STRING
    input.Body.totpVerificationInfo.verificationCode == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.mfaEnrollment.start

enum_GoogleCloudIdentitytoolkitV2StartMfaPhoneRequestInfoClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV2StartMfaPhoneRequestInfoRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]

valid {
    input.Body.idToken == STRING
    input.Body.phoneEnrollmentInfo.autoRetrievalInfo.appSignatureHash == STRING
    input.Body.phoneEnrollmentInfo.captchaResponse == STRING
    input.Body.phoneEnrollmentInfo.clientType == enum_GoogleCloudIdentitytoolkitV2StartMfaPhoneRequestInfoClientType[_]
    input.Body.phoneEnrollmentInfo.iosReceipt == STRING
    input.Body.phoneEnrollmentInfo.iosSecret == STRING
    input.Body.phoneEnrollmentInfo.phoneNumber == STRING
    input.Body.phoneEnrollmentInfo.playIntegrityToken == STRING
    input.Body.phoneEnrollmentInfo.recaptchaToken == STRING
    input.Body.phoneEnrollmentInfo.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV2StartMfaPhoneRequestInfoRecaptchaVersion[_]
    input.Body.phoneEnrollmentInfo.safetyNetToken == STRING
    input.Body.tenantId == STRING
    input.Body.totpEnrollmentInfo.STRING == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.mfaEnrollment.withdraw

valid {
    input.Body.idToken == STRING
    input.Body.mfaEnrollmentId == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.mfaSignIn.finalize

valid {
    input.Body.mfaEnrollmentId == STRING
    input.Body.mfaPendingCredential == STRING
    input.Body.phoneVerificationInfo.androidVerificationProof == STRING
    input.Body.phoneVerificationInfo.code == STRING
    input.Body.phoneVerificationInfo.phoneNumber == STRING
    input.Body.phoneVerificationInfo.sessionInfo == STRING
    input.Body.tenantId == STRING
    input.Body.totpVerificationInfo.verificationCode == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.mfaSignIn.start

enum_GoogleCloudIdentitytoolkitV2StartMfaPhoneRequestInfoClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV2StartMfaPhoneRequestInfoRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]

valid {
    input.Body.mfaEnrollmentId == STRING
    input.Body.mfaPendingCredential == STRING
    input.Body.phoneSignInInfo.autoRetrievalInfo.appSignatureHash == STRING
    input.Body.phoneSignInInfo.captchaResponse == STRING
    input.Body.phoneSignInInfo.clientType == enum_GoogleCloudIdentitytoolkitV2StartMfaPhoneRequestInfoClientType[_]
    input.Body.phoneSignInInfo.iosReceipt == STRING
    input.Body.phoneSignInInfo.iosSecret == STRING
    input.Body.phoneSignInInfo.phoneNumber == STRING
    input.Body.phoneSignInInfo.playIntegrityToken == STRING
    input.Body.phoneSignInInfo.recaptchaToken == STRING
    input.Body.phoneSignInInfo.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV2StartMfaPhoneRequestInfoRecaptchaVersion[_]
    input.Body.phoneSignInInfo.safetyNetToken == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.resetPassword

valid {
    input.Body.email == STRING
    input.Body.newPassword == STRING
    input.Body.oldPassword == STRING
    input.Body.oobCode == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.revokeToken

enum_GoogleCloudIdentitytoolkitV2RevokeTokenRequestTokenType := [ "TOKEN_TYPE_UNSPECIFIED", "REFRESH_TOKEN", "ACCESS_TOKEN", "CODE" ]

valid {
    input.Body.idToken == STRING
    input.Body.providerId == STRING
    input.Body.redirectUri == STRING
    input.Body.tenantId == STRING
    input.Body.token == STRING
    input.Body.tokenType == enum_GoogleCloudIdentitytoolkitV2RevokeTokenRequestTokenType[_]
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.sendOobCode

enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]
enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRequestType := [ "OOB_REQ_TYPE_UNSPECIFIED", "PASSWORD_RESET", "OLD_EMAIL_AGREE", "NEW_EMAIL_ACCEPT", "VERIFY_EMAIL", "RECOVER_EMAIL", "EMAIL_SIGNIN", "VERIFY_AND_CHANGE_EMAIL", "REVERT_SECOND_FACTOR_ADDITION" ]

valid {
    input.Body.androidInstallApp == BOOLEAN
    input.Body.androidMinimumVersion == STRING
    input.Body.androidPackageName == STRING
    input.Body.canHandleCodeInApp == BOOLEAN
    input.Body.captchaResp == STRING
    input.Body.challenge == STRING
    input.Body.clientType == enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestClientType[_]
    input.Body.continueUrl == STRING
    input.Body.dynamicLinkDomain == STRING
    input.Body.email == STRING
    input.Body.iOSAppStoreId == STRING
    input.Body.iOSBundleId == STRING
    input.Body.idToken == STRING
    input.Body.newEmail == STRING
    input.Body.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRecaptchaVersion[_]
    input.Body.requestType == enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRequestType[_]
    input.Body.returnOobLink == BOOLEAN
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.Body.userIp == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.sendVerificationCode

enum_GoogleCloudIdentitytoolkitV1SendVerificationCodeRequestClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV1SendVerificationCodeRequestRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]

valid {
    input.Body.autoRetrievalInfo.appSignatureHash == STRING
    input.Body.captchaResponse == STRING
    input.Body.clientType == enum_GoogleCloudIdentitytoolkitV1SendVerificationCodeRequestClientType[_]
    input.Body.iosReceipt == STRING
    input.Body.iosSecret == STRING
    input.Body.phoneNumber == STRING
    input.Body.playIntegrityToken == STRING
    input.Body.recaptchaToken == STRING
    input.Body.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV1SendVerificationCodeRequestRecaptchaVersion[_]
    input.Body.safetyNetToken == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.signInWithCustomToken

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.instanceId == STRING
    input.Body.returnSecureToken == BOOLEAN
    input.Body.tenantId == STRING
    input.Body.token == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.signInWithEmailLink

valid {
    input.Body.email == STRING
    input.Body.idToken == STRING
    input.Body.oobCode == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.signInWithGameCenter

valid {
    input.Body.displayName == STRING
    input.Body.gamePlayerId == STRING
    input.Body.idToken == STRING
    input.Body.playerId == STRING
    input.Body.publicKeyUrl == STRING
    input.Body.salt == STRING
    input.Body.signature == STRING
    input.Body.teamPlayerId == STRING
    input.Body.tenantId == STRING
    input.Body.timestamp == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.signInWithIdp

valid {
    input.Body.autoCreate == BOOLEAN
    input.Body.delegatedProjectNumber == STRING
    input.Body.idToken == STRING
    input.Body.pendingIdToken == STRING
    input.Body.pendingToken == STRING
    input.Body.postBody == STRING
    input.Body.requestUri == STRING
    input.Body.returnIdpCredential == BOOLEAN
    input.Body.returnRefreshToken == BOOLEAN
    input.Body.returnSecureToken == BOOLEAN
    input.Body.sessionId == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.signInWithPassword

enum_GoogleCloudIdentitytoolkitV1SignInWithPasswordRequestClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV1SignInWithPasswordRequestRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.clientType == enum_GoogleCloudIdentitytoolkitV1SignInWithPasswordRequestClientType[_]
    input.Body.delegatedProjectNumber == STRING
    input.Body.email == STRING
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.password == STRING
    input.Body.pendingIdToken == STRING
    input.Body.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV1SignInWithPasswordRequestRecaptchaVersion[_]
    input.Body.returnSecureToken == BOOLEAN
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.signInWithPhoneNumber

enum_GoogleCloudIdentitytoolkitV1SignInWithPhoneNumberRequestOperation := [ "VERIFY_OP_UNSPECIFIED", "SIGN_UP_OR_IN", "REAUTH", "UPDATE", "LINK" ]

valid {
    input.Body.code == STRING
    input.Body.idToken == STRING
    input.Body.operation == enum_GoogleCloudIdentitytoolkitV1SignInWithPhoneNumberRequestOperation[_]
    input.Body.phoneNumber == STRING
    input.Body.sessionInfo == STRING
    input.Body.temporaryProof == STRING
    input.Body.tenantId == STRING
    input.Body.verificationProof == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.signUp

enum_GoogleCloudIdentitytoolkitV1SignUpRequestClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV1SignUpRequestRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.clientType == enum_GoogleCloudIdentitytoolkitV1SignUpRequestClientType[_]
    input.Body.disabled == BOOLEAN
    input.Body.displayName == STRING
    input.Body.email == STRING
    input.Body.emailVerified == BOOLEAN
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.localId == STRING
    input.Body.mfaInfo[_].displayName == STRING
    input.Body.mfaInfo[_].phoneInfo == STRING
    input.Body.password == STRING
    input.Body.phoneNumber == STRING
    input.Body.photoUrl == STRING
    input.Body.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV1SignUpRequestRecaptchaVersion[_]
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.update

enum_GoogleCloudIdentitytoolkitV1SetAccountInfoRequestDeleteAttribute := [ "USER_ATTRIBUTE_NAME_UNSPECIFIED", "EMAIL", "DISPLAY_NAME", "PROVIDER", "PHOTO_URL", "PASSWORD", "RAW_USER_INFO" ]

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.createdAt == STRING
    input.Body.customAttributes == STRING
    input.Body.delegatedProjectNumber == STRING
    input.Body.deleteAttribute[_] == enum_GoogleCloudIdentitytoolkitV1SetAccountInfoRequestDeleteAttribute[_]
    input.Body.deleteProvider[_] == STRING
    input.Body.disableUser == BOOLEAN
    input.Body.displayName == STRING
    input.Body.email == STRING
    input.Body.emailVerified == BOOLEAN
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.lastLoginAt == STRING
    input.Body.linkProviderUserInfo.displayName == STRING
    input.Body.linkProviderUserInfo.email == STRING
    input.Body.linkProviderUserInfo.federatedId == STRING
    input.Body.linkProviderUserInfo.phoneNumber == STRING
    input.Body.linkProviderUserInfo.photoUrl == STRING
    input.Body.linkProviderUserInfo.providerId == STRING
    input.Body.linkProviderUserInfo.rawId == STRING
    input.Body.linkProviderUserInfo.screenName == STRING
    input.Body.localId == STRING
    input.Body.mfa.enrollments[_].displayName == STRING
    input.Body.mfa.enrollments[_].emailInfo.emailAddress == STRING
    input.Body.mfa.enrollments[_].enrolledAt == STRING
    input.Body.mfa.enrollments[_].mfaEnrollmentId == STRING
    input.Body.mfa.enrollments[_].phoneInfo == STRING
    input.Body.mfa.enrollments[_].totpInfo.STRING == STRING
    input.Body.oobCode == STRING
    input.Body.password == STRING
    input.Body.phoneNumber == STRING
    input.Body.photoUrl == STRING
    input.Body.provider[_] == STRING
    input.Body.returnSecureToken == BOOLEAN
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.Body.upgradeToFederatedLogin == BOOLEAN
    input.Body.validSince == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.accounts.verifyIosClient

valid {
    input.Body.appToken == STRING
    input.Body.isSandbox == BOOLEAN
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.defaultSupportedIdps.list

valid {
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.getPasswordPolicy

valid {
    input.Qs.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.getProjects

valid {
    input.Qs.androidPackageName == STRING
    input.Qs.clientId == STRING
    input.Qs.delegatedProjectNumber == STRING
    input.Qs.firebaseAppId == STRING
    input.Qs.iosBundleId == STRING
    input.Qs.projectNumber == STRING
    input.Qs.returnDynamicLink == BOOLEAN
    input.Qs.sha1Cert == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.getPublicKeys

valid {
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.getRecaptchaConfig

enum_ClientTypeParameter := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_VersionParameter := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]

valid {
    input.Qs.clientType == enum_ClientTypeParameter[_]
    input.Qs.tenantId == STRING
    input.Qs.version == enum_VersionParameter[_]
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.getRecaptchaParams

valid {
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.getSessionCookiePublicKeys

valid {
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.accounts

enum_GoogleCloudIdentitytoolkitV1SignUpRequestClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV1SignUpRequestRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.clientType == enum_GoogleCloudIdentitytoolkitV1SignUpRequestClientType[_]
    input.Body.disabled == BOOLEAN
    input.Body.displayName == STRING
    input.Body.email == STRING
    input.Body.emailVerified == BOOLEAN
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.localId == STRING
    input.Body.mfaInfo[_].displayName == STRING
    input.Body.mfaInfo[_].phoneInfo == STRING
    input.Body.password == STRING
    input.Body.phoneNumber == STRING
    input.Body.photoUrl == STRING
    input.Body.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV1SignUpRequestRecaptchaVersion[_]
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.accounts.batchCreate

enum_GoogleCloudIdentitytoolkitV1Argon2ParametersHashType := [ "HASH_TYPE_UNSPECIFIED", "ARGON2_D", "ARGON2_ID", "ARGON2_I" ]
enum_GoogleCloudIdentitytoolkitV1Argon2ParametersVersion := [ "VERSION_UNSPECIFIED", "VERSION_10", "VERSION_13" ]
enum_GoogleCloudIdentitytoolkitV1UploadAccountRequestPasswordHashOrder := [ "UNSPECIFIED_ORDER", "SALT_AND_PASSWORD", "PASSWORD_AND_SALT" ]

valid {
    input.Body.allowOverwrite == BOOLEAN
    input.Body.argon2Parameters.associatedData == STRING
    input.Body.argon2Parameters.hashLengthBytes == INTEGER
    input.Body.argon2Parameters.hashType == enum_GoogleCloudIdentitytoolkitV1Argon2ParametersHashType[_]
    input.Body.argon2Parameters.iterations == INTEGER
    input.Body.argon2Parameters.memoryCostKib == INTEGER
    input.Body.argon2Parameters.parallelism == INTEGER
    input.Body.argon2Parameters.version == enum_GoogleCloudIdentitytoolkitV1Argon2ParametersVersion[_]
    input.Body.blockSize == INTEGER
    input.Body.cpuMemCost == INTEGER
    input.Body.delegatedProjectNumber == STRING
    input.Body.dkLen == INTEGER
    input.Body.hashAlgorithm == STRING
    input.Body.memoryCost == INTEGER
    input.Body.parallelization == INTEGER
    input.Body.passwordHashOrder == enum_GoogleCloudIdentitytoolkitV1UploadAccountRequestPasswordHashOrder[_]
    input.Body.rounds == INTEGER
    input.Body.saltSeparator == STRING
    input.Body.sanityCheck == BOOLEAN
    input.Body.signerKey == STRING
    input.Body.tenantId == STRING
    input.Body.users[_].createdAt == STRING
    input.Body.users[_].customAttributes == STRING
    input.Body.users[_].disabled == BOOLEAN
    input.Body.users[_].displayName == STRING
    input.Body.users[_].email == STRING
    input.Body.users[_].emailVerified == BOOLEAN
    input.Body.users[_].initialEmail == STRING
    input.Body.users[_].lastLoginAt == STRING
    input.Body.users[_].lastRefreshAt == STRING
    input.Body.users[_].localId == STRING
    input.Body.users[_].mfaInfo[_].displayName == STRING
    input.Body.users[_].mfaInfo[_].emailInfo.emailAddress == STRING
    input.Body.users[_].mfaInfo[_].enrolledAt == STRING
    input.Body.users[_].mfaInfo[_].mfaEnrollmentId == STRING
    input.Body.users[_].mfaInfo[_].phoneInfo == STRING
    input.Body.users[_].mfaInfo[_].totpInfo.STRING == STRING
    input.Body.users[_].passwordHash == STRING
    input.Body.users[_].passwordUpdatedAt == NUMBER
    input.Body.users[_].phoneNumber == STRING
    input.Body.users[_].photoUrl == STRING
    input.Body.users[_].providerUserInfo[_].displayName == STRING
    input.Body.users[_].providerUserInfo[_].email == STRING
    input.Body.users[_].providerUserInfo[_].federatedId == STRING
    input.Body.users[_].providerUserInfo[_].phoneNumber == STRING
    input.Body.users[_].providerUserInfo[_].photoUrl == STRING
    input.Body.users[_].providerUserInfo[_].providerId == STRING
    input.Body.users[_].providerUserInfo[_].rawId == STRING
    input.Body.users[_].providerUserInfo[_].screenName == STRING
    input.Body.users[_].rawPassword == STRING
    input.Body.users[_].salt == STRING
    input.Body.users[_].tenantId == STRING
    input.Body.users[_].validSince == STRING
    input.Body.users[_].version == INTEGER
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.accounts.batchDelete

valid {
    input.Body.force == BOOLEAN
    input.Body.localIds[_] == STRING
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.accounts.batchGet

valid {
    input.ReqMap.targetProjectId == STRING
    input.Qs.delegatedProjectNumber == STRING
    input.Qs.maxResults == INTEGER
    input.Qs.nextPageToken == STRING
    input.Qs.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.accounts.delete

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.idToken == STRING
    input.Body.localId == STRING
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.accounts.lookup

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.email[_] == STRING
    input.Body.federatedUserId[_].providerId == STRING
    input.Body.federatedUserId[_].rawId == STRING
    input.Body.idToken == STRING
    input.Body.initialEmail[_] == STRING
    input.Body.localId[_] == STRING
    input.Body.phoneNumber[_] == STRING
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.accounts.query

enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestOrder := [ "ORDER_UNSPECIFIED", "ASC", "DESC" ]
enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestSortBy := [ "SORT_BY_FIELD_UNSPECIFIED", "USER_ID", "NAME", "CREATED_AT", "LAST_LOGIN_AT", "USER_EMAIL" ]

valid {
    input.Body.expression[_].email == STRING
    input.Body.expression[_].phoneNumber == STRING
    input.Body.expression[_].userId == STRING
    input.Body.limit == STRING
    input.Body.offset == STRING
    input.Body.order == enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestOrder[_]
    input.Body.returnUserInfo == BOOLEAN
    input.Body.sortBy == enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestSortBy[_]
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.accounts.sendOobCode

enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]
enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRequestType := [ "OOB_REQ_TYPE_UNSPECIFIED", "PASSWORD_RESET", "OLD_EMAIL_AGREE", "NEW_EMAIL_ACCEPT", "VERIFY_EMAIL", "RECOVER_EMAIL", "EMAIL_SIGNIN", "VERIFY_AND_CHANGE_EMAIL", "REVERT_SECOND_FACTOR_ADDITION" ]

valid {
    input.Body.androidInstallApp == BOOLEAN
    input.Body.androidMinimumVersion == STRING
    input.Body.androidPackageName == STRING
    input.Body.canHandleCodeInApp == BOOLEAN
    input.Body.captchaResp == STRING
    input.Body.challenge == STRING
    input.Body.clientType == enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestClientType[_]
    input.Body.continueUrl == STRING
    input.Body.dynamicLinkDomain == STRING
    input.Body.email == STRING
    input.Body.iOSAppStoreId == STRING
    input.Body.iOSBundleId == STRING
    input.Body.idToken == STRING
    input.Body.newEmail == STRING
    input.Body.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRecaptchaVersion[_]
    input.Body.requestType == enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRequestType[_]
    input.Body.returnOobLink == BOOLEAN
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.Body.userIp == STRING
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.accounts.update

enum_GoogleCloudIdentitytoolkitV1SetAccountInfoRequestDeleteAttribute := [ "USER_ATTRIBUTE_NAME_UNSPECIFIED", "EMAIL", "DISPLAY_NAME", "PROVIDER", "PHOTO_URL", "PASSWORD", "RAW_USER_INFO" ]

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.createdAt == STRING
    input.Body.customAttributes == STRING
    input.Body.delegatedProjectNumber == STRING
    input.Body.deleteAttribute[_] == enum_GoogleCloudIdentitytoolkitV1SetAccountInfoRequestDeleteAttribute[_]
    input.Body.deleteProvider[_] == STRING
    input.Body.disableUser == BOOLEAN
    input.Body.displayName == STRING
    input.Body.email == STRING
    input.Body.emailVerified == BOOLEAN
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.lastLoginAt == STRING
    input.Body.linkProviderUserInfo.displayName == STRING
    input.Body.linkProviderUserInfo.email == STRING
    input.Body.linkProviderUserInfo.federatedId == STRING
    input.Body.linkProviderUserInfo.phoneNumber == STRING
    input.Body.linkProviderUserInfo.photoUrl == STRING
    input.Body.linkProviderUserInfo.providerId == STRING
    input.Body.linkProviderUserInfo.rawId == STRING
    input.Body.linkProviderUserInfo.screenName == STRING
    input.Body.localId == STRING
    input.Body.mfa.enrollments[_].displayName == STRING
    input.Body.mfa.enrollments[_].emailInfo.emailAddress == STRING
    input.Body.mfa.enrollments[_].enrolledAt == STRING
    input.Body.mfa.enrollments[_].mfaEnrollmentId == STRING
    input.Body.mfa.enrollments[_].phoneInfo == STRING
    input.Body.mfa.enrollments[_].totpInfo.STRING == STRING
    input.Body.oobCode == STRING
    input.Body.password == STRING
    input.Body.phoneNumber == STRING
    input.Body.photoUrl == STRING
    input.Body.provider[_] == STRING
    input.Body.returnSecureToken == BOOLEAN
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.Body.upgradeToFederatedLogin == BOOLEAN
    input.Body.validSince == STRING
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.createSessionCookie

valid {
    input.Body.idToken == STRING
    input.Body.tenantId == STRING
    input.Body.validDuration == STRING
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.defaultSupportedIdpConfigs.create

valid {
    input.Body.appleSignInConfig.bundleIds[_] == STRING
    input.Body.appleSignInConfig.codeFlowConfig.keyId == STRING
    input.Body.appleSignInConfig.codeFlowConfig.privateKey == STRING
    input.Body.appleSignInConfig.codeFlowConfig.teamId == STRING
    input.Body.clientId == STRING
    input.Body.clientSecret == STRING
    input.Body.enabled == BOOLEAN
    input.Body.name == STRING
    input.ReqMap.parent == STRING
    input.Qs.idpId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.defaultSupportedIdpConfigs.delete

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.defaultSupportedIdpConfigs.get

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.defaultSupportedIdpConfigs.list

valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.defaultSupportedIdpConfigs.patch

valid {
    input.Body.appleSignInConfig.bundleIds[_] == STRING
    input.Body.appleSignInConfig.codeFlowConfig.keyId == STRING
    input.Body.appleSignInConfig.codeFlowConfig.privateKey == STRING
    input.Body.appleSignInConfig.codeFlowConfig.teamId == STRING
    input.Body.clientId == STRING
    input.Body.clientSecret == STRING
    input.Body.enabled == BOOLEAN
    input.Body.name == STRING
    input.ReqMap.name == STRING
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.getConfig

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.identityPlatform.initializeAuth

valid {
    input.Body.STRING == STRING
    input.ReqMap.ProjectID == STRING
    input.ProviderMetadata.Region == STRING
    input.ProviderMetadata.ProjectID == STRING
}

identitytoolkit.projects.inboundSamlConfigs.create

valid {
    input.Body.displayName == STRING
    input.Body.enabled == BOOLEAN
    input.Body.idpConfig.idpCertificates[_].x509Certificate == STRING
    input.Body.idpConfig.idpEntityId == STRING
    input.Body.idpConfig.signRequest == BOOLEAN
    input.Body.idpConfig.ssoUrl == STRING
    input.Body.name == STRING
    input.Body.spConfig.callbackUri == STRING
    input.Body.spConfig.spEntityId == STRING
    input.ReqMap.parent == STRING
    input.Qs.inboundSamlConfigId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.inboundSamlConfigs.delete

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.inboundSamlConfigs.get

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.inboundSamlConfigs.list

valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.inboundSamlConfigs.patch

valid {
    input.Body.displayName == STRING
    input.Body.enabled == BOOLEAN
    input.Body.idpConfig.idpCertificates[_].x509Certificate == STRING
    input.Body.idpConfig.idpEntityId == STRING
    input.Body.idpConfig.signRequest == BOOLEAN
    input.Body.idpConfig.ssoUrl == STRING
    input.Body.name == STRING
    input.Body.spConfig.callbackUri == STRING
    input.Body.spConfig.spEntityId == STRING
    input.ReqMap.name == STRING
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.oauthIdpConfigs.create

valid {
    input.Body.clientId == STRING
    input.Body.clientSecret == STRING
    input.Body.displayName == STRING
    input.Body.enabled == BOOLEAN
    input.Body.issuer == STRING
    input.Body.name == STRING
    input.Body.responseType.code == BOOLEAN
    input.Body.responseType.idToken == BOOLEAN
    input.Body.responseType.token == BOOLEAN
    input.ReqMap.parent == STRING
    input.Qs.oauthIdpConfigId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.oauthIdpConfigs.delete

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.oauthIdpConfigs.get

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.oauthIdpConfigs.list

valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.oauthIdpConfigs.patch

valid {
    input.Body.clientId == STRING
    input.Body.clientSecret == STRING
    input.Body.displayName == STRING
    input.Body.enabled == BOOLEAN
    input.Body.issuer == STRING
    input.Body.name == STRING
    input.Body.responseType.code == BOOLEAN
    input.Body.responseType.idToken == BOOLEAN
    input.Body.responseType.token == BOOLEAN
    input.ReqMap.name == STRING
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.queryAccounts

enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestOrder := [ "ORDER_UNSPECIFIED", "ASC", "DESC" ]
enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestSortBy := [ "SORT_BY_FIELD_UNSPECIFIED", "USER_ID", "NAME", "CREATED_AT", "LAST_LOGIN_AT", "USER_EMAIL" ]

valid {
    input.Body.expression[_].email == STRING
    input.Body.expression[_].phoneNumber == STRING
    input.Body.expression[_].userId == STRING
    input.Body.limit == STRING
    input.Body.offset == STRING
    input.Body.order == enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestOrder[_]
    input.Body.returnUserInfo == BOOLEAN
    input.Body.sortBy == enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestSortBy[_]
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.accounts

enum_GoogleCloudIdentitytoolkitV1SignUpRequestClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV1SignUpRequestRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.clientType == enum_GoogleCloudIdentitytoolkitV1SignUpRequestClientType[_]
    input.Body.disabled == BOOLEAN
    input.Body.displayName == STRING
    input.Body.email == STRING
    input.Body.emailVerified == BOOLEAN
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.localId == STRING
    input.Body.mfaInfo[_].displayName == STRING
    input.Body.mfaInfo[_].phoneInfo == STRING
    input.Body.password == STRING
    input.Body.phoneNumber == STRING
    input.Body.photoUrl == STRING
    input.Body.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV1SignUpRequestRecaptchaVersion[_]
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.accounts.batchCreate

enum_GoogleCloudIdentitytoolkitV1Argon2ParametersHashType := [ "HASH_TYPE_UNSPECIFIED", "ARGON2_D", "ARGON2_ID", "ARGON2_I" ]
enum_GoogleCloudIdentitytoolkitV1Argon2ParametersVersion := [ "VERSION_UNSPECIFIED", "VERSION_10", "VERSION_13" ]
enum_GoogleCloudIdentitytoolkitV1UploadAccountRequestPasswordHashOrder := [ "UNSPECIFIED_ORDER", "SALT_AND_PASSWORD", "PASSWORD_AND_SALT" ]

valid {
    input.Body.allowOverwrite == BOOLEAN
    input.Body.argon2Parameters.associatedData == STRING
    input.Body.argon2Parameters.hashLengthBytes == INTEGER
    input.Body.argon2Parameters.hashType == enum_GoogleCloudIdentitytoolkitV1Argon2ParametersHashType[_]
    input.Body.argon2Parameters.iterations == INTEGER
    input.Body.argon2Parameters.memoryCostKib == INTEGER
    input.Body.argon2Parameters.parallelism == INTEGER
    input.Body.argon2Parameters.version == enum_GoogleCloudIdentitytoolkitV1Argon2ParametersVersion[_]
    input.Body.blockSize == INTEGER
    input.Body.cpuMemCost == INTEGER
    input.Body.delegatedProjectNumber == STRING
    input.Body.dkLen == INTEGER
    input.Body.hashAlgorithm == STRING
    input.Body.memoryCost == INTEGER
    input.Body.parallelization == INTEGER
    input.Body.passwordHashOrder == enum_GoogleCloudIdentitytoolkitV1UploadAccountRequestPasswordHashOrder[_]
    input.Body.rounds == INTEGER
    input.Body.saltSeparator == STRING
    input.Body.sanityCheck == BOOLEAN
    input.Body.signerKey == STRING
    input.Body.tenantId == STRING
    input.Body.users[_].createdAt == STRING
    input.Body.users[_].customAttributes == STRING
    input.Body.users[_].disabled == BOOLEAN
    input.Body.users[_].displayName == STRING
    input.Body.users[_].email == STRING
    input.Body.users[_].emailVerified == BOOLEAN
    input.Body.users[_].initialEmail == STRING
    input.Body.users[_].lastLoginAt == STRING
    input.Body.users[_].lastRefreshAt == STRING
    input.Body.users[_].localId == STRING
    input.Body.users[_].mfaInfo[_].displayName == STRING
    input.Body.users[_].mfaInfo[_].emailInfo.emailAddress == STRING
    input.Body.users[_].mfaInfo[_].enrolledAt == STRING
    input.Body.users[_].mfaInfo[_].mfaEnrollmentId == STRING
    input.Body.users[_].mfaInfo[_].phoneInfo == STRING
    input.Body.users[_].mfaInfo[_].totpInfo.STRING == STRING
    input.Body.users[_].passwordHash == STRING
    input.Body.users[_].passwordUpdatedAt == NUMBER
    input.Body.users[_].phoneNumber == STRING
    input.Body.users[_].photoUrl == STRING
    input.Body.users[_].providerUserInfo[_].displayName == STRING
    input.Body.users[_].providerUserInfo[_].email == STRING
    input.Body.users[_].providerUserInfo[_].federatedId == STRING
    input.Body.users[_].providerUserInfo[_].phoneNumber == STRING
    input.Body.users[_].providerUserInfo[_].photoUrl == STRING
    input.Body.users[_].providerUserInfo[_].providerId == STRING
    input.Body.users[_].providerUserInfo[_].rawId == STRING
    input.Body.users[_].providerUserInfo[_].screenName == STRING
    input.Body.users[_].rawPassword == STRING
    input.Body.users[_].salt == STRING
    input.Body.users[_].tenantId == STRING
    input.Body.users[_].validSince == STRING
    input.Body.users[_].version == INTEGER
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.accounts.batchDelete

valid {
    input.Body.force == BOOLEAN
    input.Body.localIds[_] == STRING
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.accounts.batchGet

valid {
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.Qs.delegatedProjectNumber == STRING
    input.Qs.maxResults == INTEGER
    input.Qs.nextPageToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.accounts.delete

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.idToken == STRING
    input.Body.localId == STRING
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.accounts.lookup

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.email[_] == STRING
    input.Body.federatedUserId[_].providerId == STRING
    input.Body.federatedUserId[_].rawId == STRING
    input.Body.idToken == STRING
    input.Body.initialEmail[_] == STRING
    input.Body.localId[_] == STRING
    input.Body.phoneNumber[_] == STRING
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.accounts.query

enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestOrder := [ "ORDER_UNSPECIFIED", "ASC", "DESC" ]
enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestSortBy := [ "SORT_BY_FIELD_UNSPECIFIED", "USER_ID", "NAME", "CREATED_AT", "LAST_LOGIN_AT", "USER_EMAIL" ]

valid {
    input.Body.expression[_].email == STRING
    input.Body.expression[_].phoneNumber == STRING
    input.Body.expression[_].userId == STRING
    input.Body.limit == STRING
    input.Body.offset == STRING
    input.Body.order == enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestOrder[_]
    input.Body.returnUserInfo == BOOLEAN
    input.Body.sortBy == enum_GoogleCloudIdentitytoolkitV1QueryUserInfoRequestSortBy[_]
    input.Body.tenantId == STRING
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.accounts.sendOobCode

enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestClientType := [ "CLIENT_TYPE_UNSPECIFIED", "CLIENT_TYPE_WEB", "CLIENT_TYPE_ANDROID", "CLIENT_TYPE_IOS" ]
enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRecaptchaVersion := [ "RECAPTCHA_VERSION_UNSPECIFIED", "RECAPTCHA_ENTERPRISE" ]
enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRequestType := [ "OOB_REQ_TYPE_UNSPECIFIED", "PASSWORD_RESET", "OLD_EMAIL_AGREE", "NEW_EMAIL_ACCEPT", "VERIFY_EMAIL", "RECOVER_EMAIL", "EMAIL_SIGNIN", "VERIFY_AND_CHANGE_EMAIL", "REVERT_SECOND_FACTOR_ADDITION" ]

valid {
    input.Body.androidInstallApp == BOOLEAN
    input.Body.androidMinimumVersion == STRING
    input.Body.androidPackageName == STRING
    input.Body.canHandleCodeInApp == BOOLEAN
    input.Body.captchaResp == STRING
    input.Body.challenge == STRING
    input.Body.clientType == enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestClientType[_]
    input.Body.continueUrl == STRING
    input.Body.dynamicLinkDomain == STRING
    input.Body.email == STRING
    input.Body.iOSAppStoreId == STRING
    input.Body.iOSBundleId == STRING
    input.Body.idToken == STRING
    input.Body.newEmail == STRING
    input.Body.recaptchaVersion == enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRecaptchaVersion[_]
    input.Body.requestType == enum_GoogleCloudIdentitytoolkitV1GetOobCodeRequestRequestType[_]
    input.Body.returnOobLink == BOOLEAN
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.Body.userIp == STRING
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.accounts.update

enum_GoogleCloudIdentitytoolkitV1SetAccountInfoRequestDeleteAttribute := [ "USER_ATTRIBUTE_NAME_UNSPECIFIED", "EMAIL", "DISPLAY_NAME", "PROVIDER", "PHOTO_URL", "PASSWORD", "RAW_USER_INFO" ]

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.createdAt == STRING
    input.Body.customAttributes == STRING
    input.Body.delegatedProjectNumber == STRING
    input.Body.deleteAttribute[_] == enum_GoogleCloudIdentitytoolkitV1SetAccountInfoRequestDeleteAttribute[_]
    input.Body.deleteProvider[_] == STRING
    input.Body.disableUser == BOOLEAN
    input.Body.displayName == STRING
    input.Body.email == STRING
    input.Body.emailVerified == BOOLEAN
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.lastLoginAt == STRING
    input.Body.linkProviderUserInfo.displayName == STRING
    input.Body.linkProviderUserInfo.email == STRING
    input.Body.linkProviderUserInfo.federatedId == STRING
    input.Body.linkProviderUserInfo.phoneNumber == STRING
    input.Body.linkProviderUserInfo.photoUrl == STRING
    input.Body.linkProviderUserInfo.providerId == STRING
    input.Body.linkProviderUserInfo.rawId == STRING
    input.Body.linkProviderUserInfo.screenName == STRING
    input.Body.localId == STRING
    input.Body.mfa.enrollments[_].displayName == STRING
    input.Body.mfa.enrollments[_].emailInfo.emailAddress == STRING
    input.Body.mfa.enrollments[_].enrolledAt == STRING
    input.Body.mfa.enrollments[_].mfaEnrollmentId == STRING
    input.Body.mfa.enrollments[_].phoneInfo == STRING
    input.Body.mfa.enrollments[_].totpInfo.STRING == STRING
    input.Body.oobCode == STRING
    input.Body.password == STRING
    input.Body.phoneNumber == STRING
    input.Body.photoUrl == STRING
    input.Body.provider[_] == STRING
    input.Body.returnSecureToken == BOOLEAN
    input.Body.targetProjectId == STRING
    input.Body.tenantId == STRING
    input.Body.upgradeToFederatedLogin == BOOLEAN
    input.Body.validSince == STRING
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.create

enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigEnabledProviders := [ "PROVIDER_UNSPECIFIED", "PHONE_SMS" ]
enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigState := [ "STATE_UNSPECIFIED", "DISABLED", "ENABLED", "MANDATORY" ]
enum_GoogleCloudIdentitytoolkitAdminV2PasswordPolicyConfigPasswordPolicyEnforcementState := [ "PASSWORD_POLICY_ENFORCEMENT_STATE_UNSPECIFIED", "OFF", "ENFORCE" ]
enum_GoogleCloudIdentitytoolkitAdminV2ProviderConfigState := [ "MFA_STATE_UNSPECIFIED", "DISABLED", "ENABLED", "MANDATORY" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigEmailPasswordEnforcementState := [ "RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED", "OFF", "AUDIT", "ENFORCE" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigPhoneEnforcementState := [ "RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED", "OFF", "AUDIT", "ENFORCE" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaKeyType := [ "CLIENT_TYPE_UNSPECIFIED", "WEB", "IOS", "ANDROID" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaManagedRuleAction := [ "RECAPTCHA_ACTION_UNSPECIFIED", "BLOCK" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaTollFraudManagedRuleAction := [ "RECAPTCHA_ACTION_UNSPECIFIED", "BLOCK" ]

valid {
    input.Body.allowPasswordSignup == BOOLEAN
    input.Body.autodeleteAnonymousUsers == BOOLEAN
    input.Body.client.permissions.disabledUserDeletion == BOOLEAN
    input.Body.client.permissions.disabledUserSignup == BOOLEAN
    input.Body.disableAuth == BOOLEAN
    input.Body.displayName == STRING
    input.Body.emailPrivacyConfig.enableImprovedEmailPrivacy == BOOLEAN
    input.Body.enableAnonymousUser == BOOLEAN
    input.Body.enableEmailLinkSignin == BOOLEAN
    input.Body.inheritance.emailSendingConfig == BOOLEAN
    input.Body.mfaConfig.enabledProviders[_] == enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigEnabledProviders[_]
    input.Body.mfaConfig.providerConfigs[_].state == enum_GoogleCloudIdentitytoolkitAdminV2ProviderConfigState[_]
    input.Body.mfaConfig.providerConfigs[_].totpProviderConfig.adjacentIntervals == INTEGER
    input.Body.mfaConfig.state == enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigState[_]
    input.Body.monitoring.requestLogging.enabled == BOOLEAN
    input.Body.passwordPolicyConfig.forceUpgradeOnSignin == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyEnforcementState == enum_GoogleCloudIdentitytoolkitAdminV2PasswordPolicyConfigPasswordPolicyEnforcementState[_]
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsLowercaseCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsNonAlphanumericCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsNumericCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsUppercaseCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.maxPasswordLength == INTEGER
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.minPasswordLength == INTEGER
    input.Body.recaptchaConfig.emailPasswordEnforcementState == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigEmailPasswordEnforcementState[_]
    input.Body.recaptchaConfig.managedRules[_].action == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaManagedRuleAction[_]
    input.Body.recaptchaConfig.managedRules[_].endScore == NUMBER
    input.Body.recaptchaConfig.phoneEnforcementState == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigPhoneEnforcementState[_]
    input.Body.recaptchaConfig.recaptchaKeys[_].key == STRING
    input.Body.recaptchaConfig.recaptchaKeys[_].type == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaKeyType[_]
    input.Body.recaptchaConfig.tollFraudManagedRules[_].action == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaTollFraudManagedRuleAction[_]
    input.Body.recaptchaConfig.tollFraudManagedRules[_].startScore == NUMBER
    input.Body.recaptchaConfig.useAccountDefender == BOOLEAN
    input.Body.recaptchaConfig.useSmsBotScore == BOOLEAN
    input.Body.recaptchaConfig.useSmsTollFraudProtection == BOOLEAN
    input.Body.smsRegionConfig.allowByDefault.disallowedRegions[_] == STRING
    input.Body.smsRegionConfig.allowlistOnly.allowedRegions[_] == STRING
    input.Body.testPhoneNumbers.STRING == STRING
    input.ReqMap.parent == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.createSessionCookie

valid {
    input.Body.idToken == STRING
    input.Body.tenantId == STRING
    input.Body.validDuration == STRING
    input.ReqMap.targetProjectId == STRING
    input.ReqMap.tenantId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.defaultSupportedIdpConfigs.create

valid {
    input.Body.appleSignInConfig.bundleIds[_] == STRING
    input.Body.appleSignInConfig.codeFlowConfig.keyId == STRING
    input.Body.appleSignInConfig.codeFlowConfig.privateKey == STRING
    input.Body.appleSignInConfig.codeFlowConfig.teamId == STRING
    input.Body.clientId == STRING
    input.Body.clientSecret == STRING
    input.Body.enabled == BOOLEAN
    input.Body.name == STRING
    input.ReqMap.parent == STRING
    input.Qs.idpId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.defaultSupportedIdpConfigs.delete

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.defaultSupportedIdpConfigs.get

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.defaultSupportedIdpConfigs.list

valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.defaultSupportedIdpConfigs.patch

valid {
    input.Body.appleSignInConfig.bundleIds[_] == STRING
    input.Body.appleSignInConfig.codeFlowConfig.keyId == STRING
    input.Body.appleSignInConfig.codeFlowConfig.privateKey == STRING
    input.Body.appleSignInConfig.codeFlowConfig.teamId == STRING
    input.Body.clientId == STRING
    input.Body.clientSecret == STRING
    input.Body.enabled == BOOLEAN
    input.Body.name == STRING
    input.ReqMap.name == STRING
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.delete

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.get

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.getIamPolicy

valid {
    input.Body.options.requestedPolicyVersion == INTEGER
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.inboundSamlConfigs.create

valid {
    input.Body.displayName == STRING
    input.Body.enabled == BOOLEAN
    input.Body.idpConfig.idpCertificates[_].x509Certificate == STRING
    input.Body.idpConfig.idpEntityId == STRING
    input.Body.idpConfig.signRequest == BOOLEAN
    input.Body.idpConfig.ssoUrl == STRING
    input.Body.name == STRING
    input.Body.spConfig.callbackUri == STRING
    input.Body.spConfig.spEntityId == STRING
    input.ReqMap.parent == STRING
    input.Qs.inboundSamlConfigId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.inboundSamlConfigs.delete

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.inboundSamlConfigs.get

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.inboundSamlConfigs.list

valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.inboundSamlConfigs.patch

valid {
    input.Body.displayName == STRING
    input.Body.enabled == BOOLEAN
    input.Body.idpConfig.idpCertificates[_].x509Certificate == STRING
    input.Body.idpConfig.idpEntityId == STRING
    input.Body.idpConfig.signRequest == BOOLEAN
    input.Body.idpConfig.ssoUrl == STRING
    input.Body.name == STRING
    input.Body.spConfig.callbackUri == STRING
    input.Body.spConfig.spEntityId == STRING
    input.ReqMap.name == STRING
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.list

valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.oauthIdpConfigs.create

valid {
    input.Body.clientId == STRING
    input.Body.clientSecret == STRING
    input.Body.displayName == STRING
    input.Body.enabled == BOOLEAN
    input.Body.issuer == STRING
    input.Body.name == STRING
    input.Body.responseType.code == BOOLEAN
    input.Body.responseType.idToken == BOOLEAN
    input.Body.responseType.token == BOOLEAN
    input.ReqMap.parent == STRING
    input.Qs.oauthIdpConfigId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.oauthIdpConfigs.delete

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.oauthIdpConfigs.get

valid {
    input.ReqMap.name == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.oauthIdpConfigs.list

valid {
    input.ReqMap.parent == STRING
    input.Qs.pageSize == INTEGER
    input.Qs.pageToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.oauthIdpConfigs.patch

valid {
    input.Body.clientId == STRING
    input.Body.clientSecret == STRING
    input.Body.displayName == STRING
    input.Body.enabled == BOOLEAN
    input.Body.issuer == STRING
    input.Body.name == STRING
    input.Body.responseType.code == BOOLEAN
    input.Body.responseType.idToken == BOOLEAN
    input.Body.responseType.token == BOOLEAN
    input.ReqMap.name == STRING
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.patch

enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigEnabledProviders := [ "PROVIDER_UNSPECIFIED", "PHONE_SMS" ]
enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigState := [ "STATE_UNSPECIFIED", "DISABLED", "ENABLED", "MANDATORY" ]
enum_GoogleCloudIdentitytoolkitAdminV2PasswordPolicyConfigPasswordPolicyEnforcementState := [ "PASSWORD_POLICY_ENFORCEMENT_STATE_UNSPECIFIED", "OFF", "ENFORCE" ]
enum_GoogleCloudIdentitytoolkitAdminV2ProviderConfigState := [ "MFA_STATE_UNSPECIFIED", "DISABLED", "ENABLED", "MANDATORY" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigEmailPasswordEnforcementState := [ "RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED", "OFF", "AUDIT", "ENFORCE" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigPhoneEnforcementState := [ "RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED", "OFF", "AUDIT", "ENFORCE" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaKeyType := [ "CLIENT_TYPE_UNSPECIFIED", "WEB", "IOS", "ANDROID" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaManagedRuleAction := [ "RECAPTCHA_ACTION_UNSPECIFIED", "BLOCK" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaTollFraudManagedRuleAction := [ "RECAPTCHA_ACTION_UNSPECIFIED", "BLOCK" ]

valid {
    input.Body.allowPasswordSignup == BOOLEAN
    input.Body.autodeleteAnonymousUsers == BOOLEAN
    input.Body.client.permissions.disabledUserDeletion == BOOLEAN
    input.Body.client.permissions.disabledUserSignup == BOOLEAN
    input.Body.disableAuth == BOOLEAN
    input.Body.displayName == STRING
    input.Body.emailPrivacyConfig.enableImprovedEmailPrivacy == BOOLEAN
    input.Body.enableAnonymousUser == BOOLEAN
    input.Body.enableEmailLinkSignin == BOOLEAN
    input.Body.inheritance.emailSendingConfig == BOOLEAN
    input.Body.mfaConfig.enabledProviders[_] == enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigEnabledProviders[_]
    input.Body.mfaConfig.providerConfigs[_].state == enum_GoogleCloudIdentitytoolkitAdminV2ProviderConfigState[_]
    input.Body.mfaConfig.providerConfigs[_].totpProviderConfig.adjacentIntervals == INTEGER
    input.Body.mfaConfig.state == enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigState[_]
    input.Body.monitoring.requestLogging.enabled == BOOLEAN
    input.Body.passwordPolicyConfig.forceUpgradeOnSignin == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyEnforcementState == enum_GoogleCloudIdentitytoolkitAdminV2PasswordPolicyConfigPasswordPolicyEnforcementState[_]
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsLowercaseCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsNonAlphanumericCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsNumericCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsUppercaseCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.maxPasswordLength == INTEGER
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.minPasswordLength == INTEGER
    input.Body.recaptchaConfig.emailPasswordEnforcementState == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigEmailPasswordEnforcementState[_]
    input.Body.recaptchaConfig.managedRules[_].action == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaManagedRuleAction[_]
    input.Body.recaptchaConfig.managedRules[_].endScore == NUMBER
    input.Body.recaptchaConfig.phoneEnforcementState == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigPhoneEnforcementState[_]
    input.Body.recaptchaConfig.recaptchaKeys[_].key == STRING
    input.Body.recaptchaConfig.recaptchaKeys[_].type == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaKeyType[_]
    input.Body.recaptchaConfig.tollFraudManagedRules[_].action == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaTollFraudManagedRuleAction[_]
    input.Body.recaptchaConfig.tollFraudManagedRules[_].startScore == NUMBER
    input.Body.recaptchaConfig.useAccountDefender == BOOLEAN
    input.Body.recaptchaConfig.useSmsBotScore == BOOLEAN
    input.Body.recaptchaConfig.useSmsTollFraudProtection == BOOLEAN
    input.Body.smsRegionConfig.allowByDefault.disallowedRegions[_] == STRING
    input.Body.smsRegionConfig.allowlistOnly.allowedRegions[_] == STRING
    input.Body.testPhoneNumbers.STRING == STRING
    input.ReqMap.name == STRING
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.setIamPolicy

enum_GoogleIamV1AuditLogConfigLogType := [ "LOG_TYPE_UNSPECIFIED", "ADMIN_READ", "DATA_WRITE", "DATA_READ" ]

valid {
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].exemptedMembers[_] == STRING
    input.Body.policy.auditConfigs[_].auditLogConfigs[_].logType == enum_GoogleIamV1AuditLogConfigLogType[_]
    input.Body.policy.auditConfigs[_].service == STRING
    input.Body.policy.bindings[_].condition.description == STRING
    input.Body.policy.bindings[_].condition.expression == STRING
    input.Body.policy.bindings[_].condition.location == STRING
    input.Body.policy.bindings[_].condition.title == STRING
    input.Body.policy.bindings[_].members[_] == STRING
    input.Body.policy.bindings[_].role == STRING
    input.Body.policy.etag == STRING
    input.Body.policy.version == INTEGER
    input.Body.updateMask == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.tenants.testIamPermissions

valid {
    input.Body.permissions[_] == STRING
    input.ReqMap.resource == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.projects.updateConfig

enum_GoogleCloudIdentitytoolkitAdminV2EmailTemplateBodyFormat := [ "BODY_FORMAT_UNSPECIFIED", "PLAIN_TEXT", "HTML" ]
enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigEnabledProviders := [ "PROVIDER_UNSPECIFIED", "PHONE_SMS" ]
enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigState := [ "STATE_UNSPECIFIED", "DISABLED", "ENABLED", "MANDATORY" ]
enum_GoogleCloudIdentitytoolkitAdminV2PasswordPolicyConfigPasswordPolicyEnforcementState := [ "PASSWORD_POLICY_ENFORCEMENT_STATE_UNSPECIFIED", "OFF", "ENFORCE" ]
enum_GoogleCloudIdentitytoolkitAdminV2ProviderConfigState := [ "MFA_STATE_UNSPECIFIED", "DISABLED", "ENABLED", "MANDATORY" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigEmailPasswordEnforcementState := [ "RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED", "OFF", "AUDIT", "ENFORCE" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigPhoneEnforcementState := [ "RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED", "OFF", "AUDIT", "ENFORCE" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaKeyType := [ "CLIENT_TYPE_UNSPECIFIED", "WEB", "IOS", "ANDROID" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaManagedRuleAction := [ "RECAPTCHA_ACTION_UNSPECIFIED", "BLOCK" ]
enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaTollFraudManagedRuleAction := [ "RECAPTCHA_ACTION_UNSPECIFIED", "BLOCK" ]
enum_GoogleCloudIdentitytoolkitAdminV2SendEmailMethod := [ "METHOD_UNSPECIFIED", "DEFAULT", "CUSTOM_SMTP" ]
enum_GoogleCloudIdentitytoolkitAdminV2SmtpSecurityMode := [ "SECURITY_MODE_UNSPECIFIED", "SSL", "START_TLS" ]

valid {
    input.Body.authorizedDomains[_] == STRING
    input.Body.autodeleteAnonymousUsers == BOOLEAN
    input.Body.blockingFunctions.forwardInboundCredentials.accessToken == BOOLEAN
    input.Body.blockingFunctions.forwardInboundCredentials.idToken == BOOLEAN
    input.Body.blockingFunctions.forwardInboundCredentials.refreshToken == BOOLEAN
    input.Body.blockingFunctions.triggers.STRING.functionUri == STRING
    input.Body.blockingFunctions.triggers.STRING.updateTime == STRING
    input.Body.client.permissions.disabledUserDeletion == BOOLEAN
    input.Body.client.permissions.disabledUserSignup == BOOLEAN
    input.Body.emailPrivacyConfig.enableImprovedEmailPrivacy == BOOLEAN
    input.Body.mfa.enabledProviders[_] == enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigEnabledProviders[_]
    input.Body.mfa.providerConfigs[_].state == enum_GoogleCloudIdentitytoolkitAdminV2ProviderConfigState[_]
    input.Body.mfa.providerConfigs[_].totpProviderConfig.adjacentIntervals == INTEGER
    input.Body.mfa.state == enum_GoogleCloudIdentitytoolkitAdminV2MultiFactorAuthConfigState[_]
    input.Body.monitoring.requestLogging.enabled == BOOLEAN
    input.Body.multiTenant.allowTenants == BOOLEAN
    input.Body.multiTenant.defaultTenantLocation == STRING
    input.Body.notification.defaultLocale == STRING
    input.Body.notification.sendEmail.callbackUri == STRING
    input.Body.notification.sendEmail.changeEmailTemplate.body == STRING
    input.Body.notification.sendEmail.changeEmailTemplate.bodyFormat == enum_GoogleCloudIdentitytoolkitAdminV2EmailTemplateBodyFormat[_]
    input.Body.notification.sendEmail.changeEmailTemplate.replyTo == STRING
    input.Body.notification.sendEmail.changeEmailTemplate.senderDisplayName == STRING
    input.Body.notification.sendEmail.changeEmailTemplate.senderLocalPart == STRING
    input.Body.notification.sendEmail.changeEmailTemplate.subject == STRING
    input.Body.notification.sendEmail.dnsInfo.useCustomDomain == BOOLEAN
    input.Body.notification.sendEmail.legacyResetPasswordTemplate.body == STRING
    input.Body.notification.sendEmail.legacyResetPasswordTemplate.bodyFormat == enum_GoogleCloudIdentitytoolkitAdminV2EmailTemplateBodyFormat[_]
    input.Body.notification.sendEmail.legacyResetPasswordTemplate.replyTo == STRING
    input.Body.notification.sendEmail.legacyResetPasswordTemplate.senderDisplayName == STRING
    input.Body.notification.sendEmail.legacyResetPasswordTemplate.senderLocalPart == STRING
    input.Body.notification.sendEmail.legacyResetPasswordTemplate.subject == STRING
    input.Body.notification.sendEmail.method == enum_GoogleCloudIdentitytoolkitAdminV2SendEmailMethod[_]
    input.Body.notification.sendEmail.resetPasswordTemplate.body == STRING
    input.Body.notification.sendEmail.resetPasswordTemplate.bodyFormat == enum_GoogleCloudIdentitytoolkitAdminV2EmailTemplateBodyFormat[_]
    input.Body.notification.sendEmail.resetPasswordTemplate.replyTo == STRING
    input.Body.notification.sendEmail.resetPasswordTemplate.senderDisplayName == STRING
    input.Body.notification.sendEmail.resetPasswordTemplate.senderLocalPart == STRING
    input.Body.notification.sendEmail.resetPasswordTemplate.subject == STRING
    input.Body.notification.sendEmail.revertSecondFactorAdditionTemplate.body == STRING
    input.Body.notification.sendEmail.revertSecondFactorAdditionTemplate.bodyFormat == enum_GoogleCloudIdentitytoolkitAdminV2EmailTemplateBodyFormat[_]
    input.Body.notification.sendEmail.revertSecondFactorAdditionTemplate.replyTo == STRING
    input.Body.notification.sendEmail.revertSecondFactorAdditionTemplate.senderDisplayName == STRING
    input.Body.notification.sendEmail.revertSecondFactorAdditionTemplate.senderLocalPart == STRING
    input.Body.notification.sendEmail.revertSecondFactorAdditionTemplate.subject == STRING
    input.Body.notification.sendEmail.smtp.host == STRING
    input.Body.notification.sendEmail.smtp.password == STRING
    input.Body.notification.sendEmail.smtp.port == INTEGER
    input.Body.notification.sendEmail.smtp.securityMode == enum_GoogleCloudIdentitytoolkitAdminV2SmtpSecurityMode[_]
    input.Body.notification.sendEmail.smtp.senderEmail == STRING
    input.Body.notification.sendEmail.smtp.username == STRING
    input.Body.notification.sendEmail.verifyEmailTemplate.body == STRING
    input.Body.notification.sendEmail.verifyEmailTemplate.bodyFormat == enum_GoogleCloudIdentitytoolkitAdminV2EmailTemplateBodyFormat[_]
    input.Body.notification.sendEmail.verifyEmailTemplate.replyTo == STRING
    input.Body.notification.sendEmail.verifyEmailTemplate.senderDisplayName == STRING
    input.Body.notification.sendEmail.verifyEmailTemplate.senderLocalPart == STRING
    input.Body.notification.sendEmail.verifyEmailTemplate.subject == STRING
    input.Body.notification.sendSms.useDeviceLocale == BOOLEAN
    input.Body.passwordPolicyConfig.forceUpgradeOnSignin == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyEnforcementState == enum_GoogleCloudIdentitytoolkitAdminV2PasswordPolicyConfigPasswordPolicyEnforcementState[_]
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsLowercaseCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsNonAlphanumericCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsNumericCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.containsUppercaseCharacter == BOOLEAN
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.maxPasswordLength == INTEGER
    input.Body.passwordPolicyConfig.passwordPolicyVersions[_].customStrengthOptions.minPasswordLength == INTEGER
    input.Body.quota.signUpQuotaConfig.quota == STRING
    input.Body.quota.signUpQuotaConfig.quotaDuration == STRING
    input.Body.quota.signUpQuotaConfig.startTime == STRING
    input.Body.recaptchaConfig.emailPasswordEnforcementState == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigEmailPasswordEnforcementState[_]
    input.Body.recaptchaConfig.managedRules[_].action == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaManagedRuleAction[_]
    input.Body.recaptchaConfig.managedRules[_].endScore == NUMBER
    input.Body.recaptchaConfig.phoneEnforcementState == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaConfigPhoneEnforcementState[_]
    input.Body.recaptchaConfig.recaptchaKeys[_].key == STRING
    input.Body.recaptchaConfig.recaptchaKeys[_].type == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaKeyType[_]
    input.Body.recaptchaConfig.tollFraudManagedRules[_].action == enum_GoogleCloudIdentitytoolkitAdminV2RecaptchaTollFraudManagedRuleAction[_]
    input.Body.recaptchaConfig.tollFraudManagedRules[_].startScore == NUMBER
    input.Body.recaptchaConfig.useAccountDefender == BOOLEAN
    input.Body.recaptchaConfig.useSmsBotScore == BOOLEAN
    input.Body.recaptchaConfig.useSmsTollFraudProtection == BOOLEAN
    input.Body.signIn.allowDuplicateEmails == BOOLEAN
    input.Body.signIn.anonymous.enabled == BOOLEAN
    input.Body.signIn.email.enabled == BOOLEAN
    input.Body.signIn.email.passwordRequired == BOOLEAN
    input.Body.signIn.phoneNumber.enabled == BOOLEAN
    input.Body.signIn.phoneNumber.testPhoneNumbers.STRING == STRING
    input.Body.smsRegionConfig.allowByDefault.disallowedRegions[_] == STRING
    input.Body.smsRegionConfig.allowlistOnly.allowedRegions[_] == STRING
    input.ReqMap.name == STRING
    input.Qs.updateMask == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.createAuthUri

valid {
    input.Body.appId == STRING
    input.Body.authFlowType == STRING
    input.Body.clientId == STRING
    input.Body.context == STRING
    input.Body.continueUri == STRING
    input.Body.customParameter.STRING == STRING
    input.Body.hostedDomain == STRING
    input.Body.identifier == STRING
    input.Body.oauthConsumerKey == STRING
    input.Body.oauthScope == STRING
    input.Body.openidRealm == STRING
    input.Body.otaApp == STRING
    input.Body.providerId == STRING
    input.Body.sessionId == STRING
    input.Body.tenantId == STRING
    input.Body.tenantProjectNumber == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.deleteAccount

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.idToken == STRING
    input.Body.localId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.downloadAccount

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.maxResults == INTEGER
    input.Body.nextPageToken == STRING
    input.Body.targetProjectId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.emailLinkSignin

valid {
    input.Body.email == STRING
    input.Body.idToken == STRING
    input.Body.oobCode == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.getAccountInfo

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.email[_] == STRING
    input.Body.idToken == STRING
    input.Body.localId[_] == STRING
    input.Body.phoneNumber[_] == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.getOobConfirmationCode

valid {
    input.Body.androidInstallApp == BOOLEAN
    input.Body.androidMinimumVersion == STRING
    input.Body.androidPackageName == STRING
    input.Body.canHandleCodeInApp == BOOLEAN
    input.Body.captchaResp == STRING
    input.Body.challenge == STRING
    input.Body.continueUrl == STRING
    input.Body.email == STRING
    input.Body.iOSAppStoreId == STRING
    input.Body.iOSBundleId == STRING
    input.Body.idToken == STRING
    input.Body.kind == STRING
    input.Body.newEmail == STRING
    input.Body.requestType == STRING
    input.Body.userIp == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.getProjectConfig

valid {
    input.Qs.delegatedProjectNumber == STRING
    input.Qs.projectNumber == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.getPublicKeys

valid {
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.getRecaptchaParam

valid {
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.resetPassword

valid {
    input.Body.email == STRING
    input.Body.newPassword == STRING
    input.Body.oldPassword == STRING
    input.Body.oobCode == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.sendVerificationCode

valid {
    input.Body.iosReceipt == STRING
    input.Body.iosSecret == STRING
    input.Body.phoneNumber == STRING
    input.Body.recaptchaToken == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.setAccountInfo

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.createdAt == STRING
    input.Body.customAttributes == STRING
    input.Body.delegatedProjectNumber == STRING
    input.Body.deleteAttribute[_] == STRING
    input.Body.deleteProvider[_] == STRING
    input.Body.disableUser == BOOLEAN
    input.Body.displayName == STRING
    input.Body.email == STRING
    input.Body.emailVerified == BOOLEAN
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.lastLoginAt == STRING
    input.Body.localId == STRING
    input.Body.oobCode == STRING
    input.Body.password == STRING
    input.Body.phoneNumber == STRING
    input.Body.photoUrl == STRING
    input.Body.provider[_] == STRING
    input.Body.returnSecureToken == BOOLEAN
    input.Body.upgradeToFederatedLogin == BOOLEAN
    input.Body.validSince == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.setProjectConfig

valid {
    input.Body.allowPasswordUser == BOOLEAN
    input.Body.apiKey == STRING
    input.Body.authorizedDomains[_] == STRING
    input.Body.changeEmailTemplate.body == STRING
    input.Body.changeEmailTemplate.format == STRING
    input.Body.changeEmailTemplate.from == STRING
    input.Body.changeEmailTemplate.fromDisplayName == STRING
    input.Body.changeEmailTemplate.replyTo == STRING
    input.Body.changeEmailTemplate.subject == STRING
    input.Body.delegatedProjectNumber == STRING
    input.Body.enableAnonymousUser == BOOLEAN
    input.Body.idpConfig[_].clientId == STRING
    input.Body.idpConfig[_].enabled == BOOLEAN
    input.Body.idpConfig[_].experimentPercent == INTEGER
    input.Body.idpConfig[_].provider == STRING
    input.Body.idpConfig[_].secret == STRING
    input.Body.idpConfig[_].whitelistedAudiences[_] == STRING
    input.Body.legacyResetPasswordTemplate.body == STRING
    input.Body.legacyResetPasswordTemplate.format == STRING
    input.Body.legacyResetPasswordTemplate.from == STRING
    input.Body.legacyResetPasswordTemplate.fromDisplayName == STRING
    input.Body.legacyResetPasswordTemplate.replyTo == STRING
    input.Body.legacyResetPasswordTemplate.subject == STRING
    input.Body.resetPasswordTemplate.body == STRING
    input.Body.resetPasswordTemplate.format == STRING
    input.Body.resetPasswordTemplate.from == STRING
    input.Body.resetPasswordTemplate.fromDisplayName == STRING
    input.Body.resetPasswordTemplate.replyTo == STRING
    input.Body.resetPasswordTemplate.subject == STRING
    input.Body.useEmailSending == BOOLEAN
    input.Body.verifyEmailTemplate.body == STRING
    input.Body.verifyEmailTemplate.format == STRING
    input.Body.verifyEmailTemplate.from == STRING
    input.Body.verifyEmailTemplate.fromDisplayName == STRING
    input.Body.verifyEmailTemplate.replyTo == STRING
    input.Body.verifyEmailTemplate.subject == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.signOutUser

valid {
    input.Body.instanceId == STRING
    input.Body.localId == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.signupNewUser

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.disabled == BOOLEAN
    input.Body.displayName == STRING
    input.Body.email == STRING
    input.Body.emailVerified == BOOLEAN
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.localId == STRING
    input.Body.password == STRING
    input.Body.phoneNumber == STRING
    input.Body.photoUrl == STRING
    input.Body.tenantId == STRING
    input.Body.tenantProjectNumber == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.uploadAccount

valid {
    input.Body.allowOverwrite == BOOLEAN
    input.Body.blockSize == INTEGER
    input.Body.cpuMemCost == INTEGER
    input.Body.delegatedProjectNumber == STRING
    input.Body.dkLen == INTEGER
    input.Body.hashAlgorithm == STRING
    input.Body.memoryCost == INTEGER
    input.Body.parallelization == INTEGER
    input.Body.rounds == INTEGER
    input.Body.saltSeparator == STRING
    input.Body.sanityCheck == BOOLEAN
    input.Body.signerKey == STRING
    input.Body.targetProjectId == STRING
    input.Body.users[_].createdAt == STRING
    input.Body.users[_].customAttributes == STRING
    input.Body.users[_].customAuth == BOOLEAN
    input.Body.users[_].disabled == BOOLEAN
    input.Body.users[_].displayName == STRING
    input.Body.users[_].email == STRING
    input.Body.users[_].emailVerified == BOOLEAN
    input.Body.users[_].lastLoginAt == STRING
    input.Body.users[_].localId == STRING
    input.Body.users[_].passwordHash == STRING
    input.Body.users[_].passwordUpdatedAt == NUMBER
    input.Body.users[_].phoneNumber == STRING
    input.Body.users[_].photoUrl == STRING
    input.Body.users[_].providerUserInfo[_].displayName == STRING
    input.Body.users[_].providerUserInfo[_].email == STRING
    input.Body.users[_].providerUserInfo[_].federatedId == STRING
    input.Body.users[_].providerUserInfo[_].phoneNumber == STRING
    input.Body.users[_].providerUserInfo[_].photoUrl == STRING
    input.Body.users[_].providerUserInfo[_].providerId == STRING
    input.Body.users[_].providerUserInfo[_].rawId == STRING
    input.Body.users[_].providerUserInfo[_].screenName == STRING
    input.Body.users[_].rawPassword == STRING
    input.Body.users[_].salt == STRING
    input.Body.users[_].screenName == STRING
    input.Body.users[_].validSince == STRING
    input.Body.users[_].version == INTEGER
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.verifyAssertion

valid {
    input.Body.autoCreate == BOOLEAN
    input.Body.delegatedProjectNumber == STRING
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.pendingIdToken == STRING
    input.Body.postBody == STRING
    input.Body.requestUri == STRING
    input.Body.returnIdpCredential == BOOLEAN
    input.Body.returnRefreshToken == BOOLEAN
    input.Body.returnSecureToken == BOOLEAN
    input.Body.sessionId == STRING
    input.Body.tenantId == STRING
    input.Body.tenantProjectNumber == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.verifyCustomToken

valid {
    input.Body.delegatedProjectNumber == STRING
    input.Body.instanceId == STRING
    input.Body.returnSecureToken == BOOLEAN
    input.Body.token == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.verifyPassword

valid {
    input.Body.captchaChallenge == STRING
    input.Body.captchaResponse == STRING
    input.Body.delegatedProjectNumber == STRING
    input.Body.email == STRING
    input.Body.idToken == STRING
    input.Body.instanceId == STRING
    input.Body.password == STRING
    input.Body.pendingIdToken == STRING
    input.Body.returnSecureToken == BOOLEAN
    input.Body.tenantId == STRING
    input.Body.tenantProjectNumber == STRING
    input.ProviderMetadata.Region == STRING
}

identitytoolkit.relyingparty.verifyPhoneNumber

valid {
    input.Body.code == STRING
    input.Body.idToken == STRING
    input.Body.operation == STRING
    input.Body.phoneNumber == STRING
    input.Body.sessionInfo == STRING
    input.Body.temporaryProof == STRING
    input.Body.verificationProof == STRING
    input.ProviderMetadata.Region == STRING
}