google-cloud-network_security-v1 0.a → 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.yardopts +12 -0
- data/AUTHENTICATION.md +122 -0
- data/README.md +154 -8
- data/lib/google/cloud/network_security/v1/address_group_service/client.rb +1457 -0
- data/lib/google/cloud/network_security/v1/address_group_service/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/address_group_service/operations.rb +843 -0
- data/lib/google/cloud/network_security/v1/address_group_service/paths.rb +110 -0
- data/lib/google/cloud/network_security/v1/address_group_service.rb +52 -0
- data/lib/google/cloud/network_security/v1/dns_threat_detector_service/client.rb +900 -0
- data/lib/google/cloud/network_security/v1/dns_threat_detector_service/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/dns_threat_detector_service/paths.rb +86 -0
- data/lib/google/cloud/network_security/v1/dns_threat_detector_service.rb +49 -0
- data/lib/google/cloud/network_security/v1/firewall_activation/client.rb +2098 -0
- data/lib/google/cloud/network_security/v1/firewall_activation/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/firewall_activation/operations.rb +843 -0
- data/lib/google/cloud/network_security/v1/firewall_activation/paths.rb +165 -0
- data/lib/google/cloud/network_security/v1/firewall_activation.rb +50 -0
- data/lib/google/cloud/network_security/v1/intercept/client.rb +2599 -0
- data/lib/google/cloud/network_security/v1/intercept/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/intercept/operations.rb +843 -0
- data/lib/google/cloud/network_security/v1/intercept/paths.rb +160 -0
- data/lib/google/cloud/network_security/v1/intercept.rb +51 -0
- data/lib/google/cloud/network_security/v1/mirroring/client.rb +2598 -0
- data/lib/google/cloud/network_security/v1/mirroring/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/mirroring/operations.rb +843 -0
- data/lib/google/cloud/network_security/v1/mirroring/paths.rb +160 -0
- data/lib/google/cloud/network_security/v1/mirroring.rb +50 -0
- data/lib/google/cloud/network_security/v1/network_security/client.rb +5161 -0
- data/lib/google/cloud/network_security/v1/network_security/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/network_security/operations.rb +843 -0
- data/lib/google/cloud/network_security/v1/network_security/paths.rb +280 -0
- data/lib/google/cloud/network_security/v1/network_security.rb +52 -0
- data/lib/google/cloud/network_security/v1/organization_address_group_service/client.rb +1457 -0
- data/lib/google/cloud/network_security/v1/organization_address_group_service/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/organization_address_group_service/operations.rb +843 -0
- data/lib/google/cloud/network_security/v1/organization_address_group_service/paths.rb +110 -0
- data/lib/google/cloud/network_security/v1/organization_address_group_service.rb +52 -0
- data/lib/google/cloud/network_security/v1/organization_security_profile_group_service/client.rb +1471 -0
- data/lib/google/cloud/network_security/v1/organization_security_profile_group_service/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/organization_security_profile_group_service/operations.rb +843 -0
- data/lib/google/cloud/network_security/v1/organization_security_profile_group_service/paths.rb +191 -0
- data/lib/google/cloud/network_security/v1/organization_security_profile_group_service.rb +50 -0
- data/lib/google/cloud/network_security/v1/security_profile_group_service/client.rb +1472 -0
- data/lib/google/cloud/network_security/v1/security_profile_group_service/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/security_profile_group_service/operations.rb +843 -0
- data/lib/google/cloud/network_security/v1/security_profile_group_service/paths.rb +191 -0
- data/lib/google/cloud/network_security/v1/security_profile_group_service.rb +51 -0
- data/lib/google/cloud/network_security/v1/sse_realm_service/client.rb +1316 -0
- data/lib/google/cloud/network_security/v1/sse_realm_service/credentials.rb +47 -0
- data/lib/google/cloud/network_security/v1/sse_realm_service/operations.rb +843 -0
- data/lib/google/cloud/network_security/v1/sse_realm_service/paths.rb +88 -0
- data/lib/google/cloud/network_security/v1/sse_realm_service.rb +50 -0
- data/lib/google/cloud/network_security/v1/version.rb +7 -2
- data/lib/google/cloud/network_security/v1.rb +49 -0
- data/lib/google/cloud/networksecurity/v1/address_group_pb.rb +46 -0
- data/lib/google/cloud/networksecurity/v1/address_group_services_pb.rb +97 -0
- data/lib/google/cloud/networksecurity/v1/authorization_policy_pb.rb +37 -0
- data/lib/google/cloud/networksecurity/v1/authz_policy_pb.rb +56 -0
- data/lib/google/cloud/networksecurity/v1/backend_authentication_config_pb.rb +33 -0
- data/lib/google/cloud/networksecurity/v1/client_tls_policy_pb.rb +33 -0
- data/lib/google/cloud/networksecurity/v1/common_pb.rb +24 -0
- data/lib/google/cloud/networksecurity/v1/dns_threat_detector_pb.rb +36 -0
- data/lib/google/cloud/networksecurity/v1/dns_threat_detector_services_pb.rb +53 -0
- data/lib/google/cloud/networksecurity/v1/firewall_activation_pb.rb +48 -0
- data/lib/google/cloud/networksecurity/v1/firewall_activation_services_pb.rb +73 -0
- data/lib/google/cloud/networksecurity/v1/gateway_security_policy_pb.rb +32 -0
- data/lib/google/cloud/networksecurity/v1/gateway_security_policy_rule_pb.rb +33 -0
- data/lib/google/cloud/networksecurity/v1/intercept_pb.rb +71 -0
- data/lib/google/cloud/networksecurity/v1/intercept_services_pb.rb +104 -0
- data/lib/google/cloud/networksecurity/v1/mirroring_pb.rb +72 -0
- data/lib/google/cloud/networksecurity/v1/mirroring_services_pb.rb +103 -0
- data/lib/google/cloud/networksecurity/v1/network_security_pb.rb +35 -0
- data/lib/google/cloud/networksecurity/v1/network_security_services_pb.rb +138 -0
- data/lib/google/cloud/networksecurity/v1/security_profile_group_intercept_pb.rb +24 -0
- data/lib/google/cloud/networksecurity/v1/security_profile_group_mirroring_pb.rb +24 -0
- data/lib/google/cloud/networksecurity/v1/security_profile_group_pb.rb +31 -0
- data/lib/google/cloud/networksecurity/v1/security_profile_group_service_pb.rb +42 -0
- data/lib/google/cloud/networksecurity/v1/security_profile_group_service_services_pb.rb +98 -0
- data/lib/google/cloud/networksecurity/v1/security_profile_group_threatprevention_pb.rb +30 -0
- data/lib/google/cloud/networksecurity/v1/security_profile_group_urlfiltering_pb.rb +25 -0
- data/lib/google/cloud/networksecurity/v1/server_tls_policy_pb.rb +35 -0
- data/lib/google/cloud/networksecurity/v1/sse_realm_pb.rb +46 -0
- data/lib/google/cloud/networksecurity/v1/sse_realm_services_pb.rb +59 -0
- data/lib/google/cloud/networksecurity/v1/tls_inspection_policy_pb.rb +34 -0
- data/lib/google/cloud/networksecurity/v1/tls_pb.rb +26 -0
- data/lib/google/cloud/networksecurity/v1/url_list_pb.rb +32 -0
- data/lib/google-cloud-network_security-v1.rb +21 -0
- data/proto_docs/README.md +4 -0
- data/proto_docs/google/api/client.rb +593 -0
- data/proto_docs/google/api/field_behavior.rb +85 -0
- data/proto_docs/google/api/field_info.rb +88 -0
- data/proto_docs/google/api/launch_stage.rb +71 -0
- data/proto_docs/google/api/resource.rb +227 -0
- data/proto_docs/google/cloud/networksecurity/v1/address_group.rb +374 -0
- data/proto_docs/google/cloud/networksecurity/v1/authorization_policy.rb +263 -0
- data/proto_docs/google/cloud/networksecurity/v1/authz_policy.rb +735 -0
- data/proto_docs/google/cloud/networksecurity/v1/backend_authentication_config.rb +217 -0
- data/proto_docs/google/cloud/networksecurity/v1/client_tls_policy.rb +162 -0
- data/proto_docs/google/cloud/networksecurity/v1/common.rb +57 -0
- data/proto_docs/google/cloud/networksecurity/v1/dns_threat_detector.rb +159 -0
- data/proto_docs/google/cloud/networksecurity/v1/firewall_activation.rb +469 -0
- data/proto_docs/google/cloud/networksecurity/v1/gateway_security_policy.rb +144 -0
- data/proto_docs/google/cloud/networksecurity/v1/gateway_security_policy_rule.rb +178 -0
- data/proto_docs/google/cloud/networksecurity/v1/intercept.rb +960 -0
- data/proto_docs/google/cloud/networksecurity/v1/mirroring.rb +970 -0
- data/proto_docs/google/cloud/networksecurity/v1/security_profile_group.rb +166 -0
- data/proto_docs/google/cloud/networksecurity/v1/security_profile_group_intercept.rb +38 -0
- data/proto_docs/google/cloud/networksecurity/v1/security_profile_group_mirroring.rb +38 -0
- data/proto_docs/google/cloud/networksecurity/v1/security_profile_group_service.rb +211 -0
- data/proto_docs/google/cloud/networksecurity/v1/security_profile_group_threatprevention.rb +193 -0
- data/proto_docs/google/cloud/networksecurity/v1/security_profile_group_urlfiltering.rb +66 -0
- data/proto_docs/google/cloud/networksecurity/v1/server_tls_policy.rb +251 -0
- data/proto_docs/google/cloud/networksecurity/v1/sse_realm.rb +388 -0
- data/proto_docs/google/cloud/networksecurity/v1/tls.rb +90 -0
- data/proto_docs/google/cloud/networksecurity/v1/tls_inspection_policy.rb +239 -0
- data/proto_docs/google/cloud/networksecurity/v1/url_list.rb +144 -0
- data/proto_docs/google/longrunning/operations.rb +191 -0
- data/proto_docs/google/protobuf/any.rb +145 -0
- data/proto_docs/google/protobuf/duration.rb +98 -0
- data/proto_docs/google/protobuf/empty.rb +34 -0
- data/proto_docs/google/protobuf/field_mask.rb +229 -0
- data/proto_docs/google/protobuf/timestamp.rb +127 -0
- data/proto_docs/google/rpc/status.rb +48 -0
- data/proto_docs/google/type/expr.rb +75 -0
- metadata +186 -9
|
@@ -0,0 +1,735 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
# Copyright 2026 Google LLC
|
|
4
|
+
#
|
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
6
|
+
# you may not use this file except in compliance with the License.
|
|
7
|
+
# You may obtain a copy of the License at
|
|
8
|
+
#
|
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
|
10
|
+
#
|
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
14
|
+
# See the License for the specific language governing permissions and
|
|
15
|
+
# limitations under the License.
|
|
16
|
+
|
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
|
18
|
+
|
|
19
|
+
|
|
20
|
+
module Google
|
|
21
|
+
module Cloud
|
|
22
|
+
module NetworkSecurity
|
|
23
|
+
module V1
|
|
24
|
+
# `AuthzPolicy` is a resource that allows to forward traffic to a
|
|
25
|
+
# callout backend designed to scan the traffic for security purposes.
|
|
26
|
+
# @!attribute [rw] name
|
|
27
|
+
# @return [::String]
|
|
28
|
+
# Required. Identifier. Name of the `AuthzPolicy` resource in the following
|
|
29
|
+
# format:
|
|
30
|
+
# `projects/{project}/locations/{location}/authzPolicies/{authz_policy}`.
|
|
31
|
+
# @!attribute [r] create_time
|
|
32
|
+
# @return [::Google::Protobuf::Timestamp]
|
|
33
|
+
# Output only. The timestamp when the resource was created.
|
|
34
|
+
# @!attribute [r] update_time
|
|
35
|
+
# @return [::Google::Protobuf::Timestamp]
|
|
36
|
+
# Output only. The timestamp when the resource was updated.
|
|
37
|
+
# @!attribute [rw] description
|
|
38
|
+
# @return [::String]
|
|
39
|
+
# Optional. A human-readable description of the resource.
|
|
40
|
+
# @!attribute [rw] labels
|
|
41
|
+
# @return [::Google::Protobuf::Map{::String => ::String}]
|
|
42
|
+
# Optional. Set of labels associated with the `AuthzPolicy` resource.
|
|
43
|
+
#
|
|
44
|
+
# The format must comply with [the following
|
|
45
|
+
# requirements](/compute/docs/labeling-resources#requirements).
|
|
46
|
+
# @!attribute [rw] target
|
|
47
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::Target]
|
|
48
|
+
# Required. Specifies the set of resources to which this policy should be
|
|
49
|
+
# applied to.
|
|
50
|
+
# @!attribute [rw] http_rules
|
|
51
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>]
|
|
52
|
+
# Optional. A list of authorization HTTP rules to match against the incoming
|
|
53
|
+
# request. A policy match occurs when at least one HTTP rule matches the
|
|
54
|
+
# request or when no HTTP rules are specified in the policy.
|
|
55
|
+
# At least one HTTP Rule is required for Allow or Deny Action. Limited
|
|
56
|
+
# to 5 rules.
|
|
57
|
+
# @!attribute [rw] network_rules
|
|
58
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>]
|
|
59
|
+
# Optional. A list of authorization network rules to match against the
|
|
60
|
+
# incoming request. A policy match occurs when at least one network rule
|
|
61
|
+
# matches the request.
|
|
62
|
+
# At least one network rule is required for Allow or Deny Action if no HTTP
|
|
63
|
+
# rules are provided. Network rules are mutually exclusive with HTTP rules.
|
|
64
|
+
# Limited to 5 rules.
|
|
65
|
+
# @!attribute [rw] action
|
|
66
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzAction]
|
|
67
|
+
# Required. Can be one of `ALLOW`, `DENY`, `CUSTOM`.
|
|
68
|
+
#
|
|
69
|
+
# When the action is `CUSTOM`, `customProvider` must be specified.
|
|
70
|
+
#
|
|
71
|
+
# When the action is `ALLOW`, only requests matching the policy will
|
|
72
|
+
# be allowed.
|
|
73
|
+
#
|
|
74
|
+
# When the action is `DENY`, only requests matching the policy will be
|
|
75
|
+
# denied.
|
|
76
|
+
#
|
|
77
|
+
# When a request arrives, the policies are evaluated in the following order:
|
|
78
|
+
#
|
|
79
|
+
# 1. If there is a `CUSTOM` policy that matches the request, the `CUSTOM`
|
|
80
|
+
# policy is evaluated using the custom authorization providers and the
|
|
81
|
+
# request is denied if the provider rejects the request.
|
|
82
|
+
#
|
|
83
|
+
# 2. If there are any `DENY` policies that match the request, the request
|
|
84
|
+
# is denied.
|
|
85
|
+
#
|
|
86
|
+
# 3. If there are no `ALLOW` policies for the resource or if any of the
|
|
87
|
+
# `ALLOW` policies match the request, the request is allowed.
|
|
88
|
+
#
|
|
89
|
+
# 4. Else the request is denied by default if none of the configured
|
|
90
|
+
# AuthzPolicies with `ALLOW` action match the request.
|
|
91
|
+
# @!attribute [rw] custom_provider
|
|
92
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider]
|
|
93
|
+
# Optional. Required if the action is `CUSTOM`. Allows delegating
|
|
94
|
+
# authorization decisions to Cloud IAP or to Service Extensions. One of
|
|
95
|
+
# `cloudIap` or `authzExtension` must be specified.
|
|
96
|
+
# @!attribute [rw] policy_profile
|
|
97
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::PolicyProfile]
|
|
98
|
+
# Optional. Immutable. Defines the type of authorization being performed.
|
|
99
|
+
# If not specified, `REQUEST_AUTHZ` is applied. This field cannot be changed
|
|
100
|
+
# once AuthzPolicy is created.
|
|
101
|
+
class AuthzPolicy
|
|
102
|
+
include ::Google::Protobuf::MessageExts
|
|
103
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
104
|
+
|
|
105
|
+
# Specifies the set of targets to which this policy should be applied to.
|
|
106
|
+
# @!attribute [rw] load_balancing_scheme
|
|
107
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
|
|
108
|
+
# Optional. All gateways and forwarding rules referenced by this policy and
|
|
109
|
+
# extensions must share the same load balancing scheme. Required only when
|
|
110
|
+
# targeting forwarding rules. If targeting Secure Web Proxy, this field
|
|
111
|
+
# must be `INTERNAL_MANAGED` or not specified. Must not be specified
|
|
112
|
+
# when targeting Agent Gateway. Supported values:
|
|
113
|
+
# `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
|
|
114
|
+
# to [Backend services
|
|
115
|
+
# overview](https://cloud.google.com/load-balancing/docs/backend-service).
|
|
116
|
+
# @!attribute [rw] resources
|
|
117
|
+
# @return [::Array<::String>]
|
|
118
|
+
# Required. A list of references to the Forwarding Rules, Secure Web Proxy
|
|
119
|
+
# Gateways, or Agent Gateways on which this policy will be applied.
|
|
120
|
+
class Target
|
|
121
|
+
include ::Google::Protobuf::MessageExts
|
|
122
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
# Conditions to match against the incoming request.
|
|
126
|
+
# @!attribute [rw] from
|
|
127
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
|
|
128
|
+
# Optional. Describes properties of a source of a request.
|
|
129
|
+
# @!attribute [rw] to
|
|
130
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
|
|
131
|
+
# Optional. Describes properties of a target of a request.
|
|
132
|
+
# @!attribute [rw] when
|
|
133
|
+
# @return [::String]
|
|
134
|
+
# Optional. CEL expression that describes the conditions to be satisfied
|
|
135
|
+
# for the action. The result of the CEL expression is ANDed with the from
|
|
136
|
+
# and to. Refer to the CEL language reference for a list of available
|
|
137
|
+
# attributes.
|
|
138
|
+
class AuthzRule
|
|
139
|
+
include ::Google::Protobuf::MessageExts
|
|
140
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
141
|
+
|
|
142
|
+
# Determines how a string value should be matched.
|
|
143
|
+
# @!attribute [rw] exact
|
|
144
|
+
# @return [::String]
|
|
145
|
+
# The input string must match exactly the string specified here.
|
|
146
|
+
#
|
|
147
|
+
# Examples:
|
|
148
|
+
#
|
|
149
|
+
# * ``abc`` only matches the value ``abc``.
|
|
150
|
+
#
|
|
151
|
+
# Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
|
|
152
|
+
# @!attribute [rw] prefix
|
|
153
|
+
# @return [::String]
|
|
154
|
+
# The input string must have the prefix specified here.
|
|
155
|
+
# Note: empty prefix is not allowed, please use regex instead.
|
|
156
|
+
#
|
|
157
|
+
# Examples:
|
|
158
|
+
#
|
|
159
|
+
# * ``abc`` matches the value ``abc.xyz``
|
|
160
|
+
#
|
|
161
|
+
# Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
|
|
162
|
+
# @!attribute [rw] suffix
|
|
163
|
+
# @return [::String]
|
|
164
|
+
# The input string must have the suffix specified here.
|
|
165
|
+
# Note: empty prefix is not allowed, please use regex instead.
|
|
166
|
+
#
|
|
167
|
+
# Examples:
|
|
168
|
+
#
|
|
169
|
+
# * ``abc`` matches the value ``xyz.abc``
|
|
170
|
+
#
|
|
171
|
+
# Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
|
|
172
|
+
# @!attribute [rw] contains
|
|
173
|
+
# @return [::String]
|
|
174
|
+
# The input string must have the substring specified here.
|
|
175
|
+
# Note: empty contains match is not allowed, please use regex instead.
|
|
176
|
+
#
|
|
177
|
+
# Examples:
|
|
178
|
+
#
|
|
179
|
+
# * ``abc`` matches the value ``xyz.abc.def``
|
|
180
|
+
#
|
|
181
|
+
# Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
|
|
182
|
+
# @!attribute [rw] ignore_case
|
|
183
|
+
# @return [::Boolean]
|
|
184
|
+
# If true, indicates the exact/prefix/suffix/contains matching should be
|
|
185
|
+
# case insensitive. For example, the matcher ``data`` will match both
|
|
186
|
+
# input string ``Data`` and ``data`` if set to true.
|
|
187
|
+
class StringMatch
|
|
188
|
+
include ::Google::Protobuf::MessageExts
|
|
189
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
190
|
+
end
|
|
191
|
+
|
|
192
|
+
# Represents a range of IP Addresses.
|
|
193
|
+
# @!attribute [rw] prefix
|
|
194
|
+
# @return [::String]
|
|
195
|
+
# Required. The address prefix.
|
|
196
|
+
# @!attribute [rw] length
|
|
197
|
+
# @return [::Integer]
|
|
198
|
+
# Required. The length of the address range.
|
|
199
|
+
class IpBlock
|
|
200
|
+
include ::Google::Protobuf::MessageExts
|
|
201
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
202
|
+
end
|
|
203
|
+
|
|
204
|
+
# Describes the properties of a client VM resource accessing the internal
|
|
205
|
+
# application load balancers.
|
|
206
|
+
# @!attribute [rw] tag_value_id_set
|
|
207
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
|
|
208
|
+
# Optional. A list of resource tag value permanent IDs to match against
|
|
209
|
+
# the resource manager tags value associated with the source VM of a
|
|
210
|
+
# request.
|
|
211
|
+
# @!attribute [rw] iam_service_account
|
|
212
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
|
|
213
|
+
# Optional. An IAM service account to match against the source
|
|
214
|
+
# service account of the VM sending the request.
|
|
215
|
+
class RequestResource
|
|
216
|
+
include ::Google::Protobuf::MessageExts
|
|
217
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
218
|
+
|
|
219
|
+
# Describes a set of resource tag value permanent IDs to match against
|
|
220
|
+
# the resource manager tags value associated with the source VM of a
|
|
221
|
+
# request.
|
|
222
|
+
# @!attribute [rw] ids
|
|
223
|
+
# @return [::Array<::Integer>]
|
|
224
|
+
# Required. A list of resource tag value permanent IDs to match against
|
|
225
|
+
# the resource manager tags value associated with the source VM of a
|
|
226
|
+
# request. The match follows AND semantics which means all
|
|
227
|
+
# the ids must match. Limited to 5 ids in the Tag value id set.
|
|
228
|
+
class TagValueIdSet
|
|
229
|
+
include ::Google::Protobuf::MessageExts
|
|
230
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
231
|
+
end
|
|
232
|
+
end
|
|
233
|
+
|
|
234
|
+
# Determines how a HTTP header should be matched.
|
|
235
|
+
# @!attribute [rw] name
|
|
236
|
+
# @return [::String]
|
|
237
|
+
# Optional. Specifies the name of the header in the request.
|
|
238
|
+
# @!attribute [rw] value
|
|
239
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
|
|
240
|
+
# Optional. Specifies how the header match will be performed.
|
|
241
|
+
class HeaderMatch
|
|
242
|
+
include ::Google::Protobuf::MessageExts
|
|
243
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
244
|
+
end
|
|
245
|
+
|
|
246
|
+
# Describes the properties of a principal to be matched against.
|
|
247
|
+
# @!attribute [rw] principal_selector
|
|
248
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
|
|
249
|
+
# Optional. An enum to decide what principal value the principal rule
|
|
250
|
+
# will match against. If not specified, the PrincipalSelector is
|
|
251
|
+
# CLIENT_CERT_URI_SAN.
|
|
252
|
+
# @!attribute [rw] principal
|
|
253
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
|
|
254
|
+
# Required. A non-empty string whose value is matched against the
|
|
255
|
+
# principal value based on the principal_selector. Only exact match can
|
|
256
|
+
# be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
|
|
257
|
+
# CLIENT_CERT_COMMON_NAME selectors.
|
|
258
|
+
class Principal
|
|
259
|
+
include ::Google::Protobuf::MessageExts
|
|
260
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
261
|
+
|
|
262
|
+
# The principal value the principal rule will match against.
|
|
263
|
+
module PrincipalSelector
|
|
264
|
+
# Unspecified principal selector. It will be treated as
|
|
265
|
+
# CLIENT_CERT_URI_SAN by default.
|
|
266
|
+
PRINCIPAL_SELECTOR_UNSPECIFIED = 0
|
|
267
|
+
|
|
268
|
+
# The principal rule is matched against a list of URI SANs in the
|
|
269
|
+
# validated client's certificate. A match happens when there is any
|
|
270
|
+
# exact URI SAN value match. This is the default principal selector.
|
|
271
|
+
CLIENT_CERT_URI_SAN = 1
|
|
272
|
+
|
|
273
|
+
# The principal rule is matched against a list of DNS Name SANs in the
|
|
274
|
+
# validated client's certificate. A match happens when there is any
|
|
275
|
+
# exact DNS Name SAN value match.
|
|
276
|
+
# This is only applicable for Application Load Balancers
|
|
277
|
+
# except for classic Global External Application load balancer.
|
|
278
|
+
# CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
|
|
279
|
+
# load balancing scheme.
|
|
280
|
+
CLIENT_CERT_DNS_NAME_SAN = 2
|
|
281
|
+
|
|
282
|
+
# The principal rule is matched against the common name in the client's
|
|
283
|
+
# certificate. Authorization against multiple common names in the
|
|
284
|
+
# client certificate is not supported. Requests with multiple common
|
|
285
|
+
# names in the client certificate will be rejected if
|
|
286
|
+
# CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
|
|
287
|
+
# happens when there is an exact common name value match.
|
|
288
|
+
# This is only applicable for Application Load Balancers
|
|
289
|
+
# except for global external Application Load Balancer and
|
|
290
|
+
# classic Application Load Balancer.
|
|
291
|
+
# CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
|
|
292
|
+
# load balancing scheme.
|
|
293
|
+
CLIENT_CERT_COMMON_NAME = 3
|
|
294
|
+
end
|
|
295
|
+
end
|
|
296
|
+
|
|
297
|
+
# Describes properties of one or more sources of a request.
|
|
298
|
+
# @!attribute [rw] sources
|
|
299
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
|
|
300
|
+
# Optional. Describes the properties of a request's sources. At least one
|
|
301
|
+
# of sources or notSources must be specified. Limited to 1 source.
|
|
302
|
+
# A match occurs when ANY source (in sources or notSources) matches the
|
|
303
|
+
# request. Within a single source, the match follows AND semantics
|
|
304
|
+
# across fields and OR semantics within a single field, i.e. a match
|
|
305
|
+
# occurs when ANY principal matches AND ANY ipBlocks match.
|
|
306
|
+
# @!attribute [rw] not_sources
|
|
307
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
|
|
308
|
+
# Optional. Describes the negated properties of request sources. Matches
|
|
309
|
+
# requests from sources that do not match the criteria specified in this
|
|
310
|
+
# field. At least one of sources or notSources must be specified.
|
|
311
|
+
class From
|
|
312
|
+
include ::Google::Protobuf::MessageExts
|
|
313
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
314
|
+
|
|
315
|
+
# Describes the properties of a single source.
|
|
316
|
+
# @!attribute [rw] principals
|
|
317
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
|
|
318
|
+
# Optional. A list of identities derived from the client's certificate.
|
|
319
|
+
# This field will not match on a request unless frontend mutual TLS is
|
|
320
|
+
# enabled for the forwarding rule or Gateway and the client certificate
|
|
321
|
+
# has been successfully validated by mTLS.
|
|
322
|
+
# Each identity is a string whose value is matched against a list of
|
|
323
|
+
# URI SANs, DNS Name SANs, or the common name in the client's
|
|
324
|
+
# certificate. A match happens when any principal matches with the
|
|
325
|
+
# rule. Limited to 50 principals per Authorization Policy for regional
|
|
326
|
+
# internal Application Load Balancers, regional external Application
|
|
327
|
+
# Load Balancers, cross-region internal Application Load Balancers, and
|
|
328
|
+
# Cloud Service Mesh. This field is not supported for global external
|
|
329
|
+
# Application Load Balancers.
|
|
330
|
+
# @!attribute [rw] ip_blocks
|
|
331
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
|
|
332
|
+
# Optional. A list of IP addresses or IP address ranges to match
|
|
333
|
+
# against the source IP address of the request. Limited to 10 ip_blocks
|
|
334
|
+
# per Authorization Policy
|
|
335
|
+
# @!attribute [rw] resources
|
|
336
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
|
|
337
|
+
# Optional. A list of resources to match against the resource of the
|
|
338
|
+
# source VM of a request. Limited to 10 resources per Authorization
|
|
339
|
+
# Policy.
|
|
340
|
+
class RequestSource
|
|
341
|
+
include ::Google::Protobuf::MessageExts
|
|
342
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
343
|
+
end
|
|
344
|
+
end
|
|
345
|
+
|
|
346
|
+
# Describes properties of one or more targets of a request.
|
|
347
|
+
# @!attribute [rw] operations
|
|
348
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
|
|
349
|
+
# Optional. Describes properties of one or more targets of a request. At
|
|
350
|
+
# least one of operations or notOperations must be specified. Limited to
|
|
351
|
+
# 1 operation. A match occurs when ANY operation (in operations or
|
|
352
|
+
# notOperations) matches. Within an operation, the match follows AND
|
|
353
|
+
# semantics across fields and OR semantics within a field, i.e. a match
|
|
354
|
+
# occurs when ANY path matches AND ANY header matches and ANY method
|
|
355
|
+
# matches.
|
|
356
|
+
# @!attribute [rw] not_operations
|
|
357
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
|
|
358
|
+
# Optional. Describes the negated properties of the targets of a request.
|
|
359
|
+
# Matches requests for operations that do not match the criteria
|
|
360
|
+
# specified in this field. At least one of operations or notOperations
|
|
361
|
+
# must be specified.
|
|
362
|
+
class To
|
|
363
|
+
include ::Google::Protobuf::MessageExts
|
|
364
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
365
|
+
|
|
366
|
+
# Describes properties of one or more targets of a request.
|
|
367
|
+
# @!attribute [rw] header_set
|
|
368
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
|
|
369
|
+
# Optional. A list of headers to match against in http header.
|
|
370
|
+
# @!attribute [rw] hosts
|
|
371
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
|
|
372
|
+
# Optional. A list of HTTP Hosts to match against. The match can be one
|
|
373
|
+
# of exact, prefix, suffix, or contains (substring match). Matches are
|
|
374
|
+
# always case sensitive unless the ignoreCase is set. Limited to 10
|
|
375
|
+
# hosts per Authorization Policy.
|
|
376
|
+
# @!attribute [rw] paths
|
|
377
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
|
|
378
|
+
# Optional. A list of paths to match against. The match can be one of
|
|
379
|
+
# exact, prefix, suffix, or contains (substring match). Matches are
|
|
380
|
+
# always case sensitive unless the ignoreCase is set. Limited to 10
|
|
381
|
+
# paths per Authorization Policy.
|
|
382
|
+
# Note that this path match includes the query parameters. For gRPC
|
|
383
|
+
# services, this should be a fully-qualified name of the form
|
|
384
|
+
# /package.service/method.
|
|
385
|
+
# @!attribute [rw] methods
|
|
386
|
+
# @return [::Array<::String>]
|
|
387
|
+
# Optional. A list of HTTP methods to match against. Each entry must be
|
|
388
|
+
# a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
|
|
389
|
+
# OPTIONS). It only allows exact match and is always case sensitive.
|
|
390
|
+
# Limited to 10 methods per Authorization Policy.
|
|
391
|
+
# @!attribute [rw] mcp
|
|
392
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
|
|
393
|
+
# Optional. Defines the MCP protocol attributes to match on. If the MCP
|
|
394
|
+
# payload in the request body cannot be successfully parsed, the
|
|
395
|
+
# request will be denied. This field can be set only for AuthzPolicies
|
|
396
|
+
# targeting AgentGateway resources.
|
|
397
|
+
# @!attribute [rw] snis
|
|
398
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
|
|
399
|
+
# Optional. A list of SNIs to match against. The match can be one of
|
|
400
|
+
# exact, prefix, suffix, or contains (substring match). If there is no
|
|
401
|
+
# SNI (i.e. plaintext HTTP traffic), the request will be denied.
|
|
402
|
+
# Matches are always case sensitive unless the ignoreCase is set.
|
|
403
|
+
# Limited to 10 SNIs per Authorization Policy.
|
|
404
|
+
class RequestOperation
|
|
405
|
+
include ::Google::Protobuf::MessageExts
|
|
406
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
407
|
+
|
|
408
|
+
# Describes a set of HTTP headers to match against.
|
|
409
|
+
# @!attribute [rw] headers
|
|
410
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
|
|
411
|
+
# Required. A list of headers to match against in http header.
|
|
412
|
+
# The match can be one of exact, prefix, suffix, or contains
|
|
413
|
+
# (substring match). The match follows AND semantics which means all
|
|
414
|
+
# the headers must match. Matches are always case sensitive unless
|
|
415
|
+
# the ignoreCase is set. Limited to 10 headers per Authorization
|
|
416
|
+
# Policy.
|
|
417
|
+
class HeaderSet
|
|
418
|
+
include ::Google::Protobuf::MessageExts
|
|
419
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
420
|
+
end
|
|
421
|
+
|
|
422
|
+
# Describes a set of MCP methods to match against.
|
|
423
|
+
# @!attribute [rw] name
|
|
424
|
+
# @return [::String]
|
|
425
|
+
# Required. The MCP method to match against. Allowed values are as
|
|
426
|
+
# follows:
|
|
427
|
+
# 1. `tools`, `prompts`, `resources` - these will match against all
|
|
428
|
+
# sub methods under the respective methods.
|
|
429
|
+
# 2. `prompts/list`, `tools/list`, `resources/list`,
|
|
430
|
+
# `resources/templates/list`
|
|
431
|
+
# 3. `prompts/get`, `tools/call`, `resources/subscribe`,
|
|
432
|
+
# `resources/unsubscribe`, `resources/read`
|
|
433
|
+
# Params cannot be specified for categories 1 and 2.
|
|
434
|
+
# @!attribute [rw] params
|
|
435
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
|
|
436
|
+
# Optional. A list of MCP method parameters to match against. The
|
|
437
|
+
# match can be one of exact, prefix, suffix, or contains (substring
|
|
438
|
+
# match). Matches are always case sensitive unless the ignoreCase is
|
|
439
|
+
# set. Limited to 10 MCP method parameters per Authorization Policy.
|
|
440
|
+
class MCPMethod
|
|
441
|
+
include ::Google::Protobuf::MessageExts
|
|
442
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
443
|
+
end
|
|
444
|
+
|
|
445
|
+
# Describes a set of MCP protocol attributes to match against for a
|
|
446
|
+
# given MCP request.
|
|
447
|
+
# @!attribute [rw] base_protocol_methods_option
|
|
448
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
|
|
449
|
+
# Optional. If specified, matches on the MCP protocol’s non-access
|
|
450
|
+
# specific methods namely:
|
|
451
|
+
# * initialize
|
|
452
|
+
# * completion/
|
|
453
|
+
# * logging/
|
|
454
|
+
# * notifications/
|
|
455
|
+
# * ping
|
|
456
|
+
# Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
|
|
457
|
+
# @!attribute [rw] methods
|
|
458
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
|
|
459
|
+
# Optional. A list of MCP methods and associated parameters to match
|
|
460
|
+
# on. It is recommended to use this field to match on tools, prompts
|
|
461
|
+
# and resource accesses while setting the baseProtocolMethodsOption
|
|
462
|
+
# to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
|
|
463
|
+
# protocol methods.
|
|
464
|
+
# Limited to 10 MCP methods per Authorization Policy.
|
|
465
|
+
class MCP
|
|
466
|
+
include ::Google::Protobuf::MessageExts
|
|
467
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
468
|
+
end
|
|
469
|
+
|
|
470
|
+
# Describes the option to match against the base MCP protocol methods.
|
|
471
|
+
module BaseProtocolMethodsOption
|
|
472
|
+
# Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
|
|
473
|
+
BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0
|
|
474
|
+
|
|
475
|
+
# Skip matching on the base MCP protocol methods.
|
|
476
|
+
SKIP_BASE_PROTOCOL_METHODS = 1
|
|
477
|
+
|
|
478
|
+
# Match on the base MCP protocol methods.
|
|
479
|
+
MATCH_BASE_PROTOCOL_METHODS = 2
|
|
480
|
+
end
|
|
481
|
+
end
|
|
482
|
+
end
|
|
483
|
+
end
|
|
484
|
+
|
|
485
|
+
# Allows delegating authorization decisions to Cloud IAP or to
|
|
486
|
+
# Service Extensions.
|
|
487
|
+
# @!attribute [rw] cloud_iap
|
|
488
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
|
|
489
|
+
# Optional. Delegates authorization decisions to Cloud IAP. Applicable
|
|
490
|
+
# only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
|
|
491
|
+
# level is not compatible with Cloud IAP settings in the BackendService.
|
|
492
|
+
# Enabling IAP in both places will result in request failure. Ensure that
|
|
493
|
+
# IAP is enabled in either the AuthzPolicy or the BackendService but not in
|
|
494
|
+
# both places.
|
|
495
|
+
# @!attribute [rw] authz_extension
|
|
496
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
|
|
497
|
+
# Optional. Delegate authorization decision to user authored Service
|
|
498
|
+
# Extension. Only one of cloudIap or authzExtension can be specified.
|
|
499
|
+
class CustomProvider
|
|
500
|
+
include ::Google::Protobuf::MessageExts
|
|
501
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
502
|
+
|
|
503
|
+
# Optional. Delegates authorization decisions to Cloud IAP. Applicable
|
|
504
|
+
# only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
|
|
505
|
+
# level is not compatible with Cloud IAP settings in the BackendService.
|
|
506
|
+
# Enabling IAP in both places will result in request failure. Ensure that
|
|
507
|
+
# IAP is enabled in either the AuthzPolicy or the BackendService but not in
|
|
508
|
+
# both places.
|
|
509
|
+
class CloudIap
|
|
510
|
+
include ::Google::Protobuf::MessageExts
|
|
511
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
512
|
+
end
|
|
513
|
+
|
|
514
|
+
# Optional. Delegate authorization decision to user authored extension.
|
|
515
|
+
# Only one of cloudIap or authzExtension can be specified.
|
|
516
|
+
# @!attribute [rw] resources
|
|
517
|
+
# @return [::Array<::String>]
|
|
518
|
+
# Required. A list of references to authorization
|
|
519
|
+
# extensions that will be invoked for requests matching this policy.
|
|
520
|
+
# Limited to 1 custom provider.
|
|
521
|
+
class AuthzExtension
|
|
522
|
+
include ::Google::Protobuf::MessageExts
|
|
523
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
524
|
+
end
|
|
525
|
+
end
|
|
526
|
+
|
|
527
|
+
# @!attribute [rw] key
|
|
528
|
+
# @return [::String]
|
|
529
|
+
# @!attribute [rw] value
|
|
530
|
+
# @return [::String]
|
|
531
|
+
class LabelsEntry
|
|
532
|
+
include ::Google::Protobuf::MessageExts
|
|
533
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
534
|
+
end
|
|
535
|
+
|
|
536
|
+
# Load balancing schemes supported by the `AuthzPolicy` resource. The valid
|
|
537
|
+
# values are `INTERNAL_MANAGED` and
|
|
538
|
+
# `EXTERNAL_MANAGED`. For more information, refer to [Backend services
|
|
539
|
+
# overview](https://cloud.google.com/load-balancing/docs/backend-service).
|
|
540
|
+
module LoadBalancingScheme
|
|
541
|
+
# Default value. Do not use.
|
|
542
|
+
LOAD_BALANCING_SCHEME_UNSPECIFIED = 0
|
|
543
|
+
|
|
544
|
+
# Signifies that this is used for Regional internal or Cross-region
|
|
545
|
+
# internal Application Load Balancing.
|
|
546
|
+
INTERNAL_MANAGED = 1
|
|
547
|
+
|
|
548
|
+
# Signifies that this is used for Global external or Regional external
|
|
549
|
+
# Application Load Balancing.
|
|
550
|
+
EXTERNAL_MANAGED = 2
|
|
551
|
+
|
|
552
|
+
# Signifies that this is used for Cloud Service Mesh. Meant for use by
|
|
553
|
+
# CSM GKE controller only.
|
|
554
|
+
INTERNAL_SELF_MANAGED = 3
|
|
555
|
+
end
|
|
556
|
+
|
|
557
|
+
# The action to be applied to this policy. Valid values are
|
|
558
|
+
# `ALLOW`, `DENY`, `CUSTOM`.
|
|
559
|
+
module AuthzAction
|
|
560
|
+
# Unspecified action.
|
|
561
|
+
AUTHZ_ACTION_UNSPECIFIED = 0
|
|
562
|
+
|
|
563
|
+
# Allow request to pass through to the backend.
|
|
564
|
+
ALLOW = 1
|
|
565
|
+
|
|
566
|
+
# Deny the request and return a HTTP 404 to the client.
|
|
567
|
+
DENY = 2
|
|
568
|
+
|
|
569
|
+
# Delegate the authorization decision to an external authorization engine.
|
|
570
|
+
CUSTOM = 3
|
|
571
|
+
end
|
|
572
|
+
|
|
573
|
+
# The type of authorization being performed.
|
|
574
|
+
# New values may be added in the future.
|
|
575
|
+
module PolicyProfile
|
|
576
|
+
# Unspecified policy profile.
|
|
577
|
+
POLICY_PROFILE_UNSPECIFIED = 0
|
|
578
|
+
|
|
579
|
+
# Applies to request authorization. `CUSTOM` authorization
|
|
580
|
+
# policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
|
|
581
|
+
# `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
|
|
582
|
+
# events.
|
|
583
|
+
REQUEST_AUTHZ = 1
|
|
584
|
+
|
|
585
|
+
# Applies to content security, sanitization, etc. Only
|
|
586
|
+
# `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
|
|
587
|
+
# custom provider must support `EXT_PROC_GRPC` protocol only and be capable
|
|
588
|
+
# of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
|
|
589
|
+
# REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
|
|
590
|
+
# with `FULL_DUPLEX_STREAMED` body send mode.
|
|
591
|
+
CONTENT_AUTHZ = 2
|
|
592
|
+
end
|
|
593
|
+
end
|
|
594
|
+
|
|
595
|
+
# Message for creating an `AuthzPolicy` resource.
|
|
596
|
+
# @!attribute [rw] parent
|
|
597
|
+
# @return [::String]
|
|
598
|
+
# Required. The parent resource of the `AuthzPolicy` resource. Must be in
|
|
599
|
+
# the format `projects/{project}/locations/{location}`.
|
|
600
|
+
# @!attribute [rw] authz_policy_id
|
|
601
|
+
# @return [::String]
|
|
602
|
+
# Required. User-provided ID of the `AuthzPolicy` resource to be created.
|
|
603
|
+
# @!attribute [rw] authz_policy
|
|
604
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy]
|
|
605
|
+
# Required. `AuthzPolicy` resource to be created.
|
|
606
|
+
# @!attribute [rw] request_id
|
|
607
|
+
# @return [::String]
|
|
608
|
+
# Optional. An optional request ID to identify requests. Specify a unique
|
|
609
|
+
# request ID so that if you must retry your request, the server can ignore
|
|
610
|
+
# the request if it has already been completed. The server guarantees
|
|
611
|
+
# that for at least 60 minutes since the first request.
|
|
612
|
+
#
|
|
613
|
+
# For example, consider a situation where you make an initial request and the
|
|
614
|
+
# request times out. If you make the request again with the same request
|
|
615
|
+
# ID, the server can check if original operation with the same request ID
|
|
616
|
+
# was received, and if so, ignores the second request. This prevents
|
|
617
|
+
# clients from accidentally creating duplicate commitments.
|
|
618
|
+
#
|
|
619
|
+
# The request ID must be a valid UUID with the exception that zero UUID is
|
|
620
|
+
# not supported (00000000-0000-0000-0000-000000000000).
|
|
621
|
+
class CreateAuthzPolicyRequest
|
|
622
|
+
include ::Google::Protobuf::MessageExts
|
|
623
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
624
|
+
end
|
|
625
|
+
|
|
626
|
+
# Message for requesting list of `AuthzPolicy` resources.
|
|
627
|
+
# @!attribute [rw] parent
|
|
628
|
+
# @return [::String]
|
|
629
|
+
# Required. The project and location from which the `AuthzPolicy` resources
|
|
630
|
+
# are listed, specified in the following format:
|
|
631
|
+
# `projects/{project}/locations/{location}`.
|
|
632
|
+
# @!attribute [rw] page_size
|
|
633
|
+
# @return [::Integer]
|
|
634
|
+
# Optional. Requested page size. The server might return fewer items than
|
|
635
|
+
# requested. If unspecified, the server picks an appropriate default.
|
|
636
|
+
# @!attribute [rw] page_token
|
|
637
|
+
# @return [::String]
|
|
638
|
+
# Optional. A token identifying a page of results that the server returns.
|
|
639
|
+
# @!attribute [rw] filter
|
|
640
|
+
# @return [::String]
|
|
641
|
+
# Optional. Filtering results.
|
|
642
|
+
# @!attribute [rw] order_by
|
|
643
|
+
# @return [::String]
|
|
644
|
+
# Optional. Hint for how to order the results.
|
|
645
|
+
class ListAuthzPoliciesRequest
|
|
646
|
+
include ::Google::Protobuf::MessageExts
|
|
647
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
648
|
+
end
|
|
649
|
+
|
|
650
|
+
# Message for response to listing `AuthzPolicy` resources.
|
|
651
|
+
# @!attribute [rw] authz_policies
|
|
652
|
+
# @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy>]
|
|
653
|
+
# The list of `AuthzPolicy` resources.
|
|
654
|
+
# @!attribute [rw] next_page_token
|
|
655
|
+
# @return [::String]
|
|
656
|
+
# A token identifying a page of results that the server returns.
|
|
657
|
+
# @!attribute [rw] unreachable
|
|
658
|
+
# @return [::Array<::String>]
|
|
659
|
+
# Locations that could not be reached.
|
|
660
|
+
class ListAuthzPoliciesResponse
|
|
661
|
+
include ::Google::Protobuf::MessageExts
|
|
662
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
663
|
+
end
|
|
664
|
+
|
|
665
|
+
# Message for getting a `AuthzPolicy` resource.
|
|
666
|
+
# @!attribute [rw] name
|
|
667
|
+
# @return [::String]
|
|
668
|
+
# Required. A name of the `AuthzPolicy` resource to get. Must be in the
|
|
669
|
+
# format
|
|
670
|
+
# `projects/{project}/locations/{location}/authzPolicies/{authz_policy}`.
|
|
671
|
+
class GetAuthzPolicyRequest
|
|
672
|
+
include ::Google::Protobuf::MessageExts
|
|
673
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
674
|
+
end
|
|
675
|
+
|
|
676
|
+
# Message for updating an `AuthzPolicy` resource.
|
|
677
|
+
# @!attribute [rw] update_mask
|
|
678
|
+
# @return [::Google::Protobuf::FieldMask]
|
|
679
|
+
# Required. Used to specify the fields to be overwritten in the
|
|
680
|
+
# `AuthzPolicy` resource by the update.
|
|
681
|
+
# The fields specified in the `update_mask` are relative to the resource, not
|
|
682
|
+
# the full request. A field is overwritten if it is in the mask. If the
|
|
683
|
+
# user does not specify a mask, then all fields are overwritten.
|
|
684
|
+
# @!attribute [rw] authz_policy
|
|
685
|
+
# @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy]
|
|
686
|
+
# Required. `AuthzPolicy` resource being updated.
|
|
687
|
+
# @!attribute [rw] request_id
|
|
688
|
+
# @return [::String]
|
|
689
|
+
# Optional. An optional request ID to identify requests. Specify a unique
|
|
690
|
+
# request ID so that if you must retry your request, the server can ignore
|
|
691
|
+
# the request if it has already been completed. The server guarantees
|
|
692
|
+
# that for at least 60 minutes since the first request.
|
|
693
|
+
#
|
|
694
|
+
# For example, consider a situation where you make an initial request and the
|
|
695
|
+
# request times out. If you make the request again with the same request
|
|
696
|
+
# ID, the server can check if original operation with the same request ID
|
|
697
|
+
# was received, and if so, ignores the second request. This prevents
|
|
698
|
+
# clients from accidentally creating duplicate commitments.
|
|
699
|
+
#
|
|
700
|
+
# The request ID must be a valid UUID with the exception that zero UUID is
|
|
701
|
+
# not supported (00000000-0000-0000-0000-000000000000).
|
|
702
|
+
class UpdateAuthzPolicyRequest
|
|
703
|
+
include ::Google::Protobuf::MessageExts
|
|
704
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
705
|
+
end
|
|
706
|
+
|
|
707
|
+
# Message for deleting an `AuthzPolicy` resource.
|
|
708
|
+
# @!attribute [rw] name
|
|
709
|
+
# @return [::String]
|
|
710
|
+
# Required. The name of the `AuthzPolicy` resource to delete. Must be in
|
|
711
|
+
# the format
|
|
712
|
+
# `projects/{project}/locations/{location}/authzPolicies/{authz_policy}`.
|
|
713
|
+
# @!attribute [rw] request_id
|
|
714
|
+
# @return [::String]
|
|
715
|
+
# Optional. An optional request ID to identify requests. Specify a unique
|
|
716
|
+
# request ID so that if you must retry your request, the server can ignore
|
|
717
|
+
# the request if it has already been completed. The server guarantees
|
|
718
|
+
# that for at least 60 minutes after the first request.
|
|
719
|
+
#
|
|
720
|
+
# For example, consider a situation where you make an initial request and the
|
|
721
|
+
# request times out. If you make the request again with the same request
|
|
722
|
+
# ID, the server can check if original operation with the same request ID
|
|
723
|
+
# was received, and if so, ignores the second request. This prevents
|
|
724
|
+
# clients from accidentally creating duplicate commitments.
|
|
725
|
+
#
|
|
726
|
+
# The request ID must be a valid UUID with the exception that zero UUID is
|
|
727
|
+
# not supported (00000000-0000-0000-0000-000000000000).
|
|
728
|
+
class DeleteAuthzPolicyRequest
|
|
729
|
+
include ::Google::Protobuf::MessageExts
|
|
730
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
731
|
+
end
|
|
732
|
+
end
|
|
733
|
+
end
|
|
734
|
+
end
|
|
735
|
+
end
|