Class: Google::Cloud::NetworkSecurity::V1::AuthzPolicy
- Inherits:
-
Object
- Object
- Google::Cloud::NetworkSecurity::V1::AuthzPolicy
- Extended by:
- Protobuf::MessageExts::ClassMethods
- Includes:
- Protobuf::MessageExts
- Defined in:
- proto_docs/google/cloud/networksecurity/v1/authz_policy.rb
Overview
AuthzPolicy is a resource that allows to forward traffic to a
callout backend designed to scan the traffic for security purposes.
Defined Under Namespace
Modules: AuthzAction, LoadBalancingScheme, PolicyProfile Classes: AuthzRule, CustomProvider, LabelsEntry, Target
Instance Attribute Summary collapse
-
#action ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzAction
Required.
-
#create_time ⇒ ::Google::Protobuf::Timestamp
readonly
Output only.
-
#custom_provider ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider
Optional.
-
#description ⇒ ::String
Optional.
-
#http_rules ⇒ ::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>
Optional.
-
#labels ⇒ ::Google::Protobuf::Map{::String => ::String}
Optional.
-
#name ⇒ ::String
Required.
-
#network_rules ⇒ ::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>
Optional.
-
#policy_profile ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::PolicyProfile
Optional.
-
#target ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::Target
Required.
-
#update_time ⇒ ::Google::Protobuf::Timestamp
readonly
Output only.
Instance Attribute Details
#action ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzAction
Returns Required. Can be one of ALLOW, DENY, CUSTOM.
When the action is CUSTOM, customProvider must be specified.
When the action is ALLOW, only requests matching the policy will
be allowed.
When the action is DENY, only requests matching the policy will be
denied.
When a request arrives, the policies are evaluated in the following order:
If there is a
CUSTOMpolicy that matches the request, theCUSTOMpolicy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.If there are any
DENYpolicies that match the request, the request is denied.If there are no
ALLOWpolicies for the resource or if any of theALLOWpolicies match the request, the request is allowed.Else the request is denied by default if none of the configured AuthzPolicies with
ALLOWaction match the request.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#create_time ⇒ ::Google::Protobuf::Timestamp (readonly)
Returns Output only. The timestamp when the resource was created.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#custom_provider ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider
Returns Optional. Required if the action is CUSTOM. Allows delegating
authorization decisions to Cloud IAP or to Service Extensions. One of
cloudIap or authzExtension must be specified.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#description ⇒ ::String
Returns Optional. A human-readable description of the resource.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#http_rules ⇒ ::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>
Returns Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#labels ⇒ ::Google::Protobuf::Map{::String => ::String}
Returns Optional. Set of labels associated with the AuthzPolicy resource.
The format must comply with the following requirements.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#name ⇒ ::String
Returns Required. Identifier. Name of the AuthzPolicy resource in the following
format:
projects/{project}/locations/{location}/authzPolicies/{authz_policy}.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#network_rules ⇒ ::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>
Returns Optional. A list of authorization network rules to match against the incoming request. A policy match occurs when at least one network rule matches the request. At least one network rule is required for Allow or Deny Action if no HTTP rules are provided. Network rules are mutually exclusive with HTTP rules. Limited to 5 rules.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#policy_profile ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::PolicyProfile
Returns Optional. Immutable. Defines the type of authorization being performed.
If not specified, REQUEST_AUTHZ is applied. This field cannot be changed
once AuthzPolicy is created.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#target ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::Target
Returns Required. Specifies the set of resources to which this policy should be applied to.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |
#update_time ⇒ ::Google::Protobuf::Timestamp (readonly)
Returns Output only. The timestamp when the resource was updated.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101 class AuthzPolicy include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the set of targets to which this policy should be applied to. # @!attribute [rw] load_balancing_scheme # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme] # Optional. All gateways and forwarding rules referenced by this policy and # extensions must share the same load balancing scheme. Required only when # targeting forwarding rules. If targeting Secure Web Proxy, this field # must be `INTERNAL_MANAGED` or not specified. Must not be specified # when targeting Agent Gateway. Supported values: # `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer # to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to the Forwarding Rules, Secure Web Proxy # Gateways, or Agent Gateways on which this policy will be applied. class Target include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Conditions to match against the incoming request. # @!attribute [rw] from # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From] # Optional. Describes properties of a source of a request. # @!attribute [rw] to # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To] # Optional. Describes properties of a target of a request. # @!attribute [rw] when # @return [::String] # Optional. CEL expression that describes the conditions to be satisfied # for the action. The result of the CEL expression is ANDed with the from # and to. Refer to the CEL language reference for a list of available # attributes. class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end # Allows delegating authorization decisions to Cloud IAP or to # Service Extensions. # @!attribute [rw] cloud_iap # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap] # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. # @!attribute [rw] authz_extension # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension] # Optional. Delegate authorization decision to user authored Service # Extension. Only one of cloudIap or authzExtension can be specified. class CustomProvider include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Optional. Delegates authorization decisions to Cloud IAP. Applicable # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy # level is not compatible with Cloud IAP settings in the BackendService. # Enabling IAP in both places will result in request failure. Ensure that # IAP is enabled in either the AuthzPolicy or the BackendService but not in # both places. class CloudIap include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Optional. Delegate authorization decision to user authored extension. # Only one of cloudIap or authzExtension can be specified. # @!attribute [rw] resources # @return [::Array<::String>] # Required. A list of references to authorization # extensions that will be invoked for requests matching this policy. # Limited to 1 custom provider. class AuthzExtension include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # @!attribute [rw] key # @return [::String] # @!attribute [rw] value # @return [::String] class LabelsEntry include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Load balancing schemes supported by the `AuthzPolicy` resource. The valid # values are `INTERNAL_MANAGED` and # `EXTERNAL_MANAGED`. For more information, refer to [Backend services # overview](https://cloud.google.com/load-balancing/docs/backend-service). module LoadBalancingScheme # Default value. Do not use. LOAD_BALANCING_SCHEME_UNSPECIFIED = 0 # Signifies that this is used for Regional internal or Cross-region # internal Application Load Balancing. INTERNAL_MANAGED = 1 # Signifies that this is used for Global external or Regional external # Application Load Balancing. EXTERNAL_MANAGED = 2 # Signifies that this is used for Cloud Service Mesh. Meant for use by # CSM GKE controller only. INTERNAL_SELF_MANAGED = 3 end # The action to be applied to this policy. Valid values are # `ALLOW`, `DENY`, `CUSTOM`. module AuthzAction # Unspecified action. AUTHZ_ACTION_UNSPECIFIED = 0 # Allow request to pass through to the backend. ALLOW = 1 # Deny the request and return a HTTP 404 to the client. DENY = 2 # Delegate the authorization decision to an external authorization engine. CUSTOM = 3 end # The type of authorization being performed. # New values may be added in the future. module PolicyProfile # Unspecified policy profile. POLICY_PROFILE_UNSPECIFIED = 0 # Applies to request authorization. `CUSTOM` authorization # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header # events. REQUEST_AUTHZ = 1 # Applies to content security, sanitization, etc. Only # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the # custom provider must support `EXT_PROC_GRPC` protocol only and be capable # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY, # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS) # with `FULL_DUPLEX_STREAMED` body send mode. CONTENT_AUTHZ = 2 end end |